feat: add token_default_audiences option to create role

client.go

@@ -53,8 +53,8 @@ func (c *client) createToken(ctx context.Context, namespace, name string, ttl ti
 	intTTL := int64(ttl.Seconds())
 	resp, err := c.k8s.CoreV1().ServiceAccounts(namespace).CreateToken(ctx, name, &authenticationv1.TokenRequest{
 		Spec: authenticationv1.TokenRequestSpec{
-			Audiences:         audiences,
 			ExpirationSeconds: &intTTL,
+			Audiences:         audiences,
 		},
 	}, metav1.CreateOptions{})
 	if err != nil {

integrationtest/creds_integration_test.go

@@ -145,30 +145,42 @@ func TestCreds_audiences(t *testing.T) {
 	type testCase struct {
 		roleConfig        map[string]interface{}
 		credsConfig       map[string]interface{}
-		expectedAudiences []string
+		expectedAudiences []interface{}
 	}
 
 	tests := map[string]testCase{
-		"audiences set": {
+		"both set": {
+			roleConfig: map[string]interface{}{
+				"allowed_kubernetes_namespaces": []string{"*"},
+				"service_account_name":          "sample-app",
+				"token_default_audiences":       []string{"foo", "bar"},
+			},
+			credsConfig: map[string]interface{}{
+				"kubernetes_namespace": "test",
+				"audiences":            "baz,qux",
+			},
+			expectedAudiences: []interface{}{"baz", "qux"},
+		},
+		"default to token_default_audiences": {
 			roleConfig: map[string]interface{}{
 				"allowed_kubernetes_namespaces": []string{"*"},
 				"service_account_name":          "sample-app",
+				"token_default_audiences":       []string{"foo", "bar"},
 			},
 			credsConfig: map[string]interface{}{
 				"kubernetes_namespace": "test",
-				"audiences":            "foo,bar",
 			},
-			expectedAudiences: []string{"foo", "bar"},
+			expectedAudiences: []interface{}{"foo", "bar"},
 		},
-		"audiences not set": {
+		"default to audiences of k8s cluster setup if both not set": {
 			roleConfig: map[string]interface{}{
 				"allowed_kubernetes_namespaces": []string{"*"},
 				"service_account_name":          "sample-app",
 			},
 			credsConfig: map[string]interface{}{
 				"kubernetes_namespace": "test",
 			},
-			expectedAudiences: []string{},
+			expectedAudiences: []interface{}{"https://kubernetes.default.svc.cluster.local"},
 		},
 	}
 	i := 0
@@ -227,6 +239,7 @@ func TestCreds_service_account_name(t *testing.T) {
 		"service_account_name":                  "sample-app",
 		"token_max_ttl":                         oneDay,
 		"token_default_ttl":                     oneHour,
+		"token_default_audiences":               nil,
 	}, roleResponse.Data)
 
 	result1, err := client.Logical().Write(path+"/creds/testrole", map[string]interface{}{
@@ -304,6 +317,7 @@ func TestCreds_kubernetes_role_name(t *testing.T) {
 			"service_account_name":                  "",
 			"token_max_ttl":                         oneDay,
 			"token_default_ttl":                     oneHour,
+			"token_default_audiences":               nil,
 		}
 		testRoleType(t, client, path, roleConfig, expectedRoleResponse)
 	})
@@ -338,6 +352,7 @@ func TestCreds_kubernetes_role_name(t *testing.T) {
 			"service_account_name":                  "",
 			"token_max_ttl":                         oneDay,
 			"token_default_ttl":                     oneHour,
+			"token_default_audiences":               nil,
 		}
 		testClusterRoleType(t, client, path, roleConfig, expectedRoleResponse)
 	})
@@ -407,6 +422,7 @@ func TestCreds_generated_role_rules(t *testing.T) {
 			"service_account_name":                  "",
 			"token_max_ttl":                         oneDay,
 			"token_default_ttl":                     oneHour,
+			"token_default_audiences":               nil,
 		}
 		testRoleType(t, client, path, roleConfig, expectedRoleResponse)
 	})
@@ -442,6 +458,7 @@ func TestCreds_generated_role_rules(t *testing.T) {
 			"service_account_name":                  "",
 			"token_max_ttl":                         oneDay,
 			"token_default_ttl":                     oneHour,
+			"token_default_audiences":               nil,
 		}
 		testClusterRoleType(t, client, path, roleConfig, expectedRoleResponse)
 	})

integrationtest/helpers.go

@@ -390,15 +390,16 @@ func testK8sTokenTTL(t *testing.T, expectedSec int, token string) {
 	assert.Equal(t, expectedSec, int(exp-iat))
 }
 
-func testK8sTokenAudiences(t *testing.T, expectedAudiences []string, token string) {
+func testK8sTokenAudiences(t *testing.T, expectedAudiences []interface{}, token string) {
 	parsed, err := josejwt.ParseSigned(token)
 	require.NoError(t, err)
 	claims := map[string]interface{}{}
 	err = parsed.UnsafeClaimsWithoutVerification(&claims)
 	require.NoError(t, err)
 	aud := claims["aud"].([]interface{})
-	for _, audience := range expectedAudiences {
-		assert.Contains(t, aud, interface{}(audience))
+	assert.Equal(t, len(expectedAudiences), len(aud))
+	for _, expectedAudience := range expectedAudiences {
+		assert.Contains(t, aud, expectedAudience)
 	}
 }
 

integrationtest/integration_test.go

@@ -162,6 +162,7 @@ func TestRole(t *testing.T) {
 		"generated_role_rules":          sampleRules,
 		"token_default_ttl":             "1h",
 		"token_max_ttl":                 "24h",
+		"token_default_audiences":       []string{"foobar"},
 	})
 	assert.NoError(t, err)
 
@@ -180,6 +181,7 @@ func TestRole(t *testing.T) {
 		"service_account_name":                  "",
 		"token_max_ttl":                         oneDay,
 		"token_default_ttl":                     oneHour,
+		"token_default_audiences":               []interface{}{"foobar"},
 	}, result.Data)
 
 	// update
@@ -188,6 +190,7 @@ func TestRole(t *testing.T) {
 		"extra_annotations":             sampleExtraAnnotations,
 		"extra_labels":                  sampleExtraLabels,
 		"token_default_ttl":             "30m",
+		"token_default_audiences":       []string{"bar"},
 	})
 
 	result, err = client.Logical().Read(path + "/roles/testrole")
@@ -205,6 +208,7 @@ func TestRole(t *testing.T) {
 		"service_account_name":                  "",
 		"token_max_ttl":                         oneDay,
 		"token_default_ttl":                     thirtyMinutes,
+		"token_default_audiences":               []interface{}{"bar"},
 	}, result.Data)
 
 	// update again
@@ -228,6 +232,7 @@ func TestRole(t *testing.T) {
 		"service_account_name":                  "",
 		"token_max_ttl":                         oneDay,
 		"token_default_ttl":                     thirtyMinutes,
+		"token_default_audiences":               []interface{}{"bar"},
 	}, result.Data)
 
 	result, err = client.Logical().List(path + "/roles")

integrationtest/wal_rollback_test.go

@@ -66,6 +66,7 @@ func TestCreds_wal_rollback(t *testing.T) {
 			"kubernetes_role_type":          "RolE",
 			"token_default_ttl":             "1h",
 			"token_max_ttl":                 "24h",
+			"token_default_audiences":       []string{"foobar"},
 		}
 		expectedRoleResponse := map[string]interface{}{
 			"allowed_kubernetes_namespaces":         []interface{}{"test"},
@@ -80,6 +81,7 @@ func TestCreds_wal_rollback(t *testing.T) {
 			"service_account_name":                  "",
 			"token_max_ttl":                         oneDay,
 			"token_default_ttl":                     oneHour,
+			"token_default_audiences":               []interface{}{"foobar"},
 		}
 
 		_, err := client.Logical().Write(mountPath+"/roles/walrole", roleConfig)
@@ -138,6 +140,7 @@ func TestCreds_wal_rollback(t *testing.T) {
 			"kubernetes_role_type":                  "ClusterRole",
 			"token_default_ttl":                     "1h",
 			"token_max_ttl":                         "24h",
+			"token_default_audiences":               []string{"foobar"},
 		}
 		expectedRoleResponse := map[string]interface{}{
 			"allowed_kubernetes_namespaces":         interface{}(nil),
@@ -152,6 +155,7 @@ func TestCreds_wal_rollback(t *testing.T) {
 			"service_account_name":                  "",
 			"token_max_ttl":                         oneDay,
 			"token_default_ttl":                     oneHour,
+			"token_default_audiences":               []interface{}{"foobar"},
 		}
 
 		_, err := client.Logical().Write(mountPath+"/roles/walrolebinding", roleConfig)

path_creds.go

@@ -216,6 +216,11 @@ func (b *backend) createCreds(ctx context.Context, req *logical.Request, role *r
 		theTTL = b.System().MaxLeaseTTL()
 	}
 
+	theAudiences := role.TokenDefaultAudiences
+	if len(reqPayload.Audiences) != 0 {
+		theAudiences = reqPayload.Audiences
+	}
+
 	// These are created items to save internally and/or return to the caller
 	token := ""
 	serviceAccountName := ""
@@ -228,7 +233,7 @@ func (b *backend) createCreds(ctx context.Context, req *logical.Request, role *r
 	switch {
 	case role.ServiceAccountName != "":
 		// Create token for existing service account
-		status, err := client.createToken(ctx, reqPayload.Namespace, role.ServiceAccountName, theTTL, reqPayload.Audiences)
+		status, err := client.createToken(ctx, reqPayload.Namespace, role.ServiceAccountName, theTTL, theAudiences)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create a service account token for %s/%s: %s", reqPayload.Namespace, role.ServiceAccountName, err)
 		}
@@ -250,7 +255,7 @@ func (b *backend) createCreds(ctx context.Context, req *logical.Request, role *r
 			return nil, err
 		}
 
-		status, err := client.createToken(ctx, reqPayload.Namespace, genName, theTTL, reqPayload.Audiences)
+		status, err := client.createToken(ctx, reqPayload.Namespace, genName, theTTL, theAudiences)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create a service account token for %s/%s: %s", reqPayload.Namespace, genName, err)
 		}
@@ -277,7 +282,7 @@ func (b *backend) createCreds(ctx context.Context, req *logical.Request, role *r
 			return nil, err
 		}
 
-		status, err := client.createToken(ctx, reqPayload.Namespace, genName, theTTL, reqPayload.Audiences)
+		status, err := client.createToken(ctx, reqPayload.Namespace, genName, theTTL, theAudiences)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create a service account token for %s/%s: %s", reqPayload.Namespace, genName, err)
 		}

path_roles.go

@@ -22,18 +22,19 @@ const (
 )
 
 type roleEntry struct {
-	Name                 string            `json:"name" mapstructure:"name"`
-	K8sNamespaces        []string          `json:"allowed_kubernetes_namespaces" mapstructure:"allowed_kubernetes_namespaces"`
-	K8sNamespaceSelector string            `json:"allowed_kubernetes_namespace_selector" mapstructure:"allowed_kubernetes_namespace_selector"`
-	TokenMaxTTL          time.Duration     `json:"token_max_ttl" mapstructure:"token_max_ttl"`
-	TokenDefaultTTL      time.Duration     `json:"token_default_ttl" mapstructure:"token_default_ttl"`
-	ServiceAccountName   string            `json:"service_account_name" mapstructure:"service_account_name"`
-	K8sRoleName          string            `json:"kubernetes_role_name" mapstructure:"kubernetes_role_name"`
-	K8sRoleType          string            `json:"kubernetes_role_type" mapstructure:"kubernetes_role_type"`
-	RoleRules            string            `json:"generated_role_rules" mapstructure:"generated_role_rules"`
-	NameTemplate         string            `json:"name_template" mapstructure:"name_template"`
-	ExtraLabels          map[string]string `json:"extra_labels" mapstructure:"extra_labels"`
-	ExtraAnnotations     map[string]string `json:"extra_annotations" mapstructure:"extra_annotations"`
+	Name                  string            `json:"name" mapstructure:"name"`
+	K8sNamespaces         []string          `json:"allowed_kubernetes_namespaces" mapstructure:"allowed_kubernetes_namespaces"`
+	K8sNamespaceSelector  string            `json:"allowed_kubernetes_namespace_selector" mapstructure:"allowed_kubernetes_namespace_selector"`
+	TokenMaxTTL           time.Duration     `json:"token_max_ttl" mapstructure:"token_max_ttl"`
+	TokenDefaultTTL       time.Duration     `json:"token_default_ttl" mapstructure:"token_default_ttl"`
+	TokenDefaultAudiences []string          `json:"token_default_audiences" mapstructure:"token_default_audiences"`
+	ServiceAccountName    string            `json:"service_account_name" mapstructure:"service_account_name"`
+	K8sRoleName           string            `json:"kubernetes_role_name" mapstructure:"kubernetes_role_name"`
+	K8sRoleType           string            `json:"kubernetes_role_type" mapstructure:"kubernetes_role_type"`
+	RoleRules             string            `json:"generated_role_rules" mapstructure:"generated_role_rules"`
+	NameTemplate          string            `json:"name_template" mapstructure:"name_template"`
+	ExtraLabels           map[string]string `json:"extra_labels" mapstructure:"extra_labels"`
+	ExtraAnnotations      map[string]string `json:"extra_annotations" mapstructure:"extra_annotations"`
 }
 
 func (r *roleEntry) toResponseData() (map[string]interface{}, error) {
@@ -78,6 +79,11 @@ func (b *backend) pathRoles() []*framework.Path {
 					Description: "The default ttl for generated Kubernetes service account tokens. If not set or set to 0, will use system default.",
 					Required:    false,
 				},
+				"token_default_audiences": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "The default audiences for generated Kubernetes service account tokens. If not set or set to \"\", will use k8s cluster setup.",
+					Required:    false,
+				},
 				"service_account_name": {
 					Type:        framework.TypeString,
 					Description: "The pre-existing service account to generate tokens for. Mutually exclusive with all role parameters. If set, only a Kubernetes service account token will be created.",
@@ -206,6 +212,9 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f
 	if tokenTTLRaw, ok := d.GetOk("token_default_ttl"); ok {
 		entry.TokenDefaultTTL = time.Duration(tokenTTLRaw.(int)) * time.Second
 	}
+	if tokenAudiencesRaw, ok := d.GetOk("token_default_audiences"); ok {
+		entry.TokenDefaultAudiences = strutil.RemoveDuplicates(tokenAudiencesRaw.([]string), true)
+	}
 	if svcAccount, ok := d.GetOk("service_account_name"); ok {
 		entry.ServiceAccountName = svcAccount.(string)
 	}