creds endpoint

[tvoran]

Overview

Implementation of the creds endpoint for generating the credentials for the service account.

Design of Change

The creds endpoint has these parameters:

• name (string: <required>): The name of the role.
• kubernetes_namespace (string: <required>): The name of the Kubernetes namespace in which to generate the service account.
• cluster_role_binding (bool: false): If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace. Requires the Vault role to have kubernetes_role_type set to ClusterRole.
• ttl (string: ""): The ttl of the generated Kubernetes service account.

Other notes:

• all created objects have a set of standard labels applied:

	"app.kubernetes.io/managed-by": "HashiCorp-Vault",
	"app.kubernetes.io/created-by": "vault-plugin-secrets-kubernetes",

• The wal rollback integration test take about 5 minutes to run; it can be skipped by setting SKIP_WAL_TEST in the env:

make setup-integration-test integration-test TESTARGS="-v" SKIP_WAL_TEST=yes

• When the creds create fails in the wal tests, something retries the path_creds request a couple time, so three sets of orphaned objects are created. They all are cleaned up properly by the WAL, but I'm not sure what's retrying the path_creds call. Nevermind, this is probably just the built-in retries in the vault client we're using in the tests.

Testing examples

The integration tests can be run as described in the README.

Manual testing:

# setup a k8s cluster preloaded with service accounts and roles and a vault pod with the built k8s secrets plugin
make setup-kind setup-integration-test

# get a shell on the vault pod that has the plugin available and configure it
kubectl exec -it -n test vault-0 -- /bin/sh
vault secrets enable kubernetes-dev
vault write -f kubernetes-dev/config

# configure roles (in the vault container)
vault write kubernetes-dev/roles/existing-role \
  kubernetes_role_name=test-role-list-pods  \
  allowed_kubernetes_namespaces='default' \
  allowed_kubernetes_namespaces=test \
  token_max_ttl=80h \
  token_default_ttl=1h

vault write kubernetes-dev/roles/my-role \
  service_account_name=sample-app \
  allowed_kubernetes_namespaces='test' \
  token_max_ttl=80h \
  token_default_ttl=1h

vault write kubernetes-dev/roles/rules \
  allowed_kubernetes_namespaces=default \
  allowed_kubernetes_namespaces=test \
  token_max_ttl=80h \
  token_default_ttl=1h \
  generated_role_rules="rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list"

# generate service account tokens (in the vault container)
vault write kubernetes-dev/creds/my-role kubernetes_namespace=test

vault write kubernetes-dev/creds/existing-role kubernetes_namespace=test ttl=30m

vault write kubernetes-dev/creds/rules kubernetes_namespace=test ttl=7h

# use the creds (in a local terminal)
export KUBE_HOST=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')

export TEST_TOKEN=<service_account_token>
curl -k $KUBE_HOST/api/v1/namespaces/test/pods --header "Authorization: Bearer $TEST_TOKEN"

You can also configure this with Vault running outside kubernetes, something like this:

make setup-kind setup-integration-test

./scripts/local_dev.sh

# then in a new terminal
export KUBE_HOST=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
export KUBE_CA_CERT=$(kubectl get secret -n test $(kubectl get serviceaccount -n test test-token-create -o jsonpath='{.secrets[0].name}') -o jsonpath='{ .data.ca\.crt }' | base64 --decode)
export TOKEN=$(kubectl get secret -n test $(kubectl get serviceaccount -n test test-token-create -o jsonpath='{.secrets[0].name}') -o jsonpath='{ .data.token }' | base64 --decode)

export VAULT_DEV_ROOT_TOKEN_ID="root" VAULT_TOKEN="root" VAULT_ADDR="http://127.0.0.1:8200"
vault write kube-secrets/config kubernetes_host=$KUBE_HOST service_account_jwt=$TOKEN kubernetes_ca_cert=$KUBE_CA_CERT

# then similar configure roles and generate creds as above

[tomhjp]

Looking good - I've still got the integration tests and path_creds.go to look at, sorry for the partial review.

[tomhjp]

It's possible the the k8s API may give us back a token with a TTL different from what we requested: https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/#TokenRequestSpec

e.g. IIRC the minimum token TTL is 10 minutes. And there is also a kube-apiserver flag --service-account-max-token-expiration.

I haven't thought through how we should handle that too much, but we should at least add a warning to the response if there's a disparity.

If the returned TTL is longer, we can still effectively revoke early if there is a service account or role binding to delete, but we're a bit stuck if we're only generating a token.

If the returned TTL is shorter, we should probably pin the Vault lease down to the shorter TTL as well?

[tvoran]

Yep, good points. I added the warnings and set the Vault lease if the token TTL is shorter in c3e9ee6.

When requesting a token, apparently we could also tie it to a k8s object via the boundObjectRef. So in the future perhaps we could create a simple Secret or something that is bound to the token, and would allow us to "revoke" the token in the existing service account case.

[tomhjp]

I love that idea, I just tested it out and it works perfectly:

kubectl create secret generic foo
kubectl create token default --bound-object-kind Secret --bound-object-name foo
# The `foo` secret is still empty - no data attached.

kubectl proxy &
curl --silent http://127.0.0.1:8001/apis/authentication.k8s.io/v1/tokenreviews -H "Content-Type: application/json"   -X POST   -d '{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": {"token":"<JWT>"}}' | jq
# Authenticated

kubectl delete secret foo
# Repeating the TokenReview request now returns an error

Not in this PR, but we should definitely implement that.

[tomhjp]

Would it maybe make sense to allow omitting kubernetes_namespace if there is only one namespace specified? It could simplify the UX in that case, but maybe it also has potential to make things more confusing. In any case, this definitely doesn't need addressing in this PR, as it's easy to relax the rule later.

[tvoran]

Yeah! I think that would be sensible default behavior.

[calvn]

👍 Other than the open suggestions from others, and a follow up to Christopher's comment I didn't find much else to add.

[tomhjp]

AFAICT I think it's currently possible for createCreds and walRollback to run simultaneously, which could result in walRollback revoking some credentials that are part way through being provisioned.

[tvoran]

That is mitigated somewhat by the WALRollbackMinAge, which defaults to 10 minutes: https://github.com/hashicorp/vault/blob/ab0944d9653f41df7c8091adbbf3b8e516a2f58e/sdk/framework/backend.go#L577-L582
i.e. credentials/objects in K8s need to have been created for at least 10 minutes before they'll start being processed in walRollback. This is also why the integration test takes ~10 minutes to run since there's a rollback test.

[tomhjp]

Ahh cool, I missed that. Sounds fine then. Although on another note, maybe it would be good to try and bring that integration test time down in a future PR.

[calvn]

Ohh, I didn't realize that reverting to the default value also delays the test by that amount. Is there a way to just reduce the min age for the test?

[tvoran]

Yeah we'll have to look into changing that for the integration tests. Perhaps with some compile flags or something.

[tomhjp]

🎉 No blockers from me