From caeaebcdf0c7223fe4139dfbf214b72595313c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?=
Date: Tue, 29 Sep 2020 21:56:31 +0200
Subject: [PATCH] Enable Vault to review kube tokens when using external Vault
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. We also improve the visibility of the options we move the serviceAccount options from the server into the global section. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs #376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
---
templates/_helpers.tpl | 14 +++++++-------
templates/server-clusterrolebinding.yaml | 2 --
templates/server-serviceaccount.yaml | 4 +---
test/unit/server-clusterrolebinding.bats | 4 ++--
test/unit/server-serviceaccount.bats | 10 +++++-----
test/unit/server-statefulset.bats | 12 ++++++------
values.yaml | 24 +++++++++++++-----------
7 files changed, 34 insertions(+), 36 deletions(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 66bc3535e..3e6052b4e 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -301,10 +301,10 @@ Sets extra ui service annotations
 Create the name of the service account to use
 */}}
 {{- define "vault.serviceAccount.name" -}}
-{{- if .Values.server.serviceAccount.create -}}
- {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
+{{- if .Values.global.serviceAccount.create -}}
+ {{ default (include "vault.fullname" .) .Values.global.serviceAccount.name }}
 {{- else -}}
- {{ default "default" .Values.server.serviceAccount.name }}
+ {{ default "default" .Values.global.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
@@ -312,13 +312,13 @@ Create the name of the service account to use
 Sets extra service account annotations
 */}}
 {{- define "vault.serviceAccount.annotations" -}}
- {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
+ {{- if and (ne .mode "dev") .Values.global.serviceAccount.annotations }}
 annotations:
- {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
+ {{- $tp := typeOf .Values.global.serviceAccount.annotations }}
 {{- if eq $tp "string" }}
- {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+ {{- tpl .Values.global.serviceAccount.annotations . | nindent 4 }}
 {{- else }}
- {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+ {{- toYaml .Values.global.serviceAccount.annotations | nindent 4 }}
 {{- end }}
 {{- end }}
 {{- end -}}
diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
index 1fcdc0a20..c3080ba2e 100644
--- a/templates/server-clusterrolebinding.yaml
+++ b/templates/server-clusterrolebinding.yaml
@@ -1,5 +1,4 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
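Review bot: The helper now reads only `.Values.global.serviceAccount.*`, so a values file that still sets `server.serviceAccount.create`, `name` or `annotations` is silently ignored — Helm does not reject unknown keys — and an operator who had set `create=false` to bind a pre-existing account would instead get a newly created, generated-name ServiceAccount on upgrade. The same applies to the annotations helper in the next hunk and to the `create` check in server-serviceaccount.yaml. Consider failing loudly on the old location, e.g. `{{- if hasKey .Values.server "serviceAccount" }}{{ fail "server.serviceAccount has moved to global.serviceAccount" }}{{- end }}`, or at least record the rename in the chart changelog; `.Values.server` presumably still exists since other `server.*` keys are read by this commit.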
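Review bot: Dropping the `ne .mode "external"` guard means the `system:auth-delegator` ClusterRoleBinding is rendered for any install where `server.authDelegator.enabled` is true, including one that only runs the injector against an external Vault, and the template carries no comment explaining why cluster-wide RBAC is created for a server that does not run here. Suggest a comment above the remaining condition, e.g. `{{/* Also rendered in external mode: an external Vault's Kubernetes auth method uses this SA's token for TokenReview (see global.serviceAccount) */}}`. The enclosing `{{- if and ... }}` block closes in the next hunk. The same guard removal in server-serviceaccount.yaml would benefit from the same note.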
@@ -19,4 +18,3 @@ subjects:
 name: {{ template "vault.serviceAccount.name" . }}
 namespace: {{ .Release.Namespace }}
 {{ end }}
-{{ end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
index f92dbb246..e63e9246a 100644
--- a/templates/server-serviceaccount.yaml
+++ b/templates/server-serviceaccount.yaml
@@ -1,7 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
+{{- if (eq (.Values.global.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -15,4 +14,3 @@ metadata:
 {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
 {{ end }}
-{{ end }}
diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats
index d0d2acf8a..bf0a4d858 100755
--- a/test/unit/server-clusterrolebinding.bats
+++ b/test/unit/server-clusterrolebinding.bats
@@ -61,12 +61,12 @@ load _helpers
 [ "${actual}" = "false" ]
 }
-@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
+@test "server/ClusterRoleBinding: also deploy with injector.externalVaultAddr" {
 cd `chart_dir`
 local actual=$( (helm template \
 --show-only templates/server-clusterrolebinding.yaml \
 --set 'injector.externalVaultAddr=http://vault-outside' \
 . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "false" ]
+ [ "${actual}" = "true" ]
 }
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
index 29e18b56f..1d2c4bb37 100755
--- a/test/unit/server-serviceaccount.bats
+++ b/test/unit/server-serviceaccount.bats
@@ -8,7 +8,7 @@ load _helpers
 local actual=$( (helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.dev.enabled=true' \
- --set 'server.serviceAccount.create=false' \
+ --set 'global.serviceAccount.create=false' \
 . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
@@ -16,7 +16,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.dev.enabled=true' \
- --set 'server.serviceAccount.name=user-defined-ksa' \
+ --set 'global.serviceAccount.name=user-defined-ksa' \
 . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr)
 [ "${actual}" = "user-defined-ksa" ]
@@ -35,7 +35,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.dev.enabled=true' \
- --set 'server.serviceAccount.annotations=foo: bar' \
+ --set 'global.serviceAccount.annotations=foo: bar' \
 . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
 [ "${actual}" = "null" ]
@@ -43,7 +43,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.serviceAccount.annotations=foo: bar' \
+ --set 'global.serviceAccount.annotations=foo: bar' \
 . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
 [ "${actual}" = "bar" ]
@@ -51,7 +51,7 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-serviceaccount.yaml \
 --set 'server.ha.enabled=true' \
- --set 'server.serviceAccount.annotations.foo=bar' \
+ --set 'global.serviceAccount.annotations.foo=bar' \
 . | tee /dev/stderr | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
 [ "${actual}" = "bar" ]
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index 0b9f243a5..f1af30aed 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
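Review bot: No test in this file asserts that templates/server-serviceaccount.yaml is now rendered when `injector.externalVaultAddr` is set, although that is the behavioural change the commit makes to that template; the hunks here only rename `server.serviceAccount.*` keys to `global.serviceAccount.*`. server-clusterrolebinding.bats got a matching "also deploy with injector.externalVaultAddr" case, so unless one already exists outside these hunks, add its counterpart here with `--show-only templates/server-serviceaccount.yaml` and `[ "${actual}" = "true" ]`. A case with `global.serviceAccount.create=false` in external mode, expecting no output, would pin the other half of the contract.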
@@ -1407,16 +1407,16 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=false' \
- --set 'server.serviceAccount.name=user-defined-ksa' \
+ --set 'global.serviceAccount.create=false' \
+ --set 'global.serviceAccount.name=user-defined-ksa' \
 . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "user-defined-ksa" ]
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=true' \
- --set 'server.serviceAccount.name=user-defined-ksa' \
+ --set 'global.serviceAccount.create=true' \
+ --set 'global.serviceAccount.name=user-defined-ksa' \
 . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "user-defined-ksa" ]
@@ -1427,14 +1427,14 @@ load _helpers
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=false' \
+ --set 'global.serviceAccount.create=false' \
 . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "default" ]
 local actual=$(helm template \
 --show-only templates/server-statefulset.yaml \
- --set 'server.serviceAccount.create=true' \
+ --set 'global.serviceAccount.create=true' \
 . | tee /dev/stderr | yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
 [ "${actual}" = "RELEASE-NAME-vault" ]
diff --git a/values.yaml b/values.yaml
index a9570520e..c2d56f5ef 100644
--- a/values.yaml
+++ b/values.yaml
@@ -22,6 +22,19 @@ global:
 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
 seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ # Definition of the serviceAccount used to run Vault.
+ # These options are also used when using an external Vault server to validate
+ # Kubernetes tokens.
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # Extra annotations for the serviceAccount definition. This can either be
+ # YAML or a YAML-formatted multi-line templated string map of the
+ # annotations to apply to the serviceAccount.
+ annotations: {}
 injector:
 # True if you want to enable vault agent injection.
@@ -526,17 +539,6 @@ server:
 # replicas. If you'd like a custom value, you can specify an override here.
 maxUnavailable: null
- # Definition of the serviceAccount used to run Vault.
- serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
- # Extra annotations for the serviceAccount definition. This can either be
- # YAML or a YAML-formatted multi-line templated string map of the
- # annotations to apply to the serviceAccount.
- annotations: {}
 # Settings for the statefulSet used to run Vault.
 statefulSet:
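Review bot: The new comment on `global.serviceAccount` says the options are "also used when using an external Vault server to validate Kubernetes tokens" but does not say what the chart creates in that mode or why it needs cluster-wide RBAC, which is exactly what an operator auditing the rendered objects will ask. Suggest expanding it to state that in external mode the chart still creates this ServiceAccount and, when `server.authDelegator.enabled` is true, a ClusterRoleBinding to `system:auth-delegator`, so the account's token can be configured on the external Vault's Kubernetes auth method for TokenReview. The second hunk leaves nothing at the old `server.serviceAccount` location to redirect users; a single `# serviceAccount options have moved to global.serviceAccount` under `server:` would prevent a silently ignored setting. Both hunks sit inside the `global:` and `server:` mappings, which extend beyond what is shown.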