add use_annotations_as_alias_metadata field to auth_kubernetes_config #2213

wants to merge 1 commit into
base: main
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,7 @@ FEATURES:
* Add support for `allowed_kubernetes_namespace_selector` in `vault_kubernetes_secret_backend_role` ([#2180](https://github.com/hashicorp/terraform-provider-vault/pull/2180)).
* Add new data source `vault_namespace`. Requires Vault Enterprise: ([#2208](https://github.com/hashicorp/terraform-provider-vault/pull/2208)).
* Add new data source `vault_namespaces`. Requires Vault Enterprise: ([#2212](https://github.com/hashicorp/terraform-provider-vault/pull/2212)).
* Add `use_annotations_as_alias_metadata` to `vault_kubernetes_auth_backend_config`. Requires Vault 1.16+. ([#2213](https://github.com/hashicorp/terraform-provider-vault/pull/2213)).

IMPROVEMENTS:
* Enable Secrets Sync Association resource to track sync status across all subkeys of a secret. Requires Vault 1.16+ Enterprise. ([#2202](https://github.com/hashicorp/terraform-provider-vault/pull/2202))
Expand Down
1 change: 1 addition & 0 deletions internal/consts/consts.go
Expand Up @@ -399,6 +399,7 @@ const (
FieldTLSMaxVersion = "tls_max_version"
FieldCaseSensitiveNames = "case_sensitive_names"
FieldMaxPageSize = "max_page_size"
FieldUseAnnotationsAsAliasMetadata = "use_annotations_as_alias_metadata"
FieldUserFilter = "userfilter"
FieldDiscoverDN = "discoverdn"
FieldDenyNullBind = "deny_null_bind"
Expand Down
9 changes: 9 additions & 0 deletions vault/data_source_kubernetes_auth_backend_config.go
Expand Up @@ -66,6 +66,12 @@ func kubernetesAuthBackendConfigDataSource() *schema.Resource {
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
consts.FieldUseAnnotationsAsAliasMetadata: {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Optional use annotations from the client token's associated service account as alias metadata for the Vault entity.",
},
},
}
}
Expand Down Expand Up @@ -104,6 +110,9 @@ func kubernetesAuthBackendConfigDataSourceRead(d *schema.ResourceData, meta inte
d.Set(consts.FieldIssuer, resp.Data[consts.FieldIssuer])
d.Set(consts.FieldDisableISSValidation, resp.Data[consts.FieldDisableISSValidation])
d.Set(consts.FieldDisableLocalCAJWT, resp.Data[consts.FieldDisableLocalCAJWT])
if v, ok := resp.Data[consts.FieldUseAnnotationsAsAliasMetadata]; ok {
d.Set(consts.FieldUseAnnotationsAsAliasMetadata, v)
}

return nil
}
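Review bot: The presence check added to kubernetesAuthBackendConfigDataSourceRead drops the error returned by `d.Set`, and because the set is skipped whenever Vault omits the key, a reader of the data source cannot tell an explicit false from "this Vault predates the field". The neighbouring lines ignore the `d.Set` error too, so that part may be a deliberate pattern, but for the new field the resource read's form `if v, ok := resp.Data[consts.FieldUseAnnotationsAsAliasMetadata]; ok { if err := d.Set(consts.FieldUseAnnotationsAsAliasMetadata, v); err != nil { return err } }` keeps the write checked. The schema Description could also carry the requirement the CHANGELOG states, e.g. `Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault 1.16+."`. kubernetesAuthBackendConfigDataSourceRead starts outside the hunk.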
13 changes: 9 additions & 4 deletions vault/data_source_kubernetes_auth_backend_config_test.go
Expand Up @@ -62,6 +62,7 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
issuer := "kubernetes/serviceaccount"
disableIssValidation := true
disableLocalCaJwt := true
useAnnotationsAsAliasMetadata := true

resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
Expand All @@ -70,7 +71,7 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
disableIssValidation, disableLocalCaJwt, false),
disableIssValidation, disableLocalCaJwt, false, useAnnotationsAsAliasMetadata),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -90,10 +91,12 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(disableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(disableLocalCaJwt)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata)),
),
},
{
Config: testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt),
Config: testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt, useAnnotationsAsAliasMetadata),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -113,6 +116,8 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(disableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(disableLocalCaJwt)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata)),
),
},
},
Expand All @@ -128,12 +133,12 @@ data "vault_kubernetes_auth_backend_config" "config" {
}`, testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, kubernetesCAcert), backend)
}

func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string {
func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool, useAnnotationsAsAliasMetadata bool) string {
return fmt.Sprintf(`
%s

data "vault_kubernetes_auth_backend_config" "config" {
backend = "%s"
}`, testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
disableIssValidation, disableLocalCaJwt, false), backend)
disableIssValidation, disableLocalCaJwt, false, useAnnotationsAsAliasMetadata), backend)
}
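Review bot: The check added to the data-source step of TestAccKubernetesAuthBackendConfigDataSource_full asserts `use_annotations_as_alias_metadata` on `vault_kubernetes_auth_backend_config.config`, the managed resource, so the data source's own read of the new field is never verified. The surrounding checks in that step follow the same pattern and look pre-existing, but for the attribute this PR introduces the assertion should target the data source: `resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config", consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata)),`. Setting `useAnnotationsAsAliasMetadata := true` also makes the whole test depend on Vault 1.16+; if the acceptance suite runs against older servers it presumably needs the same version-based skip other 1.16-gated tests use. The test function starts and ends outside the visible hunks.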
28 changes: 28 additions & 0 deletions vault/resource_kubernetes_auth_backend_config.go
Expand Up @@ -82,6 +82,12 @@ func kubernetesAuthBackendConfigResource() *schema.Resource {
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
consts.FieldUseAnnotationsAsAliasMetadata: {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Optional use annotations from the client token's associated service account as alias metadata for the Vault entity.",
},
}
return &schema.Resource{
Create: kubernetesAuthBackendConfigCreate,
Expand Down Expand Up @@ -177,6 +183,11 @@ func kubernetesAuthBackendConfigCreate(d *schema.ResourceData, meta interface{})
if v, ok := d.GetOk(consts.FieldDisableLocalCAJWT); ok {
data[consts.FieldDisableLocalCAJWT] = v
}

if v, ok := d.GetOk(consts.FieldUseAnnotationsAsAliasMetadata); ok {
data[consts.FieldUseAnnotationsAsAliasMetadata] = v
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error writing Kubernetes auth backend config %q: %s", path, err)
Expand Down Expand Up @@ -245,13 +256,26 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e
consts.FieldPEMKeys,
}

optionalParams := []string{
// only supported by Vault 1.16.0 and up
consts.FieldUseAnnotationsAsAliasMetadata,
}

for _, k := range params {
v := resp.Data[k]
if err := d.Set(k, v); err != nil {
return err
}
}

for _, k := range optionalParams {
if v, ok := resp.Data[k]; ok {
if err := d.Set(k, v); err != nil {
return err
}
}
}

return nil
}

Expand Down Expand Up @@ -302,6 +326,10 @@ func kubernetesAuthBackendConfigUpdate(d *schema.ResourceData, meta interface{})
setData(consts.FieldDisableLocalCAJWT, v)
}

if v, ok := d.GetOk(consts.FieldUseAnnotationsAsAliasMetadata); ok {
setData(consts.FieldUseAnnotationsAsAliasMetadata, v)
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error updating Kubernetes auth backend config %q: %s", path, err)
Expand Down
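Review bot: The optionalParams loop in kubernetesAuthBackendConfigRead only calls `d.Set` when the key is present in the response, so against a Vault before 1.16 a configured `use_annotations_as_alias_metadata = true` is sent by Create/Update, presumably ignored by the server, never read back, and remains in state with no drift reported — the operator believes annotation-derived alias metadata is active when it is not. Either gate the field on the provider's Vault-version check in Create/Update and return an error when it is configured against an unsupported server, or in Read set it to false when the key is absent so the next plan surfaces the divergence. The schema Description should also say what enabling this means for identity: service-account annotations become entity alias metadata, so anyone permitted to edit those annotations in the cluster shapes the metadata Vault records for that alias, e.g. `Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault 1.16+; annotations are cluster-controlled data."`. Each of the enclosing functions starts or ends outside its hunk.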
44 changes: 29 additions & 15 deletions vault/resource_kubernetes_auth_backend_config_test.go
Expand Up @@ -82,7 +82,7 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
false, false, false),
false, false, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand Down Expand Up @@ -235,7 +235,7 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
true, true, false),
true, true, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand Down Expand Up @@ -275,7 +275,7 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, oldJWT, oldIssuer,
false, false, false),
false, false, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -301,7 +301,7 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) {
},
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, newJWT, newIssuer,
true, true, false),
true, true, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -326,7 +326,7 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) {
{
// ensure we can set disable_iss_validation to false
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, newJWT, newIssuer,
false, true, false),
false, true, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand Down Expand Up @@ -429,7 +429,7 @@ resource "vault_kubernetes_auth_backend_config" "config" {
}

func testAccKubernetesAuthBackendConfigConfig_full(backend, caCert, jwt, issuer string,
disableIssValidation, disableLocalCaJwt, omitCA bool,
disableIssValidation, disableLocalCaJwt, omitCA, useAnnotationsAsAliasMetadata bool,
) string {
var caConfig string
if !omitCA {
Expand All @@ -451,12 +451,13 @@ resource "vault_kubernetes_auth_backend_config" "config" {
issuer = %q
disable_iss_validation = %t
disable_local_ca_jwt = %t
}`, backend, caConfig, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt)
use_annotations_as_alias_metadata = %t
}`, backend, caConfig, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt, useAnnotationsAsAliasMetadata)

return config
}

func testAccKubernetesAuthBackendConfigConfig_fullUnsetCA(backend, jwt, issuer string, disableIssValidation, disableLocalCaJwt bool) string {
func testAccKubernetesAuthBackendConfigConfig_fullUnsetCA(backend, jwt, issuer string, disableIssValidation, disableLocalCaJwt bool, useAnnotationsAsAliasMetadata bool) string {
config := fmt.Sprintf(`
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
Expand All @@ -471,7 +472,8 @@ resource "vault_kubernetes_auth_backend_config" "config" {
issuer = %q
disable_iss_validation = %t
disable_local_ca_jwt = %t
}`, backend, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt)
use_annotations_as_alis_metadata = %t
}`, backend, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt, useAnnotationsAsAliasMetadata)

return config
}
Expand All @@ -494,7 +496,7 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, "", oldJWT, oldIssuer,
false, false, true),
false, false, true, true),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -516,11 +518,13 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(true)),
),
},
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, oldJWT, oldIssuer,
false, false, false),
false, false, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -542,11 +546,13 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(false)),
),
},
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, "", oldJWT, oldIssuer,
false, false, true),
false, false, true, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -568,11 +574,13 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(false)),
),
},
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, "", oldJWT, oldIssuer,
false, false, false),
false, false, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -594,6 +602,8 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(false)),
),
},
{
Expand All @@ -611,7 +621,7 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
}
},
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, "", oldJWT, oldIssuer,
false, false, false),
false, false, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -633,11 +643,13 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(false)),
),
},
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, oldJWT, oldIssuer,
false, false, false),
false, false, false, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -659,6 +671,8 @@ func TestAccKubernetesAuthBackendConfig_fullInK8sCluster(t *testing.T) {
consts.FieldDisableISSValidation, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(false)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(false)),
),
},
},
Expand Down
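Review bot: testAccKubernetesAuthBackendConfigConfig_fullUnsetCA now renders `use_annotations_as_alis_metadata = %t`, a misspelling of the attribute, so any step using this helper will fail at plan time with an unsupported-argument error; the line should read `use_annotations_as_alias_metadata = %t`. No caller of the changed helper appears in the visible hunks, so the mistake may currently go unexercised, which is itself worth a look. The fullInK8sCluster steps that pass `true` and then `false` usefully cover turning the option back off, but every test in this file now writes the field and so depends on Vault 1.16+, which presumably needs the same version-based skip other 1.16-gated acceptance tests use.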