Add Kubernetes Auth Method

CHANGES.md

@@ -1,5 +1,10 @@
 # Change Log
 
+## 1.1.0
+
+- Added `kuberentes` auth method.
+- Added `auth_mount_point` config option for specifying custom authentication mount points.
+
 ## 1.0.0
 
 * Drop Python 2.7 support

README.md

@@ -13,14 +13,15 @@ It should contain:
 * `cert` - Path to client-side certificate
 * `verify` - Whether to verify the SSL certificate or not
 * `auth_method` - Which authentication method to use.
- Only `token` (the default) and `approle` are implemented so far.
+ Available implementations are: `token` (default), `approle` and `kubernetes`.
 
 Also include the relevant auth_method-specific config:
 
 * `token` - Authentication token for `auth_method=token`. If not specified,
  also tries using the `VAULT_TOKEN` env var or the `~/.vault-token` file.
 * `role_id` - Authentication role_id for `auth_method=approle`.
 * `secret_id` - Authentication secret_id for `auth_method=approle`.
+* `role` - Authentication role for `auth_method=kubernetes`
 
 You can also use dynamic values from the datastore. See the
 [docs](https://docs.stackstorm.com/reference/pack_configs.html) for more info.

actions/lib/action.py

@@ -24,6 +24,13 @@ def _get_client(self):
  # in favor of: client.auth.<method>.login
  # So, use client.auth.<method> where implemented
 
+ # Support for optional kwargs - only passed to login method if defined in config
+ login_kwargs = {}
+
+ auth_mount_point = self.config.get("auth_mount_point")
+ if auth_mount_point:
+ login_kwargs["mount_point"] = auth_mount_point
+
  # token is handled during client init
  # other auth methods will override it as needed
  if auth_method == "token":
@@ -32,7 +39,15 @@ def _get_client(self):
  client.auth.approle.login(
  role_id=self.config["role_id"],
  secret_id=self.config["secret_id"],
+ **login_kwargs,
  )
+ elif auth_method == "kubernetes":
+ with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as sa_token:
+ client.auth.kubernetes.login(
+ self.config["role"],
+ sa_token.read(),
+ **login_kwargs,
+ )
  else:
  raise NotImplementedError(
  "The {} auth method has a typo or has not been implemented (yet).".format(

config.schema.yaml

@@ -22,6 +22,7 @@
  enum:
  - approle
  - token
+ - kubernetes
  # Not implemented:
  # - app-id
  # - ali-cloud
@@ -32,15 +33,18 @@
  # - gcp
  # - github
  # - jwt
- # - kubernetes
  # - ldap
  # - mfa
  # - oidc
  # - okta
  # - radius
  # - userpass
  required: false
-
+
+ auth_mount_point:
+ description: "Custom authentication mount point, if required"
+ type: "string"
+ required: false
  token:
  description: "Authentication token (method=token)"
  type: "string"
@@ -56,3 +60,7 @@
  type: "string"
  secret: true
  required: false
+ role:
+ description: "Authentication role (method=kubernetes)"
+ secret: false
+ required: false

pack.yaml

@@ -2,7 +2,7 @@
 ref: vault
 name: vault
 description: HashiCorp Vault
-version: 1.0.0
+version: 1.1.0
 python_versions:
  - "3"
 author: steve.neuharth