From 84762d7d99589c68cdbe1163308f05ee5b311eef Mon Sep 17 00:00:00 2001
From: Srevin Saju
Date: Sun, 2 Jun 2024 00:59:45 +0300
Subject: [PATCH] feat: add extra annotations to customize path of injected token and permissions of the token file sink on vault

adds: * `vault.hashicorp.com/agent-inject-token-file` to specify a different path other than `${vault_volume_name}/token` * `vault.hashicorp.com/agent-inject-token-perms` to specify a different permission for the token file, other than the current default, 0640
---
 agent-inject/agent/agent.go | 10 ++++++-
 agent-inject/agent/annotations.go | 43 ++++++++++++++++++++++++++++---
 agent-inject/agent/config.go | 3 ++-
 3 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index 67f21d37..2c96bae5 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -33,6 +33,8 @@ const (
 DefaultAgentCacheExitOnErr = false
 DefaultAgentUseLeaderElector = false
 DefaultAgentInjectToken = false
+DefaultAgentInjectTokenFile = "token"
+DefaultAgentInjectTokenPermissions = "0640"
 DefaultTemplateConfigExitOnRetryFailure = true
 DefaultServiceAccountMount = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
 DefaultEnableQuit = false
@@ -169,6 +171,12 @@ type Agent struct {
 // secrets volume (e.g. /vault/secrets/token)
 InjectToken bool
 
+// InjectTokenFile is the file path where the auto-auth token is injected
+InjectTokenFile string
+
+// InjectTokenPermissions is the file permissions for the auto-auth token file
+InjectTokenPermissions string
+
 // EnableQuit controls whether the quit endpoint is enabled on a localhost
 // listener
 EnableQuit bool
@@ -497,7 +505,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 return agent, fmt.Errorf("invalid default template type: %s", agent.DefaultTemplate)
 }
 
-agent.InjectToken, err = agent.injectToken()
+err = agent.injectToken()
 if err != nil {
 return agent, err
 }
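Review bot: The comment on the new `InjectTokenFile` field in the Agent struct hunk calls the value "the file path where the auto-auth token is injected", but config.go joins it onto the secrets volume path, so it is a file name relative to that volume rather than a path; suggest `// InjectTokenFile is the name of the file, relative to the secrets volume, that the auto-auth token is written to (defaults to "token")`. `InjectTokenPermissions` is passed verbatim into the file sink's config as a string, which the comment could state: `// InjectTokenPermissions is the mode string (e.g. "0640") set on the token file sink`. The Agent struct begins before this hunk and continues after it.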
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index 4a12a8a1..4d0d7fd0 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -84,6 +84,15 @@ const (
 // auto-auth token into the secrets volume (e.g. /vault/secrets/token)
 AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token"
 
+// AnnotationAgentInjectTokenFile is the annotation key for specifying the
+// path to which the auto-auth token should be written to disk.
+// (defaults to 'token')
+AnnotationAgentInjectTokenFile = "vault.hashicorp.com/agent-inject-token-file"
+
+// AnnotationAgentInjectTokenPermission is the annotation key for specifying the
+// permission of the token file written to disk. (defaults to '0640')
+AnnotationAgentInjectTokenPermission = "vault.hashicorp.com/agent-inject-token-perms"
+
 // AnnotationAgentInjectCommand is the key annotation that configures Vault Agent
 // to run a command after the secret is rendered. The name of the template is any
 // unique string after "vault.hashicorp.com/agent-inject-command-". This should map
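Review bot: The doc comment on `AnnotationAgentInjectTokenFile` says the annotation gives "the path to which the auto-auth token should be written", but newConfig in config.go joins the value onto the secrets volume path, so it is a file name under that volume rather than a free path; suggest `// file name, relative to the secrets volume, to which the auto-auth token is written`. `AnnotationAgentInjectTokenPermission` is singular while the annotation suffix is `-perms` and the matching default and field are `DefaultAgentInjectTokenPermissions` / `InjectTokenPermissions`; naming it `AnnotationAgentInjectTokenPermissions` would keep the three consistent. The const block begins before this hunk and continues after it.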
@@ -880,12 +889,40 @@ func (a *Agent) cacheExitOnErr() (bool, error) {
 return parseutil.ParseBool(raw)
 }
 
-func (a *Agent) injectToken() (bool, error) {
+func (a *Agent) injectToken() error {
 raw, ok := a.Annotations[AnnotationAgentInjectToken]
 if !ok {
-return DefaultAgentInjectToken, nil
+a.InjectToken = DefaultAgentInjectToken
+return nil
 }
-return parseutil.ParseBool(raw)
+injectToken, err := parseutil.ParseBool(raw)
+if err != nil {
+return err
+}
+a.InjectToken = injectToken
+
+raw, ok = a.Annotations[AnnotationAgentInjectTokenFile]
+if !ok {
+a.InjectTokenFile = DefaultAgentInjectTokenFile
+return nil
+}
+injectTokenPath, err := parseutil.ParseString(raw)
+if err != nil {
+return err
+}
+a.InjectTokenFile = injectTokenPath
+
+raw, ok = a.Annotations[AnnotationAgentInjectTokenPermission]
+if !ok {
+a.InjectTokenPermissions = DefaultAgentInjectTokenPermissions
+return nil
+}
+injectTokenPermissions, err := parseutil.ParseString(raw)
+if err != nil {
+return err
+}
+a.InjectTokenPermissions = injectTokenPermissions
+return nil
 }
 
 // telemetryConfig accumulates the agent-telemetry annotations into a map which is
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
index e4437291..44cd6129 100644
--- a/agent-inject/agent/config.go
+++ b/agent-inject/agent/config.go
@@ -264,7 +264,8 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 config.AutoAuth.Sinks = append(config.AutoAuth.Sinks, &Sink{
 Type: "file",
 Config: map[string]interface{}{
-"path": path.Join(a.Annotations[AnnotationVaultSecretVolumePath], "token"),
+"path": path.Join(a.Annotations[AnnotationVaultSecretVolumePath], a.InjectTokenFile),
+"mode": a.InjectTokenPermissions,
 },
 })
 }
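Review bot: In injectToken, the `return nil` inside `if !ok` for `AnnotationAgentInjectTokenFile` exits before the permissions annotation is read, so `a.InjectTokenPermissions` stays "" whenever the file annotation is absent (and both new fields stay "" when `agent-inject-token` itself is unset), while the config.go hunk below writes `"mode": a.InjectTokenPermissions` into the sink regardless. A pod that sets only `agent-inject-token-perms` therefore has it silently ignored, and the default case hands Vault Agent an empty mode string, which it presumably rejects or misreads. Assigning all three defaults first and then overriding each from its own annotation removes the ordering dependency. Because newConfig `path.Join`s the file value onto the secrets volume and `path.Join` resolves `..` segments, the annotation can currently point the sink outside that volume; restricting it to a bare file name, and checking that the permissions value parses as an octal mode so a typo fails at admission rather than inside the agent, would close both gaps. The rewrite below assumes `fmt`, `path` and `strconv` are, or can be, imported in annotations.go.
```go
func (a *Agent) injectToken() error {
	// Defaults first, so a missing annotation never leaves a later field empty.
	a.InjectToken = DefaultAgentInjectToken
	a.InjectTokenFile = DefaultAgentInjectTokenFile
	a.InjectTokenPermissions = DefaultAgentInjectTokenPermissions

	if raw, ok := a.Annotations[AnnotationAgentInjectToken]; ok {
		injectToken, err := parseutil.ParseBool(raw)
		if err != nil {
			return err
		}
		a.InjectToken = injectToken
	}

	if raw, ok := a.Annotations[AnnotationAgentInjectTokenFile]; ok {
		name, err := parseutil.ParseString(raw)
		if err != nil {
			return err
		}
		// newConfig joins this onto the secrets volume path; a bare file name keeps
		// the sink inside that volume.
		if name == "" || name == "." || name == ".." || name != path.Base(name) {
			return fmt.Errorf("invalid %s value %q: must be a file name without path separators", AnnotationAgentInjectTokenFile, name)
		}
		a.InjectTokenFile = name
	}

	if raw, ok := a.Annotations[AnnotationAgentInjectTokenPermission]; ok {
		perms, err := parseutil.ParseString(raw)
		if err != nil {
			return err
		}
		// Reject malformed modes here instead of when the agent parses its sink config.
		if _, err := strconv.ParseUint(perms, 8, 32); err != nil {
			return fmt.Errorf("invalid %s value %q: %w", AnnotationAgentInjectTokenPermission, perms, err)
		}
		a.InjectTokenPermissions = perms
	}
	return nil
}
```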