ktsstudio · InsaneTimeWatcher · May 21, 2024 · May 21, 2024
diff --git a/README.md b/README.md
@@ -131,6 +131,38 @@ stringData:
   token: s.YOURTOKEN
 ```
 
+And it is also possible to authenticate using a Kubernetes:
+```yaml
+apiVersion: mirrors.kts.studio/v1alpha2
+kind: SecretMirror
+metadata:
+  name: mysecret
+spec:
+  source:
+    name: mysecret
+  destination:
+    type: vault
+    vault:
+      addr: https://vault.example.com
+      path: /secret/data/myteam/mysecret
+      auth:
+        kubernetes:
+          secretRef:
+            name: vault-kubernetes
+```
+with the secret containing Kubernetes credentials:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-kubernetes
+type: Opaque
+stringData:
+  mountPath: mountPath
+  pathToToken: /var/run/secrets/kubernetes.io/serviceaccount/token
+  roleName: role
+```
+
 **But this is highly discouraged, because currently there is no token renewal 
 mechanism in `mirrors` so if your token will expire `mirrors` can do nothing 
 with that, and you will be forced to update a token in the secret.**

diff --git a/api/v1alpha2/vault.go b/api/v1alpha2/vault.go
@@ -10,6 +10,7 @@ type VaultAuthType string
 const (
 	VaultAuthTypeAppRole VaultAuthType = "appRole"
 	VaultAuthTypeToken   VaultAuthType = "token"
+	VaultAuthTypeK8SAuth VaultAuthType = "kubernetes"
 )
 
 // VaultAppRoleAuthSpec specifies approle-specific auth data
@@ -39,18 +40,39 @@ type VaultTokenAuthSpec struct {
 	TokenKey string `json:"tokenKey,omitempty"`
 }
 
+// VaultTokenAuthSpec specifies token-specific auth data
+type VaultKubernetesAuthSpec struct {
+	// Reference to a Secret containing roleName , mountPath and pathToToken
+	// +optional
+
+	SecretRef v1.SecretReference `json:"secretRef,omitempty"`
+
+	// roleName Vault prefix. Default: roleName
+	RoleName string `json:"roleName,omitempty"`
+
+	// A key in the SecretRef which contains mountPath value. Default: mountPath
+	MountPath string `json:"mountPath,omitempty"`
+
+	// A key in the SecretRef which contains pathToToken value. Default: pathToToken
+	PathToToken string `json:"pathToToken,omitempty"`
+}
+
 // VaultAuthSpec describes how to authenticate against a Vault server
 type VaultAuthSpec struct {
 	// +optional
 	AppRole *VaultAppRoleAuthSpec `json:"approle,omitempty"`
 	// +optional
 	Token *VaultTokenAuthSpec `json:"token,omitempty"`
+	Kubernetes *VaultKubernetesAuthSpec `json:"kubernetes,omitempty"`
 }
 
 func (s *VaultAuthSpec) Type() VaultAuthType {
 	if s.AppRole != nil && s.AppRole.SecretRef.Name != "" {
 		return VaultAuthTypeAppRole
 	}
+	if s.Kubernetes != nil && s.Kubernetes.SecretRef.Name != "" {
+		return VaultAuthTypeK8SAuth
+	}
 
 	return VaultAuthTypeToken
 }
@@ -86,6 +108,19 @@ func (s *VaultSpec) Default(namespace string) {
 		if s.Auth.Token.SecretRef.Namespace == "" {
 			s.Auth.Token.SecretRef.Namespace = namespace
 		}
+	} else if s.Auth.Type() == VaultAuthTypeK8SAuth {
+		if s.Auth.Kubernetes.RoleName == "" {
+			s.Auth.Kubernetes.RoleName = "roleName"
+		}
+		if s.Auth.Kubernetes.MountPath == "" {
+			s.Auth.Kubernetes.MountPath = "mountPath"
+		}
+		if s.Auth.Kubernetes.PathToToken == "" {
+			s.Auth.Kubernetes.PathToToken = "pathToToken"
+		}
+		if s.Auth.Kubernetes.SecretRef.Namespace == "" {
+			s.Auth.Kubernetes.SecretRef.Namespace = namespace
+		}
 	}
 }
 
@@ -107,6 +142,10 @@ func (s *VaultSpec) Validate() error {
 		if s.Auth.Token.SecretRef.Name == "" {
 			return errors.New("vault.auth.token.secretRef.name is required when using token auth")
 		}
+	} else if s.Auth.Type() == VaultAuthTypeK8SAuth {
+		if s.Auth.Kubernetes.SecretRef.Name == "" {
+			return errors.New("vault.auth.kubernetes.secretRef.name is required when using kubernetes auth")
+		}
 	}
 
 	return nil

diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/mirrors.kts.studio_secretmirrors.yaml b/config/crd/bases/mirrors.kts.studio_secretmirrors.yaml
@@ -204,6 +204,36 @@ spec:
                                     type: string
                                 type: object
                             type: object
+                          kubernetes:
+                            description: VaultTokenAuthSpec specifies token-specific
+                              auth data
+                            properties:
+                              mountPath:
+                                description: 'A key in the SecretRef which contains
+                                  mountPath value. Default: mountPath'
+                                type: string
+                              pathToToken:
+                                description: 'A key in the SecretRef which contains
+                                  pathToToken value. Default: pathToToken'
+                                type: string
+                              roleName:
+                                description: 'roleName Vault prefix. Default: roleName'
+                                type: string
+                              secretRef:
+                                description: SecretReference represents a Secret Reference.
+                                  It has enough information to retrieve secret in
+                                  any namespace
+                                properties:
+                                  name:
+                                    description: Name is unique within a namespace
+                                      to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: Namespace defines the space within
+                                      which the secret name must be unique.
+                                    type: string
+                                type: object
+                            type: object
                           token:
                             description: VaultTokenAuthSpec specifies token-specific
                               auth data
@@ -288,6 +318,36 @@ spec:
                                     type: string
                                 type: object
                             type: object
+                          kubernetes:
+                            description: VaultTokenAuthSpec specifies token-specific
+                              auth data
+                            properties:
+                              mountPath:
+                                description: 'A key in the SecretRef which contains
+                                  mountPath value. Default: mountPath'
+                                type: string
+                              pathToToken:
+                                description: 'A key in the SecretRef which contains
+                                  pathToToken value. Default: pathToToken'
+                                type: string
+                              roleName:
+                                description: 'roleName Vault prefix. Default: roleName'
+                                type: string
+                              secretRef:
+                                description: SecretReference represents a Secret Reference.
+                                  It has enough information to retrieve secret in
+                                  any namespace
+                                properties:
+                                  name:
+                                    description: Name is unique within a namespace
+                                      to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: Namespace defines the space within
+                                      which the secret name must be unique.
+                                    type: string
+                                type: object
+                            type: object
                           token:
                             description: VaultTokenAuthSpec specifies token-specific
                               auth data

diff --git a/go.mod b/go.mod
@@ -4,12 +4,13 @@ go 1.18
 
 require (
 	github.com/go-logr/logr v0.3.0
-	github.com/hashicorp/vault/api v1.4.1
+	github.com/hashicorp/vault/api v1.12.0
+	github.com/hashicorp/vault/api/auth/kubernetes v0.6.0
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.18.1
 	github.com/panjf2000/ants/v2 v2.4.8
 	github.com/prometheus/client_golang v1.7.1
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/sync v0.1.0
 	k8s.io/api v0.20.2
 	k8s.io/apimachinery v0.20.2
 	k8s.io/client-go v0.20.2
@@ -24,58 +25,41 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.0 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/armon/go-metrics v0.3.9 // indirect
-	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/evanphx/json-patch v4.9.0+incompatible // indirect
-	github.com/fatih/color v1.7.0 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-logr/zapr v0.2.0 // indirect
 	github.com/gogo/protobuf v1.3.1 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/uuid v1.1.2 // indirect
 	github.com/googleapis/gnostic v0.5.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v0.16.2 // indirect
-	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-plugin v1.4.3 // indirect
 	github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.2 // indirect
-	github.com/hashicorp/go-version v1.2.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/vault/sdk v0.4.1 // indirect
-	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 	github.com/imdario/mergo v0.3.10 // indirect
 	github.com/json-iterator/go v1.1.10 // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.2 // indirect
-	github.com/mitchellh/reflectwalk v1.0.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/oklog/run v1.0.0 // indirect
-	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.10.0 // indirect
@@ -85,23 +69,20 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.5.0 // indirect
 	go.uber.org/zap v1.15.0 // indirect
-	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
-	golang.org/x/sys v0.0.0-20220317061510-51cd9980dadf // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
 	gomodules.xyz/jsonpatch/v2 v2.1.0 // indirect
 	google.golang.org/appengine v1.6.6 // indirect
-	google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
-	google.golang.org/grpc v1.41.0 // indirect
 	google.golang.org/protobuf v1.26.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.20.1 // indirect
 	k8s.io/component-base v0.20.2 // indirect
 	k8s.io/klog/v2 v2.4.0 // indirect