Merge b4653aa into cd881ac

ansible-collections · Mar 5, 2023 · 345eef8 · 345eef8
2 parents cd881ac + b4653aa
commit 345eef8
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 0 deletions.
diff --git a/plugins/doc_fragments/auth.py b/plugins/doc_fragments/auth.py
@@ -28,6 +28,7 @@ class ModuleDocFragment(object):
           - azure
           - jwt
           - cert
+          - kubernetes
           - none
         default: token
         type: str
@@ -75,6 +76,15 @@ class ModuleDocFragment(object):
       jwt:
         description: The JSON Web Token (JWT) to use for JWT authentication to Vault.
         type: str
+      kubernetes_token:
+        description: The Kubernetes Token (JWT) to use for Kubernetes authentication to Vault.
+        type: str
+        version_added: 2.5.0
+      kubernetes_token_path:
+        description: If no kubernetes_token is specified, will try to read the token from this path.
+        default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
+        type: str
+        version_added: 2.5.0
       aws_profile:
         description: The AWS profile
         type: str
@@ -305,4 +315,17 @@ class ModuleDocFragment(object):
         ini:
           - section: hashi_vault_collection
             key: cert_auth_private_key
+      kubernetes_token:
+        env:
+          - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN
+        vars:
+          - name: ansible_hashi_vault_kubernetes_token
+      kubernetes_token_path:
+        env:
+          - name: ANSIBLE_HASHI_VAULT_KUBERNETES_TOKEN_PATH
+        ini:
+          - section: hashi_vault_collection
+            key: kubernetes_token_path
+        vars:
+          - name: ansible_hashi_vault_kubernetes_token_path
     '''
diff --git a/plugins/module_utils/_auth_method_k8s.py b/plugins/module_utils/_auth_method_k8s.py
@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2021 FERREIRA Christophe (@chris93111)
+# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
+
+'''Python versions supported: >=3.6'''
+
+# FOR INTERNAL COLLECTION USE ONLY
+# The interfaces in this file are meant for use within the community.hashi_vault collection
+# and may not remain stable to outside uses. Changes may be made in ANY release, even a bugfix release.
+# See also: https://github.com/ansible/community/issues/539#issuecomment-780839686
+# Please open an issue if you have questions about this.
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+from ..module_utils._hashi_vault_common import HashiVaultAuthMethodBase, HashiVaultValueError
+import os
+
+
+class HashiVaultAuthMethodKubernetes(HashiVaultAuthMethodBase):
+    '''HashiVault option group class for auth: kubernetes'''
+
+    NAME = 'kubernetes'
+    OPTIONS = ['kubernetes_token', 'kubernetes_token_path', 'role_id', 'mount_point']
+
+    def __init__(self, option_adapter, warning_callback, deprecate_callback):
+        super(HashiVaultAuthMethodKubernetes, self).__init__(option_adapter, warning_callback, deprecate_callback)
+
+    def validate(self):
+        self.validate_by_required_fields('role_id')
+
+        if self._options.get_option('kubernetes_token') is None and self._options.get_option('kubernetes_token_path') is not None:
+            token_filename = self._options.get_option('kubernetes_token_path')
+            if os.path.exists(token_filename):
+                if not os.path.isfile(token_filename):
+                    raise HashiVaultValueError("The Kubernetes token file '%s' was found but is not a file." % token_filename)
+                with open(token_filename) as token_file:
+                    self._options.set_option('kubernetes_token', token_file.read().strip())
+
+        if self._options.get_option('kubernetes_token') is None:
+            raise HashiVaultValueError(
+                self._options.get_option_default('kubernetes_token_path') + " No Kubernetes Token specified or discovered."
+            )
+
+    def authenticate(self, client, use_token=True):
+        origin_params = self._options.get_filled_options(*self.OPTIONS)
+        params = {
+            "role": origin_params.get('role_id'),
+            "jwt": origin_params.get('kubernetes_token'),
+            "mount_point": origin_params.get('mount_point'),
+            "use_token": use_token,
+        }
+
+        try:
+            response = client.auth.kubernetes.login(**params)
+        except (NotImplementedError, AttributeError):
+            self.warn("Kubernetes authentication requires HVAC version 1.0.0 or higher. Deprecated method 'auth_kubernetes' will be used.")
+            response = client.auth_kubernetes(**params)
+
+        return response
diff --git a/plugins/module_utils/_authenticator.py b/plugins/module_utils/_authenticator.py
@@ -20,6 +20,7 @@
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_azure import HashiVaultAuthMethodAzure
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_cert import HashiVaultAuthMethodCert
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_jwt import HashiVaultAuthMethodJwt
+from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_k8s import HashiVaultAuthMethodKubernetes
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_ldap import HashiVaultAuthMethodLdap
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_none import HashiVaultAuthMethodNone
 from ansible_collections.community.hashi_vault.plugins.module_utils._auth_method_token import HashiVaultAuthMethodToken
@@ -37,6 +38,7 @@ class HashiVaultAuthenticator():
             'azure',
             'jwt',
             'cert',
+            'kubernetes',
             'none',
         ]),
         mount_point=dict(type='str'),
@@ -49,6 +51,8 @@ class HashiVaultAuthenticator():
         role_id=dict(type='str'),
         secret_id=dict(type='str', no_log=True),
         jwt=dict(type='str', no_log=True),
+        kubernetes_token=dict(type='str', no_log=True),
+        kubernetes_token_path=dict(type='str', default='/var/run/secrets/kubernetes.io/serviceaccount/token', no_log=False),
         aws_profile=dict(type='str', aliases=['boto_profile']),
         aws_access_key=dict(type='str', aliases=['aws_access_key_id'], no_log=False),
         aws_secret_key=dict(type='str', aliases=['aws_secret_access_key'], no_log=True),
@@ -73,6 +77,7 @@ def __init__(self, option_adapter, warning_callback, deprecate_callback):
             'azure': HashiVaultAuthMethodAzure(option_adapter, warning_callback, deprecate_callback),
             'cert': HashiVaultAuthMethodCert(option_adapter, warning_callback, deprecate_callback),
             'jwt': HashiVaultAuthMethodJwt(option_adapter, warning_callback, deprecate_callback),
+            'kubernetes': HashiVaultAuthMethodKubernetes(option_adapter, warning_callback, deprecate_callback),
             'ldap': HashiVaultAuthMethodLdap(option_adapter, warning_callback, deprecate_callback),
             'none': HashiVaultAuthMethodNone(option_adapter, warning_callback, deprecate_callback),
             'token': HashiVaultAuthMethodToken(option_adapter, warning_callback, deprecate_callback),