Merge pull request #2 from DoodleScheduling/kubedb-vault-secrets

Kubedb vault secrets

Author: raffis

common/vault/cache.go renamed to common/cache.go

@@ -1,4 +1,4 @@
-package vault
+package common
 
 type Cache struct {
 	cache map[string]*Vault

common/db.go

@@ -0,0 +1,9 @@
+package common
+
+import "github.com/doodlescheduling/kubedb/api/v1beta1"
+
+type DatabaseCredentials []DatabaseCredential
+type DatabaseCredential struct {
+	UserName string        `json:"username"`
+	Vault    v1beta1.Vault `json:"vault"`
+}

common/vault.go

@@ -0,0 +1,205 @@
+package common
+
+import (
+	"context"
+	"errors"
+	"github.com/doodlescheduling/kubedb/api/v1beta1"
+	"github.com/doodlescheduling/kubedb/common/vault"
+	"github.com/doodlescheduling/kubedb/common/vault/kubernetes"
+	"github.com/go-logr/logr"
+	"github.com/rs/xid"
+	"os"
+
+	vaultapi "github.com/hashicorp/vault/api"
+)
+
+type VaultRequest struct {
+	Path        string
+	UserField   string
+	SecretField string
+}
+
+type VaultResponse struct {
+	User   string
+	Secret string
+}
+
+type Vault struct {
+	Host string
+}
+
+func NewVault(host string) (*Vault, error) {
+	// TODO implement Vault integration
+	return &Vault{
+		Host: host,
+	}, nil
+}
+
+func (v *Vault) Get(cred *DatabaseCredential, username string, logger logr.Logger) (VaultResponse, error) {
+
+	// goran vault
+	//h, err := FromCredential(binding, logger)
+	h, err := FromCredential(cred, logger)
+
+	r := VaultRequest{
+		Path:        cred.Vault.Path,
+		UserField:   cred.Vault.UserField,
+		SecretField: cred.Vault.SecretField,
+	}
+
+	data, response, err := processRequest(h, r, username)
+
+	if err != nil {
+		return response, err
+	}
+
+	return VaultResponse{
+		User:   data[r.UserField].(string),
+		Secret: data[r.SecretField].(string),
+	}, err
+}
+
+func processRequest(h *VaultHandler, r VaultRequest, databaseName string) (map[string]interface{}, VaultResponse, error) {
+	data, err := h.Read(r.Path)
+	if err != nil {
+		return nil, VaultResponse{}, err
+	}
+	var rewrite = false
+	_, existingField := data[r.UserField]
+	if !existingField {
+		data[r.UserField] = databaseName
+		rewrite = true
+	}
+	_, existingField = data[r.SecretField]
+	if !existingField {
+		data[r.SecretField] = xid.New().String()
+		rewrite = true
+	}
+	if rewrite {
+		_, err = h.c.Logical().Write(r.Path, data)
+		if err != nil {
+			return nil, VaultResponse{}, err
+		}
+	}
+	return data, VaultResponse{}, nil
+}
+
+// part from k8svault controller
+
+// Common errors
+var (
+	ErrVaultAddrNotFound          = errors.New("Neither vault address nor a default vault address found")
+	ErrK8sSecretFieldNotAvailable = errors.New("K8s secret field to be mapped does not exist")
+	ErrUnsupportedAuthType        = errors.New("Unsupported vault authentication")
+	ErrVaultConfig                = errors.New("Failed to setup default vault configuration")
+)
+
+func ConvertPostgreSQLDatabaseCredential(cred v1beta1.PostgreSQLDatabaseCredential) *DatabaseCredential {
+	return &DatabaseCredential{
+		UserName: cred.UserName,
+		Vault:    cred.Vault,
+	}
+}
+
+func ConvertMongoDBDatabaseCredential(cred v1beta1.MongoDBDatabaseCredential) *DatabaseCredential {
+	return &DatabaseCredential{
+		UserName: cred.UserName,
+		Vault:    cred.Vault,
+	}
+}
+
+// Setup vault client & authentication from binding
+func setupAuth(h *VaultHandler) error {
+	auth := vault.NewAuthHandler(&vault.AuthHandlerConfig{
+		Logger: h.logger,
+		Client: h.c,
+	})
+
+	var method vault.AuthMethod
+
+	m, err := authKubernetes(h)
+	if err != nil {
+		return err
+	}
+
+	method = m
+
+	if err := auth.Authenticate(context.TODO(), method); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Wrapper around vault kubernetes auth (taken from vault agent)
+// Injects env variables if not set on the binding
+func authKubernetes(h *VaultHandler) (vault.AuthMethod, error) {
+	role := os.Getenv("VAULT_ROLE")
+	tokenPath := os.Getenv("VAULT_TOKEN_PATH")
+
+	return kubernetes.NewKubernetesAuthMethod(&vault.AuthConfig{
+		Logger:    h.logger,
+		MountPath: "/auth/kubernetes",
+		Config: map[string]interface{}{
+			"role":       role,
+			"token_path": tokenPath,
+		},
+	})
+}
+
+// FromCredential creates a vault client handler
+// If the binding holds no vault address it will fallback to the env VAULT_ADDRESS
+func FromCredential(credential *DatabaseCredential, logger logr.Logger) (*VaultHandler, error) {
+	cfg := vaultapi.DefaultConfig()
+
+	if cfg == nil {
+		return nil, ErrVaultConfig
+	}
+
+	if credential.Vault.Host != "" {
+		cfg.Address = credential.Vault.Host
+	}
+
+	client, err := vaultapi.NewClient(cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	h := &VaultHandler{
+		cfg:    cfg,
+		c:      client,
+		logger: logger,
+	}
+
+	logger.Info("setup vault client", "vault", cfg.Address)
+
+	if err = setupAuth(h); err != nil {
+		return nil, err
+	}
+
+	return h, nil
+}
+
+// VaultHandler
+type VaultHandler struct {
+	c      *vaultapi.Client
+	cfg    *vaultapi.Config
+	auth   *vault.AuthHandler
+	logger logr.Logger
+}
+
+// Read vault path and return data map
+// Return empty map if no data exists
+func (h *VaultHandler) Read(path string) (map[string]interface{}, error) {
+	s, err := h.c.Logical().Read(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return empty map if no data exists
+	if s == nil || s.Data == nil {
+		return make(map[string]interface{}), nil
+	}
+
+	return s.Data, nil
+}

common/vault/auth.go

@@ -0,0 +1,118 @@
+// This package implements authentication for vault
+// Most of this code within this package has been borrowed and shrinked from the vault client agent.
+// See https://github.com/hashicorp/vault/blob/master/command/agent/auth/auth.go
+
+// Note this package uses API which is in the vault stable release but it was not released in the api package,
+// see https://github.com/hashicorp/vault/issues/10490
+
+package vault
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/go-logr/logr"
+	vaultapi "github.com/hashicorp/vault/api"
+)
+
+// AuthMethod is the interface that auto-auth methods implement for the agent
+// to use.
+type AuthMethod interface {
+	// Authenticate returns a mount path, header, request body, and error.
+	// The header may be nil if no special header is needed.
+	Authenticate(context.Context, *vaultapi.Client) (string, http.Header, map[string]interface{}, error)
+	NewCreds() chan struct{}
+	CredSuccess()
+	Shutdown()
+}
+
+// AuthMethodWithClient is an extended interface that can return an API client
+// for use during the authentication call.
+type AuthMethodWithClient interface {
+	AuthMethod
+	AuthClient(client *vaultapi.Client) (*vaultapi.Client, error)
+}
+
+type AuthConfig struct {
+	Logger    logr.Logger
+	MountPath string
+	Config    map[string]interface{}
+}
+
+// AuthHandler is responsible for keeping a token alive and renewed and passing
+// new tokens to the sink server
+type AuthHandler struct {
+	logger logr.Logger
+	client *vaultapi.Client
+}
+
+type AuthHandlerConfig struct {
+	Logger logr.Logger
+	Client *vaultapi.Client
+}
+
+func NewAuthHandler(conf *AuthHandlerConfig) *AuthHandler {
+	ah := &AuthHandler{
+		logger: conf.Logger,
+		client: conf.Client,
+	}
+
+	return ah
+}
+
+func (ah *AuthHandler) Authenticate(ctx context.Context, am AuthMethod) error {
+	if am == nil {
+		return errors.New("auth handler: nil auth method")
+	}
+
+	path, _, data, err := am.Authenticate(ctx, ah.client)
+
+	if err != nil {
+		ah.logger.Error(err, "error getting path or data from method")
+		return err
+	}
+
+	var clientToUse *vaultapi.Client
+
+	switch am.(type) {
+	case AuthMethodWithClient:
+		clientToUse, err = am.(AuthMethodWithClient).AuthClient(ah.client)
+		if err != nil {
+			ah.logger.Error(err, "error creating client for authentication call")
+			return err
+		}
+	default:
+		clientToUse = ah.client
+	}
+
+	/*for key, values := range header {
+		for _, value := range values {
+			clientToUse.AddHeader(key, value)
+		}
+	}*/
+
+	secret, err := clientToUse.Logical().Write(path, data)
+
+	// Check errors/sanity
+	if err != nil {
+		ah.logger.Error(err, "error authenticating")
+		return err
+	}
+
+	if secret == nil || secret.Auth == nil {
+		ah.logger.Error(err, "authentication returned nil auth info")
+		return err
+	}
+
+	if secret.Auth.ClientToken == "" {
+		ah.logger.Error(err, "authentication returned empty client token")
+		return err
+	}
+
+	ah.logger.Info("authentication successful")
+	ah.client.SetToken(secret.Auth.ClientToken)
+	am.CredSuccess()
+
+	return nil
+}