feat(storage/vault) add support for kubernetes auth (#37)

UXabre · web-flow · commit 93c212132a5d · 2021-05-11T19:09:18.000+08:00
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -74,6 +74,13 @@ jobs:
         docker logs vault
         docker run -d -v /usr/share/ca-certificates/:/etc/ssl/certs -p 4001:4001 -p 2380:2380 -p 2379:2379  --name etcd quay.io/coreos/etcd:v2.3.8  -name etcd0  -advertise-client-urls http://${HostIP}:2379,http://${HostIP}:4001  -listen-client-urls http://0.0.0.0:2379,http://0.0.0.0:4001  -initial-advertise-peer-urls http://${HostIP}:2380  -listen-peer-urls http://0.0.0.0:2380  -initial-cluster-token etcd-cluster-1  -initial-cluster etcd0=http://${HostIP}:2380  -initial-cluster-state new
         docker logs etcd
+        
+    - name: Prepare vault for JWT auth
+      run: |
+        curl 'https://localhost:8210/v1/sys/auth/kubernetes.test' -k -X POST -H 'X-Vault-Token: root' -H 'Content-Type: application/json; charset=utf-8' --data-raw '{"path":"kubernetes.test","type":"jwt","config":{}}'
+        curl 'https://localhost:8210/v1/auth/kubernetes.test/config' -k -X PUT -H 'X-Vault-Token: root' -H 'content-type: application/json; charset=utf-8' --data-raw '{"jwt_validation_pubkeys":["-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtMCbmrsltFKqStOoxl8V\nK5ZlrIMb8d+W62yoXW1DKdg+cPNq0vGD94cxl9NjjRzlSR/NVZq6Q34c1lkbenPw\nf3CYfmbQupOKTJKhBdn9sFCCbW0gi6gQv0BaU3Pa8iGfVcZPctAtdbwmNKVd26hW\nmvnoJYhyewhY+j3ooLdnmh55cZU9w1VO0PaSf2zGSmCUeIao77jWcnkEauK2RrYv\nq5yB6w54Q71+lp2jZil9e4IJP/WqcS1CtmKgiWLoZuWNJXDWaa8LbcgQfsxudn3X\nsgHaYnAdZJOaCsDS/ablKmUOLIiI3TBM6dkUlBUMK9OgAsu+wBdX521rK3u+NNVX\n3wIDAQAB\n-----END PUBLIC KEY-----"],"default_role":"root","namespace_in_state":false,"provider_config":{}}'
+        curl 'https://localhost:8210/v1/auth/kubernetes.test/role/root' -k -X POST -H 'X-Vault-Token: root' -H 'content-type: application/json; charset=utf-8' --data-raw '{"token_policies":["acme"],"role_type":"jwt","user_claim":"kubernetes.io/serviceaccount/service-account.uid","bound_subject":"system:serviceaccount:kong:gateway-kong"}'
+        curl 'https://localhost:8210/v1/sys/policies/acl/acme' -k -X PUT -H 'X-Vault-Token: root' -H 'Content-Type: application/json; charset=utf-8' --data-raw '{"name":"acme","policy":"path \"secret/*\" {\n  capabilities = [\"create\", \"read\", \"update\", \"delete\"]\n}"}'
 
     - name: Setup tools
       run: |
diff --git a/README.md b/README.md
@@ -553,8 +553,6 @@ storage_config = {
     port = 8200,
     -- secrets kv prefix path
     kv_path = "acme",
-    -- Vault token
-    token = nil,
     -- timeout in ms
     timeout = 2000,
     -- use HTTPS
@@ -563,6 +561,16 @@ storage_config = {
     tls_verify = true
     -- SNI used in request, default to host if omitted
     tls_server_name = nil,
+    -- Auth Method, default to token, can be "token" or "kubernetes"
+    auth_method = "token"
+    -- Vault token
+    token = nil,
+    -- Vault's authentication path to use
+    auth_path =  "kubernetes",
+    -- The role to try and assign
+    auth_role = nil,
+    -- The path to the JWT
+    jwt_path = "/var/run/secrets/kubernetes.io/serviceaccount/token",
 }
 ```
 
diff --git a/lib/resty/acme/storage/vault.lua b/lib/resty/acme/storage/vault.lua
@@ -3,6 +3,7 @@ local cjson = require "cjson.safe"
 
 local _M = {}
 local mt = {__index = _M}
+local auth
 
 local function valid_vault_key(key)
   local newstr, _ = ngx.re.gsub(key, [=[[/]]=], "-")
@@ -37,6 +38,10 @@ function _M.new(conf)
     {
       host = conf.host or "127.0.0.1",
       port = conf.port or 8200,
+      auth_method = string.lower(conf.auth_method or "token"),
+      auth_path = conf.auth_path or "kubernetes",
+      auth_role = conf.auth_role,
+      jwt_path = conf.jwt_path or "/var/run/secrets/kubernetes.io/serviceaccount/token",
       https = conf.https,
       tls_verify = tls_verify,
       tls_server_name = conf.tls_server_name,
@@ -47,9 +52,16 @@ function _M.new(conf)
     mt
   )
 
+  local token, err = auth(self, conf)
+
+  if err then
+    return nil, err
+  end
+
   self.headers = {
-    ["X-Vault-Token"] = conf.token,
+    ["X-Vault-Token"] = token
   }
+
   if self.https then
     if not self.tls_server_name then
       self.tls_server_name = self.host
@@ -114,6 +126,38 @@ local function api(self, method, uri, payload)
   return decoded, err
 end
 
+function auth(self, conf)
+  if self.auth_method == "token" then
+    return conf.token, nil
+  elseif self.auth_method ~= "kubernetes" then
+    return nil, "Unknown authentication method"
+  end
+
+  local file, err = io.open(self.jwt_path, "r")
+
+  if err then 
+    return nil, err
+  end
+
+  local token = file:read("*all")
+  file:close()
+
+  local response, err = api(self, "POST", "/v1/auth/" .. self.auth_path .. "/login", {
+    role = self.auth_role,
+    jwt = token
+  })
+
+  if err then 
+    return nil, err
+  end
+
+  if not response["auth"] or not response["auth"]["client_token"] then
+    return nil, "Could not authenticate"  
+  end
+
+  return response["auth"]["client_token"]
+end
+
 local function set_cas(self, k, v, cas, ttl)
   if ttl then
     if ttl > 0 and ttl < 1 then
diff --git a/t/storage/serviceaccount.jwt b/t/storage/serviceaccount.jwt
@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE1MTYyMzkwMjIsImV4cCI6OTk5OTk5OTk5OSwiaXNzIjoia3ViZXJuZXRlcy9zZXJ2aWNlYWNjb3VudCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvbmFtZXNwYWNlIjoia29uZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJnYXRld2F5LWtvbmctdG9rZW4tNWw5YmIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZ2F0ZXdheS1rb25nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZWJkOTlkYmUtMWJlZC00NDlmLWIzNzktMjBmNWY1ZDY5MjJhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omtvbmc6Z2F0ZXdheS1rb25nIn0.qitzPG8qtC-tTj4z6kdUo6g8sWO_94KIhFrafeuaziM3hdi_5bzKiCBKJkxiimN05VQ_4IoSgn0pZrwU8nwPu9Vzv9lRmI1guXiPifJeJzKu1vyZR_9OqnKb-RqRGlVmjibosuTfXe5de6MtCM5cm6NLfLUtVTeLRdFHkT4ZLvU1IlR0CnsD0szgjh8AjvJvXfWddvJ8EFShvlrsvCS_1SolTgF5Fkl4b7iQA5ToaOetC9Rq6XQNp2Qp2-Vw5pCIJ6kpAtU7FNc9Ufq6tuVIqvBxDDpanKIQJ5j_90Ytlh-xOlug8ObaRN2UqRZdogMPHsrb36U3iTnr7gaNuraIzw
diff --git a/t/storage/vault_kubernetes.t b/t/storage/vault_kubernetes.t
@@ -0,0 +1,108 @@
+# vim:set ft= ts=4 sw=4 et fdm=marker:
+
+use Test::Nginx::Socket::Lua 'no_plan';
+use Cwd qw(cwd);
+
+
+my $pwd = cwd();
+
+our $HttpConfig = qq{
+    lua_package_path "$pwd/lib/?.lua;$pwd/lib/?/init.lua;$pwd/../lib/?.lua;$pwd/../lib/?/init.lua;;";
+    init_by_lua_block {
+        _G.test_lib = require("resty.acme.storage.vault")
+    }
+};
+
+
+run_tests();
+
+__DATA__
+=== TEST 1: Vault authentication failed if no token or jwt provided
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local st = test_lib.new({
+                https = true,
+                tls_verify = false,
+                port = 8210,
+                kv_path = "secret/acme",
+            })
+            local err = st:set("keyssl1", "1")
+            ngx.say(err)
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"errors from vault: \\[\"missing client token\"\\]
+"
+--- no_error_log
+[error]
+
+
+=== TEST 2: Vault authenticate using kubernetes
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local st = test_lib.new({
+                https = true,
+                tls_verify = false,
+                auth_method = "kubernetes",
+                auth_path = "kubernetes.test",
+                jwt_path = "t/storage/serviceaccount.jwt",
+                auth_role = "root",
+                port = 8210,
+                kv_path = "secret/acme",
+            })
+            local err = st:set("keyssl2", "2")
+            ngx.say(err)
+            local v, err = st:get("keyssl2")
+            ngx.say(err)
+            ngx.say(v)
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"nil
+nil
+2
+"
+--- no_error_log
+[error]
+
+
+=== TEST 3: Vault authenticate using kubernetes (case-insensitivity test)
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local st = test_lib.new({
+                https = true,
+                tls_verify = false,
+                auth_method = "KuBeRnEtEs",
+                auth_path = "kubernetes.test",
+                jwt_path = "t/storage/serviceaccount.jwt",
+                auth_role = "root",
+                port = 8210,
+                kv_path = "secret/acme",
+            })
+            local err = st:set("keyssl3", "3")
+            ngx.say(err)
+            local v, err = st:get("keyssl3")
+            ngx.say(err)
+            ngx.say(v)
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"nil
+nil
+3
+"
+--- no_error_log
+[error]
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+eyJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE1MTYyMzkwMjIsImV4cCI6OTk5OTk5OTk5OSwiaXNzIjoia3ViZXJuZXRlcy9zZXJ2aWNlYWNjb3VudCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvbmFtZXNwYWNlIjoia29uZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJnYXRld2F5LWtvbmctdG9rZW4tNWw5YmIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZ2F0ZXdheS1rb25nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZWJkOTlkYmUtMWJlZC00NDlmLWIzNzktMjBmNWY1ZDY5MjJhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omtvbmc6Z2F0ZXdheS1rb25nIn0.qitzPG8qtC-tTj4z6kdUo6g8sWO_94KIhFrafeuaziM3hdi_5bzKiCBKJkxiimN05VQ_4IoSgn0pZrwU8nwPu9Vzv9lRmI1guXiPifJeJzKu1vyZR_9OqnKb-RqRGlVmjibosuTfXe5de6MtCM5cm6NLfLUtVTeLRdFHkT4ZLvU1IlR0CnsD0szgjh8AjvJvXfWddvJ8EFShvlrsvCS_1SolTgF5Fkl4b7iQA5ToaOetC9Rq6XQNp2Qp2-Vw5pCIJ6kpAtU7FNc9Ufq6tuVIqvBxDDpanKIQJ5j_90Ytlh-xOlug8ObaRN2UqRZdogMPHsrb36U3iTnr7gaNuraIzw