From 7ec3103eb4851c81b27b1f7ab71f0e0a8a7f362a Mon Sep 17 00:00:00 2001
From: JoshVanL
Date: Mon, 11 Nov 2019 12:19:10 +0000
Subject: [PATCH] Changes the vault issuer Kubernetes auth path to require the full path

Signed-off-by: JoshVanL
---
 .../cert-manager/crds/clusterissuers.yaml | 9 ++++-----
 deploy/charts/cert-manager/crds/issuers.yaml | 9 ++++-----
 deploy/manifests/00-crds.yaml | 18 ++++++++----------
 .../output/reference/api-docs/index.html | 2 +-
 pkg/apis/certmanager/v1alpha2/const.go | 2 +-
 pkg/apis/certmanager/v1alpha2/types_issuer.go | 7 +++----
 pkg/internal/vault/vault.go | 4 +---
 test/e2e/suite/issuers/vault/issuer.go | 2 +-
 8 files changed, 23 insertions(+), 30 deletions(-)

diff --git a/deploy/charts/cert-manager/crds/clusterissuers.yaml b/deploy/charts/cert-manager/crds/clusterissuers.yaml
index 395d49685..ba93c0ccf 100644
--- a/deploy/charts/cert-manager/crds/clusterissuers.yaml
+++ b/deploy/charts/cert-manager/crds/clusterissuers.yaml
@@ -1473,11 +1473,10 @@ spec:
 - secretRef
 properties:
 mountPath:
- description: The value here will be used as part of the
- path used when authenticating with vault, for example
- if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
- If unspecified, the default value "kubernetes" will be
- used.
+ description: The vault here is the path to use when authenticating
+ with vault, for example setting a value to `/v1/auth/foo/login`.
+ If unspecified, the default value "/v1/auth/kubernetes/login"
+ will be used.
 type: string
 role:
 description: A required field containing the Vault Role
diff --git a/deploy/charts/cert-manager/crds/issuers.yaml b/deploy/charts/cert-manager/crds/issuers.yaml
index cf6164e20..d7382c669 100644
--- a/deploy/charts/cert-manager/crds/issuers.yaml
+++ b/deploy/charts/cert-manager/crds/issuers.yaml
@@ -1473,11 +1473,10 @@ spec:
 - secretRef
 properties:
 mountPath:
- description: The value here will be used as part of the
- path used when authenticating with vault, for example
- if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
- If unspecified, the default value "kubernetes" will be
- used.
+ description: The vault here is the path to use when authenticating
+ with vault, for example setting a value to `/v1/auth/foo/login`.
+ If unspecified, the default value "/v1/auth/kubernetes/login"
+ will be used.
 type: string
 role:
 description: A required field containing the Vault Role
diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml
index 08a75974f..0f555c59e 100644
--- a/deploy/manifests/00-crds.yaml
+++ b/deploy/manifests/00-crds.yaml
@@ -3257,11 +3257,10 @@ spec:
 - secretRef
 properties:
 mountPath:
- description: The value here will be used as part of the
- path used when authenticating with vault, for example
- if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
- If unspecified, the default value "kubernetes" will be
- used.
+ description: The vault here is the path to use when authenticating
+ with vault, for example setting a value to `/v1/auth/foo/login`.
+ If unspecified, the default value "/v1/auth/kubernetes/login"
+ will be used.
 type: string
 role:
 description: A required field containing the Vault Role
@@ -4912,11 +4911,10 @@ spec:
 - secretRef
 properties:
 mountPath:
- description: The value here will be used as part of the
- path used when authenticating with vault, for example
- if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
- If unspecified, the default value "kubernetes" will be
- used.
+ description: The vault here is the path to use when authenticating
+ with vault, for example setting a value to `/v1/auth/foo/login`.
+ If unspecified, the default value "/v1/auth/kubernetes/login"
+ will be used.
 type: string
 role:
 description: A required field containing the Vault Role
diff --git a/docs/generated/reference/output/reference/api-docs/index.html b/docs/generated/reference/output/reference/api-docs/index.html
index 2c112376c..616326daf 100755
--- a/docs/generated/reference/output/reference/api-docs/index.html
+++ b/docs/generated/reference/output/reference/api-docs/index.html
@@ -2691,7 +2691,7 @@ Appears In: mountPath
string -The value here will be used as part of the path used when authenticating with vault, for example if you set a value of "foo", the path used will be /v1/auth/foo/login. If unspecified, the default value "kubernetes" will be used. +The vault here is the path to use when authenticating with vault, for example setting a value to /v1/auth/foo/login. If unspecified, the default value "/v1/auth/kubernetes/login" will be used. role
string
diff --git a/pkg/apis/certmanager/v1alpha2/const.go b/pkg/apis/certmanager/v1alpha2/const.go
index e6bb792c2..2a4dbabdb 100644
--- a/pkg/apis/certmanager/v1alpha2/const.go
+++ b/pkg/apis/certmanager/v1alpha2/const.go
@@ -38,5 +38,5 @@ const (
 // Default mount path location for Kubernetes ServiceAccount authentication
 // (/v1/auth/kubernetes/login)
- DefaultVaultKubernetesAuthMountPath = "kubernetes"
+ DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes/login"
 )
diff --git a/pkg/apis/certmanager/v1alpha2/types_issuer.go b/pkg/apis/certmanager/v1alpha2/types_issuer.go
index 75e81eb4e..274db4926 100644
--- a/pkg/apis/certmanager/v1alpha2/types_issuer.go
+++ b/pkg/apis/certmanager/v1alpha2/types_issuer.go
@@ -193,10 +193,9 @@ type VaultAppRole struct {
 // Authenticate against Vault using a Kubernetes ServiceAccount token stored in
 // a Secret.
 type VaultKubernetesAuth struct {
- // The value here will be used as part of the path used when authenticating
- // with vault, for example if you set a value of "foo", the path used will be
- // `/v1/auth/foo/login`. If unspecified, the default value "kubernetes" will
- // be used.
+ // The vault here is the path to use when authenticating with vault, for
+ // example setting a value to `/v1/auth/foo/login`. If unspecified, the
+ // default value "/v1/auth/kubernetes/login" will be used.
 // +optional
 Path string `json:"mountPath,omitempty"`
diff --git a/pkg/internal/vault/vault.go b/pkg/internal/vault/vault.go
index 1b97b55d6..690f00a89 100644
--- a/pkg/internal/vault/vault.go
+++ b/pkg/internal/vault/vault.go
@@ -22,7 +22,6 @@ import (
 "fmt"
 "net/http"
 "path"
- "path/filepath"
 "strings"
 "time"
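Review bot: The two context comment lines above the new value in const.go still describe `DefaultVaultKubernetesAuthMountPath` as a "mount path location", but after this change the constant holds the complete login path rather than an auth mount name, so the comment (and the `MountPath` suffix in the name) now misdescribe what is stored. Renaming the exported constant would break importers, so keep the name and fix the comment, e.g. `// Default path used to log in to Vault with a Kubernetes ServiceAccount token. This is the full login API path, not just the name of the auth mount.`. The `const (` block this sits in starts outside the hunk.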
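Review bot: The new field comment on `Path` in types_issuer.go reads "The vault here is the path", which looks like a typo for "The value here is the path", and "setting a value to `/v1/auth/foo/login`" is awkward; suggested wording: `// The value here is the full path used when authenticating with Vault, for example "/v1/auth/foo/login". If unspecified, the default value "/v1/auth/kubernetes/login" will be used.`. It would also help readers to state that the JSON key is still `mountPath` for compatibility even though the value is no longer a mount name. The same sentence is copied verbatim into the four CRD hunks and the generated api-docs hunk earlier in this patch, so those files should be regenerated once the Go comment is corrected. The `VaultKubernetesAuth` struct continues past the end of the hunk.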
@@ -318,8 +317,7 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
 mountPath = v1alpha2.DefaultVaultKubernetesAuthMountPath
 }
- url := filepath.Join("/v1", "auth", mountPath, "login")
- request := client.NewRequest("POST", url)
+ request := client.NewRequest("POST", mountPath)
 err = request.SetJSONBody(parameters)
 if err != nil {
 return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
diff --git a/test/e2e/suite/issuers/vault/issuer.go b/test/e2e/suite/issuers/vault/issuer.go
index a3ffe52c3..cec16ea8d 100644
--- a/test/e2e/suite/issuers/vault/issuer.go
+++ b/test/e2e/suite/issuers/vault/issuer.go
@@ -63,7 +63,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
 vaultKubernetesRoleName := "kubernetes-role"
 vaultPath := path.Join(intermediateMount, "sign", role)
 appRoleAuthPath := "approle"
- kubernetesAuthPath := "kubernetes"
+ kubernetesAuthPath := "/v1/auth/kubernetes/login"
 var roleId, secretId string
 var vaultInit *vaultaddon.VaultInitializer
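Review bot: `client.NewRequest("POST", mountPath)` now sends the configured value verbatim, so any existing Issuer or ClusterIssuer whose `mountPath` is a bare mount name such as `kubernetes` — the only form the removed `filepath.Join("/v1", "auth", mountPath, "login")` line accepted — will presumably post to a non-existent path after upgrade and stop authenticating, and nothing in this commit handles or documents that break. If the break is intended, the commit message should say so and the release notes should carry a migration step; otherwise a one-line fallback keeps old resources working: `if !strings.HasPrefix(mountPath, "/") { mountPath = path.Join("/v1", "auth", mountPath, "login") }` (both `strings` and `path` remain imported per the earlier hunk in this file). Either way, a value that reaches Vault as an arbitrary login path is worth a log line at debug level so operators can see which endpoint the service-account token was presented to. `requestTokenWithKubernetesAuth` starts and ends outside the hunk.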