amperity / vault-clj

Clojure client for Hashicorp's Vault secret management system.

Add Kubernetes auth method #90

Closed brendonjwong closed 1 year ago

brendonjwong commented 1 year ago

Implemented the Kubernetes auth's login method. This should resolve https://github.com/amperity/vault-clj/issues/81.

Similar to https://github.com/amperity/vault-clj/pull/89, I'm not sure it makes sense to write an integration test for this just yet due to the amount of setup it requires, but it's not impossible either. I did run a K8s cluster locally, configured to use my local Vault server and was able to validate the login method using a JWT from a local K8s service account.

Steps to validate:

  1. Follow all the steps in https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault
    • Instead of starting a vault server how they suggest, I modified dev/server to run the Vault server at http://0.0.0.0:8200 with the token root and then started the server by calling dev/server.
  2. Get the JWT from the service account with kubectl create token internal-app
  3. Login with the REPL:

    vault.repl=> (def client (http/http-client "http://0.0.0.0:8200"))
    #'vault.repl/client
    
    vault.repl=> (require '[vault.auth.kubernetes :as k8s])
    nil
    
    vault.repl=> (k8s/login client {:role "devweb-app" :jwt "<jwt>"})
    {:accessor "<redacted>",
     :client-token "<redacted>",
     :entity-id "<redacted>",
     :lease-duration 86400,
     :metadata {:role "devweb-app",
                :service-account-name "internal-app",
                :service-account-namespace "default",
                :service-account-secret-name "",
                :service-account-uid "7a994837-1605-48ca-9aa6-f314d311e0a7"},
     :mfa-requirement nil,
     :num-uses 0,
     :orphan true,
     :policies ["default" "devwebapp"],
     :renewable true,
     :token-policies ["default" "devwebapp"],
     :token-type "service"}
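Added example, not part of this PR or of vault-clj's code base: the login exchange that the steps above validate, written against Vault's raw HTTP API so the request and response shape are visible. It assumes `clojure.data.json` on the classpath and JDK 11+ for `java.net.http`; the function names (`read-sa-token`, `login-request`, `auth->map`, `k8s-login`) and the constructed sample response body are illustrative, while the address, role and service-account values are the ones used in the PR description.

```clojure
(ns example.k8s-login
  "Added example (not vault-clj code): the Vault Kubernetes auth login
  exchange against the raw HTTP API. Assumes clojure.data.json on the
  classpath and JDK 11+ for java.net.http. Names are illustrative."
  (:require [clojure.data.json :as json]
            [clojure.string :as str])
  (:import (java.net URI)
           (java.net.http HttpClient HttpRequest HttpRequest$BodyPublishers
                          HttpResponse$BodyHandlers)))

(def sa-token-path
  "Projected service-account token inside a pod. Outside a cluster, pass the
  JWT explicitly (e.g. from `kubectl create token internal-app`) as the PR does."
  "/var/run/secrets/kubernetes.io/serviceaccount/token")

(defn read-sa-token
  "Read and trim the service-account JWT from the projected volume."
  ([] (read-sa-token sa-token-path))
  ([path] (str/trim (slurp path))))

(defn- json-key
  "Vault uses snake_case JSON keys; the REPL output above shows kebab-case
  keywords, so convert on the way in (applies to nested maps such as metadata)."
  [k]
  (keyword (str/replace k "_" "-")))

(defn login-request
  "Build POST /v1/auth/<mount>/login. Vault validates the JWT server-side via
  the Kubernetes TokenReview API; the client only sends role + jwt. The JWT
  travels in the JSON body only; keep it out of URLs and log lines."
  [vault-addr mount role jwt]
  (-> (HttpRequest/newBuilder (URI/create (str vault-addr "/v1/auth/" mount "/login")))
      (.header "Content-Type" "application/json")
      (.POST (HttpRequest$BodyPublishers/ofString
               (json/write-str {:role role :jwt jwt})))
      (.build)))

(defn auth->map
  "Extract the `auth` block Vault returns on success, with kebab-case keys,
  shaped like the PR's sample output. Failures surface Vault's `errors`
  array without echoing the JWT."
  [status body]
  (let [parsed (when-not (str/blank? body)
                 (json/read-str body :key-fn json-key))]
    (if (= 200 status)
      (:auth parsed)
      (throw (ex-info "Vault kubernetes login failed"
                      {:status status :errors (:errors parsed)})))))

(defn k8s-login
  "Perform the login and return the auth map. `role` must exist under the
  kubernetes auth mount and be bound to the pod's service account/namespace."
  [vault-addr role jwt & {:keys [mount] :or {mount "kubernetes"}}]
  (let [client (HttpClient/newHttpClient)
        resp   (.send client (login-request vault-addr mount role jwt)
                      (HttpResponse$BodyHandlers/ofString))]
    (auth->map (.statusCode resp) (.body resp))))

(comment
  ;; Constructed sample body mirroring the real response shape, so the
  ;; parsing can be exercised without a Vault server:
  (auth->map 200
    "{\"auth\":{\"client_token\":\"<redacted>\",\"accessor\":\"<redacted>\",
      \"policies\":[\"default\",\"devwebapp\"],\"lease_duration\":86400,
      \"renewable\":true,\"num_uses\":0,\"orphan\":true,\"token_type\":\"service\",
      \"metadata\":{\"role\":\"devweb-app\",\"service_account_name\":\"internal-app\",
      \"service_account_namespace\":\"default\"}}}")
  ;; => {:client-token "<redacted>", ..., :lease-duration 86400, :renewable true,
  ;;     :metadata {:role "devweb-app", :service-account-name "internal-app", ...}}

  ;; Inside a pod, against a real Vault (values from the PR description):
  (k8s-login "http://0.0.0.0:8200" "devweb-app" (read-sa-token)))
```

In the sample output above, `:lease-duration 86400` together with `:renewable true` means the issued token is valid for a day and can be extended through Vault's token renew endpoint, and `:num-uses 0` means the number of uses is unlimited. A service that caches the client token should renew or log in again before the lease runs out rather than waiting for requests to start failing, and the `:policies` list is worth checking at startup so a misconfigured role (wrong namespace or service-account binding) is noticed immediately instead of as a later permission-denied error.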
codecov-commenter commented 1 year ago

Codecov Report

No coverage uploaded for pull request base (vault-2.x-rewrite@841ced8). Patch has no changes to coverable lines.

Additional details and impacted files

```diff
@@                Coverage Diff                @@
##             vault-2.x-rewrite      #90   +/-   ##
====================================================
  Coverage                    ?   57.16%
====================================================
  Files                       ?       17
  Lines                       ?     1396
  Branches                    ?       31
====================================================
  Hits                        ?      798
  Misses                      ?      567
  Partials                    ?       31
```