add k8s auth to lookup hashi_vault - operator

plugins/doc_fragments/auth.py

@@ -27,6 +27,7 @@ class ModuleDocFragment(object):
           - jwt
           - cert
           - none
+          - kubernetes
         default: token
         type: str
       mount_point:
@@ -72,6 +73,15 @@ class ModuleDocFragment(object):
       jwt:
         description: The JSON Web Token (JWT) to use for JWT authentication to Vault.
         type: str
+      kubernetes_token:
+        description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault.
+        type: str
+        version_added: 2.4.0
+      kubernetes_token_path:
+        description: If no kubernetes_token is specified, will try to read the token from this path.
+        default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
+        type: str
+        version_added: 2.4.0
       aws_profile:
         description: The AWS profile
         type: str
@@ -245,4 +255,17 @@ class ModuleDocFragment(object):
         ini:
           - section: hashi_vault_collection
             key: cert_auth_private_key
+      kubernetes_token:
+        env:
+          - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN
+        vars:
+          - name: ansible_hashi_vault_kubernetes_token
+      kubernetes_token_path:
+        env:
+          - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN_PATH
+        ini:
+          - section: hashi_vault_collection
+            key: kubernetes_token_path
+        vars:
+          - name: ansible_hashi_vault_kubernetes_token_path
     '''

plugins/module_utils/_auth_method_k8s.py

@@ -0,0 +1,57 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2021 FERREIRA Christophe (@chris93111)
+# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
+
+'''Python versions supported: >=3.6'''
+
+# FOR INTERNAL COLLECTION USE ONLY
+# The interfaces in this file are meant for use within the community.hashi_vault collection
+# and may not remain stable to outside uses. Changes may be made in ANY release, even a bugfix release.
+# See also: https://github.com/ansible/community/issues/539#issuecomment-780839686
+# Please open an issue if you have questions about this.
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase, HashiVaultValueError
+import os
+
+
+class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase):
+    '''HashiVault option group class for auth: k8s'''
+
+    NAME = 'kubernetes'
+    OPTIONS = ['kubernetes_token', 'kubernetes_token_path', 'role_id', 'mount_point']
+
+    def __init__(self, option_adapter, warning_callback):
+        super(HashiVaultAuthMethodKubernetes, self).__init__(option_adapter, warning_callback)
+
+    def validate(self):
+        self.validate_by_required_fields('role_id')
+
+        if self._options.get_option('kubernetes_token') is None and self._options.get_option('kubernetes_token_path') is not None:
+            token_filename = self._options.get_option('kubernetes_token_path')
+            if os.path.exists(token_filename):
+                if not os.path.isfile(token_filename):
+                    raise HashiVaultValueError("The Kubernetes token file '%s' was found but is not a file." % token_filename)
+                with open(token_filename) as token_file:
+                    self._options.set_option('kubernetes_token', token_file.read().strip())
+
+        if self._options.get_option('kubernetes_token') is None:
+            raise HashiVaultValueError(self._options.get_option_default('kubernetes_token_path') + 
+                                       " No Kubernetes Token specified or discovered.")
+
+    def authenticate(self, client, use_token=True):
+        origin_params = self._options.get_filled_options(*self.OPTIONS)
+        params = {"role": origin_params.get('role_id'),
+                  "jwt": origin_params.get('kubernetes_token'),
+                  "mount_point": origin_params.get('mount_point'),
+                  "use_token": use_token}
+
+        try:
+            response = client.auth.kubernetes.login(**params)
+        except (NotImplementedError, AttributeError):
+            self.warn("Kubernetes authentication requires HVAC version 1.0.0 or higher. Deprecated method 'auth_kubernetes' will be used.")
+            response = client.auth_kubernetes(**params)
+
+        return response

plugins/module_utils/_authenticator.py

@@ -22,6 +22,7 @@
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_none import HashiVaultAuthMethodNone
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_token import HashiVaultAuthMethodToken
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_userpass import HashiVaultAuthMethodUserpass
+from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_k8s import HashiVaultAuthMethodKubernetes
 
 
 class HashiVaultAuthenticator():
@@ -36,6 +37,7 @@ class HashiVaultAuthenticator():
             'jwt',
             'cert',
             'none',
+            'kubernetes',
         ]),
         mount_point=dict(type='str'),
         token=dict(type='str', no_log=True, default=None),
@@ -47,6 +49,8 @@ class HashiVaultAuthenticator():
         role_id=dict(type='str'),
         secret_id=dict(type='str', no_log=True),
         jwt=dict(type='str', no_log=True),
+        kubernetes_token=dict(type='str', no_log=True),
+        kubernetes_token_path=dict(type='str', default='/var/run/secrets/kubernetes.io/serviceaccount/token', no_log=False),
         aws_profile=dict(type='str', aliases=['boto_profile']),
         aws_access_key=dict(type='str', aliases=['aws_access_key_id'], no_log=False),
         aws_secret_key=dict(type='str', aliases=['aws_secret_access_key'], no_log=True),
@@ -66,6 +70,7 @@ def __init__(self, option_adapter, warning_callback):
             'aws_iam': HashiVaultAuthMethodAwsIam(option_adapter, warning_callback),
             'cert': HashiVaultAuthMethodCert(option_adapter, warning_callback),
             'jwt': HashiVaultAuthMethodJwt(option_adapter, warning_callback),
+            'kubernetes': HashiVaultAuthMethodKubernetes(option_adapter, warning_callback),
             'ldap': HashiVaultAuthMethodLdap(option_adapter, warning_callback),
             'none': HashiVaultAuthMethodNone(option_adapter, warning_callback),
             'token': HashiVaultAuthMethodToken(option_adapter, warning_callback),