From bfd798a2f0f201daa9d4255cae2486d64d91cf8e Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 15:22:20 +0100 Subject: [PATCH 01/32] Create _auth_method_k8s.py --- plugins/module_utils/_auth_method_k8s.py | 46 ++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 plugins/module_utils/_auth_method_k8s.py diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py new file mode 100644 index 000000000..8773a9ae5 --- /dev/null +++ b/plugins/module_utils/_auth_method_k8s.py 
@@ -0,0 +1,46 @@ +# -*- coding: utf-8 -*- +# Copyright (c) 2021 FERREIRA Christophe (@chris93111) +# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) + +'''Python versions supported: all controller-side versions, all remote-side versions except 2.6''' + +# FOR INTERNAL COLLECTION USE ONLY +# The interfaces in this file are meant for use within the community.hashi_vault collection +# and may not remain stable to outside uses. Changes may be made in ANY release, even a bugfix release. +# See also: https://github.com/ansible/community/issues/539#issuecomment-780839686 +# Please open an issue if you have questions about this. + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase + + +class HashiVaultAuthMethodK8S(HashiVaultAuthMethodBase): + '''HashiVault option group class for auth: k8s''' + + NAME = 'k8s' + OPTIONS = ['jwt', 'role', 'mount_point'] + + def __init__(self, option_adapter, warning_callback): + super(HashiVaultAuthMethodK8S, self).__init__(option_adapter, warning_callback) + + def validate(self): + self.validate_by_required_fields('role') + + def authenticate(self, client, use_token=True): + params = self._options.get_filled_options(*self.OPTIONS) + if not params['jwt']: + # Mode in cluster fetch jwt in pods + try: + f = open('/var/run/secrets/kubernetes.io/serviceaccount/token') + jwt = f.read() + params['jwt'] = jwt + except: + raise NotImplementedError("Can't read jwt in /var/run/secrets/kubernetes.io/serviceaccount/token") + try: + response = client.auth_kubernetes(**params) + except (NotImplementedError, AttributeError): + raise NotImplementedError("K8S authentication requires HVAC version 0.8.0 or higher.") + + return response From f06534505ebafe2e7b5b949e0673fc69ca09604b Mon Sep 17 00:00:00 2001 
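Review bot: The in-cluster fallback in `authenticate` reads the service-account token with a bare `except:` and never closes the file it opened, so a permission error, a missing file and even a KeyboardInterrupt all collapse into the same `NotImplementedError`, which is the wrong exception type for a configuration problem and hides the real cause. Read it as `with open('/var/run/secrets/kubernetes.io/serviceaccount/token') as f: params['jwt'] = f.read().strip()` and catch `(IOError, OSError) as e`, re-raising a value error that names the path and the underlying reason. The `.strip()` matters because a trailing newline, if the file has one, would otherwise be sent to Vault as part of the JWT. Keep the token value itself out of any error message, since it is a credential.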
From: chris93111 Date: Sun, 13 Feb 2022 20:45:39 +0100 Subject: [PATCH 02/32] add k8s auth --- plugins/module_utils/_authenticator.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/plugins/module_utils/_authenticator.py b/plugins/module_utils/_authenticator.py index 0a6786de8..d73e72c4a 100644 --- a/plugins/module_utils/_authenticator.py +++ b/plugins/module_utils/_authenticator.py @@ -22,6 +22,7 @@ from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_none import HashiVaultAuthMethodNone from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_token import HashiVaultAuthMethodToken from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_userpass import HashiVaultAuthMethodUserpass +from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_k8s import HashiVaultAuthMethodK8S class HashiVaultAuthenticator(): @@ -36,6 +37,7 @@ class HashiVaultAuthenticator(): 'jwt', 'cert', 'none', + 'k8s', ]), mount_point=dict(type='str'), token=dict(type='str', no_log=True, default=None), @@ -55,6 +57,7 @@ class HashiVaultAuthenticator(): aws_iam_server_id=dict(type='str'), cert_auth_private_key=dict(type='path', no_log=False), cert_auth_public_key=dict(type='path'), + role=dict(type='str'), ) def __init__(self, option_adapter, warning_callback): @@ -66,6 +69,7 @@ def __init__(self, option_adapter, warning_callback): 'aws_iam': HashiVaultAuthMethodAwsIam(option_adapter, warning_callback), 'cert': HashiVaultAuthMethodCert(option_adapter, warning_callback), 'jwt': HashiVaultAuthMethodJwt(option_adapter, warning_callback), + 'k8s': HashiVaultAuthMethodK8S(option_adapter, warning_callback), 'ldap': HashiVaultAuthMethodLdap(option_adapter, warning_callback), 'none': HashiVaultAuthMethodNone(option_adapter, warning_callback), 'token': HashiVaultAuthMethodToken(option_adapter, warning_callback), From 4a5e2457c4119636dab470bfe6ec59155643585b Mon Sep 17 00:00:00 2001 
From: chris93111 Date: Sun, 13 Feb 2022 20:47:33 +0100 Subject: [PATCH 03/32] Add role params for k8s auth --- plugins/lookup/hashi_vault.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/plugins/lookup/hashi_vault.py b/plugins/lookup/hashi_vault.py index 8d35d2f1b..7815f73f4 100644 --- a/plugins/lookup/hashi_vault.py +++ b/plugins/lookup/hashi_vault.py @@ -181,6 +181,18 @@ - section: hashi_vault_collection key: token_validate version_added: 1.4.0 + role: + ini: + - section: lookup_hashi_vault + key: role + deprecated: + why: collection-wide config section + version: 3.0.0 + collection_name: community.hashi_vault + alternatives: use section [hashi_vault_collection] + - section: hashi_vault_collection + key: role + version_added: 2.3.0 role_id: ini: - section: lookup_hashi_vault From e1d3581948191da90d74e6650688b24c7f92a15e Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 20:49:11 +0100 Subject: [PATCH 04/32] Update auth.py --- plugins/doc_fragments/auth.py | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index c64e6fe98..35c2f2f6e 100644 --- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py @@ -27,6 +27,7 @@ class ModuleDocFragment(object): - jwt - cert - none + - k8s default: token type: str mount_point: From 1355f7d907c06bf73d9d6f526310c48667ae681c Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 20:49:49 +0100 Subject: [PATCH 05/32] use role_id --- plugins/lookup/hashi_vault.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/plugins/lookup/hashi_vault.py b/plugins/lookup/hashi_vault.py index 7815f73f4..8d35d2f1b 100644 --- a/plugins/lookup/hashi_vault.py +++ b/plugins/lookup/hashi_vault.py 
@@ -181,18 +181,6 @@ - section: hashi_vault_collection key: token_validate version_added: 1.4.0 - role: - ini: - - section: lookup_hashi_vault - key: role - deprecated: - why: collection-wide config section - version: 3.0.0 - collection_name: community.hashi_vault - alternatives: use section [hashi_vault_collection] - - section: hashi_vault_collection - key: role - version_added: 2.3.0 role_id: ini: - section: lookup_hashi_vault From 1c344ef261c622cea0845ff727a9968082620cb5 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 20:53:03 +0100 Subject: [PATCH 06/32] use role_id --- plugins/module_utils/_auth_method_k8s.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 8773a9ae5..9b677ee06 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py @@ -20,13 +20,13 @@ class HashiVaultAuthMethodK8S(HashiVaultAuthMethodBase): '''HashiVault option group class for auth: k8s''' NAME = 'k8s' - OPTIONS = ['jwt', 'role', 'mount_point'] + OPTIONS = ['jwt', 'role_id', 'mount_point'] def __init__(self, option_adapter, warning_callback): super(HashiVaultAuthMethodK8S, self).__init__(option_adapter, warning_callback) def validate(self): - self.validate_by_required_fields('role') + self.validate_by_required_fields('role_id') def authenticate(self, client, use_token=True): params = self._options.get_filled_options(*self.OPTIONS) @@ -38,6 +38,8 @@ def authenticate(self, client, use_token=True): params['jwt'] = jwt except: raise NotImplementedError("Can't read jwt in /var/run/secrets/kubernetes.io/serviceaccount/token") + params['role'] = params.pop('role_id') + try: response = client.auth_kubernetes(**params) except (NotImplementedError, AttributeError): From 86293c0c6e178d6a9e2184d06b820c320a446ff1 Mon Sep 17 00:00:00 2001 
From: chris93111 Date: Sun, 13 Feb 2022 20:53:24 +0100 Subject: [PATCH 07/32] Update _authenticator.py --- plugins/module_utils/_authenticator.py | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/module_utils/_authenticator.py b/plugins/module_utils/_authenticator.py index d73e72c4a..b685edd2d 100644 --- a/plugins/module_utils/_authenticator.py +++ b/plugins/module_utils/_authenticator.py @@ -57,7 +57,6 @@ class HashiVaultAuthenticator(): aws_iam_server_id=dict(type='str'), cert_auth_private_key=dict(type='path', no_log=False), cert_auth_public_key=dict(type='path'), - role=dict(type='str'), ) def __init__(self, option_adapter, warning_callback): From 38c583386978bfb349cbfde918f8d2dee96d1a1a Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 20:58:23 +0100 Subject: [PATCH 08/32] swith to role_id --- plugins/module_utils/_auth_method_k8s.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 9b677ee06..a19b15d86 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py @@ -30,7 +30,7 @@ def validate(self): def authenticate(self, client, use_token=True): params = self._options.get_filled_options(*self.OPTIONS) - if not params['jwt']: + if not params.get('jwt'): # Mode in cluster fetch jwt in pods try: f = open('/var/run/secrets/kubernetes.io/serviceaccount/token') From 6a41d728e0be45b62360f56b1c7fe4b94b9132c0 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 22:58:38 +0100 Subject: [PATCH 09/32] Update plugins/module_utils/_auth_method_k8s.py Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com> --- plugins/module_utils/_auth_method_k8s.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index a19b15d86..e375d1ec9 100644 --- a/plugins/module_utils/_auth_method_k8s.py 
+++ b/plugins/module_utils/_auth_method_k8s.py @@ -2,7 +2,7 @@ # Copyright (c) 2021 FERREIRA Christophe (@chris93111) # Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) -'''Python versions supported: all controller-side versions, all remote-side versions except 2.6''' +'''Python versions supported: >=3.6''' # FOR INTERNAL COLLECTION USE ONLY # The interfaces in this file are meant for use within the community.hashi_vault collection From 19df02fd3240745062235dd7f5770d4fbaf49708 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 23:03:49 +0100 Subject: [PATCH 10/32] change k8s to kubernetes --- plugins/module_utils/_auth_method_k8s.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index e375d1ec9..46b64f573 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py 
@@ -16,26 +16,26 @@ from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase -class HashiVaultAuthMethodK8S(HashiVaultAuthMethodBase): +class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase): '''HashiVault option group class for auth: k8s''' - NAME = 'k8s' - OPTIONS = ['jwt', 'role_id', 'mount_point'] + NAME = 'kubernetes' + OPTIONS = ['kubernetes_token', 'role_id', 'mount_point'] def __init__(self, option_adapter, warning_callback): - super(HashiVaultAuthMethodK8S, self).__init__(option_adapter, warning_callback) + super(HashiVaultAuthMethodKubernetes, self).__init__(option_adapter, warning_callback) def validate(self): self.validate_by_required_fields('role_id') def authenticate(self, client, use_token=True): params = self._options.get_filled_options(*self.OPTIONS) - if not params.get('jwt'): + if not params.get('kubernetes_token'): # Mode in cluster fetch jwt in pods try: f = open('/var/run/secrets/kubernetes.io/serviceaccount/token') jwt = f.read() - params['jwt'] = jwt + params['kubernetes_token'] = jwt except: raise NotImplementedError("Can't read jwt in /var/run/secrets/kubernetes.io/serviceaccount/token") params['role'] = params.pop('role_id') @@ -43,6 +43,6 @@ def authenticate(self, client, use_token=True): try: response = client.auth_kubernetes(**params) except (NotImplementedError, AttributeError): - raise NotImplementedError("K8S authentication requires HVAC version 0.8.0 or higher.") + raise NotImplementedError("Kubernetes authentication requires HVAC version 0.8.0 or higher.") return response From 24c960f7f02538e82358ac79c58bbbdcccf1bbca Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 23:06:45 +0100 Subject: [PATCH 11/32] kubernetes_token --- plugins/doc_fragments/auth.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index 35c2f2f6e..3b6d69d03 100644 
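Review bot: The class docstring kept as context at the top of the hunk still reads `'''HashiVault option group class for auth: k8s'''` while `NAME` becomes `'kubernetes'` and the class is renamed, so the docstring now names an auth-method string that no longer exists in the code. Update it to `'''HashiVault option group class for auth: kubernetes'''`. The module itself stays `_auth_method_k8s.py`; if the sibling modules are named after their `NAME` value, `_auth_method_kubernetes.py` would follow that pattern, but that is a convention question rather than a defect.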
--- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py @@ -27,7 +27,7 @@ class ModuleDocFragment(object): - jwt - cert - none - - k8s + - kubernetes default: token type: str mount_point: @@ -73,6 +73,9 @@ class ModuleDocFragment(object): jwt: description: The JSON Web Token (JWT) to use for JWT authentication to Vault. type: str + kubernetes_token: + description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault. + type: str aws_profile: description: The AWS profile type: str From ecb09ae5e3a577c869a19cf7c4ce741ee54aa1ca Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 23:08:06 +0100 Subject: [PATCH 12/32] k8s to kubernetes + kubernetes_token --- plugins/module_utils/_authenticator.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugins/module_utils/_authenticator.py b/plugins/module_utils/_authenticator.py index b685edd2d..dfe6b2740 100644 --- a/plugins/module_utils/_authenticator.py +++ b/plugins/module_utils/_authenticator.py @@ -22,7 +22,7 @@ from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_none import HashiVaultAuthMethodNone from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_token import HashiVaultAuthMethodToken from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_userpass import HashiVaultAuthMethodUserpass -from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_k8s import HashiVaultAuthMethodK8S +from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_k8s import HashiVaultAuthMethodKubernetes class HashiVaultAuthenticator(): @@ -37,7 +37,7 @@ class HashiVaultAuthenticator(): 'jwt', 'cert', 'none', - 'k8s', + 'kubernetes', ]), mount_point=dict(type='str'), token=dict(type='str', no_log=True, default=None), 
@@ -49,6 +49,7 @@ class HashiVaultAuthenticator(): role_id=dict(type='str'), secret_id=dict(type='str', no_log=True), jwt=dict(type='str', no_log=True), + kubernetes_token=dict(type='str', no_log=True), aws_profile=dict(type='str', aliases=['boto_profile']), aws_access_key=dict(type='str', aliases=['aws_access_key_id'], no_log=False), aws_secret_key=dict(type='str', aliases=['aws_secret_access_key'], no_log=True), @@ -68,7 +69,7 @@ def __init__(self, option_adapter, warning_callback): 'aws_iam': HashiVaultAuthMethodAwsIam(option_adapter, warning_callback), 'cert': HashiVaultAuthMethodCert(option_adapter, warning_callback), 'jwt': HashiVaultAuthMethodJwt(option_adapter, warning_callback), - 'k8s': HashiVaultAuthMethodK8S(option_adapter, warning_callback), + 'kubernetes': HashiVaultAuthMethodKubernetes(option_adapter, warning_callback), 'ldap': HashiVaultAuthMethodLdap(option_adapter, warning_callback), 'none': HashiVaultAuthMethodNone(option_adapter, warning_callback), 'token': HashiVaultAuthMethodToken(option_adapter, warning_callback), From 6c62724006029980918eec91019325a2c826f511 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 23:26:43 +0100 Subject: [PATCH 13/32] add same validate of token auth --- plugins/module_utils/_auth_method_k8s.py | 26 ++++++++++++++---------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 46b64f573..62ddfc13e 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py 
@@ -20,25 +20,29 @@ class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase): '''HashiVault option group class for auth: k8s''' NAME = 'kubernetes' - OPTIONS = ['kubernetes_token', 'role_id', 'mount_point'] + OPTIONS = ['kubernetes_token', 'kubernetes_token_path', 'role_id', 'mount_point'] def __init__(self, option_adapter, warning_callback): super(HashiVaultAuthMethodKubernetes, self).__init__(option_adapter, warning_callback) def validate(self): self.validate_by_required_fields('role_id') - + + if self._options.get_option_default('kubernetes_token') is None and self._options.get_option_default('kubernetes_token_path') is not None: + token_filename = self._options.get_option('kubernetes_token_path') + if os.path.exists(token_filename): + if not os.path.isfile(token_filename): + raise HashiVaultValueError("The Kubernetes token file '%s' was found but is not a file." % token_filename) + with open(token_filename) as token_file: + self._options.set_option('kubernetes_token', token_file.read().strip()) + + if self._options.get_option_default('kubernetes_token') is None: + raise HashiVaultValueError("No Kubernetes Token specified or discovered.") + + params['role'] = params.pop('role_id') + def authenticate(self, client, use_token=True): params = self._options.get_filled_options(*self.OPTIONS) - if not params.get('kubernetes_token'): - # Mode in cluster fetch jwt in pods - try: - f = open('/var/run/secrets/kubernetes.io/serviceaccount/token') - jwt = f.read() - params['kubernetes_token'] = jwt - except: - raise NotImplementedError("Can't read jwt in /var/run/secrets/kubernetes.io/serviceaccount/token") - params['role'] = params.pop('role_id') try: response = client.auth_kubernetes(**params) From 835233717c6e2d606e614bcf4fca675795aab796 Mon Sep 17 00:00:00 2001 
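Review bot: The new `with open(token_filename) as token_file:` in `validate` has no error handling, so a token file that exists but is unreadable (the usual case for a mounted secret with restrictive permissions) surfaces as a raw `IOError`/`OSError` traceback instead of the collection's `HashiVaultValueError` that the surrounding checks raise. Wrap the read in `try:` / `except (IOError, OSError) as e:` / `raise HashiVaultValueError("The Kubernetes token file '%s' could not be read: %s" % (token_filename, e))`, which reports the path but never the token contents. As far as this hunk shows, `validate` also ends with `params['role'] = params.pop('role_id')` where `params` is never defined, so every call would raise `NameError` before reaching authentication, and `os` and `HashiVaultValueError` are used without a visible import; both need fixing in this commit for it to run.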
From: chris93111 Date: Sun, 13 Feb 2022 23:33:20 +0100 Subject: [PATCH 14/32] add doc on params kubernetes_token_path --- plugins/doc_fragments/auth.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index 3b6d69d03..dca93ff4e 100644 --- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py @@ -76,6 +76,10 @@ class ModuleDocFragment(object): kubernetes_token: description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault. type: str + kubernetes_token_path + description: If no kubernetes_token is specified, will try to read the token from this path. + default: '/var/run/secrets/kubernetes.io/serviceaccount/token' + type: str aws_profile: description: The AWS profile type: str @@ -249,4 +253,22 @@ class ModuleDocFragment(object): ini: - section: hashi_vault_collection key: cert_auth_private_key + kubernetes_token: + env: + - name: ANSIBLE_HASHI_VAULT_KUBERENTES_TOKEN + version_added: 0.2.3 + vars: + - name: ansible_hashi_vault_kubernetes_token + version_added: 1.2.0 + kubernetes_token_path: + env: + - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN_PATH + version_added: 0.2.3 + ini: + - section: hashi_vault_collection + key: kubernetes_token_path + version_added: 2.3.0 + vars: + - name: ansible_hashi_vault_kubernetes_token_path + version_added: 2.3.0 ''' From ee819aa001db943315d902d9fdf5b5eaf0ac0c1c Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 23:44:16 +0100 Subject: [PATCH 15/32] add kubernetes_token_path --- plugins/module_utils/_authenticator.py | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/module_utils/_authenticator.py b/plugins/module_utils/_authenticator.py index dfe6b2740..07bcaf5e6 100644 --- a/plugins/module_utils/_authenticator.py +++ b/plugins/module_utils/_authenticator.py 
@@ -50,6 +50,7 @@ class HashiVaultAuthenticator(): secret_id=dict(type='str', no_log=True), jwt=dict(type='str', no_log=True), kubernetes_token=dict(type='str', no_log=True), + kubernetes_token_path=dict(type='str', default='/var/run/secrets/kubernetes.io/serviceaccount/token', no_log=False), aws_profile=dict(type='str', aliases=['boto_profile']), aws_access_key=dict(type='str', aliases=['aws_access_key_id'], no_log=False), aws_secret_key=dict(type='str', aliases=['aws_secret_access_key'], no_log=True), From bb55aedc5570e5ee5dfa4f0927590edcb22621ce Mon Sep 17 00:00:00 2001 From: chris93111 Date: Sun, 13 Feb 2022 23:54:58 +0100 Subject: [PATCH 16/32] add HashiVaultValueError --- plugins/module_utils/_auth_method_k8s.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 62ddfc13e..a375163db 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py @@ -13,8 +13,10 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase - +from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import ( + HashiVaultAuthMethodBase, + HashiVaultValueError, +) class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase): '''HashiVault option group class for auth: k8s''' From 0e68f9f586c7f9d3f201953f9892a1108dc1c591 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Mon, 14 Feb 2022 00:20:28 +0100 Subject: [PATCH 17/32] Update hashi_vault.py --- plugins/lookup/hashi_vault.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/plugins/lookup/hashi_vault.py b/plugins/lookup/hashi_vault.py index 8d35d2f1b..099a2b4da 100644 --- a/plugins/lookup/hashi_vault.py +++ b/plugins/lookup/hashi_vault.py 
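Review bot: `kubernetes_token_path` is declared `type='str'` while the other filesystem options in this argspec, `cert_auth_private_key` and `cert_auth_public_key`, use `type='path'`, so `~` and environment variables in a user-supplied token path would not be expanded for this one option. Declare it as `kubernetes_token_path=dict(type='path', default='/var/run/secrets/kubernetes.io/serviceaccount/token', no_log=False)` and change the doc fragment's `type: str` for the same option to `type: path` so the two agree. `no_log=False` is the right choice here: the path is not a secret, and leaving it unmasked keeps the resulting error messages readable.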
@@ -205,6 +205,30 @@ - section: hashi_vault_collection key: aws_iam_server_id version_added: 1.4.0 + kubernetes_token: + ini: + - section: lookup_hashi_vault + key: kubernetes_token + deprecated: + why: collection-wide config section + version: 3.0.0 + collection_name: community.hashi_vault + alternatives: use section [hashi_vault_collection] + - section: hashi_vault_collection + key: kubernetes_token + version_added: 2.3.0 + kubernetes_token_path: + ini: + - section: lookup_hashi_vault + key: kubernetes_token_path + deprecated: + why: collection-wide config section + version: 3.0.0 + collection_name: community.hashi_vault + alternatives: use section [hashi_vault_collection] + - section: hashi_vault_collection + key: token_path + version_added: 2.3.0 """ EXAMPLES = """ From 963417f19e6622df0d0313f07e3ea73d7728eb36 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Mon, 14 Feb 2022 01:35:04 +0100 Subject: [PATCH 18/32] fix --- plugins/module_utils/_auth_method_k8s.py | 25 ++++++++++++------------ 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index a375163db..41174157c 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py @@ -13,10 +13,8 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import ( - HashiVaultAuthMethodBase, - HashiVaultValueError, -) +from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase, HashiVaultValueError +import os class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase): '''HashiVault option group class for auth: k8s''' 
@@ -29,8 +27,8 @@ def __init__(self, option_adapter, warning_callback): def validate(self): self.validate_by_required_fields('role_id') - - if self._options.get_option_default('kubernetes_token') is None and self._options.get_option_default('kubernetes_token_path') is not None: + + if self._options.get_option('kubernetes_token') is None and self._options.get_option('kubernetes_token_path') is not None: token_filename = self._options.get_option('kubernetes_token_path') if os.path.exists(token_filename): if not os.path.isfile(token_filename): @@ -38,14 +36,15 @@ def validate(self): with open(token_filename) as token_file: self._options.set_option('kubernetes_token', token_file.read().strip()) - if self._options.get_option_default('kubernetes_token') is None: - raise HashiVaultValueError("No Kubernetes Token specified or discovered.") - - params['role'] = params.pop('role_id') - + if self._options.get_option('kubernetes_token') is None: + raise HashiVaultValueError(self._options.get_option('kubernetes_token')+self._options.get_option_default('kubernetes_token_path')+"No Kubernetes Token specified or discovered.") + def authenticate(self, client, use_token=True): - params = self._options.get_filled_options(*self.OPTIONS) - + origin_params = self._options.get_filled_options(*self.OPTIONS) + params = {"role": origin_params.get('role_id'), + "jwt": origin_params.get('kubernetes_token'), + "mount_point": origin_params.get('mount_point')} + try: response = client.auth_kubernetes(**params) except (NotImplementedError, AttributeError): From 6f5a77f6685f18865723bfbf8e9677809016b899 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Mon, 14 Feb 2022 01:38:38 +0100 Subject: [PATCH 19/32] fix --- plugins/doc_fragments/auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index dca93ff4e..bc874d092 100644 --- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py 
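Review bot: `authenticate` now builds the hvac call with `"mount_point": origin_params.get('mount_point')`, which passes an explicit `None` whenever the option is unset and so overrides hvac's own default mount path rather than omitting the argument, as the previous `**params` spread of `get_filled_options` did (assuming `get_filled_options` leaves unset options out, which the earlier switch from `params['jwt']` to `params.get('jwt')` suggests). Build the dict from what is present, e.g. `params = {'role': origin_params['role_id'], 'jwt': origin_params['kubernetes_token']}` followed by `if 'mount_point' in origin_params: params['mount_point'] = origin_params['mount_point']`. Separately, the new `HashiVaultValueError` message concatenates `self._options.get_option('kubernetes_token')`, which is `None` on exactly the branch that raises, so the `raise` itself fails with a `TypeError` before the intended message is shown; drop the token from the message entirely (it is a credential) and report only the path. The body of `authenticate` continues past the end of this hunk.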
@@ -76,7 +76,7 @@ class ModuleDocFragment(object): kubernetes_token: description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault. type: str - kubernetes_token_path + kubernetes_token_path: description: If no kubernetes_token is specified, will try to read the token from this path. default: '/var/run/secrets/kubernetes.io/serviceaccount/token' type: str From bc662bb1de05ee717c4a7981f68ff9afb6afa66c Mon Sep 17 00:00:00 2001 From: chris93111 Date: Mon, 14 Feb 2022 02:01:13 +0100 Subject: [PATCH 20/32] Update auth.py --- plugins/doc_fragments/auth.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index bc874d092..bdc5dd9bb 100644 --- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py @@ -255,15 +255,15 @@ class ModuleDocFragment(object): key: cert_auth_private_key kubernetes_token: env: - - name: ANSIBLE_HASHI_VAULT_KUBERENTES_TOKEN - version_added: 0.2.3 + - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN + version_added: 2.3.0 vars: - name: ansible_hashi_vault_kubernetes_token - version_added: 1.2.0 + version_added: 2.3.0 kubernetes_token_path: env: - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN_PATH - version_added: 0.2.3 + version_added: 2.3.0 ini: - section: hashi_vault_collection key: kubernetes_token_path From fcc80b3319ef6f22ef45bd8f2af15692ab4d82cd Mon Sep 17 00:00:00 2001 From: chris93111 Date: Wed, 16 Feb 2022 13:39:09 +0100 Subject: [PATCH 21/32] Update plugins/lookup/hashi_vault.py Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com> --- plugins/lookup/hashi_vault.py | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/plugins/lookup/hashi_vault.py b/plugins/lookup/hashi_vault.py index 099a2b4da..8d35d2f1b 100644 --- a/plugins/lookup/hashi_vault.py +++ b/plugins/lookup/hashi_vault.py 
@@ -205,30 +205,6 @@ - section: hashi_vault_collection key: aws_iam_server_id version_added: 1.4.0 - kubernetes_token: - ini: - - section: lookup_hashi_vault - key: kubernetes_token - deprecated: - why: collection-wide config section - version: 3.0.0 - collection_name: community.hashi_vault - alternatives: use section [hashi_vault_collection] - - section: hashi_vault_collection - key: kubernetes_token - version_added: 2.3.0 - kubernetes_token_path: - ini: - - section: lookup_hashi_vault - key: kubernetes_token_path - deprecated: - why: collection-wide config section - version: 3.0.0 - collection_name: community.hashi_vault - alternatives: use section [hashi_vault_collection] - - section: hashi_vault_collection - key: token_path - version_added: 2.3.0 """ EXAMPLES = """ From 2ad261876445a39ba5bb89bef4f576c74086683a Mon Sep 17 00:00:00 2001 From: chris93111 Date: Wed, 16 Feb 2022 13:39:21 +0100 Subject: [PATCH 22/32] Update plugins/doc_fragments/auth.py Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com> --- plugins/doc_fragments/auth.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index bdc5dd9bb..fc2ae726d 100644 --- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py @@ -76,10 +76,12 @@ class ModuleDocFragment(object): kubernetes_token: description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault. type: str + version_added: 2.4.0 kubernetes_token_path: description: If no kubernetes_token is specified, will try to read the token from this path. default: '/var/run/secrets/kubernetes.io/serviceaccount/token' type: str + version_added: 2.4.0 aws_profile: description: The AWS profile type: str From 2ca793b3cc2be4d7ff8b0bfb9e8592154ccd85db Mon Sep 17 00:00:00 2001 
From: chris93111 Date: Wed, 16 Feb 2022 13:39:34 +0100 Subject: [PATCH 23/32] Update plugins/doc_fragments/auth.py Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com> --- plugins/doc_fragments/auth.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py index fc2ae726d..0e627444a 100644 --- a/plugins/doc_fragments/auth.py +++ b/plugins/doc_fragments/auth.py @@ -258,19 +258,14 @@ class ModuleDocFragment(object): kubernetes_token: env: - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN - version_added: 2.3.0 vars: - name: ansible_hashi_vault_kubernetes_token - version_added: 2.3.0 kubernetes_token_path: env: - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN_PATH - version_added: 2.3.0 ini: - section: hashi_vault_collection key: kubernetes_token_path - version_added: 2.3.0 vars: - name: ansible_hashi_vault_kubernetes_token_path - version_added: 2.3.0 ''' From 42d7f719fb2ad9016e35da8f3c67d6098281d182 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Wed, 16 Feb 2022 13:48:05 +0100 Subject: [PATCH 24/32] change to auth.kubernetes + switch depracated --- plugins/module_utils/_auth_method_k8s.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 41174157c..28ecfe8c8 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py 
@@ -46,8 +46,9 @@ def authenticate(self, client, use_token=True): "mount_point": origin_params.get('mount_point')} try: - response = client.auth_kubernetes(**params) + response = client.auth.kubernetes(**params) except (NotImplementedError, AttributeError): - raise NotImplementedError("Kubernetes authentication requires HVAC version 0.8.0 or higher.") - + self.warn("Kubernetes authentication requires HVAC version 1.0.0 or higher. Deprecated method 'auth_kubernetes' will be used.") + response = client.auth_kubernetes(**params) + return response From 0bf56f7a3fd92e69aeb5a51876ceb38236c21d70 Mon Sep 17 00:00:00 2001 From: chris93111 Date: Wed, 16 Feb 2022 13:49:32 +0100 Subject: [PATCH 25/32] fix login --- plugins/module_utils/_auth_method_k8s.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 28ecfe8c8..9efd44ee7 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py @@ -46,7 +46,7 @@ def authenticate(self, client, use_token=True): "mount_point": origin_params.get('mount_point')} try: - response = client.auth.kubernetes(**params) + response = client.auth.kubernetes.login(**params) except (NotImplementedError, AttributeError): self.warn("Kubernetes authentication requires HVAC version 1.0.0 or higher. Deprecated method 'auth_kubernetes' will be used.") response = client.auth_kubernetes(**params) From 79c21e22d1fe67a102e8764e8b0b39227d516e2c Mon Sep 17 00:00:00 2001 From: chris93111 Date: Wed, 16 Feb 2022 13:53:02 +0100 Subject: [PATCH 26/32] use_token --- plugins/module_utils/_auth_method_k8s.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py index 9efd44ee7..37c33425f 100644 --- a/plugins/module_utils/_auth_method_k8s.py +++ b/plugins/module_utils/_auth_method_k8s.py 
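Review bot: The fallback catches `(NotImplementedError, AttributeError)` around the whole `client.auth.kubernetes.login(**params)` call, so an `AttributeError` raised inside hvac while the request is in flight, not just the missing `auth.kubernetes` attribute on an older hvac, is misreported as an old library version and triggers a second login that re-sends the JWT to Vault through the deprecated method. Resolve which callable to use before the network call and then call it exactly once, as sketched below. The warning pins the requirement to "HVAC version 1.0.0 or higher"; nothing in the diff establishes that number, so it is worth confirming against hvac's changelog before it ships in a user-facing message. `authenticate` begins above this hunk.

```python
    try:
        login = client.auth.kubernetes.login
    except AttributeError:
        self.warn("Kubernetes authentication requires HVAC version 1.0.0 or higher. Deprecated method 'auth_kubernetes' will be used.")
        login = client.auth_kubernetes
    response = login(**params)
```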
@@ -43,7 +43,8 @@ def authenticate(self, client, use_token=True):
origin_params = self._options.get_filled_options(*self.OPTIONS)
params = {"role": origin_params.get('role_id'),
"jwt": origin_params.get('kubernetes_token'),
- "mount_point": origin_params.get('mount_point')}
+ "mount_point": origin_params.get('mount_point'),
+ "use_token": use_token}
try:
response = client.auth.kubernetes.login(**params)
From d9c856b299b4e1d2da1f4e2cf89d707bf24777f8 Mon Sep 17 00:00:00 2001
From: chris93111
Date: Fri, 4 Mar 2022 11:25:35 +0100
Subject: [PATCH 27/32] lint

---
plugins/module_utils/_auth_method_k8s.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py
index 37c33425f..db612a17b 100644
--- a/plugins/module_utils/_auth_method_k8s.py
+++ b/plugins/module_utils/_auth_method_k8s.py
@@ -16,6 +16,7 @@ from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase, HashiVaultValueError
import os
+
class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase):
'''HashiVault option group class for auth: k8s'''
@@ -37,7 +38,9 @@ def validate(self):
self._options.set_option('kubernetes_token', token_file.read().strip())
if self._options.get_option('kubernetes_token') is None:
- raise HashiVaultValueError(self._options.get_option('kubernetes_token')+self._options.get_option_default('kubernetes_token_path')+"No Kubernetes Token specified or discovered.")
+ raise HashiVaultValueError(self._options.get_option('kubernetes_token') +
+ self._options.get_option_default('kubernetes_token_path') +
+ "No Kubernetes Token specified or discovered.")
def authenticate(self, client, use_token=True):
origin_params = self._options.get_filled_options(*self.OPTIONS) 
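Review bot: The `params` dict now forwards `use_token` along with a renamed option (`role_id` becomes the Vault `role` argument) and the service-account JWT, but `authenticate` carries no docstring or comment explaining this mapping, and the same dict is also splatted into the deprecated fallback call that sits below this hunk, so the two call sites must keep accepting identical keyword arguments. A short comment above the literal would make that contract explicit, e.g. `# keys mirror the hvac login signature; 'role_id' maps to Vault's 'role', the JWT is a credential and must never be logged`. `authenticate` begins just before this hunk and its fallback path lies after it.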
@@ -51,5 +54,5 @@ def authenticate(self, client, use_token=True):
except (NotImplementedError, AttributeError):
self.warn("Kubernetes authentication requires HVAC version 1.0.0 or higher. Deprecated method 'auth_kubernetes' will be used.")
response = client.auth_kubernetes(**params)
-
+
return response
From ee611ed9b11f772ff0a568f25bfc5b700f17f5b1 Mon Sep 17 00:00:00 2001
From: chris93111
Date: Fri, 4 Mar 2022 11:43:43 +0100
Subject: [PATCH 28/32] fix error with no token found

---
plugins/module_utils/_auth_method_k8s.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py
index db612a17b..91fe3bb7a 100644
--- a/plugins/module_utils/_auth_method_k8s.py
+++ b/plugins/module_utils/_auth_method_k8s.py
@@ -38,9 +38,8 @@ def validate(self):
self._options.set_option('kubernetes_token', token_file.read().strip())
if self._options.get_option('kubernetes_token') is None:
- raise HashiVaultValueError(self._options.get_option('kubernetes_token') +
- self._options.get_option_default('kubernetes_token_path') +
- "No Kubernetes Token specified or discovered.")
+ raise HashiVaultValueError(self._options.get_option_default('kubernetes_token_path') +
+ " No Kubernetes Token specified or discovered.")
def authenticate(self, client, use_token=True):
origin_params = self._options.get_filled_options(*self.OPTIONS)
From f33bcc4f63f3baf5b37fffbb41a4ba37813b7877 Mon Sep 17 00:00:00 2001
From: chris93111
Date: Sat, 5 Mar 2022 19:35:14 +0100
Subject: [PATCH 29/32] lint

---
plugins/doc_fragments/auth.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py
index 0e627444a..1619d1f0e 100644
--- a/plugins/doc_fragments/auth.py
+++ b/plugins/doc_fragments/auth.py
@@ -26,8 +26,8 @@ class ModuleDocFragment(object):
- aws_iam_login
- jwt
- cert
- - none
- kubernetes
+ - none
default: token
type: str
mount_point: 
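Review bot: In the PATCH 28/32 `@@ -38,9 +38,8 @@` hunk the rewritten error message is built from `get_option_default('kubernetes_token_path')`, so when a user configures a custom `kubernetes_token_path` the exception names the default file rather than the path that was actually read, which sends the operator to the wrong place when a token is missing; the prefix-plus-message concatenation also produces an unlabelled path glued to the sentence. Using the configured value in a formatted string fixes both: `raise HashiVaultValueError("No Kubernetes Token specified or discovered (checked path: %s)." % self._options.get_option('kubernetes_token_path'))`. The `with open(...)` that populates `kubernetes_token` from that file sits above the hunk, so `validate` begins outside it.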
From 27f9283701ac171cc753f7a98f4e0bd3615a96f4 Mon Sep 17 00:00:00 2001
From: chris93111
Date: Sat, 5 Mar 2022 19:36:26 +0100
Subject: [PATCH 30/32] lint

---
plugins/module_utils/_authenticator.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/module_utils/_authenticator.py b/plugins/module_utils/_authenticator.py
index 07bcaf5e6..082e762d5 100644
--- a/plugins/module_utils/_authenticator.py
+++ b/plugins/module_utils/_authenticator.py
@@ -36,8 +36,8 @@ class HashiVaultAuthenticator():
'aws_iam_login',
'jwt',
'cert',
- 'none',
'kubernetes',
+ 'none',
]),
mount_point=dict(type='str'),
token=dict(type='str', no_log=True, default=None),
From 897fe879229af3fd15669ae00e4e13512169f121 Mon Sep 17 00:00:00 2001
From: chris93111
Date: Fri, 1 Apr 2022 12:56:31 +0200
Subject: [PATCH 31/32] lint

---
plugins/module_utils/_auth_method_k8s.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py
index 91fe3bb7a..cf8d146b2 100644
--- a/plugins/module_utils/_auth_method_k8s.py
+++ b/plugins/module_utils/_auth_method_k8s.py
@@ -38,7 +38,7 @@ def validate(self):
self._options.set_option('kubernetes_token', token_file.read().strip())
if self._options.get_option('kubernetes_token') is None:
- raise HashiVaultValueError(self._options.get_option_default('kubernetes_token_path') +
+ raise HashiVaultValueError(self._options.get_option_default('kubernetes_token_path') +
" No Kubernetes Token specified or discovered.")
def authenticate(self, client, use_token=True):
From fd99231e94d12d46e43b864540d28ff275bcc531 Mon Sep 17 00:00:00 2001
From: Brian Scholer <1260690+briantist@users.noreply.github.com>
Date: Fri, 1 Apr 2022 14:07:22 -0400
Subject: [PATCH 32/32] Bump version_added

---
plugins/doc_fragments/auth.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py
index 98eb7f22a..f6758621f 100644
--- a/plugins/doc_fragments/auth.py
+++ b/plugins/doc_fragments/auth.py
@@ -76,12 +76,12 @@ class ModuleDocFragment(object):
kubernetes_token:
description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault.
type: str
- version_added: 2.4.0
+ version_added: 2.5.0
kubernetes_token_path:
description: If no kubernetes_token is specified, will try to read the token from this path.
default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
type: str
- version_added: 2.4.0
+ version_added: 2.5.0
aws_profile:
description: The AWS profile
type: str