From 98035331373b58e0c5e3717d782fd1cf165b9fa8 Mon Sep 17 00:00:00 2001
From: John Eikenberry
Date: Wed, 15 Feb 2023 13:04:28 -0800
Subject: [PATCH] add comments on source/contents of auth method's parameters
---
 agent/connect/ca/provider_vault.go | 7 +++++++
 agent/connect/ca/provider_vault_auth_k8s.go | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
index 926a8321626e2..d257dffb2b811 100644
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -921,6 +921,13 @@ func vaultLogin(client *vaultapi.Client, authMethod *structs.VaultAuthMethod) (*
 return resp, nil
 }
+// Note the authMethod's parameters (Params) is populated from a freeform map
+// in the configuration where they could hardcode values to be passed directly
+// to the `auth/*/login` endpoint. So each auth method's authentication code
+// needs to handle both these cases. The legacy case (which should be
+// deprecated) where the user has hardcoded login values directly (eg. a `jwt`
+// string) and the case where they use the configuration option used in the
+// vault agent's auth methods.
 func configureVaultAuthMethod(authMethod *structs.VaultAuthMethod) (VaultAuthenticator, error) {
 if authMethod.MountPath == "" {
 authMethod.MountPath = authMethod.Type
diff --git a/agent/connect/ca/provider_vault_auth_k8s.go b/agent/connect/ca/provider_vault_auth_k8s.go
index bb1f3b31521ee..9395c5bebbeab 100644
--- a/agent/connect/ca/provider_vault_auth_k8s.go
+++ b/agent/connect/ca/provider_vault_auth_k8s.go
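Review bot: The new doc comment above configureVaultAuthMethod reads awkwardly ("parameters (Params) is populated") and its final sentence is a fragment ("The legacy case ... and the case where ..."), while the visible body of the function only normalizes MountPath, so the comment is really stating a contract that each per-method login-data generator (such as K8sLoginDataGen in the second file) must honour rather than something this function does. I would reword it to make that contract explicit: that Params is a freeform map taken from the configuration, that a login-data generator must accept both hardcoded login values passed straight through to `auth/*/login` (the legacy form, e.g. a literal `jwt` string) and the vault-agent-style auth-method options, and that the hardcoded form is the one intended for deprecation. A compact version is `// Params is a freeform map from the configuration; each auth method's login code must accept both hardcoded login values sent as-is to auth/*/login (legacy, e.g. a literal jwt; to be deprecated) and vault-agent-style auth method options.` Only the start of configureVaultAuthMethod is in the hunk; its body continues outside it.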
@@ -24,8 +24,9 @@ func K8sLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error
 params := authMethod.Params
 role := params["role"].(string)
- // token passed directly
- // refactor this to use the hasJWT function as used in the jwt auth
+ // Note the `jwt` can be passed directly in the authMethod as the it's Params
+ // is a freeform map in the config where they could hardcode it.
+ // See comment on configureVaultAuthMethod (in ./provider_vault.go) for more.
 if jwt, ok := params["jwt"].(string); ok && strings.TrimSpace(jwt) != "" {
 return map[string]any{
 "role": role,