Merge pull request #107 from cipherboy/add-kubernetes-secret-plugin

Part 9/n - Add kubernetes secret plugin

builtin/logical/kubernetes/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,24 @@
+# Overview
+
+A high level description of the contribution, including:
+Who the change affects or is for (stakeholders)?
+What is the change?
+Why is the change needed?
+How does this change affect the user experience (if at all)?
+
+# Design of Change
+
+How was this change implemented?
+
+# Related Issues/Pull Requests
+
+[ ] [Issue #1234](https://github.com/hashicorp/vault/issues/1234)
+[ ] [PR #1234](https://github.com/hashicorp/vault/pr/1234)
+
+# Contributor Checklist
+
+[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
+[My Docs PR Link](link)
+[Example](https://github.com/hashicorp/vault/commit/2715f5cec982aabc7b7a6ae878c547f6f475bba6)
+[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
+[ ] Backwards compatible

builtin/logical/kubernetes/.github/workflows/bulk-dep-upgrades.yaml

@@ -0,0 +1,17 @@
+name: Upgrade dependencies
+on:
+  workflow_dispatch:
+  schedule:
+    # Runs 12:00AM on the first of every month
+    - cron: '0 0 1 * *'
+jobs:
+  upgrade:
+    # using `main` as the ref will keep your workflow up-to-date
+    uses: hashicorp/vault-workflows-common/.github/workflows/bulk-dependency-updates.yaml@main
+    secrets:
+      VAULT_ECO_GITHUB_TOKEN: ${{ secrets.VAULT_ECO_GITHUB_TOKEN }}
+    with:
+      # either hashicorp/vault-ecosystem-applications or hashicorp/vault-ecosystem-foundations
+      reviewer-team: hashicorp/vault-ecosystem-foundations
+      repository: ${{ github.repository }}
+      run-id: ${{ github.run_id }}

builtin/logical/kubernetes/.github/workflows/jira.yaml

@@ -0,0 +1,17 @@
+name: Jira Sync
+on:
+  issues:
+    types: [opened, closed, deleted, reopened]
+  pull_request_target:
+    types: [opened, closed, reopened]
+  issue_comment: # Also triggers when commenting on a PR from the conversation view
+    types: [created]
+jobs:
+  sync:
+    uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main
+    secrets:
+      JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }}
+      JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }}
+      JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }}
+    with:
+      teams-array: '["ecosystem", "foundations-eco"]'

builtin/logical/kubernetes/.github/workflows/tests.yaml

@@ -0,0 +1,54 @@
+name: Tests
+
+on: [push, workflow_dispatch]
+
+jobs:
+  fmtcheck:
+    runs-on: ubuntu-latest
+    env:
+      GOFUMPT_VERSION: 0.3.1
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: .go-version
+      - run: |
+          go install "mvdan.cc/gofumpt@v${GOFUMPT_VERSION}"
+          make fmtcheck
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: .go-version
+      - run: make test
+
+  integrationTest:
+    runs-on: ubuntu-latest
+    needs: [fmtcheck, test]
+    strategy:
+      fail-fast: false
+      matrix:
+        kind-k8s-version: [1.24.15, 1.25.11, 1.26.6, 1.27.3, 1.28.0]
+        enterprise: ["", "-ent"]
+    name: Integration test ${{ matrix.enterprise }} kind ${{ matrix.kind-k8s-version }}
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Create K8s Kind Cluster
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        with:
+          version: v0.20.0
+          cluster_name: vault-plugin-secrets-kubernetes
+          config: integrationtest/kind/config.yaml
+          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: .go-version
+      - env:
+          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+        run: make setup-integration-test${{ matrix.enterprise }}
+      - env:
+          INTEGRATION_TESTS: true
+        run: make integration-test TESTARGS="-v"

builtin/logical/kubernetes/.gitignore

@@ -0,0 +1,5 @@
+.DS_Store
+.idea
+.vscode
+pkg/*
+bin/*

builtin/logical/kubernetes/.go-version

@@ -0,0 +1 @@
+1.21.3

builtin/logical/kubernetes/CHANGELOG.md

@@ -0,0 +1,114 @@
+## Unreleased
+
+### Changes
+
+* Building with go 1.21.3
+* Testing with k8s 1.24-1.28
+* Dependency updates
+  * golang.org/x/crypto v0.13.0 -> v0.14.0
+  * golang.org/x/net v0.15.0 -> v0.17.0
+  * golang.org/x/sys v0.12.0 -> v0.13.0
+  * golang.org/x/term v0.12.0 -> v0.13.0
+  * github.com/docker/docker v24.0.5 -> v24.0.7
+  * github.com/hashicorp/vault/sdk v0.10.0 -> v0.10.2
+  * k8s.io/api v0.28.1 -> v0.28.3
+  * k8s.io/apimachinery v0.28.1 -> v0.28.3
+  * k8s.io/client-go v0.28.1 -> v0.28.3
+  * github.com/go-jose/go-jose/v3 v3.0.0 -> v3.0.1
+
+## 0.6.0 (September 6th, 2023)
+
+### Features:
+
+* update dependencies [GH-35](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/35)
+  * github.com/hashicorp/vault/api v1.10.0
+  * github.com/hashicorp/vault/sdk v0.10.0
+  * github.com/stretchr/testify v1.8.4
+  *	k8s.io/api v0.28.1
+  * k8s.io/apimachinery v0.28.1
+  * k8s.io/client-go v0.28.1
+  * golang.org/x/net v0.15.0
+
+### Changes
+
+* Testing with K8s versions 1.23-1.27
+* Building with Go 1.20.5
+
+## 0.5.0 (May 25, 2023)
+
+### Features:
+
+* allow omitting `kubernetes_namespace` on token create for single namespace Vault roles [GH-27](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/27)
+* update dependencies [GH-196](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/30)
+  * github.com/hashicorp/vault/api v1.9.1
+  * github.com/stretchr/testify v1.8.3
+  * k8s.io/api v0.27.2
+  * k8s.io/apimachinery v0.27.2
+  * k8s.io/client-go v0.27.2
+
+## 0.4.0 (March 30, 2023)
+
+### Features:
+
+* add `audiences` option to set audiences for the k8s token created from the TokenRequest API, and add `token_default_audiences`
+option to set the default audiences on role write [GH-24](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/24)
+
+### Changes:
+
+* enable plugin multiplexing [GH-23](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/23)
+* update dependencies
+   * `github.com/hashicorp/vault/api` v1.9.0
+   * `github.com/hashicorp/vault/sdk` v0.8.1
+   * `github.com/hashicorp/go-hclog` v1.3.1 -> v1.5.0
+   * `github.com/stretchr/testify` v1.8.1 -> v1.8.2
+   * `k8s.io/api` v0.25.3 -> v0.26.3
+   * `k8s.io/apimachinery` v0.25.3 -> v0.26.3
+   * `k8s.io/client-go` v0.25.3 -> v0.26.3
+
+## 0.3.0 (February 9, 2023)
+
+* Add `/check` endpoint to determine if environment variables are set [GH-18](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/18)
+
+### Changes
+
+* Update to Go 1.19 [GH-15](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/15)
+* Update dependencies [GH-15](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/15):
+|             MODULE              | VERSION | NEW VERSION | DIRECT | VALID TIMESTAMPS |
+|---------------------------------|---------|-------------|--------|------------------|
+| github.com/cenkalti/backoff/v3  | v3.0.0  | v3.2.2      | true   | true             |
+| github.com/hashicorp/go-hclog   | v0.16.2 | v1.3.1      | true   | true             |
+| github.com/hashicorp/go-version | v1.2.0  | v1.6.0      | true   | true             |
+| github.com/hashicorp/vault/api  | v1.7.2  | v1.8.2      | true   | true             |
+| github.com/hashicorp/vault/sdk  | v0.5.3  | v0.6.1      | true   | true             |
+| github.com/stretchr/testify     | v1.8.0  | v1.8.1      | true   | true             |
+| gopkg.in/square/go-jose.v2      | v2.5.1  | v2.6.0      | true   | true             |
+| k8s.io/api                      | v0.22.2 | v0.25.3     | true   | true             |
+| k8s.io/apimachinery             | v0.22.2 | v0.25.3     | true   | true             |
+| k8s.io/client-go                | v0.22.2 | v0.25.3     | true   | true             |
+
+## 0.2.0 (September 15, 2022)
+
+### Changes
+
+* Test against k8s versions 1.22-25, vault-helm 0.22.0, and Vault 1.11.3 [[GH-14](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/14)]
+* Use go 1.19.1 [[GH-14](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/14)]
+
+### Improvements
+
+* Test against Vault Enterprise [[GH-11](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/11)]
+* Role namespace configuration possible via LabelSelector [[GH-10](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/10)]
+* Update golang dependencies to avoid CVEs [[GH-14](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/14)]
+  * golang.org/x/crypto@v0.0.0-20220314234659-1baeb1ce4c0b
+  * golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
+  * golang.org/x/sys@v0.0.0-20220728004956-3c1f35247d10
+  * github.com/stretchr/testify@v1.8.0
+
+## 0.1.1 (May 26th, 2022)
+
+### Changes
+
+* Split `additional_metadata` into `extra_annotations` and `extra_labels` parameters [[GH-7](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/7)]
+
+## 0.1.0 (May 20th, 2022)
+
+Initial implementation [[GH-2](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/2)][[GH-3](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/3)][[GH-4](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/pull/4)]