K8s Auth non-default mount points (#147)

* Kubernetes Vault mount path support * README updates
jonasvinther · Feb 1, 2024 · 248313d · 248313d
1 parent c6f2ba4
commit 248313d
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -312,13 +312,14 @@ Available Commands:
   version     Print the version number of Medusa
 
 Flags:
-  -a, --address string     Address of the Vault server
-  -h, --help               help for medusa
-  -k, --insecure           Allow insecure server connections when using SSL
-      --kubernetes         Authenticate using the Kubernetes JWT token
-  -n, --namespace string   Namespace within the Vault server (Enterprise only)
-  -r, --role string        Vault role for Kubernetes JWT authentication
-  -t, --token string       Vault authentication token
-
-Use "medusa [command] --help" for more information about a command
+  -a, --address string                Address of the Vault server
+  -h, --help                          help for medusa
+  -k, --insecure                      Allow insecure server connections when using SSL
+      --kubernetes                    Authenticate using the Kubernetes JWT token
+      --kubernetes-auth-path string   Authentication mount point within Vault for Kubernetes
+  -n, --namespace string              Namespace within the Vault server (Enterprise only)
+  -r, --role string                   Vault role for Kubernetes JWT authentication
+  -t, --token string                  Vault authentication token
+
+Use "medusa [command] --help" for more information about a command.
 ``` 
diff --git a/cmd/cmd.go b/cmd/cmd.go
@@ -82,6 +82,7 @@ func init() {
 	rootCmd.PersistentFlags().StringP("token", "t", "", "Vault authentication token")
 	rootCmd.PersistentFlags().StringP("role", "r", "", "Vault role for Kubernetes JWT authentication")
 	rootCmd.PersistentFlags().BoolP("kubernetes", "", false, "Authenticate using the Kubernetes JWT token")
+	rootCmd.PersistentFlags().StringP("kubernetes-auth-path", "", "", "Authentication mount point within Vault for Kubernetes")
 	rootCmd.PersistentFlags().BoolP("insecure", "k", false, "Allow insecure server connections when using SSL")
 	rootCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace within the Vault server (Enterprise only)")
 

diff --git a/cmd/delete.go b/cmd/delete.go
@@ -27,12 +27,13 @@ var deleteCmd = &cobra.Command{
 		insecure, _ := cmd.Flags().GetBool("insecure")
 		vaultRole, _ := cmd.Flags().GetString("role")
 		kubernetes, _ := cmd.Flags().GetBool("kubernetes")
+		authPath, _ := cmd.Flags().GetString("kubernetes-auth-path")
 		namespace, _ := cmd.Flags().GetString("namespace")
 		engineType, _ := cmd.Flags().GetString("engine-type")
 		isApproved, _ := cmd.Flags().GetBool("auto-approve")
 
 		// Setup Vault client
-		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes)
+		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath)
 		engine, path, err := client.MountpathSplitPrefix(path)
 		if err != nil {
 			fmt.Println(err)

diff --git a/cmd/export.go b/cmd/export.go
@@ -30,14 +30,15 @@ var exportCmd = &cobra.Command{
 		vaultToken, _ := cmd.Flags().GetString("token")
 		vaultRole, _ := cmd.Flags().GetString("role")
 		kubernetes, _ := cmd.Flags().GetBool("kubernetes")
+		authPath, _ := cmd.Flags().GetString("kubernetes-auth-path")
 		insecure, _ := cmd.Flags().GetBool("insecure")
 		namespace, _ := cmd.Flags().GetString("namespace")
 		engineType, _ := cmd.Flags().GetString("engine-type")
 		doEncrypt, _ := cmd.Flags().GetBool("encrypt")
 		exportFormat, _ := cmd.Flags().GetString("format")
 		output, _ := cmd.Flags().GetString("output")
 
-		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes)
+		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath)
 		engine, path, err := client.MountpathSplitPrefix(path)
 		if err != nil {
 			fmt.Println(err)

diff --git a/cmd/import.go b/cmd/import.go
@@ -33,12 +33,13 @@ var importCmd = &cobra.Command{
 		insecure, _ := cmd.Flags().GetBool("insecure")
 		vaultRole, _ := cmd.Flags().GetString("role")
 		kubernetes, _ := cmd.Flags().GetBool("kubernetes")
+		authPath, _ := cmd.Flags().GetString("kubernetes-auth-path")
 		namespace, _ := cmd.Flags().GetString("namespace")
 		engineType, _ := cmd.Flags().GetString("engine-type")
 		doDecrypt, _ := cmd.Flags().GetBool("decrypt")
 		privateKey, _ := cmd.Flags().GetString("private-key")
 
-		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes)
+		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath)
 		engine, prefix, err := client.MountpathSplitPrefix(path)
 		if err != nil {
 			fmt.Println(err)

diff --git a/docs/examples/kubernetes/cronjob/README.md b/docs/examples/kubernetes/cronjob/README.md
@@ -133,6 +133,8 @@ medusa-1615982160-4b527   0/1     Completed   0          9s
 
 ### Using Kubernetes authentication
 If you are using the kubernetes authentication method in Vault, it is also possible to use the kubernetes provided JWT token inside a Pod and auth role in order to authenticate.
+If your authentication mount point is different from the default of `kubernetes`, for example if your vault instance is supporting multiple clusters, this can be changed with the
+`--kubernetes-auth-path` option.
 
 ```yaml
 command: ["./medusa", "export", "$(VAULT_PATH)", "--kubernetes", "--role=default", "-o", "/backup/backup.vault"]

diff --git a/pkg/vaultengine/vaultclient.go b/pkg/vaultengine/vaultclient.go
@@ -18,19 +18,21 @@ type Client struct {
 	engineType string
 	role       string
 	kubernetes bool
+	authPath   string
 	insecure   bool
 	vc         *vault.Client
 }
 
 // NewClient creates a instance of the VaultClient struct
-func NewClient(addr, token string, insecure bool, namespace string, role string, kubernetes bool) *Client {
+func NewClient(addr, token string, insecure bool, namespace string, role string, kubernetes bool, authPath string) *Client {
 	client := &Client{
 		token:      token,
 		addr:       addr,
 		insecure:   insecure,
 		namespace:  namespace,
 		role:       role,
 		kubernetes: kubernetes,
+		authPath:   authPath,
 	}
 
 	client.newVaultClient()
@@ -107,13 +109,22 @@ func (client *Client) newVaultClient() error {
 	}
 
 	// Authenticate using Kubernetes JWT if kubernetes flag is set
+	var authPath string
+
 	if client.kubernetes {
-		kubernetesAuth, err := auth.NewKubernetesAuth(client.role)
+		if client.authPath != "" {
+			authPath = client.authPath
+		} else {
+			authPath = "kubernetes"
+		}
+
+		kubernetesAuth, err := auth.NewKubernetesAuth(client.role, auth.WithMountPath(authPath))
 		if err != nil {
 			return err
 		}
 
 		authInfo, err := vc.Auth().Login(context.Background(), kubernetesAuth)
+
 		if err != nil {
 			return err
 		}