Support K8s auth (spiffe#5058)

Signed-off-by: Matteo Kamm <[email protected]>

Author: InverseIntegral

pkg/server/plugin/keymanager/hashicorpvault/hashicorp_vault.go

@@ -55,19 +55,21 @@ type Config struct {
 	Namespace string `hcl:"namespace" json:"namespace"`
 	// TransitEnginePath specifies the path to the transit engine to perform key operations.
 	TransitEnginePath string `hcl:"transit_engine_path" json:"transit_engine_path"`
+
 	// If true, vault client accepts any server certificates.
 	// It should be used only test environment so on.
 	InsecureSkipVerify bool `hcl:"insecure_skip_verify" json:"insecure_skip_verify"`
 
+	// TODO: Support CA certificate path here instead of insecure skip verify
+
 	// Configuration for the Token authentication method
 	TokenAuth *TokenAuthConfig `hcl:"token_auth" json:"token_auth,omitempty"`
 	// Configuration for the AppRole authentication method
 	AppRoleAuth *AppRoleAuthConfig `hcl:"approle_auth" json:"approle_auth,omitempty"`
 	// Configuration for the Client Certificate authentication method
 	CertAuth *CertAuthConfig `hcl:"cert_auth" json:"cert_auth,omitempty"`
-
-	// TODO: Support other auth methods
-	// TODO: Support client certificate and key
+	// Configuration for the Kubernetes authentication method
+	K8sAuth *K8sAuthConfig `hcl:"k8s_auth" json:"k8s_auth,omitempty"`
 }
 
 // TokenAuthConfig represents parameters for token auth method
@@ -103,6 +105,18 @@ type CertAuthConfig struct {
 	ClientKeyPath string `hcl:"client_key_path" json:"client_key_path"`
 }
 
+// K8sAuthConfig represents parameters for Kubernetes auth method.
+type K8sAuthConfig struct {
+	// Name of the mount point where Kubernetes auth method is mounted. (e.g., /auth/<mount_point>/login)
+	// If the value is empty, use default mount point (/auth/kubernetes)
+	K8sAuthMountPoint string `hcl:"k8s_auth_mount_point" json:"k8s_auth_mount_point"`
+	// Name of the Vault role.
+	// The plugin authenticates against the named role.
+	K8sAuthRoleName string `hcl:"k8s_auth_role_name" json:"k8s_auth_role_name"`
+	// Path to the Kubernetes Service Account Token to use authentication with the Vault.
+	TokenPath string `hcl:"token_path" json:"token_path"`
+}
+
 // Plugin is the main representation of this keymanager plugin
 type Plugin struct {
 	keymanagerv1.UnsafeKeyManagerServer
@@ -188,6 +202,13 @@ func parseAuthMethod(config *Config) (AuthMethod, error) {
 		authMethod = CERT
 	}
 
+	if config.K8sAuth != nil {
+		if err := checkForAuthMethodConfigured(authMethod); err != nil {
+			return 0, err
+		}
+		authMethod = K8S
+	}
+
 	if authMethod != 0 {
 		return authMethod, nil
 	}
@@ -222,6 +243,16 @@ func (p *Plugin) genClientParams(method AuthMethod, config *Config) (*ClientPara
 		cp.CertAuthRoleName = config.CertAuth.CertAuthRoleName
 		cp.ClientCertPath = p.getEnvOrDefault(envVaultClientCert, config.CertAuth.ClientCertPath)
 		cp.ClientKeyPath = p.getEnvOrDefault(envVaultClientKey, config.CertAuth.ClientKeyPath)
+	case K8S:
+		if config.K8sAuth.K8sAuthRoleName == "" {
+			return nil, status.Error(codes.InvalidArgument, "k8s_auth_role_name is required")
+		}
+		if config.K8sAuth.TokenPath == "" {
+			return nil, status.Error(codes.InvalidArgument, "token_path is required")
+		}
+		cp.K8sAuthMountPoint = config.K8sAuth.K8sAuthMountPoint
+		cp.K8sAuthRoleName = config.K8sAuth.K8sAuthRoleName
+		cp.K8sAuthTokenPath = config.K8sAuth.TokenPath
 	}
 
 	return cp, nil

pkg/server/plugin/keymanager/hashicorpvault/testdata/k8s/signing-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEnwIBAAKCAQAwrCHZ8ldBNltOjJTUMWopdAuHGcxuPUsTjdaoZL71q6YC8TbD
+cD5aFX152g17tfSHbukr53YD+0TfrDcL/vdSt7Acs5FUHK1ULcuzGvhXx2rUiosW
+Zk8Nc99gjwHXOV3DoUBVk04edXo7SMmVKPiYemwm0XvSoBhU3NpnBGJ/DQq7TG+W
+wFIaxbURpVxpUP2oWZRebUuQgund8Pjh6kxUkX6XcFH+0y4+wMDV3YdLTuFTYwEc
+q/XqdUIEasc1lPT7CwwAlxR+jQTKGnDji6KQerSiktwOUjBpQVb/j/m2+53suhju
+XHLUcId2x9yfe73kTTMcYsQ4woEHt9xGRniJAgMBAAECggEAKC5y49LFZfjR+E7m
+ryb8VayPt8D8nCXNzR7Tj8FcRMSoENXCOCZ50zTambYCW5cjgIt3w98Z9r+BZIZw
+C186Hve2VHuKBr6F+XC1Me+aBh2DfGPD34Im0RxP1Q86ncumNNLyobMyUsL5XegB
+QzrHwFmQ35shdgjlDWomg9WC2w/Y2P6zLpbua/lZNBBo3ISXdU1EZNdCl6cJct5N
+Q9bbr6PJrL1JdQIC8fA0c1MXiN5XCAaVqSuxlLqiTVrNcTPweJb4iHbvgNf7pvwT
+kPEH/10dQirdtjFPR8+WmihES8lIWBcqqemB/dpDoLpjyTo3ZcLODKQiE4o0gLyu
+Mw+C4QKBgHOXDRwH/7rxif4S+ngxcJS1OKigfHbf0JLdEVX6X6y5QkGZAd9c3hgP
+FbroBx0XXohrLaXcaDVAx8DpylPum2NuibsTg/HUToc9FxH5PXYYp15Thjai2KJ0
+zMjV/Z3DuzJ8465Cv0QL7kuCalgilEU01F03zVaIgnm1ZBjZyAtfAoGAa8u/x6C4
+9VNdYSgIhDzPPmTaxWy6jWFZV5mcmRckHqYGQFw8c9VFCFA07endetbn+3SniDi5
+ujnNV+HStLTHq5uv1QkqCWFXc8B06vKcfLbwsHCzPOcRz7NHGfICQpHKo64R+/un
+RWJv1KO1u0gvMy/4/OJXDYFn2YsZ5CFKbRcCgYBXXIav9Ou24u8kdDuRs+weuIjG
+CeWIAsik9ygvDzhYVvxYj8f2hT3meSA3Tz5xIkR0Xmz1uouYFAnlJ82fees/T0AR
+gEJs98USOX3CO9nT8/YrOH1rtdB9mEFeWT2Bi3lkQzfhcNkWGN5Ve4/cZOYjGDaY
+7Z/oEuxqCEpK7e5fiQKBgAqQ9kODJZ4mhci4O916eHYNPMSNW9vv5uoHTKpU8l1u
+uL4mTGauSQ3/jrCjc+pOln63eJSJuureL5qlsBm2frv7jsi7FTvGJuRZwRwmm+A9
+rmodIfSeUciiMh4A8ufDkrFopqqkiEjs1Tlqsq2g7b9+vFFNfmr8fEl+sRMDkGAR
+AoGACfGod8qGIMX8gxRiLGPVK98wJAJhlLxeVztoSP3pQbpyf+GU7r+Nf8DyzhE5
+xomJ1aF25lBMSGSo74QZgIpFxcNKbR+9zcYpzsSJfq9vIktvgLYPn9g7GDr1rWMi
+r8G7GT0udgiJIODc7JFGuBDid4iwlHQZdCFmot3gfBbpsJk=
+-----END RSA PRIVATE KEY-----

pkg/server/plugin/keymanager/hashicorpvault/testdata/k8s/token

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsImtpZCI6Ik1ZWTNhcmZRaWVTRzlrR3Y0NE5JSEpmWHB6aUswVFRibFBQQ3ZjN1ZFX0UifQ.eyJhdWQiOlsiYXBpIiwic3BpcmUtc2VydmVyIl0sImV4cCI6NDgxMDQxMzg1MywiaWF0IjoxNjIzMjA0MjUzLCJpc3MiOiJodHRwczovL2t1YmVybmV0ZXMiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6InNwaXJlIiwicG9kIjp7Im5hbWUiOiJzcGlyZS1zZXJ2ZXItMCIsInVpZCI6ImY5MDIzNzAyLWY0ZWQtNGVkOS1hYjQwLWJjNjkxNDJhYTlhNiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoic3BpcmUtc2VydmVyIiwidWlkIjoiNjgwOGI0YzctMGI1My00NWY0LTgzZjctZTg5Mzc3NTZlZWFlIn19LCJuYmYiOjE2MjMyMDQyNTMsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpzcGlyZTpzcGlyZS1zZXJ2ZXIifQ.G_dFjt8NzCFq-_QRm8Kbvq4Lt2iJN7Eos57k82aj2dS4TEMkefc2D07MLG4Sur3f2TYZ0xt51Cp3tCKaH8trUyS7sM07_gPO1GLtj-sAKgiRSjrbLPh2Du_J7Rapb42CN77Nb9EhZcc-B1zSg-J56Ypnl54M4UDotbYxIdHEHNvVWQf4KPP2X2IX47b_7Osm1p1jE3p086F6xSA3iDTIIpa6c1Ch3EzjXPK7XgdEDaVpI0TyrO2r2wBeVDTXSO0E8GWzSnaMnAPzypmdSK7jhD0bpF1SClLTC7PCbkqF6K9C-dQM0F-QWoM1hPMTJGG5bQy_xtQS6PT_b-uPUYNpzA

pkg/server/plugin/keymanager/hashicorpvault/vault_client_test.go

@@ -330,6 +330,112 @@ func TestNewAuthenticatedClientCertAuthFailed(t *testing.T) {
 	spiretest.RequireGRPCStatusHasPrefix(t, err, codes.Unauthenticated, "authentication failed auth/cert/login: Error making API request.")
 }
 
+func TestNewAuthenticatedClientK8sAuth(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.K8sAuthResponseCode = 200
+	for _, tt := range []struct {
+		name      string
+		response  []byte
+		renew     bool
+		namespace string
+	}{
+		{
+			name:     "K8s Authentication success / Token is renewable",
+			response: []byte(testK8sAuthResponse),
+			renew:    true,
+		},
+		{
+			name:     "K8s Authentication success / Token is not renewable",
+			response: []byte(testK8sAuthResponseNotRenewable),
+		},
+		{
+			name:      "K8s Authentication success / Token is renewable / Namespace is given",
+			response:  []byte(testK8sAuthResponse),
+			renew:     true,
+			namespace: "test-ns",
+		},
+	} {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			fakeVaultServer.K8sAuthResponse = tt.response
+
+			s, addr, err := fakeVaultServer.NewTLSServer()
+			require.NoError(t, err)
+
+			s.Start()
+			defer s.Close()
+
+			cp := &ClientParams{
+				VaultAddr:        fmt.Sprintf("https://%v/", addr),
+				Namespace:        tt.namespace,
+				CACertPath:       testRootCert,
+				K8sAuthRoleName:  "my-role",
+				K8sAuthTokenPath: "testdata/k8s/token",
+			}
+			cc, err := NewClientConfig(cp, hclog.Default())
+			require.NoError(t, err)
+
+			renewCh := make(chan struct{})
+			client, err := cc.NewAuthenticatedClient(K8S, renewCh)
+			require.NoError(t, err)
+
+			select {
+			case <-renewCh:
+				require.Equal(t, false, tt.renew)
+			default:
+				require.Equal(t, true, tt.renew)
+			}
+
+			if cp.Namespace != "" {
+				headers := client.vaultClient.Headers()
+				require.Equal(t, cp.Namespace, headers.Get(consts.NamespaceHeaderName))
+			}
+		})
+	}
+}
+
+func TestNewAuthenticatedClientK8sAuthFailed(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.K8sAuthResponseCode = 500
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	retry := 0 // Disable retry
+	cp := &ClientParams{
+		MaxRetries:       &retry,
+		VaultAddr:        fmt.Sprintf("https://%v/", addr),
+		CACertPath:       testRootCert,
+		K8sAuthRoleName:  "my-role",
+		K8sAuthTokenPath: "testdata/k8s/token",
+	}
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	_, err = cc.NewAuthenticatedClient(K8S, renewCh)
+	spiretest.RequireGRPCStatusHasPrefix(t, err, codes.Unauthenticated, "authentication failed auth/kubernetes/login: Error making API request.")
+}
+
+func TestNewAuthenticatedClientK8sAuthInvalidPath(t *testing.T) {
+	retry := 0 // Disable retry
+	cp := &ClientParams{
+		MaxRetries:       &retry,
+		VaultAddr:        "https://example.org:8200",
+		CACertPath:       testRootCert,
+		K8sAuthTokenPath: "invalid/k8s/token",
+	}
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	_, err = cc.NewAuthenticatedClient(K8S, renewCh)
+	spiretest.RequireGRPCStatusHasPrefix(t, err, codes.Internal, "failed to read k8s service account token:")
+}
+
 func TestRenewTokenFailed(t *testing.T) {
 	fakeVaultServer := newFakeVaultServer()
 	fakeVaultServer.LookupSelfResponse = []byte(testLookupSelfResponseShortTTL)

pkg/server/plugin/keymanager/hashicorpvault/vault_fake_test.go

@@ -211,6 +211,61 @@ var (
     "renewable": false
   }
 }`
+
+	testK8sAuthResponse = `{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "s.scngmDktKCWVRhkggMiyV7E7",
+    "accessor": "",
+    "policies": ["default"],
+    "token_policies": ["default"],
+    "metadata": {
+      "role": "my-role",
+      "service_account_name": "spire-server",
+      "service_account_namespace": "spire",
+      "service_account_secret_name": "",
+      "service_account_uid": "6808b4c7-0b53-45f4-83f7-e8937756eeae"
+    },
+    "lease_duration": 3600,
+    "renewable": true,
+    "entity_id": "c69a6e0e-3f2c-98a0-39f9-e4d3d7cc294f",
+    "token_type": "service",
+    "orphan": true
+  }
+}
+`
+
+	testK8sAuthResponseNotRenewable = `{
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": null,
+  "wrap_info": null,
+  "warnings": null,
+  "auth": {
+    "client_token": "b.AAAAAQIUprvfquccAKnvL....",
+    "accessor": "",
+    "policies": ["default"],
+    "token_policies": ["default"],
+    "metadata": {
+      "role": "my-role",
+      "service_account_name": "spire-server",
+      "service_account_namespace": "spire",
+      "service_account_secret_name": "",
+      "service_account_uid": "6808b4c7-0b53-45f4-83f7-e8937756eeae"
+    },
+    "lease_duration": 3600,
+    "renewable": false,
+    "entity_id": "c69a6e0e-3f2c-98a0-39f9-e4d3d7cc294f",
+    "token_type": "batch",
+    "orphan": true
+  }
+}`
 )
 
 type FakeVaultServerConfig struct {