Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove cert and pem enforcement #150

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Remove cert and pem enforcement #150

wants to merge 7 commits into from

Conversation

imthaghost
Copy link
Contributor

@imthaghost imthaghost commented Apr 21, 2022
edited
Loading

Overview

Some users didn't find it necessary for Vault to enforce the CA cert or PEM keys. Examples can be found in the related issues.

Design of Change

We add false booleans to the kubernetes_ca_cert and pem_keys fields. While the required field on the FieldSchema struct are deprecated we added this just for future reference and documentation. We also remove checks that enforced kubernetes_ca_cert to be present instead we just default to the local CA cert if kubernetes_ca_cert is not set which will return an error of x509: certificate signed by unknown authority if the user did supply an appropriate CA cert.

Related Issues

Issue #62
Issue #88

Docs

I don't believe docs need to be added since this is implied in the example below.

Screen Shot 2022-04-21 at 4 11 55 PM

tomhjp
tomhjp reviewed Apr 22, 2022
View reviewed changes
Copy link
Contributor

@tomhjp tomhjp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can we get some unit test coverage? It's harder to test in an automated way, but I'd also like to ensure we at least manually test using the OS trust store. LMK if you'd like any help with that and I can go into more detail.

tvoran
tvoran reviewed Apr 22, 2022
View reviewed changes
path_config.go Outdated Show resolved Hide resolved
tvoran
tvoran reviewed Apr 25, 2022
View reviewed changes
path_config_test.go Outdated Show resolved Hide resolved
@imthaghost imthaghost requested a review from tomhjp April 26, 2022 19:25
tvoran
tvoran reviewed Apr 27, 2022
View reviewed changes
path_config_test.go
Comment on lines +544 to +561
"no CA default to system": {
config: map[string]interface{}{
"kubernetes_host": "host",
"disable_local_ca_jwt": false,
"kubernetes_ca_cert": "",
},
setupInClusterFiles: true,

expected: &kubeConfig{
PublicKeys: []interface{}{},
PEMKeys: []string{},
Host: "host",
CACert: testLocalCACert,
TokenReviewerJWT: testLocalJWT,
DisableISSValidation: true,
DisableLocalCAJwt: false,
},
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this test different than "no CA or JWT, default to local" in TestConfig_LocalCaJWT()? IIRC disable_local_ca_jwt defaults to false, and kubernetes_ca_cert defaults to "".

vault-plugin-auth-kubernetes/path_config_test.go

Lines 361 to 375 in a0dfafe

"no CA or JWT, default to local": {
config: map[string]interface{}{
"kubernetes_host": "host",
},
setupInClusterFiles: true,
expected: &kubeConfig{
PublicKeys: []interface{}{},
PEMKeys: []string{},
Host: "host",
CACert: testLocalCACert,
TokenReviewerJWT: testLocalJWT,
DisableISSValidation: true,
DisableLocalCAJwt: false,
},
},

calvn
calvn reviewed Apr 27, 2022
View reviewed changes
path_config.go Show resolved Hide resolved
tomhjp
tomhjp reviewed Apr 28, 2022
View reviewed changes
path_config.go
@@ -161,11 +159,11 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ

// Determine if we load the local CA cert or the CA cert provided
// by the kubernetes_ca_cert path into the backend's HTTP client
certPool := x509.NewCertPool()
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
}
if disableLocalJWT || len(caCert) > 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How come we don't use system certs if disableLocalJWT is true?

path_config.go
@@ -161,11 +159,11 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ

// Determine if we load the local CA cert or the CA cert provided
// by the kubernetes_ca_cert path into the backend's HTTP client
certPool := x509.NewCertPool()
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
}
if disableLocalJWT || len(caCert) > 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a more idiomatic check for empty strings:

Suggested change
if disableLocalJWT || len(caCert) > 0 {
if disableLocalJWT || caCert != "" {

@rinormaloku
Copy link

@imthaghost and @tomhjp can we merge this?

@tvoran tvoran mentioned this pull request Mar 6, 2024
Merged
@thyton thyton mentioned this pull request Mar 13, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvoran tvoran tvoran left review comments

@calvn calvn calvn left review comments

@tomhjp tomhjp tomhjp left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@imthaghost @rinormaloku @tvoran @calvn @tomhjp