
Part 9/n - Add kubernetes secret plugin #107

Merged
merged 45 commits into from
Feb 2, 2024

Conversation

cipherboy
Member

This imports the Kubernetes secrets plugin as discussed in #64, bringing it in-tree with history.


This is part of #68, broken up to make review easier.

@naphelps When it comes time for merge, I'd suggest making this one a rebase merge if you can to preserve history. Thanks!

tvoran and others added 30 commits April 6, 2022 14:44
Adds license, readme, basic secrets plugin skeleton, and CI tests and
integration tests. Most of the non-code parts were copied from
hashicorp/vault-plugin-auth-kubernetes and s/auth/secrets/. Notable
changes include using gofumpt instead of gofmt (like hashicorp/vault
does), and an additional local_dev.sh script.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
And updating fileutil, and the integration test's vault version

Co-authored-by: Christopher Swenson <swenson@swenson.io>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Generates k8s service accounts for the three operation modes: existing
service account, existing role, and creating all objects from given
role rules. Includes a WAL-based rollback to clean up create failures.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Split additional_metadata into extra_labels and extra_annotations
* Reduce WAL integration test time
* Speed up WAL tests by a further 3x, delete unused test code, tidy test type conversions a little
* Check service account isn't created, port across some doc tweaks

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Update the CI tests to use kubernetes 1.24, and drop 1.20. Remove
unused KUBERNETES_JWT env.
Test against Vault Enterprise

We run the tests again but overwrite the `vault:dev` image with the
Enterprise image and ensure that the license is loaded.
* add new parameter allowed_kubernetes_namespace_selector to
  external plugin api
* add logic to handle a namespace label selector if configured in
  role
* change validation that both namespace parameters can be
  supplied on roles, add integration tests for
  allowed_kubernetes_namespace_selector
test with k8s 1.22-25, vault 1.11.3, vault-helm 0.22.0, and go 1.19.1

gofumpt format fixes, and updated dependencies to avoid CVEs:
- golang.org/x/crypto@v0.0.0-20220314234659-1baeb1ce4c0b
- golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
- golang.org/x/sys@v0.0.0-20220728004956-3c1f35247d10
- github.com/stretchr/testify@v1.8.0

updated vault/api and vault/sdk
- github.com/hashicorp/vault/api@v1.7.2
- github.com/hashicorp/vault/sdk@v0.5.3
By running:

```sh
go list -u -m -json all | jq -r 'select(.Indirect != true and .Update != null) | .Path+"@"+.Update.Version' | xargs -L1 go get
go mod tidy
```
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Adds a `/check` endpoint that will return a 204 if the
required environment variables are present, and otherwise
returns a 400 with a list of what variables are missing.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
* enable plugin multiplexing

- the plugin will be multiplexed when run as an external plugin
  against vault versions that support plugin multiplexing
- we continue to set the TLSProviderFunc to maintain backwards
  compatibility with vault versions that don't support AutoMTLS (< 1.12)

* update changelog and readme
Use go 1.20.2, and update x/net to v0.8.0:

golang.org/x/net v0.5.0 => v0.8.0
golang.org/x/sys v0.4.0 => v0.6.0
golang.org/x/term v0.4.0 => v0.6.0
golang.org/x/text v0.6.0 => v0.8.0

Update k8s versions and add 1.26.2. Use known GHA SHAs in the test
workflow, update helm/kind-action's version and remove
azure/setup-kubectl in favor of the kubectl_version option on
helm/kind-action.

Removes the extra caching steps in favor of setup-go@v3's built-in
caching support.
Co-authored-by: hashicorp-tsccr[bot] <hashicorp-tsccr[bot]@users.noreply.github.com>
* update dependencies

* update go-version; update changelog
fairclothjm and others added 15 commits May 25, 2023 16:52
Use the common jira-sync with the correct team name, update actions to
latest trusted versions, test with k8s 1.23-1.27 and vault 1.13.3, use
go 1.20.5.
* workflows: add bulk dep update job

* update reviewer team
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.41.0 to 1.53.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.41.0...v1.53.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update deps

* update changelog
Build with go 1.21.3, and update related packages. Pin github actions
to the latest trusted versions, and test with k8s 1.24-1.28 and Vault
1.15.0.
* Bump google.golang.org/grpc from 1.57.0 to 1.57.1

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.57.0 to 1.57.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.57.0...v1.57.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…mpatible (openbao#39)

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.5+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.5...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](go-jose/go-jose@v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
...

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
…364a098f4e3870b085'

git-subtree-dir: builtin/logical/kubernetes
git-subtree-mainline: 3f07265
git-subtree-split: d3d8789
Cherry-pick of d0dbf8b.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
…bernetes

Cherry-pick of f63514f
             + 93c9508.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
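The `/check` endpoint described in one of the commits above (204 when the required environment variables are present, otherwise 400 with a list of what is missing) can be sketched as follows. This is an added example, not the plugin's own code; the handler, the `RequiredEnv` list and the variable names in it are assumptions, and the lookup function is injected so the logic can be exercised without touching the real process environment.

```go
package main

import (
	"encoding/json"
	"net/http"
	"os"
	"sort"
)

// RequiredEnv is an assumed list of variables the check inspects; the
// plugin's real list is not reproduced here.
var RequiredEnv = []string{
	"KUBERNETES_SERVICE_HOST",
	"KUBERNETES_SERVICE_PORT",
}

// MissingEnv returns the names in required that lookup reports as unset
// or set to an empty string. An empty value is treated as missing because
// it is just as unusable for the plugin as an absent one.
func MissingEnv(required []string, lookup func(string) (string, bool)) []string {
	var missing []string
	for _, name := range required {
		if v, ok := lookup(name); !ok || v == "" {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing) // stable ordering makes the response easy to diff
	return missing
}

// CheckStatus maps the result of MissingEnv to the HTTP status the
// endpoint returns: 204 when nothing is missing, 400 otherwise.
func CheckStatus(missing []string) int {
	if len(missing) == 0 {
		return http.StatusNoContent
	}
	return http.StatusBadRequest
}

// CheckHandler serves /check against the real process environment.
func CheckHandler(w http.ResponseWriter, r *http.Request) {
	missing := MissingEnv(RequiredEnv, os.LookupEnv)
	status := CheckStatus(missing)
	if status == http.StatusNoContent {
		w.WriteHeader(status) // 204 carries no body
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string][]string{"missing": missing})
}

func main() {
	http.HandleFunc("/check", CheckHandler)
	_ = http.ListenAndServe("127.0.0.1:8200", nil)
}
```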
@cipherboy
Member Author

@naphelps Updated :-)

@naphelps naphelps merged commit 08b6818 into openbao:main Feb 2, 2024
2 of 9 checks passed