hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

indicate that token reviewer jwt is set on config read #221

Closed thyton closed 6 months ago

thyton commented 7 months ago

Overview

The read config endpoint does not expose the token_reviewer_jwt field for security reasons. An indication of whether it is set or not can save users from having to verify through the kubernetes login route.

Design of Change

Add a key value pair to the response data on config read to indicate that the token reviewer jwt is set.

Related Issues/Pull Requests

[ ] Issue #68

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet My Docs PR Link

[ ] Add output for any tests not run in CI to the PR description (eg, acceptance tests)

~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1664-indicate-token-reviewer-jwt-set) $ make integration-test
cd integrationtest && INTEGRATION_TESTS=true CGO_ENABLED=0 KUBE_CONTEXT="kind-vault-plugin-auth-kubernetes" go test '-test.v' -count=1 -timeout=20m ./...
?       github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest/k8s   [no test files]
=== RUN   TestSuccess
--- PASS: TestSuccess (0.14s)
=== RUN   TestSuccessWithTokenReviewerJwt
--- PASS: TestSuccessWithTokenReviewerJwt (0.09s)
=== RUN   TestSuccessWithNamespaceLabels
--- PASS: TestSuccessWithNamespaceLabels (0.09s)
=== RUN   TestFailWithMismatchNamespaceLabels
--- PASS: TestFailWithMismatchNamespaceLabels (0.09s)
=== RUN   TestFailWithBadTokenReviewerJwt
--- PASS: TestFailWithBadTokenReviewerJwt (0.08s)
=== RUN   TestUnauthorizedServiceAccountErrorCode
--- PASS: TestUnauthorizedServiceAccountErrorCode (0.08s)
=== RUN   TestAudienceValidation
=== RUN   TestAudienceValidation/config:_a,_JWT:_b
=== RUN   TestAudienceValidation/config:_unset,_JWT:_default
=== RUN   TestAudienceValidation/config:_unset,_JWT:_a
=== RUN   TestAudienceValidation/config:_default,_JWT:_default
=== RUN   TestAudienceValidation/config:_default,_JWT:_a
=== RUN   TestAudienceValidation/config:_a,_JWT:_a
--- PASS: TestAudienceValidation (0.46s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_b (0.07s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_default (0.08s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_a (0.08s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_default (0.08s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_a (0.07s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_a (0.08s)
PASS
ok      github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest   2.180s

[ ] Backwards compatible
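The pattern the PR describes, a config read that reports whether the token reviewer JWT is configured without returning the secret itself, as an added illustration that is not code from this PR or from the plugin. The struct fields, the `token_reviewer_jwt_set` response key, and the sample JWT value are assumptions made for this example; the PR text does not name the key.

```go
package main

import (
	"fmt"
	"strings"
)

// kubeConfig stands in for the auth method's stored configuration.
// Field names are assumptions for this example, not the plugin's own types.
type kubeConfig struct {
	KubernetesHost       string
	KubernetesCACert     string
	PEMKeys              []string
	TokenReviewerJWT     string // secret: must never appear in a read response
	Issuer               string
	DisableISSValidation bool
}

// configReadResponse builds the data map a config read would return.
// The secret token_reviewer_jwt is deliberately omitted; the boolean
// token_reviewer_jwt_set (key name assumed here) tells the operator whether
// a reviewer JWT was configured, which is all a read needs to reveal.
func configReadResponse(c *kubeConfig) map[string]interface{} {
	return map[string]interface{}{
		"kubernetes_host":        c.KubernetesHost,
		"kubernetes_ca_cert":     c.KubernetesCACert,
		"pem_keys":               c.PEMKeys,
		"issuer":                 c.Issuer,
		"disable_iss_validation": c.DisableISSValidation,
		"token_reviewer_jwt_set": c.TokenReviewerJWT != "",
	}
}

// leaksSecret is a defensive regression check for read responses: it reports
// true if the secret key is present at all, or if the secret value shows up
// inside any string (or string slice) value of the response.
func leaksSecret(resp map[string]interface{}, secret string) bool {
	if _, present := resp["token_reviewer_jwt"]; present {
		return true
	}
	if secret == "" {
		return false
	}
	for _, v := range resp {
		switch val := v.(type) {
		case string:
			if strings.Contains(val, secret) {
				return true
			}
		case []string:
			for _, s := range val {
				if strings.Contains(s, secret) {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	cfg := &kubeConfig{
		KubernetesHost: "https://kubernetes.default.svc",
		// constructed placeholder, not a real service account token
		TokenReviewerJWT: "eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED.PLACEHOLDER",
	}
	resp := configReadResponse(cfg)
	fmt.Printf("token_reviewer_jwt_set=%v leaks=%v\n",
		resp["token_reviewer_jwt_set"], leaksSecret(resp, cfg.TokenReviewerJWT))
}
```

The `leaksSecret` check is the kind of assertion worth keeping in the handler's unit tests: it guards against a later refactor that copies the whole config struct into the response and quietly reintroduces the disclosure the read endpoint was designed to avoid.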

thyton commented 6 months ago

Thank you for the feedback, @benashz! I've addressed all the comments. It's ready when you have a chance.