Part 7/n - Add kubernetes auth plugin #105

Merged: 176 commits, Feb 2, 2024

cipherboy
Member

This imports the Kubernetes auth plugin as discussed in #64, bringing it in-tree with history.


This is part of #68, broken up to make review easier.

@naphelps When it comes time for merge, I'd suggest making this one a rebase merge if you can to preserve history. Thanks!

briankassouf and others added 30 commits August 31, 2017 10:24
* Start work on kubernetes auth

* Add vendoring and further work on the plugin

* Add test and fix jwt parsing

* comment

* Allow configuration of many Certs

* Use service account name for binding instead of UID

* Add lookup in kubernetes

* Add better error handling to the kubernetes call

* Added examples directory

* Update vendoring

* Use the TokenReview API to validate the JWT

* Fix vendoring

* Update basic example and rename it

* Add a sidecar example

* Remove extra file

* fix renewals

* Validate the JWT before calling into the TokenReview API

* Add comments and don't export the backend object

* Add tests and fix up some role parsing

* Add tests for configuration of the backend

* Add tests for logging in

* Update the help text

* More help text

* Make it easier to read and store certificates

* Fix locking and add additional login tests

* Add more login tests

* Remove examples

* Add build scripts

* Add license

* Fix a few issues

* a few fixes from code review

* Some minor fixes

* Make mismatched JWT errors a little more clear

* Add comments about the review factory settings

* Update deps

* Rename certificates to public keys and clean up the PEM parsing logic

* A few small fixes from code review

* Add persona lookahead function

* Use rest client for fewer dependencies

* Don't use the kubernetes client (#2)

* Don't use the kubernetes client

* Fix bearer token

* Remove some debug code

* Add comments

* Fix unmarshaling of json

* Fix a few of the path descriptions

* No need to lock on config update/read

* Fix vet issue
* Make the PEM Signing Keys Optional

* Make ca cert or pem keys required

* Fix issue where the service account was not being returned

* Add more tests

* Update path_login.go
…penbao#9)

* Add a separate Token Reviewer token to use with the kubernetes API

* Add the token reviewer to the config read response

* Add a note about falling back to the login JWT
Update the vault dep to pull in Alias changes
* Update Deps and add context

* Add deps
Plumb context through paths and funcs that touch storage
tomhjp and others added 26 commits July 12, 2023 16:48
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
* workflows: add bulk dep update job

* update reviewer team
Co-authored-by: Andriy Binetsky <abinet@gmail.com>
Build with go 1.21.3, and update related packages. Pin github actions
to latest trusted versions, and test with k8s 1.24-1.28 and Vault
1.15.0.
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.57.0 to 1.57.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.57.0...v1.57.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
…mpatible (openbao#214)

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.5+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.5...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](go-jose/go-jose@v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
...

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](go-jose/go-jose@v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
)

---------

Co-authored-by: Jakob Beckmann <jakobbeckmann@pm.me>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](golang/crypto@v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…penbao#224)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](golang/crypto@v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---------

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
…94a2ce942c96b3edacac3'

git-subtree-dir: builtin/credential/kubernetes
git-subtree-mainline: 6365ced
git-subtree-split: 83fcb74
Cherry-pick of 918e4c6.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
This switches all references to the Kubernetes plugin to use the new
internal location for the plugin over the external, HashiCorp owned
plugin.

Cherry-pick of 3bd3c9f.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
@cipherboy
Member Author

@naphelps Updated, thanks!

@naphelps naphelps merged commit d0fdf53 into openbao:main Feb 2, 2024
2 of 9 checks passed