From 6d2afc59b623d4b82f807fa579d762f298e4263b Mon Sep 17 00:00:00 2001
From: Brian Kassouf
Date: Tue, 16 Feb 2021 17:57:12 -0800
Subject: [PATCH] Backport 1.6.x: Kubernetes Auth #104 (#10930)

* Backport 1.6.x: Kubernetes Auth #104

* Add changelog file
---
 changelog/10930.txt | 4 ++++
 go.mod | 2 +-
 go.sum | 2 ++
 .../vault-plugin-auth-kubernetes/path_login.go | 6 +++---
 .../vault-plugin-auth-kubernetes/token_review.go | 13 +++++++++----
 vendor/modules.txt | 2 +-
 6 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 changelog/10930.txt

diff --git a/changelog/10930.txt b/changelog/10930.txt
new file mode 100644
index 000000000000..6c41e9e94064
--- /dev/null
+++ b/changelog/10930.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+auth/kubernetes: Cancel API calls to TokenReview endpoint when request context
+is closed
+```
diff --git a/go.mod b/go.mod
index 9a81381c8aa6..616478adf791 100644
--- a/go.mod
+++ b/go.mod
@@ -80,7 +80,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-gcp v0.8.0
 	github.com/hashicorp/vault-plugin-auth-jwt v0.8.1
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.2.0
-	github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0
+	github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.1
 	github.com/hashicorp/vault-plugin-auth-oci v0.6.0
 	github.com/hashicorp/vault-plugin-database-couchbase v0.2.1
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.6.1
diff --git a/go.sum b/go.sum
index ab210b01a7aa..9eccb5198736 100644
--- a/go.sum
+++ b/go.sum
@@ -640,6 +640,8 @@ github.com/hashicorp/vault-plugin-auth-kerberos v0.2.0 h1:7ct50ngVFTeO7EJ3N9PvPH
 github.com/hashicorp/vault-plugin-auth-kerberos v0.2.0/go.mod h1:IM/n7LY1rIM4MVzOfSH6cRmY/C2rGkrjGrEr0B/yO9c=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0 h1:v1jOqR70chxRxONey7g/v0/57MneP05z2dfw6qmlE+8=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.1 h1:gUQPCgHu0yvdOSzX9i0YNm3jpeueGNxScwDnYWB+rVI=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.1/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
 github.com/hashicorp/vault-plugin-auth-oci v0.6.0 h1:ag69AcGbWvFADQ0TQxiJiJAztCiY5/CXMItF02oi5oY=
 github.com/hashicorp/vault-plugin-auth-oci v0.6.0/go.mod h1:Cn5cjR279Y+snw8LTaiLTko3KGrbigRbsQPOd2D5xDw=
 github.com/hashicorp/vault-plugin-database-couchbase v0.2.1 h1:WIxp5tCiDZqmd01h9WCcD+wMum+A9KKi/4qIebrxWD8=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go
index 504700d8a8a8..9f3fc7ce01fe 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go
@@ -103,7 +103,7 @@ func (b *kubeAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 	}
 
 	// look up the JWT token in the kubernetes API
-	err = serviceAccount.lookup(jwtStr, b.reviewFactory(config))
+	err = serviceAccount.lookup(ctx, jwtStr, b.reviewFactory(config))
 	if err != nil {
 		b.Logger().Error(`login unauthorized due to: ` + err.Error())
 		return nil, logical.ErrPermissionDenied
@@ -350,8 +350,8 @@ type projectedServiceAccountPod struct {
 // lookup calls the TokenReview API in kubernetes to verify the token and secret
 // still exist.
-func (s *serviceAccount) lookup(jwtStr string, tr tokenReviewer) error {
-	r, err := tr.Review(jwtStr, s.Audience)
+func (s *serviceAccount) lookup(ctx context.Context, jwtStr string, tr tokenReviewer) error {
+	r, err := tr.Review(ctx, jwtStr, s.Audience)
 	if err != nil {
 		return err
 	}
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/token_review.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/token_review.go
index 75e86e093cc7..6b36a95a6dc8 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/token_review.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/token_review.go
@@ -2,6 +2,7 @@ package kubeauth
 
 import (
 	"bytes"
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
@@ -28,7 +29,7 @@ type tokenReviewResult struct {
 
 // This exists so we can use a mock TokenReview when running tests
 type tokenReviewer interface {
-	Review(string, []string) (*tokenReviewResult, error)
+	Review(context.Context, string, []string) (*tokenReviewResult, error)
 }
 
 type tokenReviewFactory func(*kubeConfig) tokenReviewer
@@ -44,7 +45,7 @@ func tokenReviewAPIFactory(config *kubeConfig) tokenReviewer {
 	}
 }
 
-func (t *tokenReviewAPI) Review(jwt string, aud []string) (*tokenReviewResult, error) {
+func (t *tokenReviewAPI) Review(ctx context.Context, jwt string, aud []string) (*tokenReviewResult, error) {
 
 	client := cleanhttp.DefaultClient()
 
@@ -75,7 +76,7 @@ func (t *tokenReviewAPI) Review(jwt string, aud []string) (*tokenReviewResult, e
 
 	// Build the request to the token review API
 	url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", strings.TrimSuffix(t.config.Host, "/"))
-	req, err := http.NewRequest("POST", url, bytes.NewBuffer(trJSON))
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewBuffer(trJSON))
 	if err != nil {
 		return nil, err
 	}
@@ -188,7 +189,11 @@ func mockTokenReviewFactory(name, namespace, UID string) tokenReviewFactory {
 	}
 }
 
-func (t *mockTokenReview) Review(jwt string, aud []string) (*tokenReviewResult, error) {
+func (t *mockTokenReview) Review(ctx context.Context, cjwt string, aud []string) (*tokenReviewResult, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
 	return &tokenReviewResult{
 		Name: t.saName,
 		Namespace: t.saNamespace,
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2fa17945d38f..d3baed01546d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -519,7 +519,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.2.0
 github.com/hashicorp/vault-plugin-auth-kerberos
-# github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.0
+# github.com/hashicorp/vault-plugin-auth-kubernetes v0.8.1
 github.com/hashicorp/vault-plugin-auth-kubernetes
 # github.com/hashicorp/vault-plugin-auth-oci v0.6.0
 github.com/hashicorp/vault-plugin-auth-oci