Added kubernetes mount point to vault adapter
mephenor committed Jul 17, 2024
1 parent 3795dcc commit b270766
Showing 11 changed files with 60 additions and 4 deletions.
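--- a/.pyproject_generation/pyproject_custom.toml
+++ b/.pyproject_generation/pyproject_custom.toml
@@ -1,6 +1,6 @@
 [project]
 name = "fsb"
-version = "0.1.1"
+version = "0.1.2"
 description = "File Services Backend - monorepo housing file services"
 dependencies = [
 "typer >= 0.12",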
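--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "fsb"
-version = "0.1.1"
+version = "0.1.2"
 description = "File Services Backend - monorepo housing file services"
 dependencies = [
 "typer >= 0.12",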
10 changes: 10 additions & 0 deletions services/ekss/README.md
Expand Up @@ -219,6 +219,16 @@ The service requires the following configuration parameters:
```


- **`vault_kube_mount_point`** *(string)*: Name used to address kubernetes under a custom mount path. Default: `"kubernetes"`.


Examples:

```json
"kubernetes"
```


- **`service_account_token_path`** *(string, format: path)*: Path to service account token used by kube auth adapter. Default: `"/var/run/secrets/kubernetes.io/serviceaccount/token"`.

- **`host`** *(string)*: IP of the host. Default: `"127.0.0.1"`.
9 changes: 9 additions & 0 deletions services/ekss/config_schema.json
Expand Up @@ -142,6 +142,15 @@
],
"title": "Vault Kube Role"
},
"vault_kube_mount_point": {
"default": "kubernetes",
"description": "Name used to address kubernetes under a custom mount path.",
"examples": [
"kubernetes"
],
"title": "Vault Kube Mount Point",
"type": "string"
},
"service_account_token_path": {
"default": "/var/run/secrets/kubernetes.io/serviceaccount/token",
"description": "Path to service account token used by kube auth adapter.",
1 change: 1 addition & 0 deletions services/ekss/example_config.yaml
Expand Up @@ -17,6 +17,7 @@ server_public_key: HsKvfHsAFNGykFi/zMssay0xajoHvY30IcYPGDCXrGU=
service_account_token_path: /var/run/secrets/kubernetes.io/serviceaccount/token
service_instance_id: '1'
service_name: encryption_key_store
vault_kube_mount_point: kubernetes
vault_kube_role: dummy-role
vault_path: ekss
vault_role_id: '**********'
5 changes: 4 additions & 1 deletion services/ekss/src/ekss/adapters/outbound/vault/client.py
Expand Up @@ -36,6 +36,7 @@ def __init__(self, config: VaultConfig):
self._client = hvac.Client(url=config.vault_url, verify=config.vault_verify)
self._path = config.vault_path
self._secrets_mount_point = config.vault_secrets_mount_point
self._kube_mount_point = config.vault_kube_mount_point

self._kube_role = config.vault_kube_role
if self._kube_role:
Expand Down Expand Up @@ -63,7 +64,9 @@ def _login(self):
if self._kube_role:
with self._service_account_token_path.open() as token_file:
jwt = token_file.read()
self._kube_adapter.login(role=self._kube_role, jwt=jwt)
self._kube_adapter.login(
role=self._kube_role, jwt=jwt, mount_point=self._kube_mount_point
)

else:
self._client.auth.approle.login(
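Review bot: The new `mount_point=self._kube_mount_point` argument in the `_login` call is forwarded exactly as configured, so an empty or whitespace-only `vault_kube_mount_point` would reach hvac and presumably fail with an opaque Vault path error at login time rather than as a configuration error at startup. A check beside the existing role handling in `__init__`, `if self._kube_role and not self._kube_mount_point.strip(): raise ValueError("vault_kube_mount_point must not be empty")`, makes that failure explicit and early. A one-line comment above the call would also help readers unfamiliar with hvac: `# mount_point selects the Vault Kubernetes auth method the service-account JWT is submitted to`. `_login` starts and ends outside this hunk, and the same change appears in services/fis/src/fis/adapters/outbound/vault/client.py.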
5 changes: 5 additions & 0 deletions services/ekss/src/ekss/config.py
Expand Up @@ -64,6 +64,11 @@ class VaultConfig(BaseSettings):
examples=["file-ingest-role"],
description="Vault role name used for Kubernetes authentication",
)
vault_kube_mount_point: str = Field(
default="kubernetes",
examples=["kubernetes"],
description="Name used to address kubernetes under a custom mount path.",
)
service_account_token_path: Path = Field(
default="/var/run/secrets/kubernetes.io/serviceaccount/token",
description="Path to service account token used by kube auth adapter.",
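Review bot: The description on the new `vault_kube_mount_point` field, `Name used to address kubernetes under a custom mount path.`, does not say what the value is in Vault terms, and it is reproduced verbatim in config_schema.json and the README in this commit. Suggest `description="Mount path of the Vault Kubernetes auth method the service account token is sent to (hvac mount_point); Vault's default is 'kubernetes'."`, and adding `min_length=1` next to `default="kubernetes"` so an empty value is rejected when the config loads rather than at login. The same field is duplicated in the VaultConfig in services/fis/src/fis/adapters/outbound/vault/client.py and should stay identical to this one. The VaultConfig class starts before this hunk and continues after it.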
10 changes: 10 additions & 0 deletions services/fis/README.md
Expand Up @@ -169,6 +169,16 @@ The service requires the following configuration parameters:
```


- **`vault_kube_mount_point`** *(string)*: Name used to address kubernetes under a custom mount path. Default: `"kubernetes"`.


Examples:

```json
"kubernetes"
```


- **`service_account_token_path`** *(string, format: path)*: Path to service account token used by kube auth adapter. Default: `"/var/run/secrets/kubernetes.io/serviceaccount/token"`.

- **`private_key`** *(string)*: Base64 encoded private key of the keypair whose public key is used to encrypt the payload.
9 changes: 9 additions & 0 deletions services/fis/config_schema.json
Expand Up @@ -142,6 +142,15 @@
],
"title": "Vault Kube Role"
},
"vault_kube_mount_point": {
"default": "kubernetes",
"description": "Name used to address kubernetes under a custom mount path.",
"examples": [
"kubernetes"
],
"title": "Vault Kube Mount Point",
"type": "string"
},
"service_account_token_path": {
"default": "/var/run/secrets/kubernetes.io/serviceaccount/token",
"description": "Path to service account token used by kube auth adapter.",
1 change: 1 addition & 0 deletions services/fis/example_config.yaml
Expand Up @@ -31,6 +31,7 @@ source_bucket_id: staging
token_hashes:
- abcdef
- ghijkl
vault_kube_mount_point: kubernetes
vault_kube_role: dummy-role
vault_path: ekss
vault_role_id: '**********'
10 changes: 9 additions & 1 deletion services/fis/src/fis/adapters/outbound/vault/client.py
Expand Up @@ -66,6 +66,11 @@ class VaultConfig(BaseSettings):
examples=["file-ingest-role"],
description="Vault role name used for Kubernetes authentication",
)
vault_kube_mount_point: str = Field(
default="kubernetes",
examples=["kubernetes"],
description="Name used to address kubernetes under a custom mount path.",
)
service_account_token_path: Path = Field(
default="/var/run/secrets/kubernetes.io/serviceaccount/token",
description="Path to service account token used by kube auth adapter.",
Expand All @@ -80,6 +85,7 @@ def __init__(self, config: VaultConfig):
self._client = hvac.Client(url=config.vault_url, verify=config.vault_verify)
self._path = config.vault_path
self._secrets_mount_point = config.vault_secrets_mount_point
self._kube_mount_point = config.vault_kube_mount_point

self._kube_role = config.vault_kube_role
if self._kube_role:
Expand All @@ -106,7 +112,9 @@ def _login(self):
if self._kube_role:
with self._service_account_token_path.open() as token_file:
jwt = token_file.read()
self._kube_adapter.login(role=self._kube_role, jwt=jwt)
self._kube_adapter.login(
role=self._kube_role, jwt=jwt, mount_point=self._kube_mount_point
)

else:
self._client.auth.approle.login(
