
Add oidc login to vault #249

Merged
merged 3 commits into from
Jan 30, 2022

Conversation

sudo-bmitch
Contributor

Signed-off-by: Brandon Mitchell git@bmitch.net

Summary

This adds the ability to log in to Vault using OIDC to get a token, and removes dependencies on environment variables.

I'm using this with Spire+OIDC to use Vault as a KMS without hard coding credentials in CI. Here's what that code looks like:

```go
package main

import (
	"context"
	"crypto"

	"github.com/sigstore/sigstore/pkg/signature"
	"github.com/sigstore/sigstore/pkg/signature/kms"
	_ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" // registers the hashivault:// provider with kms.Get
	"github.com/sigstore/sigstore/pkg/signature/options"
	"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
	"github.com/spiffe/go-spiffe/v2/workloadapi"
)

// config mirrors only the fields used below; the author's own config type is not shown in the PR.
type config struct {
	KMSRef string // key reference, e.g. hashivault://<key-name>
	Auth   struct {
		Address, Role, Path string // Vault address, JWT/OIDC auth role, and login path
		Spire               struct{ Sock, Audience string }
	}
}
// ...
// newVaultSigner obtains a Vault token via OIDC (JWT-SVID from SPIRE) and returns a KMS signer.
func newVaultSigner(ctx context.Context, cfg *config) (kms.SignerVerifier, error) {
	kmsOpts := []signature.RPCOption{}
	// Address and OIDC role/path replace the VAULT_ADDR/VAULT_TOKEN environment variables.
	rpcAuth := options.RPCAuth{
		Address: cfg.Auth.Address,
		OIDC: options.RPCAuthOIDC{
			Role: cfg.Auth.Role,
			Path: cfg.Auth.Path,
		},
	}
	// Fetch a JWT-SVID from the SPIRE agent's Workload API socket.
	jwtSource, err := workloadapi.NewJWTSource(
		ctx,
		workloadapi.WithClientOptions(workloadapi.WithAddr(cfg.Auth.Spire.Sock)),
	)
	if err != nil {
		return nil, err
	}
	defer jwtSource.Close()
	// The audience must match the one configured on the Vault JWT auth role.
	svid, err := jwtSource.FetchJWTSVID(ctx, jwtsvid.Params{Audience: cfg.Auth.Spire.Audience})
	if err != nil {
		return nil, err
	}
	// The serialized JWT-SVID is exchanged for a Vault token at login; no credentials are hard coded.
	rpcAuth.OIDC.Token = svid.Marshal()
	kmsOpts = append(kmsOpts, options.WithRPCAuthOpts(rpcAuth))
	return kms.Get(context.Background(), cfg.KMSRef, crypto.SHA256, kmsOpts...)
}
// ...
```

Ticket Link

Fixes

Release Note

Adding ability to login to Vault using OIDC

Signed-off-by: Brandon Mitchell <git@bmitch.net>
@sudo-bmitch
Contributor Author

Test cases are in the works for this. I've got them done for passing the vault token, address, and transit path. Just doing a bit more research on the oidc side to see if that can be easily added to the e2e tests.

@hectorj2f
Contributor

@sudo-bmitch
Contributor Author

@hectorj2f yup, I got those fixed in c1d6eb1. Sorry for missing that in the first pass, I know better. I'll have another commit later today for e2e testing, so no need to rerun CI just yet.

Signed-off-by: Brandon Mitchell <git@bmitch.net>
@sudo-bmitch
Contributor Author

Test cases added for the easy parts. I went down the path of trying to get a JWT out of Dex programmatically and started to hit a wall. If anyone has some go or shell code for that, I can add more tests for OIDC auth into vault.

This should be ready for CI @dlorenc

Contributor

@hectorj2f hectorj2f left a comment


lgtm

Signed-off-by: Brandon Mitchell <git@bmitch.net>
@sudo-bmitch
Contributor Author

Double ack. I've now installed golint-ci so I can stop messing up that CI job.


3 participants