actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 15:16:56 +00:00
Code Activity Actions

Implement kubernetes auth / Add customizable auth path (#218)

Browse source 
* Implement kubernetes auth / Add customizable auth path

* Fix typo

* Apply suggestions from code review

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
This commit is contained in:
Falcon Taylor-Carter 2021-06-03 10:59:51 -04:00 committed by GitHub
parent 0cf3bd6a39
commit 72c7a899ca
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 139 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
README.md
View file

@ -10,20 +10,20 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
<!-- TOC --> <!-- TOC -->
- [Example Usage](#example-usage) - [Vault GitHub Action](#vault-github-action)
- [Authentication method](#authentication-method) - [Example Usage](#example-usage)
- [Key Syntax](#key-syntax) - [Authentication method](#authentication-method)
- [Key Syntax](#key-syntax)
- [Simple Key](#simple-key) - [Simple Key](#simple-key)
- [Set Output Variable Name](#set-output-variable-name) - [Set Output Variable Name](#set-output-variable-name)
- [Multiple Secrets](#multiple-secrets) - [Multiple Secrets](#multiple-secrets)
- [Nested Secrets](#nested-secrets) - [Other Secret Engines](#other-secret-engines)
- [Other Secret Engines](#other-secret-engines) - [Adding Extra Headers](#adding-extra-headers)
- [Adding Extra Headers](#adding-extra-headers) - [Vault Enterprise Features](#vault-enterprise-features)
- [Vault Enterprise Features](#vault-enterprise-features)
- [Namespace](#namespace) - [Namespace](#namespace)
- [Reference](#reference) - [Reference](#reference)
- [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs) - [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs)
- [Normalization](#normalization) - [Normalization](#normalization)
<!-- /TOC --> <!-- /TOC -->
@ -98,6 +98,15 @@ with:
jwtTtl: 3600 # 1 hour, default value jwtTtl: 3600 # 1 hour, default value
``` ```
- **kubernetes**: you must provide the `role` paramaters. You can optionally override the `kubernetesTokenPath` paramater for custom mounted serviceAccounts. Consider [kubernetes auth](https://www.vaultproject.io/docs/auth/kubernetes) when using self-hosted runners on Kubernetes:
```yaml
...
with:
url: https://vault.mycompany.com:8200
method: kubernetes
role: ${{ secrets.KUBE_ROLE }}
```
If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token. If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token.
## Key Syntax ## Key Syntax
@ -261,14 +270,16 @@ Here are all the inputs available through `with`:
| `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | ✔ | | `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | ✔ |
| `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | | | `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | |
| `method` | The method to use to authenticate with Vault. | `token` | | | `method` | The method to use to authenticate with Vault. | `token` | |
| `role` | Vault role for specified auth method | | |
| `path` | Custom vault path, if the auth method was enabled at a different path | | |
| `token` | The Vault Token to be used to authenticate with Vault | | | | `token` | The Vault Token to be used to authenticate with Vault | | |
| `roleId` | The Role Id for App Role authentication | | | | `roleId` | The Role Id for App Role authentication | | |
| `secretId` | The Secret Id for App Role authentication | | | | `secretId` | The Secret Id for App Role authentication | | |
| `githubToken` | The Github Token to be used to authenticate with Vault | | | | `githubToken` | The Github Token to be used to authenticate with Vault | | |
| `role` | Vault role for specified auth method | | |
| `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | | | `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | |
| `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | | | `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | |
| `jwtTtl` | Time in seconds, after which token expires | | 3600 | | `jwtTtl` | Time in seconds, after which token expires | | 3600 |
| `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication |`/var/run/secrets/kubernetes.io/serviceaccount/token` | |
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | | | `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |
| `extraHeaders` | A string of newline separated extra headers to include on every request. | | | | `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
| `exportEnv` | Whether or not export secrets as environment variables. | `true` | | | `exportEnv` | Whether or not export secrets as environment variables. | `true` | |

15
action.yml
View file

@ -14,6 +14,12 @@ inputs:
description: 'The method to use to authenticate with Vault.' description: 'The method to use to authenticate with Vault.'
default: 'token' default: 'token'
required: false required: false
role:
description: 'Vault role for specified auth method'
required: false
path:
description: 'Custom Vault path, if the auth method was mounted at a different path'
required: false
token: token:
description: 'The Vault Token to be used to authenticate with Vault' description: 'The Vault Token to be used to authenticate with Vault'
required: false required: false
@ -26,6 +32,10 @@ inputs:
githubToken: githubToken:
description: 'The Github Token to be used to authenticate with Vault' description: 'The Github Token to be used to authenticate with Vault'
required: false required: false
kubernetesTokenPath:
description: 'The path to the Kubernetes service account secret'
required: false
default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
authPayload: authPayload:
description: 'The JSON payload to be sent to Vault when using a custom authentication method.' description: 'The JSON payload to be sent to Vault when using a custom authentication method.'
required: false required: false
@ -52,10 +62,7 @@ inputs:
tlsSkipVerify: tlsSkipVerify:
description: 'When set to true, disables verification of the Vault server certificate. Setting this to true in production is not recommended.' description: 'When set to true, disables verification of the Vault server certificate. Setting this to true in production is not recommended.'
required: false required: false
default: "false" default: 'false'
role:
description: 'Vault role for specified auth method'
required: false
jwtPrivateKey: jwtPrivateKey:
description: 'Base64 encoded Private key to sign JWT' description: 'Base64 encoded Private key to sign JWT'
required: false required: false

2
src/action.js
View file

@ -5,7 +5,7 @@ const got = require('got').default;
const jsonata = require('jsonata'); const jsonata = require('jsonata');
const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index'); const { auth: { retrieveToken }, secrets: { getSecrets } } = require('./index');
const AUTH_METHODS = ['approle', 'token', 'github', 'jwt']; const AUTH_METHODS = ['approle', 'token', 'github', 'jwt', 'kubernetes'];
async function exportSecrets() { async function exportSecrets() {
const vaultUrl = core.getInput('url', { required: true }); const vaultUrl = core.getInput('url', { required: true });

29
src/auth.js
View file

@ -1,22 +1,26 @@
// @ts-check // @ts-check
const core = require('@actions/core'); const core = require('@actions/core');
const rsasign = require('jsrsasign'); const rsasign = require('jsrsasign');
const fs = require('fs');
const defaultKubernetesTokenPath = '/var/run/secrets/kubernetes.io/serviceaccount/token'
/*** /***
* Authenticate with Vault and retrieve a Vault token that can be used for requests. * Authenticate with Vault and retrieve a Vault token that can be used for requests.
* @param {string} method * @param {string} method
* @param {import('got').Got} client * @param {import('got').Got} client
*/ */
async function retrieveToken(method, client) { async function retrieveToken(method, client) {
const path = core.getInput('path', { required: false }) || method;
switch (method) { switch (method) {
case 'approle': { case 'approle': {
const vaultRoleId = core.getInput('roleId', { required: true }); const vaultRoleId = core.getInput('roleId', { required: true });
const vaultSecretId = core.getInput('secretId', { required: true }); const vaultSecretId = core.getInput('secretId', { required: true });
return await getClientToken(client, method, { role_id: vaultRoleId, secret_id: vaultSecretId }); return await getClientToken(client, method, path, { role_id: vaultRoleId, secret_id: vaultSecretId });
} }
case 'github': { case 'github': {
const githubToken = core.getInput('githubToken', { required: true }); const githubToken = core.getInput('githubToken', { required: true });
return await getClientToken(client, method, { token: githubToken }); return await getClientToken(client, method, path, { token: githubToken });
} }
case 'jwt': { case 'jwt': {
const role = core.getInput('role', { required: true }); const role = core.getInput('role', { required: true });
@ -25,8 +29,18 @@ async function retrieveToken(method, client) {
const keyPassword = core.getInput('jwtKeyPassword', { required: false }); const keyPassword = core.getInput('jwtKeyPassword', { required: false });
const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl)); const jwt = generateJwt(privateKey, keyPassword, Number(tokenTtl));
return await getClientToken(client, method, { jwt: jwt, role: role }); return await getClientToken(client, method, path, { jwt: jwt, role: role });
} }
case 'kubernetes': {
const role = core.getInput('role', { required: true })
const tokenPath = core.getInput('kubernetesTokenPath', { required: false }) || defaultKubernetesTokenPath
const data = fs.readFileSync(tokenPath, 'utf8')
if (!(role && data) && data != "") {
throw new Error("Role Name must be set and a kubernetes token must set")
}
return await getClientToken(client, method, path, { jwt: data, role: role })
}
default: { default: {
if (!method || method === 'token') { if (!method || method === 'token') {
return core.getInput('token', { required: true }); return core.getInput('token', { required: true });
@ -36,7 +50,7 @@ async function retrieveToken(method, client) {
if (!payload) { if (!payload) {
throw Error('When using a custom authentication method, you must provide the payload'); throw Error('When using a custom authentication method, you must provide the payload');
} }
return await getClientToken(client, method, JSON.parse(payload.trim())); return await getClientToken(client, method, path, JSON.parse(payload.trim()));
} }
} }
} }
@ -72,9 +86,10 @@ function generateJwt(privateKey, keyPassword, ttl) {
* Call the appropriate login endpoint and parse out the token in the response. * Call the appropriate login endpoint and parse out the token in the response.
* @param {import('got').Got} client * @param {import('got').Got} client
* @param {string} method * @param {string} method
* @param {string} path
* @param {any} payload * @param {any} payload
*/ */
async function getClientToken(client, method, payload) { async function getClientToken(client, method, path, payload) {
/** @type {'json'} */ /** @type {'json'} */
const responseType = 'json'; const responseType = 'json';
var options = { var options = {
@ -82,10 +97,10 @@ async function getClientToken(client, method, payload) {
responseType, responseType,
}; };
core.debug(`Retrieving Vault Token from v1/auth/${method}/login endpoint`); core.debug(`Retrieving Vault Token from v1/auth/${path}/login endpoint`);
/** @type {import('got').Response<VaultLoginResponse>} */ /** @type {import('got').Response<VaultLoginResponse>} */
const response = await client.post(`v1/auth/${method}/login`, options); const response = await client.post(`v1/auth/${path}/login`, options);
if (response && response.body && response.body.auth && response.body.auth.client_token) { if (response && response.body && response.body.auth && response.body.auth.client_token) {
core.debug('✔ Vault Token successfully retrieved'); core.debug('✔ Vault Token successfully retrieved');

83
src/auth.test.js Normal file
View file

@ -0,0 +1,83 @@
jest.mock('got');
jest.mock('@actions/core');
jest.mock('@actions/core/lib/command');
jest.mock("fs")
const core = require('@actions/core');
const got = require('got');
const fs = require("fs")
const { when } = require('jest-when');
const {
retrieveToken
} = require('./auth');
function mockInput(name, key) {
when(core.getInput)
.calledWith(name)
.mockReturnValueOnce(key);
}
function mockApiResponse() {
const response = { body: { auth: { client_token: testToken, renewable: true, policies: [], accessor: "accessor" } } }
got.post = jest.fn()
got.post.mockReturnValue(response)
}
const testToken = "testoken";
describe("test retrival for token", () => {
beforeEach(() => {
jest.resetAllMocks();
});
it("test retrival with approle", async () => {
const method = 'approle'
mockApiResponse()
const testRoleId = "testRoleId"
const testSecretId = "testSecretId"
mockInput("roleId", testRoleId)
mockInput("secretId", testSecretId)
const token = await retrieveToken(method, got)
expect(token).toEqual(testToken)
const payload = got.post.mock.calls[0][1].json
expect(payload).toEqual({ role_id: testRoleId, secret_id: testSecretId })
const url = got.post.mock.calls[0][0]
expect(url).toContain('approle')
})
it("test retrival with github token", async () => {
const method = 'github'
mockApiResponse()
const githubToken = "githubtoken"
mockInput("githubToken", githubToken)
const token = await retrieveToken(method, got)
expect(token).toEqual(testToken)
const payload = got.post.mock.calls[0][1].json
expect(payload).toEqual({ token: githubToken })
const url = got.post.mock.calls[0][0]
expect(url).toContain('github')
})
it("test retrival with kubernetes", async () => {
const method = 'kubernetes'
const jwtToken = "someJwtToken"
const testRole = "testRole"
const testTokenPath = "testTokenPath"
const testPath = 'differentK8sPath'
mockApiResponse()
mockInput("kubernetesTokenPath", testTokenPath)
mockInput("role", testRole)
mockInput("path", testPath)
fs.readFileSync = jest.fn()
fs.readFileSync.mockReturnValueOnce(jwtToken)
const token = await retrieveToken(method, got)
expect(token).toEqual(testToken)
const payload = got.post.mock.calls[0][1].json
expect(payload).toEqual({ jwt: jwtToken, role: testRole })
const url = got.post.mock.calls[0][0]
expect(url).toContain('differentK8sPath')
})
})