This repository has been archived by the owner on Oct 9, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 59
/
vault_secret_manager.go
95 lines (79 loc) · 3.73 KB
/
vault_secret_manager.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package webhook
import (
"context"
"fmt"
"os"
"path/filepath"
coreIdl "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core"
"github.com/flyteorg/flyteplugins/go/tasks/pluginmachinery/utils"
"github.com/flyteorg/flytepropeller/pkg/webhook/config"
"github.com/flyteorg/flytestdlib/logger"
corev1 "k8s.io/api/core/v1"
)
var (
VaultSecretPathPrefix = []string{string(os.PathSeparator), "etc", "flyte", "secrets"}
)
// VaultSecretManagerInjector allows injecting of secrets into pods by leveraging an existing deployment of Vault Agent
// Vault Agent functions as an additional webhook that is triggered through annotations and then retrieves and mounts
// the requested secrets from Vault. This injector parses a secret Request into vault annotations, interpreting the secret
// Group as the vault secret path and the secret Key as the key for which to extract a value from a Vault secret.
// It supports adding multiple secrets. (The common annotations will simply be overwritten if added several times)
// Note that you need to configure the Vault role that this injector will try to use and add Vault policies for
// the service account and namespaces that your workflows run under.
// Files will be mounted at /etc/flyte/secrets/<SecretGroup>/<SecretKey>
type VaultSecretManagerInjector struct {
cfg config.VaultSecretManagerConfig
}
func (i VaultSecretManagerInjector) Type() config.SecretManagerType {
return config.SecretManagerTypeVault
}
func (i VaultSecretManagerInjector) Inject(ctx context.Context, secret *coreIdl.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error) {
if len(secret.Group) == 0 || len(secret.Key) == 0 {
return nil, false, fmt.Errorf("Vault Secrets Webhook requires both key and group to be set. "+
"Secret: [%v]", secret)
}
switch secret.MountRequirement {
case coreIdl.Secret_ANY:
fallthrough
case coreIdl.Secret_FILE:
// Set environment variable to let the container know where to find the mounted files.
defaultDirEnvVar := corev1.EnvVar{
Name: SecretPathDefaultDirEnvVar,
Value: filepath.Join(VaultSecretPathPrefix...),
}
p.Spec.InitContainers = AppendEnvVars(p.Spec.InitContainers, defaultDirEnvVar)
p.Spec.Containers = AppendEnvVars(p.Spec.Containers, defaultDirEnvVar)
// Sets an empty prefix to let the containers know the file names will match the secret keys as-is.
prefixEnvVar := corev1.EnvVar{
Name: SecretPathFilePrefixEnvVar,
Value: "",
}
p.Spec.InitContainers = AppendEnvVars(p.Spec.InitContainers, prefixEnvVar)
p.Spec.Containers = AppendEnvVars(p.Spec.Containers, prefixEnvVar)
commonVaultAnnotations := map[string]string{
"vault.hashicorp.com/agent-inject": "true",
"vault.hashicorp.com/secret-volume-path": filepath.Join(VaultSecretPathPrefix...),
"vault.hashicorp.com/role": i.cfg.Role,
"vault.hashicorp.com/agent-pre-populate-only": "true",
}
secretVaultAnnotations, err := CreateVaultAnnotationsForSecret(secret, i.cfg.KVVersion)
// Creating annotations can break with an unsupported KVVersion
if err != nil {
return p, false, err
}
p.ObjectMeta.Annotations = utils.UnionMaps(p.ObjectMeta.Annotations, commonVaultAnnotations)
p.ObjectMeta.Annotations = utils.UnionMaps(p.ObjectMeta.Annotations, secretVaultAnnotations)
case coreIdl.Secret_ENV_VAR:
return p, false, fmt.Errorf("Env_Var is not a supported mount requirement for Vault Secret Manager")
default:
err := fmt.Errorf("unrecognized mount requirement [%v] for secret [%v]", secret.MountRequirement.String(), secret.Key)
logger.Error(ctx, err)
return p, false, err
}
return p, true, nil
}
func NewVaultSecretManagerInjector(cfg config.VaultSecretManagerConfig) VaultSecretManagerInjector {
return VaultSecretManagerInjector{
cfg: cfg,
}
}