hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

make kubernetes_ca_cert optional #238

Closed thyton closed 6 months ago

thyton commented 6 months ago

Overview

Users want to make kubernetes_ca_cert optional. Since the CA cert is used only for establishing a TLS connection to the Kubernetes API, we can default to using the system's trust store with no harm, as mentioned in #62.

Design of Change

The config write handler removes non-nil kubernetes_ca_cert enforcement.

When kubernetes_ca_cert is not given:

Related Issues/Pull Requests

Contributor Checklist

The self-signed kubernetes host CA is in the host’s trust store

2024-03-19T15:35:11.286Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=started
2024-03-19T15:35:11.311Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=finished err=<nil> took=24.570041ms
2024-03-19T15:35:11.311Z [DEBUG] identity: creating a new entity: alias="id:\"153b12e0-7d31-9c7d-a022-c2ad17a0d5b3\"  canonical_id:\"de0043a8-5f9b-9d19-ee52-0183d2110157\"  mount_type:\"vault-plugin-auth-kubernetes\"  mount_accessor:\"auth_vault-plugin-auth-kubernetes_2996fdb6\"  mount_path:\"auth/kubernetes/\"  metadata:{key:\"service_account_name\"  value:\"default\"}  metadata:{key:\"service_account_namespace\"  value:\"default\"}  metadata:{key:\"service_account_secret_name\"  value:\"\"}  metadata:{key:\"service_account_uid\"  value:\"6ac6361a-722a-4b11-8c4f-d1e4c5fdfaae\"}  name:\"6ac6361a-722a-4b11-8c4f-d1e4c5fdfaae\"  creation_time:{seconds:1710862511  nanos:311625256}  last_update_time:{seconds:1710862511  nanos:311625256}  namespace_id:\"root\"  local_bucket_key:\"packer/local-aliases/buckets/248\""
2024-03-19T15:35:11.313Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: type: transport=gRPC status=started
2024-03-19T15:35:11.314Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: type: transport=gRPC status=finished took=1.367708ms

The self-signed kubernetes host CA is not in the host’s trust store

2024-03-19T15:47:33.196Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2e239732.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=started
2024-03-19T15:47:33.211Z [DEBUG] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2e239732.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: login unauthorized: err="Post \"https://192.168.1.95:60815/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate signed by unknown authority" timestamp=2024-03-19T15:47:33.211Z
2024-03-19T15:47:33.212Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2e239732.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=finished err="permission denied" took=15.917208ms

Invalid kubernetes_ca_cert

$ cat scratch/invalid-ca-bundble.pem 
bad
$ scratch/test-ca-bundle.sh scratch/invalid-ca-bundble.pem
Error writing data to auth/kubernetes/config: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/auth/kubernetes/config
Code: 400. Errors:

* Configured CA PEM data contains no valid certificates, TLS verification will fail

Correctly formatted kubernetes_ca_cert but not the kubernetes host's CA

$ scratch/test-ca-bundle.sh scratch/non-k8s-valid-ca-bundle.pem
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Error writing data to auth/kubernetes/login: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/auth/kubernetes/login
Code: 403. Errors:

* permission denied

2024-03-20T16:17:15.288Z [DEBUG] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_a119c08e.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: login unauthorized: err="Post \"https://192.168.1.95:60815/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate signed by unknown authority" timestamp=2024-03-20T16:17:15.288Z
2024-03-20T16:17:15.288Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_a119c08e.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=finished err="permission denied" took=14.4695ms

Valid kubernetes_ca_cert

Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESIIFdnVdpvlFfXeR2uqyDgVCJaUInEcw_BC2ufWzOdnmaGh4KHGh2cy5CMGF2ZVp4RVJ1dWdlcDhDOFZpd1AzcXk
.....

Switching from system cert pool to kubernetes_ca_cert

[24/03/20 09:35:04] ~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1729-make-kubernetes-ca-cert-optional) $ scratch/test-system.sh
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESILLOEjFnCBbx6ZJ-Q-BLwWLQLXou9LwWp2n5KoT-7NkNGh4KHGh2cy5mMHpsVWVTQU91d1NsZUttZURKbW1BbHE
token_accessor                            NIELmHYd6Hv9vDSQay0sRllP
...
[24/03/20 09:35:23] ~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1729-make-kubernetes-ca-cert-optional) $ scratch/test-ca-bundle.sh scratch/valid-ca-cert.pem                                                                
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESINIGC0y-q0iJ_iBFcnaPJyQw0E-C7tijilW_K2TEO_30Gh4KHGh2cy4xV2hTbzU1bVlhamNFVGQ3T3VFN3FNelE
token_accessor                            GPE0XTcNZA9ZQnhn2THFs0P6
token_duration                            1h

2024-03-20T16:35:31.307Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=started
2024-03-20T16:35:31.310Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: Root CA certificate pool has changed, updating the client's transport: timestamp=2024-03-20T16:35:31.310Z
2024-03-20T16:35:31.312Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=finished err=<nil> took=5.18775ms

Switching back to system cert pool from kubernetes_ca_cert

[24/03/20 09:36:18] ~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1729-make-kubernetes-ca-cert-optional) $ scratch/test-system.sh
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESICgVKj0Kk_vppYBKtoJpyGVoOax90DJO4GJ-GckInnwbGh4KHGh2cy5tZUplNDVRRlF0TTJqMkNHTWVLMGszUlg
...

2024-03-20T16:39:07.523Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=started
2024-03-20T16:39:07.525Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: Root CA certificate pool has changed, updating the client's transport: timestamp=2024-03-20T16:39:07.525Z
2024-03-20T16:39:07.526Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=finished err=<nil> took=3.289667ms
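The behaviour exercised by the runs above (system trust store when kubernetes_ca_cert is unset, rejection of PEM data with no certificates, "certificate signed by unknown authority" for a well-formed but wrong CA, success for the cluster's own CA, and rebuilding the transport only when the pool changes) can be reproduced with plain crypto/x509 and crypto/tls. The following is an added illustration, not the plugin's code; the function names (rootPool, clientTLSConfig, poolChanged, verifyServerCert, newSelfSignedCert) are hypothetical, and the "cluster CA" is a throwaway self-signed certificate generated in the example rather than a real cluster's CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// errNoCerts uses the wording of the 400 error from the "Invalid kubernetes_ca_cert" run.
var errNoCerts = errors.New("Configured CA PEM data contains no valid certificates, TLS verification will fail")

// rootPool turns the optional kubernetes_ca_cert value into the pool used to verify
// the API server. Empty => nil pool, which crypto/tls reads as "use the system trust
// store". Non-empty data that yields zero certificates is rejected at config-write
// time instead of silently producing a pool that can never verify anything.
func rootPool(caPEM string) (*x509.CertPool, error) {
	if caPEM == "" {
		return nil, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(caPEM)) {
		return nil, errNoCerts
	}
	return pool, nil
}

// clientTLSConfig is the TLS config a client would hand to its http.Transport.
func clientTLSConfig(caPEM string) (*tls.Config, error) {
	pool, err := rootPool(caPEM)
	if err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// poolChanged reports whether the CA material differs from what was last applied,
// so the transport is rebuilt only then (covers the system <-> custom pool switches).
func poolChanged(oldPEM, newPEM string) bool {
	return sha256.Sum256([]byte(oldPEM)) != sha256.Sum256([]byte(newPEM))
}

// verifyServerCert runs the same chain check the TLS handshake performs against
// cfg.RootCAs; a server cert that chains to no configured (or system) root yields
// x509.UnknownAuthorityError, the error seen in the "not in trust store" runs.
func verifyServerCert(cfg *tls.Config, serverCert *x509.Certificate, host string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// newSelfSignedCert constructs a throwaway self-signed CA/server certificate that
// stands in for a cluster's self-signed API server CA (constructed fixture only).
func newSelfSignedCert(host string) (*x509.Certificate, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, "", err
	}
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	clusterCert, clusterPEM, err := newSelfSignedCert("kubernetes.default.svc")
	if err != nil {
		panic(err)
	}
	_, otherPEM, err := newSelfSignedCert("not-the-cluster-ca.example")
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct{ name, caPEM string }{
		{"kubernetes_ca_cert unset (system trust store)", ""},
		{"invalid kubernetes_ca_cert", "bad"},
		{"well-formed but not the cluster CA", otherPEM},
		{"the cluster's own CA", clusterPEM},
	} {
		cfg, err := clientTLSConfig(tc.caPEM)
		if err == nil {
			err = verifyServerCert(cfg, clusterCert, "kubernetes.default.svc")
		}
		fmt.Printf("%-46s -> %v\n", tc.name, err)
	}
}
```

The nil-pool convention is what makes the fallback safe to reason about: nothing is disabled, verification still happens, only the root set moves from the configured bundle to the host's store, which is why a self-signed cluster CA that is absent from that store still fails closed.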
thyton commented 6 months ago

Thank you for your feedback!