vault-sidekick/auth_kubernetes.go

package main

import (
	"io/ioutil"
	"os"

	"github.com/hashicorp/vault/api"
)

type authKubernetesPlugin struct {
	client *api.Client
}

type kubernetesLogin struct {
	Role string `json:"role"`
	JWT  string `json:"jwt"`
}

func NewKubernetesPlugin(client *api.Client) AuthInterface {
	return &authKubernetesPlugin{
		client: client,
	}
}

func (p authKubernetesPlugin) Create(cfg *vaultAuthOptions) (string, error) {
	if cfg.RoleID == "" {
		cfg.RoleID = os.Getenv("VAULT_SIDEKICK_K8S_ROLE")
	}
	if cfg.FileName == "" {
		cfg.FileName = os.Getenv("VAULT_SIDEKICK_K8S_TOKEN_FILE")
		// default to the typical location for this
		if cfg.FileName == "" {
			cfg.FileName = "/var/run/secrets/kubernetes.io/serviceaccount/token"
		}
	}

	// read kubernetes serviceaccount token file (a jwt token)
	tokenBytes, err := ioutil.ReadFile(cfg.FileName)
	if err != nil {
		return "", err
	}

	// create token request
	request := p.client.NewRequest("POST", "/v1/auth/kubernetes/login")
	body := kubernetesLogin{Role: cfg.RoleID, JWT: string(tokenBytes)}
	err = request.SetJSONBody(body)
	if err != nil {
		return "", err
	}

	// execute api request
	resp, err := p.client.RawRequest(request)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	// parse secret response
	secret, err := api.ParseSecret(resp.Body)
	if err != nil {
		return "", err
	}

	return secret.Auth.ClientToken, nil
}
add initial kubernetes auth support 2017-11-13 13:40:47 -05:00			`package main`

			`import (`
			`"io/ioutil"`
			`"os"`

			`"github.com/hashicorp/vault/api"`
			`)`

			`type authKubernetesPlugin struct {`
			`client *api.Client`
			`}`

			`type kubernetesLogin struct {`
			Role string `json:"role"`
			JWT string `json:"jwt"`
			`}`

			`func NewKubernetesPlugin(client *api.Client) AuthInterface {`
			`return &authKubernetesPlugin{`
			`client: client,`
			`}`
			`}`

			`func (p authKubernetesPlugin) Create(cfg *vaultAuthOptions) (string, error) {`
			`if cfg.RoleID == "" {`
			`cfg.RoleID = os.Getenv("VAULT_SIDEKICK_K8S_ROLE")`
			`}`
			`if cfg.FileName == "" {`
			`cfg.FileName = os.Getenv("VAULT_SIDEKICK_K8S_TOKEN_FILE")`
			`// default to the typical location for this`
			`if cfg.FileName == "" {`
			`cfg.FileName = "/var/run/secrets/kubernetes.io/serviceaccount/token"`
			`}`
			`}`

			`// read kubernetes serviceaccount token file (a jwt token)`
			`tokenBytes, err := ioutil.ReadFile(cfg.FileName)`
			`if err != nil {`
			`return "", err`
			`}`

			`// create token request`
			`request := p.client.NewRequest("POST", "/v1/auth/kubernetes/login")`
			`body := kubernetesLogin{Role: cfg.RoleID, JWT: string(tokenBytes)}`
			`err = request.SetJSONBody(body)`
			`if err != nil {`
			`return "", err`
			`}`

			`// execute api request`
			`resp, err := p.client.RawRequest(request)`
			`if err != nil {`
			`return "", err`
			`}`
			`defer resp.Body.Close()`

			`// parse secret response`
			`secret, err := api.ParseSecret(resp.Body)`
			`if err != nil {`
			`return "", err`
			`}`

			`return secret.Auth.ClientToken, nil`
			`}`