From ca930f51b91ff7c6967c520d5f24e8ba8c83c088 Mon Sep 17 00:00:00 2001 From: Pierce Bartine Date: Thu, 25 Feb 2021 06:18:06 -0800 Subject: [PATCH] Add support for all Auth Methods via annotations (#213) * Generalize Agent Auto Auth to allow all methods No fail if Role not specified unless K8s auth Add tests Signed-off-by: Pierce Bartine * Fix merge conflict * Tweak test conditions * Default Auto-Auth type and validation --- agent-inject/agent/agent.go | 18 +++- agent-inject/agent/agent_test.go | 26 +++++- agent-inject/agent/annotations.go | 37 ++++++++- agent-inject/agent/annotations_test.go | 86 +++++++++++++++++--- agent-inject/agent/config.go | 6 +- agent-inject/agent/config_test.go | 16 ++-- agent-inject/agent/container_sidecar_test.go | 8 +- agent-inject/handler.go | 2 + subcommand/injector/command.go | 4 +- subcommand/injector/flags.go | 11 ++- 10 files changed, 176 insertions(+), 38 deletions(-) diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go index 6c8bc380..d9c91769 100644 --- a/agent-inject/agent/agent.go +++ b/agent-inject/agent/agent.go @@ -15,6 +15,7 @@ import ( const ( DefaultVaultImage = "vault:1.6.2" + DefaultVaultAuthType = "kubernetes" DefaultVaultAuthPath = "auth/kubernetes" DefaultAgentRunAsUser = 100 DefaultAgentRunAsGroup = 1000 @@ -163,9 +164,15 @@ type Vault struct { // ProxyAddress is the proxy service address to use when talking to the Vault service. ProxyAddress string - // AuthPath is the Mount Path of Vault Kubernetes Auth Method. + // AuthType is type of Vault Auth Method to use. + AuthType string + + // AuthPath is the Mount Path of Vault Auth Method. AuthPath string + // AuthConfig is the Auto Auth Method configuration. + AuthConfig map[string]interface{} + // CACert is the name of the Certificate Authority certificate // to use when validating Vault's server certificates. CACert string 
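Review bot: The doc comments on the two new Vault fields are too thin for a field whose contents now come straight from pod annotations, and `// AuthType is type of Vault Auth Method to use.` is missing an article. Suggest `// AuthType is the type of Vault Auth Method to use; defaults to DefaultVaultAuthType.` and, for AuthConfig, `// AuthConfig holds the auto-auth method parameters, copied verbatim from the pod's vault.hashicorp.com/auth-config-* annotations; the injector does not validate them against the method's schema.` The second claim follows from authConfig() added in annotations.go in this same patch, so it is worth stating where the values are consumed. The Vault struct continues outside the hunk.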
@@ -248,6 +255,7 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro Vault: Vault{ Address: pod.Annotations[AnnotationVaultService], ProxyAddress: pod.Annotations[AnnotationProxyAddress], + AuthType: pod.Annotations[AnnotationVaultAuthType], AuthPath: pod.Annotations[AnnotationVaultAuthPath], CACert: pod.Annotations[AnnotationVaultCACert], CAKey: pod.Annotations[AnnotationVaultCAKey], @@ -266,6 +274,7 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro var err error agent.Secrets = agent.secrets() + agent.Vault.AuthConfig = agent.authConfig() agent.Inject, err = agent.inject() if err != nil { return agent, err @@ -508,7 +517,12 @@ func (a *Agent) Validate() error { } if a.ConfigMapName == "" { - if a.Vault.Role == "" { + if a.Vault.AuthType == "" { + return errors.New("no Vault Auth Type found") + } + + if a.Vault.AuthType == DefaultVaultAuthType && + a.Vault.Role == "" && a.Annotations[fmt.Sprintf("%s-role", AnnotationVaultAuthConfig)] == "" { return errors.New("no Vault role found") } diff --git a/agent-inject/agent/agent_test.go b/agent-inject/agent/agent_test.go index 5718e9d9..5972df49 100644 --- a/agent-inject/agent/agent_test.go +++ b/agent-inject/agent/agent_test.go @@ -83,6 +83,7 @@ func TestValidate(t *testing.T) { Role: "test", Address: "https://foobar.com:8200", AuthPath: "test", + AuthType: "kubernetes", }, }, true, }, @@ -129,8 +130,9 @@ func TestValidate(t *testing.T) { ServiceAccountName: "foobar", ImageName: "test", Vault: Vault{ - Role: "", - Address: "https://foobar.com:8200", + Role: "", + Address: "https://foobar.com:8200", + AuthType: "kubernetes", }, }, false, }, @@ -141,8 +143,9 @@ func TestValidate(t *testing.T) { ServiceAccountName: "foobar", ImageName: "test", Vault: Vault{ - Role: "test", - Address: "", + Role: "test", + Address: "", + AuthType: "kubernetes", }, }, false, }, 
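Review bot: The new check in Validate only rejects an empty AuthType; any other string passes admission, so a typo or an auto-auth method the agent image does not support is accepted by the webhook and only surfaces as a sidecar start failure at pod runtime. Consider checking `a.Vault.AuthType` against the auto-auth method types the injected agent supports and returning `fmt.Errorf("unsupported Vault Auth Type %q", a.Vault.AuthType)`, so the failure is reported at admission with a clear message. For non-kubernetes types no required parameter is validated at all, which is acceptable only if documented. The role check re-derives the annotation key with `fmt.Sprintf` instead of reading `a.Vault.AuthConfig["role"]`, which New already populates — presumably because Validate must also work on an Agent built without New, as TestValidate does; a one-line comment saying so would stop the next reader from "simplifying" it. Validate's body continues outside the hunk.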
@@ -156,6 +159,21 @@ func TestValidate(t *testing.T) { Role: "test", Address: "https://foobar.com:8200", AuthPath: "", + AuthType: "kubernetes", + }, + }, false, + }, + { + Agent{ + Namespace: "test", + ServiceAccountPath: "foobar", + ServiceAccountName: "foobar", + ImageName: "test", + Vault: Vault{ + Role: "test", + Address: "https://foobar.com:8200", + AuthPath: "test", + AuthType: "", }, }, false, }, diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go index 77599d4b..ac29aab4 100644 --- a/agent-inject/agent/annotations.go +++ b/agent-inject/agent/annotations.go @@ -175,10 +175,17 @@ const ( // method. AnnotationVaultRole = "vault.hashicorp.com/role" - // AnnotationVaultAuthPath specifies the mount path to be used for the Kubernetes auto-auth - // method. + // AnnotationVaultAuthType specifies the auto-auth method type to be used. + AnnotationVaultAuthType = "vault.hashicorp.com/auth-type" + + // AnnotationVaultAuthPath specifies the mount path to be used for the auto-auth method. AnnotationVaultAuthPath = "vault.hashicorp.com/auth-path" + // AnnotationVaultAuthConfig specifies the Auto Auth Method configuration parameters. + // The name of the parameter is any unique string after "vault.hashicorp.com/auth-config-", + // such as "vault.hashicorp.com/auth-config-foobar". + AnnotationVaultAuthConfig = "vault.hashicorp.com/auth-config" + // AnnotationVaultSecretVolumePath specifies where the secrets are to be // Mounted after fetching. AnnotationVaultSecretVolumePath = "vault.hashicorp.com/secret-volume-path" @@ -207,6 +214,7 @@ const ( type AgentConfig struct { Image string Address string + AuthType string AuthPath string Namespace string RevokeOnShutdown bool 
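Review bot: The headline behaviour of this commit — a missing role is no longer an error for a non-kubernetes auth type — has no positive test case in TestValidate; every case here still uses `AuthType: "kubernetes"` or the empty string, so a regression that reinstates the unconditional role check would go unnoticed. Add a case that mirrors the `Role: ""` kubernetes case but with a different type and expects success. TestValidate's table continues outside the hunk.
```go
{
	Agent{
		Namespace:          "test",
		ServiceAccountPath: "foobar",
		ServiceAccountName: "foobar",
		ImageName:          "test",
		Vault: Vault{
			Role:     "",
			Address:  "https://foobar.com:8200",
			AuthPath: "test",
			AuthType: "approle",
		},
	}, true,
},
```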
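Review bot: The comment on AnnotationVaultAuthConfig does not mention the two rules that authConfig() applies to these keys, which a pod author needs to know: dashes in the suffix are rewritten to underscores, and an explicit vault.hashicorp.com/role always overrides auth-config-role. Suggest extending it with `// Dashes in the suffix are converted to underscores ("ca-cert" becomes "ca_cert"),` and `// and vault.hashicorp.com/role, when set, takes precedence over "auth-config-role".` It would also help to say that values are passed to the agent's auto-auth config verbatim without validation, since that is what the code in annotations.go does.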
@@ -250,6 +258,13 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error { pod.ObjectMeta.Annotations[AnnotationVaultService] = cfg.Address } + if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultAuthType]; !ok { + if cfg.AuthType == "" { + cfg.AuthType = DefaultVaultAuthType + } + pod.ObjectMeta.Annotations[AnnotationVaultAuthType] = cfg.AuthType + } + if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultAuthPath]; !ok { pod.ObjectMeta.Annotations[AnnotationVaultAuthPath] = cfg.AuthPath } @@ -534,3 +549,21 @@ func (a *Agent) agentCacheEnable() (bool, error) { return strconv.ParseBool(raw) } + +func (a *Agent) authConfig() map[string]interface{} { + authConfig := make(map[string]interface{}) + + prefix := fmt.Sprintf("%s-", AnnotationVaultAuthConfig) + for annotation, value := range a.Annotations { + if strings.HasPrefix(annotation, prefix) { + param := strings.TrimPrefix(annotation, prefix) + param = strings.ReplaceAll(param, "-", "_") + authConfig[param] = value + } + } + if a.Vault.Role != "" { + authConfig["role"] = a.Vault.Role + } + + return authConfig +} diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go index 5b56ad6b..8467e519 100644 --- a/agent-inject/agent/annotations_test.go +++ b/agent-inject/agent/annotations_test.go @@ -19,7 +19,7 @@ func TestInitCanSet(t *testing.T) { pod := testPod(annotations) agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "http://proxy:3128", } err := Init(pod, agentConfig) 
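Review bot: authConfig normalizes dashes to underscores after trimming the prefix, so `auth-config-ca-cert` and `auth-config-ca_cert` both land on `ca_cert`; because the loop ranges over a map, whichever annotation is visited last wins and the resulting agent config is nondeterministic between admissions. Iterating over a sorted key list makes the precedence stable (or, stricter, return an error on the collision — but that changes the method's signature). Note the rewrite below needs `sort` imported, which this file may not already have; the tail of the function (the `a.Vault.Role` override) is unchanged.
```go
func (a *Agent) authConfig() map[string]interface{} {
	authConfig := make(map[string]interface{})

	prefix := fmt.Sprintf("%s-", AnnotationVaultAuthConfig)
	// Visit annotations in a fixed order so two keys that normalize to the
	// same parameter (e.g. "ca-cert" and "ca_cert") resolve deterministically.
	keys := make([]string, 0, len(a.Annotations))
	for annotation := range a.Annotations {
		if strings.HasPrefix(annotation, prefix) {
			keys = append(keys, annotation)
		}
	}
	sort.Strings(keys)
	for _, annotation := range keys {
		param := strings.ReplaceAll(strings.TrimPrefix(annotation, prefix), "-", "_")
		authConfig[param] = a.Annotations[annotation]
	}
	// … unchanged: explicit vault.hashicorp.com/role overrides auth-config-role …
```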
@@ -56,7 +56,7 @@ func TestInitDefaults(t *testing.T) { pod := testPod(annotations) agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "", "", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "", "", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -90,7 +90,7 @@ func TestInitError(t *testing.T) { pod := testPod(annotations) agentConfig := AgentConfig{ - "image", "", "authPath", "namespace", true, "100", "1000", + "image", "", DefaultVaultAuthType, "authPath", "namespace", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -154,7 +154,7 @@ func TestSecretAnnotationsWithPreserveCaseSensitivityFlagOff(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -205,7 +205,7 @@ func TestSecretAnnotationsWithPreserveCaseSensitivityFlagOn(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -292,7 +292,7 @@ func TestSecretLocationFileAnnotations(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) 
@@ -377,7 +377,7 @@ func TestSecretTemplateAnnotations(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -437,7 +437,7 @@ func TestTemplateShortcuts(t *testing.T) { t.Run(tt.name, func(t *testing.T) { pod := testPod(tt.annotations) agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -497,7 +497,7 @@ func TestSecretCommandAnnotations(t *testing.T) { for _, tt := range tests { pod := testPod(tt.annotations) agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -630,7 +630,7 @@ func TestCouldErrorAnnotations(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "", "http://foobar:8200", "test", "test", true, "100", "1000", + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -651,7 +651,7 @@ func TestInitEmptyPod(t *testing.T) { var pod *corev1.Pod agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) 
@@ -680,7 +680,7 @@ func TestVaultNamespaceAnnotation(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) 
@@ -794,3 +794,65 @@ func Test_runAsSameID(t *testing.T) { }) } } + +func TestAuthConfigAnnotations(t *testing.T) { + tests := []struct { + annotations map[string]string + expectedAuthConfig map[string]interface{} + }{ + { + map[string]string{ + "vault.hashicorp.com/role": "backwardscompat", + }, + map[string]interface{}{ + "role": "backwardscompat", + }, + }, + { + map[string]string{ + "vault.hashicorp.com/role": "backwardscompat", + "vault.hashicorp.com/auth-config-role": "lowerprio", + }, + map[string]interface{}{ + "role": "backwardscompat", + }, + }, + { + map[string]string{ + "vault.hashicorp.com/auth-config-name": "foo", + "vault.hashicorp.com/auth-config-ca-cert": "bar", + "vault.hashicorp.com/auth-config-client_cert": "baz", + "vault.hashicorp.com/auth-config-credential_poll_interval": "1", + "vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading": "false", + }, + map[string]interface{}{ + "name": "foo", + "ca_cert": "bar", // param name dashes converted to underscores for ease + "client_cert": "baz", + "credential_poll_interval": "1", // string->int conversion left up to consuming app HCL parser + "remove_secret_id_file_after_reading": "false", // string->bool, same as above + }, + }, + } + + for _, tt := range tests { + pod := testPod(tt.annotations) + var patches []*jsonpatch.JsonPatchOperation + + agentConfig := AgentConfig{ + "", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", + DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", + } + err := Init(pod, agentConfig) + if err != nil { + t.Errorf("got error, shouldn't have: %s", err) + } + + agent, err := New(pod, patches) + if err != nil { + t.Errorf("got error, shouldn't have: %s", err) + } + + require.Equal(t, agent.Vault.AuthConfig, tt.expectedAuthConfig, "expected AuthConfig %v, got %v", tt.expectedAuthConfig, agent.Vault.AuthConfig) + } +} 
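Review bot: The final assertion in TestAuthConfigAnnotations passes the arguments to `require.Equal` in the wrong order — testify's signature is `(t, expected, actual)`, so a failure would print the expected and got values swapped. The two `t.Errorf` calls before it also let the loop continue and dereference `agent` after `New` failed, which would panic instead of reporting the error; use `require.NoError(t, err)` for both and `require.Equal(t, tt.expectedAuthConfig, agent.Vault.AuthConfig)` for the comparison. The table would also benefit from a case with two annotations that normalize to the same key, since that behaviour is currently unspecified.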
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go index c503954e..540af1a7 100644 --- a/agent-inject/agent/config.go +++ b/agent-inject/agent/config.go @@ -128,12 +128,10 @@ func (a *Agent) newConfig(init bool) ([]byte, error) { }, AutoAuth: &AutoAuth{ Method: &Method{ - Type: "kubernetes", + Type: a.Vault.AuthType, Namespace: a.Vault.Namespace, MountPath: a.Vault.AuthPath, - Config: map[string]interface{}{ - "role": a.Vault.Role, - }, + Config: a.Vault.AuthConfig, }, Sinks: []*Sink{ { diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go index 819304d6..0a25f1b8 100644 --- a/agent-inject/agent/config_test.go +++ b/agent-inject/agent/config_test.go @@ -42,7 +42,7 @@ func TestNewConfig(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "http://proxy:3128", } err := Init(pod, agentConfig) 
@@ -93,14 +93,14 @@ func TestNewConfig(t *testing.T) { t.Errorf("client_key: expected %s, got %s", annotations[AnnotationVaultClientKey], config.Vault.ClientKey) } - if config.AutoAuth.Method.Type != "kubernetes" { - t.Error("expected auto_auth method to be kubernetes, it wasn't") - } - if config.AutoAuth.Method.Config["role"] != annotations[AnnotationVaultRole] { t.Errorf("auto_auth role: expected role to be %s, got %s", annotations[AnnotationVaultRole], config.AutoAuth.Method.Config["role"]) } + if config.AutoAuth.Method.Type != annotations[AnnotationVaultAuthType] { + t.Errorf("auto_auth mount type: expected type to be %s, got %s", annotations[AnnotationVaultAuthType], config.AutoAuth.Method.Type) + } + if config.AutoAuth.Method.MountPath != annotations[AnnotationVaultAuthPath] { t.Errorf("auto_auth mount path: expected path to be %s, got %s", annotations[AnnotationVaultAuthPath], config.AutoAuth.Method.MountPath) } @@ -208,7 +208,7 @@ func TestFilePathAndName(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) @@ -240,7 +240,7 @@ func TestConfigVaultAgentCacheNotEnabledByDefault(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) 
@@ -279,7 +279,7 @@ func TestConfigVaultAgentCache(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - "foobar-image", "http://foobar:8200", "test", "test", true, "100", "1000", + "foobar-image", "http://foobar:8200", DefaultVaultAuthType, "test", "test", true, "100", "1000", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "", } err := Init(pod, agentConfig) diff --git a/agent-inject/agent/container_sidecar_test.go b/agent-inject/agent/container_sidecar_test.go index 167acd58..331dc7b2 100644 --- a/agent-inject/agent/container_sidecar_test.go +++ b/agent-inject/agent/container_sidecar_test.go @@ -39,7 +39,7 @@ func TestContainerSidecarVolume(t *testing.T) { pod := testPod(annotations) var patches []*jsonpatch.JsonPatchOperation - err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", "test", "test", true, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, ""}) + err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", DefaultVaultAuthType, "test", "test", true, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, ""}) if err != nil { t.Errorf("got error, shouldn't have: %s", err) } @@ -100,7 +100,7 @@ func TestContainerSidecar(t *testing.T) { pod := testPod(annotations) var patches []*jsonpatch.JsonPatchOperation - err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", "test", "test", false, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "http://proxy:3128"}) + err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", DefaultVaultAuthType, "test", "test", false, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, "http://proxy:3128"}) if err != nil { t.Errorf("got error, shouldn't have: %s", err) } 
@@ -213,7 +213,7 @@ func TestContainerSidecarRevokeHook(t *testing.T) { pod := testPod(annotations) var patches []*jsonpatch.JsonPatchOperation - err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", "test", "test", tt.revokeFlag, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, ""}) + err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", DefaultVaultAuthType, "test", "test", tt.revokeFlag, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, ""}) if err != nil { t.Errorf("got error, shouldn't have: %s", err) } @@ -262,7 +262,7 @@ func TestContainerSidecarConfigMap(t *testing.T) { pod := testPod(annotations) var patches []*jsonpatch.JsonPatchOperation - err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", "test", "test", true, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, ""}) + err := Init(pod, AgentConfig{"foobar-image", "http://foobar:1234", DefaultVaultAuthType, "test", "test", true, "1000", "100", DefaultAgentRunAsSameUser, DefaultAgentSetSecurityContext, ""}) if err != nil { t.Errorf("got error, shouldn't have: %s", err) } diff --git a/agent-inject/handler.go b/agent-inject/handler.go index ffab3de8..e0361e5f 100644 --- a/agent-inject/handler.go +++ b/agent-inject/handler.go @@ -37,6 +37,7 @@ type Handler struct { // If this is false, injection is default. RequireAnnotation bool VaultAddress string + VaultAuthType string VaultAuthPath string ProxyAddress string ImageVault string @@ -144,6 +145,7 @@ func (h *Handler) Mutate(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionRespon cfg := agent.AgentConfig{ Image: h.ImageVault, Address: h.VaultAddress, + AuthType: h.VaultAuthType, AuthPath: h.VaultAuthPath, ProxyAddress: h.ProxyAddress, Namespace: req.Namespace, diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go index d6110947..5418d0be 100644 --- a/subcommand/injector/command.go +++ b/subcommand/injector/command.go 
@@ -42,7 +42,8 @@ type Command struct { flagVaultService string // Name of the Vault service flagProxyAddress string // HTTP proxy address used to talk to the Vault service flagVaultImage string // Name of the Vault Image to use - flagVaultAuthPath string // Mount Path of the Vault Kubernetes Auth Method + flagVaultAuthType string // Type of Vault Auth Method to use + flagVaultAuthPath string // Mount path of the Vault Auth Method flagRevokeOnShutdown bool // Revoke Vault Token on pod shutdown flagRunAsUser string // User (uid) to run Vault agent as flagRunAsGroup string // Group (gid) to run Vault agent as @@ -144,6 +145,7 @@ func (c *Command) Run(args []string) int { // Build the HTTP handler and server injector := agentInject.Handler{ VaultAddress: c.flagVaultService, + VaultAuthType: c.flagVaultAuthType, VaultAuthPath: c.flagVaultAuthPath, ProxyAddress: c.flagProxyAddress, ImageVault: c.flagVaultImage, diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go index 5080cb29..7411afab 100644 --- a/subcommand/injector/flags.go +++ b/subcommand/injector/flags.go @@ -51,6 +51,9 @@ type Specification struct { // VaultImage is the AGENT_INJECT_VAULT_IMAGE environment variable. VaultImage string `split_words:"true"` + // VaultAuthType is the AGENT_INJECT_VAULT_AUTH_TYPE environment variable. + VaultAuthType string `split_words:"true"` + // VaultAuthPath is the AGENT_INJECT_VAULT_AUTH_PATH environment variable. VaultAuthPath string `split_words:"true"` 
@@ -97,8 +100,10 @@ func (c *Command) init() { "Address of the Vault server.") c.flagSet.StringVar(&c.flagProxyAddress, "proxy-address", "", "HTTP proxy address used to talk to the Vault service.") + c.flagSet.StringVar(&c.flagVaultAuthType, "vault-auth-type", agent.DefaultVaultAuthType, + fmt.Sprintf("Type of Vault Auth Method to use. Defaults to %q.", agent.DefaultVaultAuthType)) c.flagSet.StringVar(&c.flagVaultAuthPath, "vault-auth-path", agent.DefaultVaultAuthPath, - fmt.Sprintf("Mount Path of the Vault Kubernetes Auth Method. Defaults to %q.", agent.DefaultVaultAuthPath)) + fmt.Sprintf("Mount path of the Vault Auth Method. Defaults to %q.", agent.DefaultVaultAuthPath)) c.flagSet.BoolVar(&c.flagRevokeOnShutdown, "revoke-on-shutdown", false, "Automatically revoke Vault Token on Pod termination.") c.flagSet.StringVar(&c.flagRunAsUser, "run-as-user", strconv.Itoa(agent.DefaultAgentRunAsUser), @@ -188,6 +193,10 @@ func (c *Command) parseEnvs() error { c.flagProxyAddress = envs.ProxyAddr } + if envs.VaultAuthType != "" { + c.flagVaultAuthType = envs.VaultAuthType + } + if envs.VaultAuthPath != "" { c.flagVaultAuthPath = envs.VaultAuthPath }