diff --git a/vault/data_source_kubernetes_auth_backend_config.go b/vault/data_source_kubernetes_auth_backend_config.go index b790a8248..d9cdf4a51 100644 --- a/vault/data_source_kubernetes_auth_backend_config.go +++ b/vault/data_source_kubernetes_auth_backend_config.go @@ -49,6 +49,18 @@ func kubernetesAuthBackendConfigDataSource() *schema.Resource { Optional: true, Description: "Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.", }, + "disable_iss_validation": { + Type: schema.TypeBool, + Computed: true, + Optional: true, + Description: "Optional disable JWT issuer validation. Allows to skip ISS validation.", + }, + "disable_local_ca_jwt": { + Type: schema.TypeBool, + Computed: true, + Optional: true, + Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.", + }, }, } } @@ -81,8 +93,9 @@ func kubernetesAuthBackendConfigDataSourceRead(d *schema.ResourceData, meta inte } d.Set("pem_keys", pemKeys) - d.Set("issuer", resp.Data["issuer"]) + d.Set("disable_iss_validation", resp.Data["disable_iss_validation"]) + d.Set("disable_local_ca_jwt", resp.Data["disable_local_ca_jwt"]) return nil } diff --git a/vault/data_source_kubernetes_auth_backend_config_test.go b/vault/data_source_kubernetes_auth_backend_config_test.go index b1f5accba..c21c88ecf 100644 --- a/vault/data_source_kubernetes_auth_backend_config_test.go +++ b/vault/data_source_kubernetes_auth_backend_config_test.go @@ -2,6 +2,7 @@ package vault import ( "fmt" + "strconv" "testing" "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" @@ -53,6 +54,8 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) { backend := acctest.RandomWithPrefix("kubernetes") jwt := kubernetesJWT issuer := "kubernetes/serviceaccount" + disableIssValidation := true + disableLocalCaJwt := true resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
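Review bot: In the data-source schema hunk (`@@ -49,6 +49,18 @@`) both `disable_iss_validation` and `disable_local_ca_jwt` are declared `Optional: true`, but the data source only reads these values back from Vault and `kubernetesAuthBackendConfigDataSourceRead` never consults them, so anything a user sets there is silently ignored; drop `Optional: true` and keep them `Computed: true` only, as read-only attributes. The Description also reads as a feature rather than a weakened check — something like `Description: "Whether the backend skips validation of the JWT issuer (iss) claim on service account tokens."` tells the reader what is being turned off. The same Description wording is repeated in the resource schema, so keep the two in sync.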
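Review bot: The data-source read hunk (`@@ -81,8 +93,9 @@`, 8 old lines to 9 new) appears in this rendering to remove `d.Set("issuer", resp.Data["issuer"])` while adding the two new `d.Set` calls; if the `-` really belongs to that line rather than to a blank line lost in the collapsed diff, the data source stops exporting `issuer` even though its schema in the first hunk still declares it. Please confirm the removed line is only whitespace. Note the data-source test cannot catch this, because its `issuer` check is written against the resource address `vault_kubernetes_auth_backend_config.config` rather than `data.vault_kubernetes_auth_backend_config.config`.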
@@ -60,7 +63,7 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer), + Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -76,10 +79,14 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) { "pem_keys.0", kubernetesPEMfile), resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", issuer), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_iss_validation", strconv.FormatBool(disableIssValidation)), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)), ), }, { - Config: testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt, issuer), + Config: testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -95,6 +102,10 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) { "pem_keys.0", kubernetesPEMfile), resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", issuer), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_iss_validation", strconv.FormatBool(disableIssValidation)), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)), ), }, }, 
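Review bot: The two checks added to the data-source step of `TestAccKubernetesAuthBackendConfigDataSource_full` (`@@ -95,6 +102,10 @@`) assert on `vault_kubernetes_auth_backend_config.config`, the managed resource, so the data source's new `disable_iss_validation` and `disable_local_ca_jwt` attributes are never verified and the corresponding `d.Set` calls in the data source could be wrong or missing without this test failing. Point them at the data source address: `resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config", "disable_iss_validation", strconv.FormatBool(disableIssValidation)),` and the same for `disable_local_ca_jwt`. The pre-existing `issuer` check in that step has the same problem; fixing it while you are there would make the step actually test the data source.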
@@ -110,11 +121,11 @@ data "vault_kubernetes_auth_backend_config" "config" { }`, testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt), backend) } -func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string) string { +func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string { return fmt.Sprintf(` %s data "vault_kubernetes_auth_backend_config" "config" { backend = "%s" -}`, testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer), backend) +}`, testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), backend) } diff --git a/vault/resource_kubernetes_auth_backend_config.go b/vault/resource_kubernetes_auth_backend_config.go index 776723f93..c590b6c1d 100644 --- a/vault/resource_kubernetes_auth_backend_config.go +++ b/vault/resource_kubernetes_auth_backend_config.go @@ -66,6 +66,18 @@ func kubernetesAuthBackendConfigResource() *schema.Resource { Optional: true, Description: "Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.", }, + "disable_iss_validation": { + Type: schema.TypeBool, + Computed: true, + Optional: true, + Description: "Optional disable JWT issuer validation. Allows to skip ISS validation.", + }, + "disable_local_ca_jwt": { + Type: schema.TypeBool, + Computed: true, + Optional: true, + Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.", + }, }, } } 
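Review bot: In the resource schema hunk `disable_iss_validation` is `Optional: true, Computed: true` with no `Default`, so once a user has set it to `true` and later deletes the line from their configuration, Terraform keeps the state value and plans no change — issuer validation stays disabled in Vault with nothing in the config showing it. For a flag that weakens token verification the secure default should win on omission: `Default: false,` in place of `Computed: true,` (and likewise for `disable_local_ca_jwt`, whose omission would then re-enable the in-pod CA/JWT defaulting described in its own Description). If `Computed` was chosen so that older Vault versions, which omit these keys from the read response, do not produce a perpetual diff, say so in a comment above the field; I would expect `d.Set` of a missing key to yield `false` either way, but that is worth confirming against the targeted SDK.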
@@ -104,6 +116,14 @@ func kubernetesAuthBackendConfigCreate(d *schema.ResourceData, meta interface{}) if v, ok := d.GetOk("issuer"); ok { data["issuer"] = v.(string) } + + if v, ok := d.GetOk("disable_iss_validation"); ok { + data["disable_iss_validation"] = v + } + + if v, ok := d.GetOk("disable_local_ca_jwt"); ok { + data["disable_local_ca_jwt"] = v + } _, err := client.Logical().Write(path, data) if err != nil { return fmt.Errorf("error writing Kubernetes auth backend config %q: %s", path, err) @@ -155,6 +175,8 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e d.Set("kubernetes_host", resp.Data["kubernetes_host"]) d.Set("kubernetes_ca_cert", resp.Data["kubernetes_ca_cert"]) d.Set("issuer", resp.Data["issuer"]) + d.Set("disable_iss_validation", resp.Data["disable_iss_validation"]) + d.Set("disable_local_ca_jwt", resp.Data["disable_local_ca_jwt"]) iPemKeys := resp.Data["pem_keys"].([]interface{}) pemKeys := make([]string, 0, len(iPemKeys)) @@ -197,6 +219,14 @@ func kubernetesAuthBackendConfigUpdate(d *schema.ResourceData, meta interface{}) data["issuer"] = v.(string) } + if v, ok := d.GetOk("disable_iss_validation"); ok { + data["disable_iss_validation"] = v + } + + if v, ok := d.GetOk("disable_local_ca_jwt"); ok { + data["disable_local_ca_jwt"] = v + } + _, err := client.Logical().Write(path, data) if err != nil { return fmt.Errorf("error updating Kubernetes auth backend config %q: %s", path, err) diff --git a/vault/resource_kubernetes_auth_backend_config_test.go b/vault/resource_kubernetes_auth_backend_config_test.go index ea675d2a7..d5a1a8f23 100644 --- a/vault/resource_kubernetes_auth_backend_config_test.go +++ b/vault/resource_kubernetes_auth_backend_config_test.go @@ -2,6 +2,7 @@ package vault import ( "fmt" + "strconv" "testing" "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" 
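Review bot: In `kubernetesAuthBackendConfigUpdate` (hunk `@@ -197,6 +219,14 @@`) the new fields are copied with `if v, ok := d.GetOk("disable_iss_validation"); ok`, and `GetOk` reports `ok == false` for a bool whose value is `false`, so an explicit `disable_iss_validation = false` is never written to Vault; the create hunk uses the same pattern. On an update from `true` back to `false` the request therefore omits the key, and whether issuer validation is actually re-enabled depends on the Vault endpoint treating an absent field as `false` on a full config write — I believe the plugin does, but the provider should not lean on that for a setting that restores a security check. Send the value unconditionally, `data["disable_iss_validation"] = d.Get("disable_iss_validation").(bool)`, or use `d.GetOkExists` if the key must stay absent for pre-1.5.4 servers, and leave a comment explaining the choice. The bodies of both functions start and end outside these hunks.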
@@ -64,6 +65,8 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) { backend := acctest.RandomWithPrefix("kubernetes") jwt := kubernetesJWT issuer := "kubernetes/serviceaccount" + disableIssValidation := false + disableLocalCaJwt := false resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -71,7 +74,7 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer), + Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -87,6 +90,10 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) { "pem_keys.#", "1"), resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", issuer), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_iss_validation", strconv.FormatBool(disableIssValidation)), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)), ), }, { @@ -208,6 +215,8 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) { backend := acctest.RandomWithPrefix("kubernetes") jwt := kubernetesJWT issuer := "api" + disableIssValidation := true + disableLocalCaJwt := true resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -215,7 +224,7 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer), + Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -231,6 +240,10 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) { "pem_keys.0", kubernetesPEMfile), resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", "api"), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_iss_validation", strconv.FormatBool(disableIssValidation)), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)), ), }, }, @@ -243,6 +256,10 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) { newJWT := kubernetesAnotherJWT oldIssuer := "kubernetes/serviceaccount" newIssuer := "api" + oldDisableIssValidation := false + newDisableIssValidation := true + oldDisableLocalCaJwt := false + newDisableLocalCaJwt := true resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -250,7 +267,7 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_full(backend, oldJWT, oldIssuer), + Config: testAccKubernetesAuthBackendConfigConfig_full(backend, oldJWT, oldIssuer, oldDisableIssValidation, oldDisableLocalCaJwt), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), 
@@ -266,10 +283,16 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) { "pem_keys.0", kubernetesPEMfile), resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", oldIssuer), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "issuer", oldIssuer), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_iss_validation", strconv.FormatBool(oldDisableIssValidation)), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_local_ca_jwt", strconv.FormatBool(oldDisableLocalCaJwt)), ), }, { - Config: testAccKubernetesAuthBackendConfigConfig_full(backend, newJWT, newIssuer), + Config: testAccKubernetesAuthBackendConfigConfig_full(backend, newJWT, newIssuer, newDisableIssValidation, newDisableLocalCaJwt), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -285,6 +308,10 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) { "pem_keys.0", kubernetesPEMfile), resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", newIssuer), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_iss_validation", strconv.FormatBool(newDisableIssValidation)), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "disable_local_ca_jwt", strconv.FormatBool(newDisableLocalCaJwt)), ), }, }, @@ -306,7 +333,7 @@ resource "vault_kubernetes_auth_backend_config" "config" { }`, backend, kubernetesCAcert, jwt) } -func testAccKubernetesAuthBackendConfigConfig_full(backend, jwt string, issuer string) string { +func testAccKubernetesAuthBackendConfigConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string { return fmt.Sprintf(` resource "vault_auth_backend" "kubernetes" { type = "kubernetes" 
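Review bot: The first step of `TestAccKubernetesAuthBackendConfig_fullUpdate` now asserts `issuer` twice — the added `resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "issuer", oldIssuer),` directly follows an identical existing check and should be dropped. More importantly, the update is only exercised from `false` to `true`; add a third step that returns to `oldDisableIssValidation`/`oldDisableLocalCaJwt` and asserts `"false"` for both attributes. The create/update code only emits these fields when `d.GetOk` sees a non-zero value, so the transition back to the secure default is exactly the direction most likely to silently fail to propagate to Vault, and it is currently untested.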
@@ -320,5 +347,7 @@ resource "vault_kubernetes_auth_backend_config" "config" { token_reviewer_jwt = %q pem_keys = [%q] issuer = %q -}`, backend, kubernetesCAcert, jwt, kubernetesPEMfile, issuer) + disable_iss_validation = %t + disable_local_ca_jwt = %t +}`, backend, kubernetesCAcert, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt) } diff --git a/website/docs/r/kubernetes_auth_backend_config.md b/website/docs/r/kubernetes_auth_backend_config.md index f03915d57..c3622becc 100644 --- a/website/docs/r/kubernetes_auth_backend_config.md +++ b/website/docs/r/kubernetes_auth_backend_config.md @@ -20,11 +20,12 @@ resource "vault_auth_backend" "kubernetes" { } resource "vault_kubernetes_auth_backend_config" "example" { - backend = "${vault_auth_backend.kubernetes.path}" - kubernetes_host = "http://example.com:443" - kubernetes_ca_cert = "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----" - token_reviewer_jwt = "ZXhhbXBsZQo=" - issuer = "api" + backend = "${vault_auth_backend.kubernetes.path}" + kubernetes_host = "http://example.com:443" + kubernetes_ca_cert = "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----" + token_reviewer_jwt = "ZXhhbXBsZQo=" + issuer = "api" + disable_iss_validation = "true" } ``` 
@@ -40,7 +41,12 @@ The following arguments are supported: * `pem_keys` - (Optional) List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. -* `issuer` - Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. +* `issuer` - Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. + +* `disable_iss_validation` - (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + +* `disable_local_ca_jwt` - (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + ## Attributes Reference