From 400da099fbd0b0d778a1dd29d6c224af09396689 Mon Sep 17 00:00:00 2001
From: Flavio Lemos
Date: Thu, 12 May 2022 09:47:39 +0100
Subject: [PATCH 1/2] Added support to configure default vault namespace on the agent config

---
 agent-inject/agent/annotations.go | 5 +++++
 agent-inject/agent/annotations_test.go | 18 +++++++++++-------
 agent-inject/handler.go | 2 ++
 subcommand/injector/command.go | 2 ++
 subcommand/injector/flags.go | 8 ++++++++
 subcommand/injector/flags_test.go | 1 +
 6 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index 9954a7a8..9bd2f20c 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -278,6 +278,7 @@ type AgentConfig struct {
 	Address string
 	AuthType string
 	AuthPath string
+	VaultNamespace string
 	Namespace string
 	RevokeOnShutdown bool
 	UserID string
@@ -340,6 +341,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 		pod.ObjectMeta.Annotations[AnnotationVaultAuthPath] = cfg.AuthPath
 	}
 
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultNamespace]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationVaultNamespace] = cfg.VaultNamespace
+	}
+
 	if _, ok := pod.ObjectMeta.Annotations[AnnotationProxyAddress]; !ok {
 		pod.ObjectMeta.Annotations[AnnotationProxyAddress] = cfg.ProxyAddress
 	}
diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
index 815828a7..1c11e585 100644
--- a/agent-inject/agent/annotations_test.go
+++ b/agent-inject/agent/annotations_test.go
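Review bot: The new `VaultNamespace` field in AgentConfig sits directly beside the existing `Namespace` field, and neither carries a comment saying which namespace it means; handler.go fills `Namespace` from `req.Namespace`, so it is the Kubernetes namespace of the admitted pod, while `VaultNamespace` is the Vault Enterprise namespace, and the two are easy to confuse in a struct literal. A comment on the new field would settle it: `// VaultNamespace is the default Vault Enterprise namespace written to the vault namespace annotation; Namespace is the pod's Kubernetes namespace.` In Init the new block follows the AuthPath pattern, so a pod that already carries the annotation keeps its own value and the injector-wide setting is only a fallback, not an enforced boundary; that precedence is worth stating in the comment so operators do not treat the flag as pinning every agent to one namespace. When cfg.VaultNamespace is empty the annotation is still written with an empty value, which the test table expects, but it means whatever later reads the annotation must treat "" as unset.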
@@ -778,14 +778,17 @@ func TestInitEmptyPod(t *testing.T) {
 
 func TestVaultNamespaceAnnotation(t *testing.T) {
 	tests := []struct {
-		key string
-		value string
-		expectedValue string
+		key string
+		value string
+		agentVaultNamespaceConfig string
+		expectedValue string
 	}{
-		{"", "", ""},
-		{"vault.hashicorp.com/namespace", "", ""},
-		{"vault.hashicorp.com/namespace", "foobar", "foobar"},
-		{"vault.hashicorp.com/namespace", "fooBar", "fooBar"},
+		{"", "", "", ""},
+		{"", "", "test-namespace", "test-namespace"},
+		{"vault.hashicorp.com/namespace", "", "", ""},
+		{"vault.hashicorp.com/namespace", "foobar", "", "foobar"},
+		{"vault.hashicorp.com/namespace", "foobar", "test-namespace", "foobar"},
+		{"vault.hashicorp.com/namespace", "fooBar", "", "fooBar"},
 	}
 
 	for _, tt := range tests {
@@ -796,6 +799,7 @@ func TestVaultNamespaceAnnotation(t *testing.T) {
 		var patches []*jsonpatch.JsonPatchOperation
 
 		agentConfig := basicAgentConfig()
+		agentConfig.VaultNamespace = tt.agentVaultNamespaceConfig
 		err := Init(pod, agentConfig)
 		if err != nil {
 			t.Errorf("got error, shouldn't have: %s", err)
diff --git a/agent-inject/handler.go b/agent-inject/handler.go
index 411e8954..3e4c3f28 100644
--- a/agent-inject/handler.go
+++ b/agent-inject/handler.go
@@ -48,6 +48,7 @@ type Handler struct {
 	VaultAddress string
 	VaultAuthType string
 	VaultAuthPath string
+	VaultNamespace string
 	ProxyAddress string
 	ImageVault string
 	Clientset *kubernetes.Clientset
@@ -182,6 +183,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 		Address: h.VaultAddress,
 		AuthType: h.VaultAuthType,
 		AuthPath: h.VaultAuthPath,
+		VaultNamespace: h.VaultNamespace,
 		ProxyAddress: h.ProxyAddress,
 		Namespace: req.Namespace,
 		RevokeOnShutdown: h.RevokeOnShutdown,
diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go
index 88e6e64a..e56934a0 100644
--- a/subcommand/injector/command.go
+++ b/subcommand/injector/command.go
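Review bot: The new table rows leave one precedence case unpinned: the pod annotation present but empty while the agent config sets a namespace, i.e. `{"vault.hashicorp.com/namespace", "", "test-namespace", ""},`. Init keys on presence (`_, ok`), so an explicitly empty annotation is expected to win over the injector default; without a row for it, a later change to `!= ""` semantics would pass this test unnoticed. Adding the row documents that an empty annotation is a deliberate opt-out rather than a trigger for the fallback.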
@@ -54,6 +54,7 @@ type Command struct {
 	flagVaultImage string // Name of the Vault Image to use
 	flagVaultAuthType string // Type of Vault Auth Method to use
 	flagVaultAuthPath string // Mount path of the Vault Auth Method
+	flagVaultNamespace string // Vault enterprise namespace
 	flagRevokeOnShutdown bool // Revoke Vault Token on pod shutdown
 	flagRunAsUser string // User (uid) to run Vault agent as
 	flagRunAsGroup string // Group (gid) to run Vault agent as
@@ -186,6 +187,7 @@ func (c *Command) Run(args []string) int {
 		VaultAddress: c.flagVaultService,
 		VaultAuthType: c.flagVaultAuthType,
 		VaultAuthPath: c.flagVaultAuthPath,
+		VaultNamespace: c.flagVaultNamespace,
 		ProxyAddress: c.flagProxyAddress,
 		ImageVault: c.flagVaultImage,
 		Clientset: clientset,
diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
index 55d529fe..db5c3ff8 100644
--- a/subcommand/injector/flags.go
+++ b/subcommand/injector/flags.go
@@ -69,6 +69,9 @@ type Specification struct {
 	// VaultAuthPath is the AGENT_INJECT_VAULT_AUTH_PATH environment variable.
 	VaultAuthPath string `split_words:"true"`
 
+	// VaultNamespace is the AGENT_INJECT_VAULT_NAMESPACE environment variable.
+	VaultNamespace string `split_words:"true"`
+
 	// RevokeOnShutdown is AGENT_INJECT_REVOKE_ON_SHUTDOWN environment variable.
 	RevokeOnShutdown string `split_words:"true"`
 
@@ -147,6 +150,7 @@ func (c *Command) init() {
 		fmt.Sprintf("Type of Vault Auth Method to use. Defaults to %q.", agent.DefaultVaultAuthType))
 	c.flagSet.StringVar(&c.flagVaultAuthPath, "vault-auth-path", agent.DefaultVaultAuthPath,
 		fmt.Sprintf("Mount path of the Vault Auth Method. Defaults to %q.", agent.DefaultVaultAuthPath))
+	c.flagSet.StringVar(&c.flagVaultNamespace, "vault-namespace", "", "Vault enterprise namespace.")
 	c.flagSet.BoolVar(&c.flagRevokeOnShutdown, "revoke-on-shutdown", false,
 		"Automatically revoke Vault Token on Pod termination.")
 	c.flagSet.StringVar(&c.flagRunAsUser, "run-as-user", strconv.Itoa(agent.DefaultAgentRunAsUser),
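Review bot: The help text for the new `vault-namespace` flag reads only "Vault enterprise namespace." and, unlike the neighbouring auth flags, does not say it is a default that a per-pod annotation overrides; an operator reading `--help` could reasonably assume it pins every injected agent to that namespace. Suggested: `c.flagSet.StringVar(&c.flagVaultNamespace, "vault-namespace", "", "Default Vault Enterprise namespace for injected agents; a pod's vault.hashicorp.com/namespace annotation takes precedence.")`. The same wording would improve the `flagVaultNamespace` comment in the Command struct hunk above and the `VaultNamespace` comment in the Specification hunk, both of which say only "Vault enterprise namespace" or name the environment variable.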
@@ -282,6 +286,10 @@ func (c *Command) parseEnvs() error {
 		c.flagVaultAuthPath = envs.VaultAuthPath
 	}
 
+	if envs.VaultNamespace != "" {
+		c.flagVaultNamespace = envs.VaultNamespace
+	}
+
 	if envs.RevokeOnShutdown != "" {
 		c.flagRevokeOnShutdown, err = strconv.ParseBool(envs.RevokeOnShutdown)
 		if err != nil {
diff --git a/subcommand/injector/flags_test.go b/subcommand/injector/flags_test.go
index 080f7a6b..bad0f1a6 100644
--- a/subcommand/injector/flags_test.go
+++ b/subcommand/injector/flags_test.go
@@ -116,6 +116,7 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_PROXY_ADDR", value: "http://proxy:3128", cmdPtr: &cmd.flagProxyAddress},
 		{env: "AGENT_INJECT_VAULT_AUTH_PATH", value: "auth-path-test", cmdPtr: &cmd.flagVaultAuthPath},
 		{env: "AGENT_INJECT_VAULT_IMAGE", value: "hashicorp/vault:1.10.3", cmdPtr: &cmd.flagVaultImage},
+		{env: "AGENT_INJECT_VAULT_NAMESPACE", value: "test-namespace", cmdPtr: &cmd.flagVaultNamespace},
 		{env: "AGENT_INJECT_TLS_KEY_FILE", value: "server.key", cmdPtr: &cmd.flagKeyFile},
 		{env: "AGENT_INJECT_TLS_CERT_FILE", value: "server.crt", cmdPtr: &cmd.flagCertFile},
 		{env: "AGENT_INJECT_TLS_AUTO_HOSTS", value: "foobar.com", cmdPtr: &cmd.flagAutoHosts},

From 56551d154a44fabace07b56b99b123d5491ea9c1 Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Fri, 24 Jun 2022 16:32:22 -0700
Subject: [PATCH 2/2] changelog++

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79e4b10b..3d4c6055 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
 
+Improvements:
+* Added support to configure default vault namespace on the agent config [GH-345](https://github.com/hashicorp/vault-k8s/pull/345)
+
 Bugs:
 * Properly return admission errors [GH-363](https://github.com/hashicorp/vault-k8s/pull/363)