
[k8s auth backend confiugration] Introduce disable_iss_validation and disable_local_ca_jwt params #870

Merged
merged 4 commits into from
Oct 8, 2020
Merged
15 changes: 14 additions & 1 deletion vault/data_source_kubernetes_auth_backend_config.go
Expand Up @@ -49,6 +49,18 @@ func kubernetesAuthBackendConfigDataSource() *schema.Resource {
Optional: true,
Description: "Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.",
},
"disable_iss_validation": {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Optional disable JWT issuer validation. Allows to skip ISS validation.",
},
"disable_local_ca_jwt": {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
},
}
}
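Review bot: The new `Description` strings for `disable_iss_validation` and `disable_local_ca_jwt` neither say which check the flag switches off nor which server version supports it, and the wording "Optional disable JWT issuer validation. Allows to skip ISS validation." is hard to read. The docs hunk in website/docs/r/kubernetes_auth_backend_config.md already states the version requirement, so the schema should carry it as well, e.g. `Description: "Disable validation of the JWT issuer (iss) claim. Requires Vault 1.5.4+ or the kubernetes auth plugin 0.7.1+.",` and `Description: "Disable defaulting to the local CA certificate and service account JWT when Vault runs in a Kubernetes pod. Requires Vault 1.5.4+ or the kubernetes auth plugin 0.7.1+.",`. The same two descriptions are duplicated in the schema hunk of vault/resource_kubernetes_auth_backend_config.go and should be kept identical there. kubernetesAuthBackendConfigDataSource starts before this hunk.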
Expand Down Expand Up @@ -81,8 +93,9 @@ func kubernetesAuthBackendConfigDataSourceRead(d *schema.ResourceData, meta inte
}

d.Set("pem_keys", pemKeys)

d.Set("issuer", resp.Data["issuer"])
d.Set("disable_iss_validation", resp.Data["disable_iss_validation"])
d.Set("disable_local_ca_jwt", resp.Data["disable_local_ca_jwt"])

return nil
}
19 changes: 15 additions & 4 deletions vault/data_source_kubernetes_auth_backend_config_test.go
Expand Up @@ -2,6 +2,7 @@ package vault

import (
"fmt"
"strconv"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
Expand Down Expand Up @@ -53,14 +54,16 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
backend := acctest.RandomWithPrefix("kubernetes")
jwt := kubernetesJWT
issuer := "kubernetes/serviceaccount"
disableIssValidation := true
disableLocalCaJwt := true

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testProviders,
CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy,
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer),
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -76,10 +79,14 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", issuer),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_iss_validation", strconv.FormatBool(disableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)),
),
},
{
Config: testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt, issuer),
Config: testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -95,6 +102,10 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", issuer),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_iss_validation", strconv.FormatBool(disableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)),
),
},
},
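Review bot: The four added check lines for `"disable_iss_validation"` and `"disable_local_ca_jwt"` in the data-source step are asserted against `vault_kubernetes_auth_backend_config.config`, the managed resource, while the step's first check targets `data.vault_kubernetes_auth_backend_config.config`; as written they never verify that the data source actually read the two new attributes. The pre-existing `issuer` check just above them carries the same wrong address, which the new lines appear to have copied. The added lines should use `"data.vault_kubernetes_auth_backend_config.config",` as the resource address. TestAccKubernetesAuthBackendConfigDataSource_full starts and ends outside this hunk.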
Expand All @@ -110,11 +121,11 @@ data "vault_kubernetes_auth_backend_config" "config" {
}`, testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt), backend)
}

func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string) string {
func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string {
return fmt.Sprintf(`
%s

data "vault_kubernetes_auth_backend_config" "config" {
backend = "%s"
}`, testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer), backend)
}`, testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), backend)
}
30 changes: 30 additions & 0 deletions vault/resource_kubernetes_auth_backend_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,18 @@ func kubernetesAuthBackendConfigResource() *schema.Resource {
Optional: true,
Description: "Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.",
},
"disable_iss_validation": {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Optional disable JWT issuer validation. Allows to skip ISS validation.",
},
"disable_local_ca_jwt": {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
},
}
}
Expand Down Expand Up @@ -104,6 +116,14 @@ func kubernetesAuthBackendConfigCreate(d *schema.ResourceData, meta interface{})
if v, ok := d.GetOk("issuer"); ok {
data["issuer"] = v.(string)
}

if v, ok := d.GetOk("disable_iss_validation"); ok {
data["disable_iss_validation"] = v
}

if v, ok := d.GetOk("disable_local_ca_jwt"); ok {
data["disable_local_ca_jwt"] = v
}
_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error writing Kubernetes auth backend config %q: %s", path, err)
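Review bot: `d.GetOk` on the two new TypeBool fields reports `ok == false` for an explicit `false`, so a user who sets `disable_iss_validation = false` to re-enable issuer validation after it had been disabled has nothing sent for that key in the `client.Logical().Write(path, data)` call; whether Vault then resets the flag or keeps the stored value depends on how the server treats omitted fields, which this hunk cannot show. Because the field is a plain bool whose documented default is false, sending it unconditionally is simpler and removes the ambiguity: `data["disable_iss_validation"] = d.Get("disable_iss_validation").(bool)` and `data["disable_local_ca_jwt"] = d.Get("disable_local_ca_jwt").(bool)`. That also matches the typed assertion used for `issuer` (`v.(string)`) instead of storing the untyped `v`. The same pattern is repeated in kubernetesAuthBackendConfigUpdate in the last hunk of this file; kubernetesAuthBackendConfigCreate starts and ends outside this hunk.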
Expand Down Expand Up @@ -155,6 +175,8 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e
d.Set("kubernetes_host", resp.Data["kubernetes_host"])
d.Set("kubernetes_ca_cert", resp.Data["kubernetes_ca_cert"])
d.Set("issuer", resp.Data["issuer"])
d.Set("disable_iss_validation", resp.Data["disable_iss_validation"])
d.Set("disable_local_ca_jwt", resp.Data["disable_local_ca_jwt"])

iPemKeys := resp.Data["pem_keys"].([]interface{})
pemKeys := make([]string, 0, len(iPemKeys))
Expand Down Expand Up @@ -197,6 +219,14 @@ func kubernetesAuthBackendConfigUpdate(d *schema.ResourceData, meta interface{})
data["issuer"] = v.(string)
}

if v, ok := d.GetOk("disable_iss_validation"); ok {
data["disable_iss_validation"] = v
}

if v, ok := d.GetOk("disable_local_ca_jwt"); ok {
data["disable_local_ca_jwt"] = v
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error updating Kubernetes auth backend config %q: %s", path, err)
41 changes: 35 additions & 6 deletions vault/resource_kubernetes_auth_backend_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package vault

import (
"fmt"
"strconv"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
Expand Down Expand Up @@ -64,14 +65,16 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) {
backend := acctest.RandomWithPrefix("kubernetes")
jwt := kubernetesJWT
issuer := "kubernetes/serviceaccount"
disableIssValidation := false
disableLocalCaJwt := false

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testProviders,
CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy,
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer),
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -87,6 +90,10 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) {
"pem_keys.#", "1"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", issuer),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_iss_validation", strconv.FormatBool(disableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)),
),
},
{
Expand Down Expand Up @@ -208,14 +215,16 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
backend := acctest.RandomWithPrefix("kubernetes")
jwt := kubernetesJWT
issuer := "api"
disableIssValidation := true
disableLocalCaJwt := true

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testProviders,
CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy,
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer),
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -231,6 +240,10 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", "api"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_iss_validation", strconv.FormatBool(disableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)),
),
},
},
Expand All @@ -243,14 +256,18 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) {
newJWT := kubernetesAnotherJWT
oldIssuer := "kubernetes/serviceaccount"
newIssuer := "api"
oldDisableIssValidation := false
newDisableIssValidation := true
oldDisableLocalCaJwt := false
newDisableLocalCaJwt := true

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testProviders,
CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy,
Steps: []resource.TestStep{
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, oldJWT, oldIssuer),
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, oldJWT, oldIssuer, oldDisableIssValidation, oldDisableLocalCaJwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -266,10 +283,16 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) {
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", oldIssuer),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", oldIssuer),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_iss_validation", strconv.FormatBool(oldDisableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_local_ca_jwt", strconv.FormatBool(oldDisableLocalCaJwt)),
),
},
{
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, newJWT, newIssuer),
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, newJWT, newIssuer, newDisableIssValidation, newDisableLocalCaJwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
Expand All @@ -285,6 +308,10 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) {
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"issuer", newIssuer),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_iss_validation", strconv.FormatBool(newDisableIssValidation)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"disable_local_ca_jwt", strconv.FormatBool(newDisableLocalCaJwt)),
),
},
},
Expand All @@ -306,7 +333,7 @@ resource "vault_kubernetes_auth_backend_config" "config" {
}`, backend, kubernetesCAcert, jwt)
}

func testAccKubernetesAuthBackendConfigConfig_full(backend, jwt string, issuer string) string {
func testAccKubernetesAuthBackendConfigConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string {
return fmt.Sprintf(`
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
Expand All @@ -320,5 +347,7 @@ resource "vault_kubernetes_auth_backend_config" "config" {
token_reviewer_jwt = %q
pem_keys = [%q]
issuer = %q
}`, backend, kubernetesCAcert, jwt, kubernetesPEMfile, issuer)
disable_iss_validation = %t
disable_local_ca_jwt = %t
}`, backend, kubernetesCAcert, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt)
}
18 changes: 12 additions & 6 deletions website/docs/r/kubernetes_auth_backend_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,12 @@ resource "vault_auth_backend" "kubernetes" {
}

resource "vault_kubernetes_auth_backend_config" "example" {
backend = "${vault_auth_backend.kubernetes.path}"
kubernetes_host = "http://example.com:443"
kubernetes_ca_cert = "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----"
token_reviewer_jwt = "ZXhhbXBsZQo="
issuer = "api"
backend = "${vault_auth_backend.kubernetes.path}"
kubernetes_host = "http://example.com:443"
kubernetes_ca_cert = "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----"
token_reviewer_jwt = "ZXhhbXBsZQo="
issuer = "api"
disable_iss_validation = "true"
}
```

Expand All @@ -40,7 +41,12 @@ The following arguments are supported:

* `pem_keys` - (Optional) List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

* `issuer` - Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
* `issuer` - Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.

* `disable_iss_validation` - (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

* `disable_local_ca_jwt` - (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`


## Attributes Reference
