add vault client k8s auth

client/vault/vautl.go → client/vault/vault.go

@@ -2,14 +2,21 @@ package vault
 
 import (
 	"fmt"
+	"io/ioutil"
 
 	vault "github.com/hashicorp/vault/api"
 	"github.com/spf13/viper"
 )
 
+const (
+	k8sServiceAccountFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
 func NewVaultClient() (*vault.Client, error) {
 	config := vault.DefaultConfig()
-	config.Address = viper.GetString("vault_addr")
+	if config.Address = viper.GetString("vault_addr"); config.Address == "" {
+		return nil, fmt.Errorf("unable to initialize vault client: no vault address defined")
+	}
 
 	client, err := vault.NewClient(config)
 	if err != nil {
@@ -18,6 +25,24 @@ func NewVaultClient() (*vault.Client, error) {
 
 	if token := viper.GetString("vault_token"); token != "" {
 		client.SetToken(token)
+	} else if role := viper.GetString("vault_kube_auth_role"); role != "" {
+		jwt, err := ioutil.ReadFile(k8sServiceAccountFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read k8s service account: %v", err)
+		}
+
+		viper.SetDefault("vault_kube_auth_name", "kubernetes")
+		path := fmt.Sprintf("auth/%s/login", viper.GetString("vault_kube_auth_name"))
+		params := map[string]interface{}{
+			"jwt":  string(jwt),
+			"role": role,
+		}
+		secret, err := client.Logical().Write(path, params)
+		if err != nil {
+			return nil, fmt.Errorf("failed to login with k8s service account: %v", err)
+		}
+
+		client.SetToken(secret.Auth.ClientToken)
 	} else {
 		return nil, fmt.Errorf("unable to initialize vault client: no login method found")
 	}

docs/clients.md

@@ -0,0 +1,23 @@
+# Clients
+
+## Vault Client
+
+Requests against a Vault server are handled by this client. Since most requests need authentication, a Vault token can be defined in the environment or fetched by the client for example with a Kubernetes service account.
+
+**Config**
+| Environment Variable | Type   | Default      | Description                                                                                                                    |
+|----------------------|--------|--------------|--------------------------------------------------------------------------------------------------------------------------------|
+| VAULT_ADDR           | string | --           | see [Vault Environment Variables](https://www.vaultproject.io/docs/commands#environment-variables)                             |
+| VAULT_TOKEN          | string | --           | see [Vault Environment Variables](https://www.vaultproject.io/docs/commands#environment-variables)                             |
+| VAULT_KUBE_AUTH_NAME | string | `kubernetes` | Name of the Kubernetes auth backend mount point, see [Vault Kubernetes Auth](https://www.vaultproject.io/docs/auth/kubernetes) |
+| VAULT_KUBE_AUTH_ROLE | string | --           | Name of the Kubernetes auth backend role, see [Vault Kubernetes Auth](https://www.vaultproject.io/docs/auth/kubernetes)        |
+
+## Redis Client
+
+This client handles Redis requests.
+
+**Config**
+| Environment Variable | Type   | Default          | Description                             |
+|----------------------|--------|------------------|-----------------------------------------|
+| REDIS_ADDR           | string | `localhost:6379` | Host and port of the Redis instance     |
+| REDIS_PASSWORD       | string | --               | An optional password for authentication |

docs/kms.md

@@ -26,7 +26,7 @@ Set `KMS_BACKEND` to `vault`.
 |----------------------|--------|-----------------------------|------------------------|
 | KMS_VAULT_KEY_PATH   | string | `kv/data/terraform-backend` | Path of the key secret |
 
-Make sure that `VAULT_ADDR` and `VAULT_TOKEN` are set properly (see [Vault Environment Variables](https://www.vaultproject.io/docs/commands#environment-variables) for more information).
+Make sure that the [Vault client](clients.md#vault-client) is set up properly.
 
 ## Vault Transit Secrets Engine
 
@@ -42,4 +42,4 @@ Set `KMS_BACKEND` to `transit`.
 | KMS_TRANSIT_ENGINE   | string | `transit`           | Name (mount point) of the Transit secrets engine |
 | KMS_TRANSIT_KEY      | string | `terraform-backend` | Name of the Transit key                          |
 
-Make sure that `VAULT_ADDR` and `VAULT_TOKEN` are set properly (see [Vault Environment Variables](https://www.vaultproject.io/docs/commands#environment-variables) for more information).
+Make sure that the [Vault client](clients.md#vault-client) is set up properly.

docs/lock.md

@@ -16,4 +16,4 @@ This backend uses a external Redis server to lock the states. It's scalable and
 ### Config
 Set `LOCK_BACKEND` to `redis`.
 
-Make sure that `REDIS_ADDR` is set properly (e.g. to `localhost:6379` for a local Redis instance). Optionally `REDIS_PASSWORD` can be set also.
+Make sure that the [Redis client](clients.md#redis-client) is set up properly.

go.mod

@@ -16,70 +16,74 @@ require (
 require (
 	github.com/armon/go-metrics v0.3.10 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
-	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-test/deep v1.0.8 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/uuid v1.1.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.0.0 // indirect
+	github.com/hashicorp/go-hclog v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.4.3 // indirect
-	github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
+	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
-	github.com/hashicorp/go-version v1.2.0 // indirect
+	github.com/hashicorp/go-version v1.4.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
 	github.com/hashicorp/vault/sdk v0.4.1 // indirect
-	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
+	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.13.5 // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
 	github.com/klauspost/cpuid v1.3.1 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/minio/md5-simd v1.1.0 // indirect
 	github.com/minio/sha256-simd v0.1.1 // indirect
-	github.com/mitchellh/copystructure v1.0.0 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
-	github.com/mitchellh/reflectwalk v1.0.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/oklog/run v1.0.0 // indirect
+	github.com/oklog/run v1.1.0 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
-	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
+	github.com/rogpeppe/go-internal v1.6.2 // indirect
 	github.com/rs/xid v1.2.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.2.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
-	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.0.0-20211210111614-af8b64212486 // indirect
+	golang.org/x/sys v0.0.0-20220207234003-57398862261d // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
+	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.43.0 // indirect
+	google.golang.org/genproto v0.0.0-20220207185906-7721543eae58 // indirect
+	google.golang.org/grpc v1.44.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )