tuenti / secrets-manager

A daemon to sync Vault secrets to Kubernetes secrets
Apache License 2.0

vault kubernetes auth support #72

Closed fcrespofastly closed 3 years ago

fcrespofastly commented 3 years ago

Status

READY

Migrations

NO

Description

Enables Vault Kubernetes Authentication. This is a fairly common scenario for other similar tools like vault-secrets-webhook or vault-k8s. It's the method we enable for pods to talk to Vault.

How Has This Been Tested?

You can also reproduce it by enabling k8s auth and creating a role, bound to the secrets-manager vault policy, service account and namespace.


codecov-io commented 3 years ago

Codecov Report

Merging #72 (f2940e1) into master (065580f) will decrease coverage by 3.16%. The diff coverage is 60.00%.


@@            Coverage Diff             @@
##           master      #72      +/-   ##
==========================================
- Coverage   85.25%   82.08%   -3.17%     
==========================================
  Files           8        8              
  Lines         434      402      -32     
==========================================
- Hits          370      330      -40     
- Misses         47       54       +7     
- Partials       17       18       +1     
Impacted Files                                   Coverage Δ
backend/backend.go                               100.00% <ø>      (ø)
backend/vault.go                                  73.71% <60.00%> (-3.75%) ↓
backend/vault_engine.go                           84.61% <0.00%>  (-2.89%) ↓
controllers/secretdefinition_controller.go        76.03% <0.00%>  (-1.91%) ↓
errors/errors.go                                 100.00% <0.00%>  (ø)
backend/decoder.go                               100.00% <0.00%>  (ø)
controllers/metrics.go                           100.00% <0.00%>  (ø)
backend/vault_metrics.go                         100.00% <0.00%>  (ø)


fcrespofastly commented 3 years ago

Hey folks!!

It's been a while! I hope it's all good there!

We heavily use Vault at Fastly internally and we have some use cases where secrets-manager fits. We rely on Vault kubernetes authentication for anything running on kubernetes, so this PR will enable secrets-manager to use its own serviceAccount token instead of appRole.

I think this is a good use case, as other similar tools like vault-secrets-webhook or vault-k8s use it as well, and one of the advantages is that you don't need an extra secret to place the roleID and the secretID for secrets-manager.

Let me know what you think :)

cc @eduardogr
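The login flow the PR description and the comment above refer to, as an added example in Go that is not part of secrets-manager's own code: the daemon reads the projected service account token it already has, POSTs it together with a role name to Vault's Kubernetes auth login endpoint, and gets back a client token, so no roleID/secretID secret has to be mounted. Vault validates the JWT through the Kubernetes TokenReview API and then checks the role's bound service account and namespace; the in-process fake Vault below is a constructed stand-in that skips TokenReview and only enforces that binding. The role name, policy name, namespace and service account name (`secrets-manager`), the auth mount path `kubernetes` and the `hvs.constructed-…` token value are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// The projected token a pod already has. With Kubernetes auth it replaces the AppRole
// role_id/secret_id pair that otherwise has to be delivered as an extra secret.
const saTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// k8sRole holds the binding created with `vault write auth/kubernetes/role/<name>
// bound_service_account_names=<sa> bound_service_account_namespaces=<ns> policies=<policy> ttl=<ttl>`
// (single values here for brevity; Vault also accepts comma-separated lists).
type k8sRole struct {
	BoundServiceAccountName, BoundServiceAccountNamespace, Policy string
	TTL                                                            time.Duration
}

// kubernetesLogin POSTs {"role":...,"jwt":...} to <addr>/v1/auth/<mount>/login, the request
// shape of Vault's Kubernetes auth method, and returns the issued client token and its TTL.
func kubernetesLogin(c *http.Client, addr, mount, role, jwt string) (string, time.Duration, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	resp, err := c.Post(addr+"/v1/auth/"+mount+"/login", "application/json", strings.NewReader(string(body)))
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if resp.StatusCode != http.StatusOK {
		return "", 0, fmt.Errorf("vault login failed: %s: %s", resp.Status, strings.TrimSpace(string(raw)))
	}
	var out struct {
		Auth struct {
			ClientToken   string `json:"client_token"`
			LeaseDuration int    `json:"lease_duration"`
		} `json:"auth"`
	}
	if err := json.Unmarshal(raw, &out); err != nil || out.Auth.ClientToken == "" {
		return "", 0, fmt.Errorf("vault login: malformed response: %v", err)
	}
	return out.Auth.ClientToken, time.Duration(out.Auth.LeaseDuration) * time.Second, nil
}

// readSAToken loads the pod's projected service account JWT from disk.
func readSAToken(path string) (string, error) {
	b, err := os.ReadFile(path)
	return strings.TrimSpace(string(b)), err
}

// saJWT builds an UNSIGNED service-account-shaped JWT (alg "none") so the example runs offline.
// Real tokens are signed by the API server and Vault validates them via TokenReview; the fake skips that.
func saJWT(namespace, name string) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." +
		enc(map[string]string{"sub": "system:serviceaccount:" + namespace + ":" + name}) + "."
}

// newFakeVault is a constructed stand-in for Vault serving only the kubernetes login path. It enforces
// the role's namespace/service-account binding (the check Vault applies after TokenReview) and issues a fake token.
func newFakeVault(roles map[string]k8sRole) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Role, JWT string }
		if r.Method != http.MethodPost || r.URL.Path != "/v1/auth/kubernetes/login" || json.NewDecoder(r.Body).Decode(&in) != nil {
			http.Error(w, `{"errors":["bad request"]}`, http.StatusBadRequest)
			return
		}
		var claims struct{ Sub string `json:"sub"` }
		if parts := strings.Split(in.JWT, "."); len(parts) == 3 {
			payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
			_ = json.Unmarshal(payload, &claims)
		}
		role, ok := roles[in.Role]
		if !ok || claims.Sub != "system:serviceaccount:"+role.BoundServiceAccountNamespace+":"+role.BoundServiceAccountName {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"auth": map[string]interface{}{
			"client_token": "hvs.constructed-" + in.Role, "policies": []string{role.Policy},
			"lease_duration": int(role.TTL.Seconds())}})
	}))
}

func main() {
	vault := newFakeVault(map[string]k8sRole{"secrets-manager": {"secrets-manager", "secrets-manager", "secrets-manager", time.Hour}})
	defer vault.Close()
	jwt, err := readSAToken(saTokenPath)
	if err != nil { // not running inside a pod: fall back to a constructed token
		jwt = saJWT("secrets-manager", "secrets-manager")
	}
	fmt.Println(kubernetesLogin(vault.Client(), vault.URL, "kubernetes", "secrets-manager", jwt))
	// The same service account name from another namespace is refused by the role's namespace binding.
	fmt.Println(kubernetesLogin(vault.Client(), vault.URL, "kubernetes", "secrets-manager", saJWT("kube-system", "secrets-manager")))
}
```

Outside a pod the token file is absent and the program falls back to the constructed JWT; inside a pod it would read the real one. The second login shows why the binding the PR description asks for matters: a role bound to the secrets-manager policy, service account and namespace refuses a token from `kube-system` even though the service account name matches, so a compromised pod elsewhere cannot pick up the daemon's Vault policy just by reusing the name.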

eduardogr commented 3 years ago

LGTM,

Thanks a lot @fcgravalos. It's nice to see you again around here :)

fcrespofastly commented 3 years ago

> LGTM,
>
> Thanks a lot @fcgravalos. It's nice to see you again around here :)

same here dude!