add comments on source/contents of auth method's parameters

hashicorp · Feb 28, 2023 · 9803533 · 9803533
1 parent 6a820cf
commit 9803533
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
@@ -921,6 +921,13 @@ func vaultLogin(client *vaultapi.Client, authMethod *structs.VaultAuthMethod) (*
 	return resp, nil
 }
 
+// Note the authMethod's parameters (Params) is populated from a freeform map
+// in the configuration where they could hardcode values to be passed directly
+// to the `auth/*/login` endpoint. So each auth method's authentication code
+// needs to handle both these cases. The legacy case (which should be
+// deprecated) where the user has hardcoded login values directly (eg. a `jwt`
+// string) and the case where they use  the configuration option used in the
+// vault agent's auth methods.
 func configureVaultAuthMethod(authMethod *structs.VaultAuthMethod) (VaultAuthenticator, error) {
 	if authMethod.MountPath == "" {
 		authMethod.MountPath = authMethod.Type

diff --git a/agent/connect/ca/provider_vault_auth_k8s.go b/agent/connect/ca/provider_vault_auth_k8s.go
@@ -24,8 +24,9 @@ func K8sLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error
 	params := authMethod.Params
 	role := params["role"].(string)
 
-	// token passed directly
-	// refactor this to use the hasJWT function as used in the jwt auth
+	// Note the `jwt` can be passed directly in the authMethod as the it's Params
+	// is a freeform map in the config where they could hardcode it.
+	// See comment on configureVaultAuthMethod (in ./provider_vault.go) for more.
 	if jwt, ok := params["jwt"].(string); ok && strings.TrimSpace(jwt) != "" {
 		return map[string]any{
 			"role": role,