From b2707661b58a302da6aed82accf1334bb273b62d Mon Sep 17 00:00:00 2001
From: "Thomas J. Zajac"
Date: Wed, 17 Jul 2024 11:51:08 +0000
Subject: [PATCH] Added kubernetes mount point to vault adapter

---
 .pyproject_generation/pyproject_custom.toml | 2 +-
 pyproject.toml | 2 +-
 services/ekss/README.md | 10 ++++++++++
 services/ekss/config_schema.json | 9 +++++++++
 services/ekss/example_config.yaml | 1 +
 .../ekss/src/ekss/adapters/outbound/vault/client.py | 5 ++++-
 services/ekss/src/ekss/config.py | 5 +++++
 services/fis/README.md | 10 ++++++++++
 services/fis/config_schema.json | 9 +++++++++
 services/fis/example_config.yaml | 1 +
 services/fis/src/fis/adapters/outbound/vault/client.py | 10 +++++++++-
 11 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/.pyproject_generation/pyproject_custom.toml b/.pyproject_generation/pyproject_custom.toml
index 5f7c7ac3..0fc65a58 100644
--- a/.pyproject_generation/pyproject_custom.toml
+++ b/.pyproject_generation/pyproject_custom.toml
@@ -1,6 +1,6 @@
 [project]
 name = "fsb"
-version = "0.1.1"
+version = "0.1.2"
 description = "File Services Backend - monorepo housing file services"
 dependencies = [
     "typer >= 0.12",
diff --git a/pyproject.toml b/pyproject.toml
index 6a5057ee..4f78db13 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "fsb"
-version = "0.1.1"
+version = "0.1.2"
 description = "File Services Backend - monorepo housing file services"
 dependencies = [
     "typer >= 0.12",
diff --git a/services/ekss/README.md b/services/ekss/README.md
index 75438ae1..27708884 100644
--- a/services/ekss/README.md
+++ b/services/ekss/README.md
@@ -219,6 +219,16 @@ The service requires the following configuration parameters: ``` +- **`vault_kube_mount_point`** *(string)*: Name used to address kubernetes under a custom mount path. Default: `"kubernetes"`. + + + Examples: + + ```json + "kubernetes" + ``` + + - **`service_account_token_path`** *(string, format: path)*: Path to service account token used by kube auth adapter. Default: `"/var/run/secrets/kubernetes.io/serviceaccount/token"`. - **`host`** *(string)*: IP of the host. Default: `"127.0.0.1"`. diff --git a/services/ekss/config_schema.json b/services/ekss/config_schema.json index c1350cdb..31360752 100644 --- a/services/ekss/config_schema.json +++ b/services/ekss/config_schema.json @@ -142,6 +142,15 @@ ], "title": "Vault Kube Role" }, + "vault_kube_mount_point": { + "default": "kubernetes", + "description": "Name used to address kubernetes under a custom mount path.", + "examples": [ + "kubernetes" + ], + "title": "Vault Kube Mount Point", + "type": "string" + }, "service_account_token_path": { "default": "/var/run/secrets/kubernetes.io/serviceaccount/token", "description": "Path to service account token used by kube auth adapter.", diff --git a/services/ekss/example_config.yaml b/services/ekss/example_config.yaml index 3b22a767..6fe625ca 100644 --- a/services/ekss/example_config.yaml +++ b/services/ekss/example_config.yaml @@ -17,6 +17,7 @@ server_public_key: HsKvfHsAFNGykFi/zMssay0xajoHvY30IcYPGDCXrGU= service_account_token_path: /var/run/secrets/kubernetes.io/serviceaccount/token service_instance_id: '1' service_name: encryption_key_store +vault_kube_mount_point: kubernetes vault_kube_role: dummy-role vault_path: ekss vault_role_id: '**********' diff --git a/services/ekss/src/ekss/adapters/outbound/vault/client.py b/services/ekss/src/ekss/adapters/outbound/vault/client.py index 0900ddd3..0a6aa8f9 100644 --- a/services/ekss/src/ekss/adapters/outbound/vault/client.py +++ b/services/ekss/src/ekss/adapters/outbound/vault/client.py 
@@ -36,6 +36,7 @@ def __init__(self, config: VaultConfig): self._client = hvac.Client(url=config.vault_url, verify=config.vault_verify) self._path = config.vault_path self._secrets_mount_point = config.vault_secrets_mount_point + self._kube_mount_point = config.vault_kube_mount_point self._kube_role = config.vault_kube_role if self._kube_role: @@ -63,7 +64,9 @@ def _login(self): if self._kube_role: with self._service_account_token_path.open() as token_file: jwt = token_file.read() - self._kube_adapter.login(role=self._kube_role, jwt=jwt) + self._kube_adapter.login( + role=self._kube_role, jwt=jwt, mount_point=self._kube_mount_point + ) else: self._client.auth.approle.login( diff --git a/services/ekss/src/ekss/config.py b/services/ekss/src/ekss/config.py index 450a69f0..778fe32c 100644 --- a/services/ekss/src/ekss/config.py +++ b/services/ekss/src/ekss/config.py @@ -64,6 +64,11 @@ class VaultConfig(BaseSettings): examples=["file-ingest-role"], description="Vault role name used for Kubernetes authentication", ) + vault_kube_mount_point: str = Field( + default="kubernetes", + examples=["kubernetes"], + description="Name used to address kubernetes under a custom mount path.", + ) service_account_token_path: Path = Field( default="/var/run/secrets/kubernetes.io/serviceaccount/token", description="Path to service account token used by kube auth adapter.", diff --git a/services/fis/README.md b/services/fis/README.md index 5bfcee0b..fc1b330e 100644 --- a/services/fis/README.md +++ b/services/fis/README.md 
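Review bot: The new `vault_kube_mount_point` field in `services/ekss/src/ekss/config.py` accepts any string, including the empty string, and as far as I recall hvac interpolates the value straight into the auth login URL (`/v1/auth/<mount_point>/login`), so a blank or mistyped value fails only at `_login` time with an opaque Vault error instead of at config load. Since pydantic validation is already in play here, a length constraint catches the empty case up front: `vault_kube_mount_point: str = Field(default="kubernetes", min_length=1, ...)`. The description "Name used to address kubernetes under a custom mount path." also does not say what the value is; I would replace it with `description="Path under auth/ at which the Kubernetes auth method is mounted in Vault (the -path given to 'vault auth enable'). Only used when vault_kube_role is set."`, which matches the `if self._kube_role:` guard that selects the Kubernetes login in the client hunk above. The `VaultConfig` class this field belongs to starts and ends outside the hunk.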
@@ -169,6 +169,16 @@ The service requires the following configuration parameters: ``` +- **`vault_kube_mount_point`** *(string)*: Name used to address kubernetes under a custom mount path. Default: `"kubernetes"`. + + + Examples: + + ```json + "kubernetes" + ``` + + - **`service_account_token_path`** *(string, format: path)*: Path to service account token used by kube auth adapter. Default: `"/var/run/secrets/kubernetes.io/serviceaccount/token"`. - **`private_key`** *(string)*: Base64 encoded private key of the keypair whose public key is used to encrypt the payload. diff --git a/services/fis/config_schema.json b/services/fis/config_schema.json index 46b63fa3..03d405ae 100644 --- a/services/fis/config_schema.json +++ b/services/fis/config_schema.json @@ -142,6 +142,15 @@ ], "title": "Vault Kube Role" }, + "vault_kube_mount_point": { + "default": "kubernetes", + "description": "Name used to address kubernetes under a custom mount path.", + "examples": [ + "kubernetes" + ], + "title": "Vault Kube Mount Point", + "type": "string" + }, "service_account_token_path": { "default": "/var/run/secrets/kubernetes.io/serviceaccount/token", "description": "Path to service account token used by kube auth adapter.", diff --git a/services/fis/example_config.yaml b/services/fis/example_config.yaml index 94fd1b2f..5793e92e 100644 --- a/services/fis/example_config.yaml +++ b/services/fis/example_config.yaml @@ -31,6 +31,7 @@ source_bucket_id: staging token_hashes: - abcdef - ghijkl +vault_kube_mount_point: kubernetes vault_kube_role: dummy-role vault_path: ekss vault_role_id: '**********' diff --git a/services/fis/src/fis/adapters/outbound/vault/client.py b/services/fis/src/fis/adapters/outbound/vault/client.py index 42973a12..18d3b297 100644 --- a/services/fis/src/fis/adapters/outbound/vault/client.py +++ b/services/fis/src/fis/adapters/outbound/vault/client.py 
@@ -66,6 +66,11 @@ class VaultConfig(BaseSettings): examples=["file-ingest-role"], description="Vault role name used for Kubernetes authentication", ) + vault_kube_mount_point: str = Field( + default="kubernetes", + examples=["kubernetes"], + description="Name used to address kubernetes under a custom mount path.", + ) service_account_token_path: Path = Field( default="/var/run/secrets/kubernetes.io/serviceaccount/token", description="Path to service account token used by kube auth adapter.", @@ -80,6 +85,7 @@ def __init__(self, config: VaultConfig): self._client = hvac.Client(url=config.vault_url, verify=config.vault_verify) self._path = config.vault_path self._secrets_mount_point = config.vault_secrets_mount_point + self._kube_mount_point = config.vault_kube_mount_point self._kube_role = config.vault_kube_role if self._kube_role: @@ -106,7 +112,9 @@ def _login(self): if self._kube_role: with self._service_account_token_path.open() as token_file: jwt = token_file.read() - self._kube_adapter.login(role=self._kube_role, jwt=jwt) + self._kube_adapter.login( + role=self._kube_role, jwt=jwt, mount_point=self._kube_mount_point + ) else: self._client.auth.approle.login(
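Review bot: The `vault_kube_mount_point` field added to `VaultConfig` here accepts the empty string, and hvac (as far as I recall) formats the value into the login path, so a blank value surfaces only as a Vault error inside `_login` rather than at startup; adding `min_length=1` to the `Field(...)` call rejects it at config load, and the description should state what the value is — the path under `auth/` at which the Kubernetes auth method is mounted, used only in the `if self._kube_role:` branch of `_login`. More generally, this file now carries a second, hand-synchronised copy of the ekss vault adapter (config class and client), with `VaultConfig` living inside the client module here but in `config.py` for ekss; a security-relevant fix to one copy (service-account token handling, the `verify=config.vault_verify` TLS setting) is easy to forget in the other. Extracting the adapter into a shared package in the monorepo would remove that risk. `VaultConfig`, `__init__` and `_login` all extend beyond the hunks shown.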