CR-2435 - Vault GCP + K8S (#616)

ATGardner · web-flow · commit b5f84dc35774 · 2020-12-29T14:11:35.000+02:00
* add vault GCP-GCE authentication
* added k8s auth option
* removed some client-side validation (moved to context-manager)
diff --git a/lib/interface/cli/commands/context/create/secret-store/types/hashicorp-vault.cmd.js b/lib/interface/cli/commands/context/create/secret-store/types/hashicorp-vault.cmd.js
@@ -3,7 +3,7 @@ const CFError = require('cf-errors');
 const cmd = require('../base.cmd');
 const { sdk } = require('../../../../../../../logic');
 
-function buildAuthObject({ token, username, password, roleId, secretId, loginPath }) {
+function buildAuthObject({ token, username, password, roleId, secretId, loginPath, gcpRole, kubernetesRole, kubernetesJwt }) {
     const mountPoint = loginPath ? { mount_point: loginPath } : {};
     if (token) {
         return { type: 'token', token, ...mountPoint };
@@ -17,6 +17,19 @@ function buildAuthObject({ token, username, password, roleId, secretId, loginPat
         return { type: 'approle', role_id: roleId, secret_id: secretId, ...mountPoint };
     }
 
+    if (gcpRole) {
+        return { type: 'gcp', roleType: 'gce', role: gcpRole, ...mountPoint };
+    }
+
+    if (kubernetesRole) {
+        return {
+            type: 'kubernetes',
+            role: kubernetesRole,
+            ...(kubernetesJwt && { jwt: kubernetesJwt }),
+            ...mountPoint,
+        };
+    }
+
     throw new CFError('missing authentication info');
 }
 
@@ -27,56 +40,71 @@ const command = new Command({
     usage: cmd.usage,
     webDocs: {
         category: 'Create Secret-Store Context',
-        subCategory: 'vault',
-        title: 'vault',
+        subCategory: 'hashicorp-vault',
+        title: 'hashicorp-vault',
         weight: 10,
     },
     builder(yargs) {
         return yargs
+            .option('behind-firewall', {
+                describe: 'Set to true to mark this context with behind firewall flag',
+                type: 'boolean',
+                default: false,
+            })
             .option('api-url', {
                 alias: 'a',
                 describe: 'URL of the vault server',
                 type: 'string',
                 required: true,
             })
+            .option('login-path', {
+                describe: 'Path for given auth method. Leave out to use the default path for the type.',
+                type: 'string',
+            })
             .option('token', {
                 alias: 't',
                 describe: 'Token',
                 type: 'string',
-                conflicts: ['username', 'password', 'roleId', 'secretId'],
+                conflicts: ['username', 'password', 'roleId', 'secretId', 'gcp-role', 'kubernetes-role', 'kubernetes-jwt'],
             })
             .option('username', {
                 describe: 'Username',
                 alias: 'u',
                 type: 'string',
-                conflicts: ['token', 'roleId', 'secretId'],
+                conflicts: ['token', 'roleId', 'secretId', 'gcp-role', 'kubernetes-role', 'kubernetes-jwt'],
             })
             .option('password', {
                 describe: 'Password',
                 alias: 'p',
                 type: 'string',
-                conflicts: ['token', 'roleId', 'secretId'],
+                conflicts: ['token', 'roleId', 'secretId', 'gcp-role', 'kubernetes-role', 'kubernetes-jwt'],
             })
             .option('role-id', {
                 describe: 'Role Id',
                 alias: 'r',
                 type: 'string',
-                conflicts: ['token', 'username', 'password'],
+                conflicts: ['token', 'username', 'password', 'gcp-role', 'kubernetes-role', 'kubernetes-jwt'],
             })
             .option('secret-id', {
                 describe: 'Secret Id',
                 alias: 's',
                 type: 'string',
-                conflicts: ['token', 'username', 'password'],
+                conflicts: ['token', 'username', 'password', 'gcp-role', 'kubernetes-role', 'kubernetes-jwt'],
             })
-            .option('login-path', {
-                describe: 'Path for given auth method. Leave out to use the default path for the type.',
+            .option('gcp-role', {
+                describe: 'GCP Role',
                 type: 'string',
+                conflicts: ['token', 'username', 'password', 'role-id', 'secret-id', 'kubernetes-role', 'kubernetes-jwt'],
             })
-            .option('behind-firewall', {
-                describe: 'Set to true to mark this context with behind firewall flag',
-                type: 'boolean',
-                default: false,
+            .option('kubernetes-role', {
+                describe: 'Kubernetes Role',
+                type: 'string',
+                conflicts: ['token', 'username', 'password', 'role-id', 'secret-id', 'gcp-role'],
+            })
+            .option('kubernetes-jwt', {
+                describe: 'Kubernetes Role',
+                type: 'string',
+                conflicts: ['token', 'username', 'password', 'role-id', 'secret-id', 'gcp-role'],
             })
             .check(buildAuthObject);
     },
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codefresh",
-  "version": "0.74.3",
+  "version": "0.74.4",
   "description": "Codefresh command line utility",
   "main": "index.js",
   "preferGlobal": true,

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "codefresh",`
`3`		`- "version": "0.74.3",`
	`3`	`+ "version": "0.74.4",`
`4`	`4`	`"description": "Codefresh command line utility",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"preferGlobal": true,`