Use token from CSI TokenRequests

Makefile

@@ -17,7 +17,7 @@ LDFLAGS?="-X '$(PKG).BuildVersion=$(VERSION)' \
 	-X '$(PKG).BuildDate=$(BUILD_DATE)' \
 	-X '$(PKG).GoVersion=$(shell go version)'"
 K8S_VERSION?=v1.22.2
-CSI_DRIVER_VERSION=1.0.0
+CSI_DRIVER_VERSION=1.1.2
 VAULT_HELM_VERSION=0.16.1
 CI_TEST_ARGS?=
 
@@ -68,7 +68,8 @@ e2e-setup:
 		--wait --timeout=5m \
 		--namespace=csi \
 		--set linux.image.pullPolicy="IfNotPresent" \
-		--set syncSecret.enabled=true
+		--set syncSecret.enabled=true \
+		--set tokenRequests[0].audience="vault"
 	helm install vault-bootstrap test/bats/configs/vault \
 		--namespace=csi
 	helm install vault https://github.com/hashicorp/vault-helm/archive/v$(VAULT_HELM_VERSION).tar.gz \

internal/config/config.go

@@ -74,10 +74,11 @@ type Parameters struct {
 }
 
 type PodInfo struct {
-	Name               string
-	UID                types.UID
-	Namespace          string
-	ServiceAccountName string
+	Name                string
+	UID                 types.UID
+	Namespace           string
+	ServiceAccountName  string
+	ServiceAccountToken string
 }
 
 type Secret struct {
@@ -148,6 +149,29 @@ func parseParameters(parametersStr string) (Parameters, error) {
 		return Parameters{}, err
 	}
 
+	tokensJSON := params["csi.storage.k8s.io/serviceAccount.tokens"]
+	if tokensJSON != "" {
+		// The csi.storage.k8s.io/serviceAccount.tokens field is a JSON object
+		// marshalled into a string. The object keys are audience name (string)
+		// and the values are embedded objects with "token" and
+		// "expirationTimestamp" fields for the corresponding audience.
+		var tokens map[string]struct {
+			Token               string `json:"token"`
+			ExpirationTimestamp string `json:"expirationTimestamp"`
+		}
+		if err := json.Unmarshal([]byte(tokensJSON), &tokens); err != nil {
+			return Parameters{}, fmt.Errorf("failed to unmarshal service account tokens: %w", err)
+		}
+
+		audience := "vault"
+		if parameters.Audience != "" {
+			audience = parameters.Audience
+		}
+		if token, ok := tokens[audience]; ok {
+			parameters.PodInfo.ServiceAccountToken = token.Token
+		}
+	}
+
 	return parameters, nil
 }
 

internal/config/config_test.go

@@ -142,22 +142,23 @@ func TestParseConfig(t *testing.T) {
 			name:       "set all options",
 			targetPath: targetPath,
 			parameters: map[string]string{
-				"roleName":                               "example-role",
-				"vaultSkipTLSVerify":                     "true",
-				"vaultAddress":                           "my-vault-address",
-				"vaultNamespace":                         "my-vault-namespace",
-				"vaultKubernetesMountPath":               "my-mount-path",
-				"vaultCACertPath":                        "my-ca-cert-path",
-				"vaultCADirectory":                       "my-ca-directory",
-				"vaultTLSServerName":                     "mytls-server-name",
-				"vaultTLSClientCertPath":                 "my-tls-client-cert-path",
-				"vaultTLSClientKeyPath":                  "my-tls-client-key-path",
-				"csi.storage.k8s.io/pod.name":            "my-pod-name",
-				"csi.storage.k8s.io/pod.uid":             "my-pod-uid",
-				"csi.storage.k8s.io/pod.namespace":       "my-pod-namespace",
-				"csi.storage.k8s.io/serviceAccount.name": "my-pod-sa-name",
-				"objects":                                objects,
-				"audience":                               "my-aud",
+				"roleName":                                 "example-role",
+				"vaultSkipTLSVerify":                       "true",
+				"vaultAddress":                             "my-vault-address",
+				"vaultNamespace":                           "my-vault-namespace",
+				"vaultKubernetesMountPath":                 "my-mount-path",
+				"vaultCACertPath":                          "my-ca-cert-path",
+				"vaultCADirectory":                         "my-ca-directory",
+				"vaultTLSServerName":                       "mytls-server-name",
+				"vaultTLSClientCertPath":                   "my-tls-client-cert-path",
+				"vaultTLSClientKeyPath":                    "my-tls-client-key-path",
+				"csi.storage.k8s.io/pod.name":              "my-pod-name",
+				"csi.storage.k8s.io/pod.uid":               "my-pod-uid",
+				"csi.storage.k8s.io/pod.namespace":         "my-pod-namespace",
+				"csi.storage.k8s.io/serviceAccount.name":   "my-pod-sa-name",
+				"csi.storage.k8s.io/serviceAccount.tokens": `{"my-aud": {"token": "my-pod-sa-token", "expirationTimestamp": "bar"}, "other-aud": {"token": "unused-token"}}`,
+				"objects":                                  objects,
+				"audience":                                 "my-aud",
 			},
 			expected: Config{
 				TargetPath:     targetPath,
@@ -183,6 +184,7 @@ func TestParseConfig(t *testing.T) {
 						"my-pod-uid",
 						"my-pod-namespace",
 						"my-pod-sa-name",
+						"my-pod-sa-token",
 					},
 					Audience: "my-aud",
 				},

internal/provider/provider.go

@@ -81,19 +81,24 @@ func (p *provider) createJWTToken(ctx context.Context, podInfo config.PodInfo, a
 func (p *provider) login(ctx context.Context, client *api.Client, params config.Parameters) error {
 	p.logger.Debug("performing vault login")
 
-	jwt, err := p.createJWTToken(ctx, params.PodInfo, params.Audience)
-	if err != nil {
-		return err
+	jwt := params.PodInfo.ServiceAccountToken
+	if jwt == "" {
+		p.logger.Debug("no suitable token found in mount request, falling back to generating service account JWT")
+		var err error
+		jwt, err = p.createJWTToken(ctx, params.PodInfo, params.Audience)
+		if err != nil {
+			return err
+		}
 	}
 
 	req := client.NewRequest(http.MethodPost, "/v1/auth/"+params.VaultKubernetesMountPath+"/login")
-	err = req.SetJSONBody(map[string]string{
+	if err := req.SetJSONBody(map[string]string{
 		"role": params.VaultRoleName,
 		"jwt":  jwt,
-	})
-	if err != nil {
+	}); err != nil {
 		return err
 	}
+
 	secret, err := vaultclient.Do(ctx, client, req)
 	if err != nil {
 		return fmt.Errorf("failed to login: %w", err)

main.go

@@ -72,7 +72,6 @@ func realMain(logger hclog.Logger) error {
 		grpc.UnaryInterceptor(func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 			startTime := time.Now()
 			serverLogger.Info("Processing unary gRPC call", "grpc.method", info.FullMethod)
-			serverLogger.Debug("Request contents", "req", req)
 			resp, err := handler(ctx, req)
 			serverLogger.Info("Finished unary gRPC call", "grpc.method", info.FullMethod, "grpc.time", time.Since(startTime), "grpc.code", status.Code(err), "err", err)
 			return resp, err

test/bats/provider.bats

@@ -43,11 +43,13 @@ setup(){
     kubectl --namespace=csi exec vault-0 -- vault write auth/kubernetes/role/db-role \
         bound_service_account_names=nginx-db \
         bound_service_account_namespaces=test \
+        audience=vault \
         policies=db-policy \
         ttl=20m
     kubectl --namespace=csi exec vault-0 -- vault write auth/kubernetes/role/kv-role \
         bound_service_account_names=nginx-kv \
         bound_service_account_namespaces=test \
+        audience=vault \
         policies=kv-policy \
         ttl=20m
     kubectl --namespace=csi exec vault-0 -- vault write auth/kubernetes/role/kv-custom-audience-role \
@@ -59,16 +61,19 @@ setup(){
     kubectl --namespace=csi exec vault-0 -- vault write -namespace=acceptance auth/kubernetes/role/kv-namespace-role \
         bound_service_account_names=nginx-kv-namespace \
         bound_service_account_namespaces=test \
+        audience=vault \
         policies=kv-namespace-policy \
         ttl=20m
     kubectl --namespace=csi exec vault-0 -- vault write auth/kubernetes/role/pki-role \
         bound_service_account_names=nginx-pki \
         bound_service_account_namespaces=test \
+        audience=vault \
         policies=pki-policy \
         ttl=20m
     kubectl --namespace=csi exec vault-0 -- vault write auth/kubernetes/role/all-role \
         bound_service_account_names=nginx-all \
         bound_service_account_namespaces=test \
+        audience=vault \
         policies=db-policy,kv-policy,pki-policy \
         ttl=20m