auth/kubernetes: add support for use_annotations_as_alias_metadata fi…
…eld (#2226)

* auth/kubernetes: add support for use_annotations_as_alias_metadata field

* changelog

* update data source and docs

* add version check to tests
fairclothjm authored Nov 4, 2024
1 parent 3f3edeb commit 3418cb7
Showing 7 changed files with 96 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@ FEATURES:
* Update `vault_database_secret_backend_connection` to support inline TLS config for PostgreSQL ([#2339](https://github.com/hashicorp/terraform-provider-vault/pull/2339))
* Update `vault_database_secret_backend_connection` to support skip_verification config for Cassandra ([#2346](https://github.com/hashicorp/terraform-provider-vault/pull/2346))
* Update `vault_approle_auth_backend_role_secret_id` to support `num_uses` and `ttl` fields ([#2345](https://github.com/hashicorp/terraform-provider-vault/pull/2345))
* Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2206](https://github.com/hashicorp/terraform-provider-vault/pull/2206))

## 4.4.0 (Aug 7, 2024)

13 changes: 13 additions & 0 deletions vault/data_source_kubernetes_auth_backend_config.go
Expand Up @@ -66,6 +66,12 @@ func kubernetesAuthBackendConfigDataSource() *schema.Resource {
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
fieldUseAnnotationsAsAliasMetadata: {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity.",
},
},
}
}
Expand Down Expand Up @@ -105,5 +111,12 @@ func kubernetesAuthBackendConfigDataSourceRead(d *schema.ResourceData, meta inte
d.Set(consts.FieldDisableISSValidation, resp.Data[consts.FieldDisableISSValidation])
d.Set(consts.FieldDisableLocalCAJWT, resp.Data[consts.FieldDisableLocalCAJWT])

if provider.IsAPISupported(meta, provider.VaultVersion116) {
err := d.Set(fieldUseAnnotationsAsAliasMetadata, resp.Data[fieldUseAnnotationsAsAliasMetadata])
if err != nil {
return err
}
}

return nil
}
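Review bot: The error from `d.Set(fieldUseAnnotationsAsAliasMetadata, …)` is checked in the second hunk while the neighbouring `d.Set` calls for `disable_iss_validation` and `disable_local_ca_jwt` discard theirs, so the function now mixes two error-handling styles; either check all of them or collapse the new one to `d.Set(fieldUseAnnotationsAsAliasMetadata, resp.Data[fieldUseAnnotationsAsAliasMetadata])` to match. The schema Description in the first hunk could also tell operators what they are opting into: service-account annotations are editable by anyone with write access to the service account, and alias metadata is typically consumed by policy templates, so something like `Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity. Anyone able to edit those annotations can influence the resulting alias metadata."` is worth the extra sentence (the policy-templating consequence is inferred from the field's purpose, not from this diff). kubernetesAuthBackendConfigDataSourceRead begins before the second hunk.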
13 changes: 13 additions & 0 deletions vault/data_source_kubernetes_auth_backend_config_test.go
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
"github.com/hashicorp/terraform-provider-vault/testutil"
)

Expand Down Expand Up @@ -62,6 +63,7 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
issuer := "kubernetes/serviceaccount"
disableIssValidation := true
disableLocalCaJwt := true
useAnnotationsAsAliasMetadata := true

resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
Expand Down Expand Up @@ -115,6 +117,17 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
consts.FieldDisableLocalCAJWT, strconv.FormatBool(disableLocalCaJwt)),
),
},
{
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion116), nil
},
Config: testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
fieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata)),
),
},
},
})
}
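Review bot: The new step in the second hunk asserts `fieldUseAnnotationsAsAliasMetadata` on `vault_kubernetes_auth_backend_config.config` — the managed resource — rather than on the `data.vault_kubernetes_auth_backend_config` address this test exists for, and `testAccKubernetesAuthBackendConfig_useAnnotations` (defined in the resource test file) declares no data source at all, so the data source's new version-gated `d.Set` is never exercised. Point the step at a config that includes the data source and assert on the data source address the earlier steps use (not visible in this hunk), e.g. `resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.<name>", fieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata))`. As written, a regression in the data source read path would still pass this suite. TestAccKubernetesAuthBackendConfigDataSource_full begins before the first hunk.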
25 changes: 25 additions & 0 deletions vault/resource_kubernetes_auth_backend_config.go
Expand Up @@ -18,6 +18,8 @@ import (
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

const fieldUseAnnotationsAsAliasMetadata = "use_annotations_as_alias_metadata"

var (
kubernetesAuthBackendConfigFromPathRegex = regexp.MustCompile("^auth/(.+)/config$")
// overrideKubernetesFieldsMap maps resource IDs to a slice of strings containing
Expand Down Expand Up @@ -82,6 +84,12 @@ func kubernetesAuthBackendConfigResource() *schema.Resource {
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
fieldUseAnnotationsAsAliasMetadata: {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity.",
},
}
return &schema.Resource{
Create: kubernetesAuthBackendConfigCreate,
Expand Down Expand Up @@ -177,6 +185,13 @@ func kubernetesAuthBackendConfigCreate(d *schema.ResourceData, meta interface{})
if v, ok := d.GetOk(consts.FieldDisableLocalCAJWT); ok {
data[consts.FieldDisableLocalCAJWT] = v
}

if provider.IsAPISupported(meta, provider.VaultVersion116) {
if v := d.Get(fieldUseAnnotationsAsAliasMetadata); v != nil {
data[fieldUseAnnotationsAsAliasMetadata] = v
}
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error writing Kubernetes auth backend config %q: %s", path, err)
Expand Down Expand Up @@ -243,9 +258,13 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e
consts.FieldDisableISSValidation,
consts.FieldDisableLocalCAJWT,
consts.FieldPEMKeys,
fieldUseAnnotationsAsAliasMetadata,
}

for _, k := range params {
if k == fieldUseAnnotationsAsAliasMetadata && !provider.IsAPISupported(meta, provider.VaultVersion116) {
continue
}
v := resp.Data[k]
if err := d.Set(k, v); err != nil {
return err
Expand Down Expand Up @@ -302,6 +321,12 @@ func kubernetesAuthBackendConfigUpdate(d *schema.ResourceData, meta interface{})
setData(consts.FieldDisableLocalCAJWT, v)
}

if provider.IsAPISupported(meta, provider.VaultVersion116) {
if v := d.Get(fieldUseAnnotationsAsAliasMetadata); v != nil {
data[fieldUseAnnotationsAsAliasMetadata] = v
}
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error updating Kubernetes auth backend config %q: %s", path, err)
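Review bot: The version gate in the last hunk (and the identical one in kubernetesAuthBackendConfigCreate) silently drops `use_annotations_as_alias_metadata` when the server is older than 1.16, and because Read also skips the key on those versions, an operator who sets it to `true` gets a clean apply and a state file saying the setting is on while the auth backend never received it — a quiet gap between intended and actual identity metadata. Returning an error when the field is explicitly configured against an unsupported version makes that failure visible. The `v != nil` guard is also dead code, since `d.Get` on a `TypeBool` yields `false`, never `nil`, so the check should key on presence instead; the same rewrite applies to both Create and Update. kubernetesAuthBackendConfigCreate and kubernetesAuthBackendConfigUpdate both start and end outside the hunks shown.
```go
// … unchanged: other fields copied into data …
if v, ok := d.GetOkExists(fieldUseAnnotationsAsAliasMetadata); ok {
	if !provider.IsAPISupported(meta, provider.VaultVersion116) {
		return fmt.Errorf("%s requires Vault 1.16 or later", fieldUseAnnotationsAsAliasMetadata)
	}
	data[fieldUseAnnotationsAsAliasMetadata] = v
}
// … unchanged: client.Logical().Write(path, data) …
```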
54 changes: 36 additions & 18 deletions vault/resource_kubernetes_auth_backend_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,7 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
backend := acctest.RandomWithPrefix("kubernetes")
jwt := kubernetesJWT
issuer := "api"
testResource := "vault_kubernetes_auth_backend_config.config"

resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
Expand All @@ -237,24 +238,25 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
true, true, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldKubernetesHost, "http://example.com:443"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldKubernetesCACert, kubernetesCAcert),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"token_reviewer_jwt", jwt),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"pem_keys.#", "1"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldIssuer, "api"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableISSValidation, strconv.FormatBool(true)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(true)),
resource.TestCheckResourceAttr(testResource, "backend", backend),
resource.TestCheckResourceAttr(testResource, consts.FieldKubernetesHost, "http://example.com:443"),
resource.TestCheckResourceAttr(testResource, consts.FieldKubernetesCACert, kubernetesCAcert),
resource.TestCheckResourceAttr(testResource, "token_reviewer_jwt", jwt),
resource.TestCheckResourceAttr(testResource, "pem_keys.#", "1"),
resource.TestCheckResourceAttr(testResource, "pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr(testResource, consts.FieldIssuer, "api"),
resource.TestCheckResourceAttr(testResource, consts.FieldDisableISSValidation, strconv.FormatBool(true)),
resource.TestCheckResourceAttr(testResource, consts.FieldDisableLocalCAJWT, strconv.FormatBool(true)),
),
},
{
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion116), nil
},
Config: testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(testResource, fieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(true)),
),
},
},
Expand Down Expand Up @@ -428,6 +430,22 @@ resource "vault_kubernetes_auth_backend_config" "config" {
return config + "}"
}

func testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt string) string {
return fmt.Sprintf(`
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = "%s"
}
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "http://example.com:443"
token_reviewer_jwt = %q
use_annotations_as_alias_metadata = true
}
`, backend, jwt)
}

func testAccKubernetesAuthBackendConfigConfig_full(backend, caCert, jwt, issuer string,
disableIssValidation, disableLocalCaJwt, omitCA bool,
) string {
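Review bot: The new step only pins the `true` value; nothing in the suite checks that an explicit `use_annotations_as_alias_metadata = false` is written back, which matters because the field is declared `Computed`, and with Optional+Computed dropping the attribute from config typically keeps the prior state value rather than disabling it. A follow-up step with the literal flipped to `false` and a matching `strconv.FormatBool(false)` check would cover the disable path. The helper added in the last hunk could take the bool as a parameter, e.g. `func testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt string, enabled bool) string` with `use_annotations_as_alias_metadata = %t` in the template. TestAccKubernetesAuthBackendConfig_full ends outside the hunk shown.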
6 changes: 6 additions & 0 deletions website/docs/d/kubernetes_auth_backend_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,9 @@ In addition to the above arguments, the following attributes are exported:
* `pem_keys` - Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

* `issuer` - Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.

* `disable_iss_validation` - (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

* `disable_local_ca_jwt` - (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

* `use_annotations_as_alias_metadata` - (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
2 changes: 2 additions & 0 deletions website/docs/r/kubernetes_auth_backend_config.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,8 @@ The following arguments are supported:

* `disable_local_ca_jwt` - (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

* `use_annotations_as_alias_metadata` - (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`


## Attributes Reference

