2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 18:39:22 +00:00
|
|
|
|
2023-03-02 22:05:40 +00:00
|
|
|
package ca
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"os"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
)
|
|
|
|
|
|
|
|
func NewK8sAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
|
|
|
|
params := authMethod.Params
|
|
|
|
role, ok := params["role"].(string)
|
|
|
|
if !ok || strings.TrimSpace(role) == "" {
|
|
|
|
return nil, fmt.Errorf("missing 'role' value")
|
|
|
|
}
|
|
|
|
// don't check for `token_path` as it is optional
|
|
|
|
|
|
|
|
authClient := NewVaultAPIAuthClient(authMethod, "")
|
|
|
|
// Note the `jwt` can be passed directly in the authMethod as a Param value
|
|
|
|
// is a freeform map in the config where they could hardcode it.
|
|
|
|
if legacyCheck(params, "jwt") {
|
|
|
|
return authClient, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
authClient.LoginDataGen = K8sLoginDataGen
|
|
|
|
return authClient, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func K8sLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
|
|
|
|
params := authMethod.Params
|
|
|
|
role := params["role"].(string)
|
|
|
|
|
|
|
|
// read token from file on path
|
|
|
|
tokenPath, ok := params["token_path"].(string)
|
|
|
|
if !ok || strings.TrimSpace(tokenPath) == "" {
|
|
|
|
tokenPath = defaultK8SServiceAccountTokenPath
|
|
|
|
}
|
|
|
|
rawToken, err := os.ReadFile(tokenPath)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return map[string]any{
|
|
|
|
"role": role,
|
|
|
|
"jwt": strings.TrimSpace(string(rawToken)),
|
|
|
|
}, nil
|
|
|
|
}
|