
make kubernetes_ca_cert optional #238

Merged: 18 commits, Mar 27, 2024

Conversation

thyton

@thyton thyton commented Mar 13, 2024

Overview

Users want to make kubernetes_ca_cert optional. Since the CA cert is used only for establishing a TLS connection to the Kubernetes API, we can default to using the system's trust store with no harm, as mentioned in #62.

Design of Change

The config write handler removes non-nil kubernetes_ca_cert enforcement.

When kubernetes_ca_cert is not given:

  • If disable_local_default_ca_jwt is false, set the local CA to caCertBytes.
  • If caCertBytes is empty, assign the default TLS config to transport.TLSClientConfig and return early.

Related Issues/Pull Requests

Contributor Checklist

The self-signed kubernetes host CA is in the host’s trust store

2024-03-19T15:35:11.286Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=started
2024-03-19T15:35:11.311Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=finished err=<nil> took=24.570041ms
2024-03-19T15:35:11.311Z [DEBUG] identity: creating a new entity: alias="id:\"153b12e0-7d31-9c7d-a022-c2ad17a0d5b3\"  canonical_id:\"de0043a8-5f9b-9d19-ee52-0183d2110157\"  mount_type:\"vault-plugin-auth-kubernetes\"  mount_accessor:\"auth_vault-plugin-auth-kubernetes_2996fdb6\"  mount_path:\"auth/kubernetes/\"  metadata:{key:\"service_account_name\"  value:\"default\"}  metadata:{key:\"service_account_namespace\"  value:\"default\"}  metadata:{key:\"service_account_secret_name\"  value:\"\"}  metadata:{key:\"service_account_uid\"  value:\"6ac6361a-722a-4b11-8c4f-d1e4c5fdfaae\"}  name:\"6ac6361a-722a-4b11-8c4f-d1e4c5fdfaae\"  creation_time:{seconds:1710862511  nanos:311625256}  last_update_time:{seconds:1710862511  nanos:311625256}  namespace_id:\"root\"  local_bucket_key:\"packer/local-aliases/buckets/248\""
2024-03-19T15:35:11.313Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: type: transport=gRPC status=started
2024-03-19T15:35:11.314Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2996fdb6.vault-plugin-auth-kubernetes: type: transport=gRPC status=finished took=1.367708ms

The self-signed kubernetes host CA is not in the host’s trust store

2024-03-19T15:47:33.196Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2e239732.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=started
2024-03-19T15:47:33.211Z [DEBUG] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2e239732.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: login unauthorized: err="Post \"https://192.168.1.95:60815/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate signed by unknown authority" timestamp=2024-03-19T15:47:33.211Z
2024-03-19T15:47:33.212Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_2e239732.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=finished err="permission denied" took=15.917208ms

Invalid kubernetes_ca_cert

$ cat scratch/invalid-ca-bundble.pem 
bad
$ scratch/test-ca-bundle.sh scratch/invalid-ca-bundble.pem
Error writing data to auth/kubernetes/config: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/auth/kubernetes/config
Code: 400. Errors:

* Configured CA PEM data contains no valid certificates, TLS verification will fail

Correctly formatted kubernetes_ca_cert but not the kubernetes host's CA

$ scratch/test-ca-bundle.sh scratch/non-k8s-valid-ca-bundle.pem
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Error writing data to auth/kubernetes/login: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/auth/kubernetes/login
Code: 403. Errors:

* permission denied

2024-03-20T16:17:15.288Z [DEBUG] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_a119c08e.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: login unauthorized: err="Post \"https://192.168.1.95:60815/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate signed by unknown authority" timestamp=2024-03-20T16:17:15.288Z
2024-03-20T16:17:15.288Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_a119c08e.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=login status=finished err="permission denied" took=14.4695ms

Valid kubernetes_ca_cert

Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESIIFdnVdpvlFfXeR2uqyDgVCJaUInEcw_BC2ufWzOdnmaGh4KHGh2cy5CMGF2ZVp4RVJ1dWdlcDhDOFZpd1AzcXk
.....

Switching from system cert pool to kubernetes_ca_cert

[24/03/20 09:35:04] ~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1729-make-kubernetes-ca-cert-optional) $ scratch/test-system.sh
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESILLOEjFnCBbx6ZJ-Q-BLwWLQLXou9LwWp2n5KoT-7NkNGh4KHGh2cy5mMHpsVWVTQU91d1NsZUttZURKbW1BbHE
token_accessor                            NIELmHYd6Hv9vDSQay0sRllP
...
[24/03/20 09:35:23] ~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1729-make-kubernetes-ca-cert-optional) $ scratch/test-ca-bundle.sh scratch/valid-ca-cert.pem
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESINIGC0y-q0iJ_iBFcnaPJyQw0E-C7tijilW_K2TEO_30Gh4KHGh2cy4xV2hTbzU1bVlhamNFVGQ3T3VFN3FNelE
token_accessor                            GPE0XTcNZA9ZQnhn2THFs0P6
token_duration                            1h

2024-03-20T16:35:31.307Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=started
2024-03-20T16:35:31.310Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: Root CA certificate pool has changed, updating the client's transport: timestamp=2024-03-20T16:35:31.310Z
2024-03-20T16:35:31.312Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=finished err=<nil> took=5.18775ms

Switching back to system cert pool from kubernetes_ca_cert

[24/03/20 09:36:18] ~/go/src/github.com/hashicorp/vault-plugin-auth-kubernetes (VAULT-1729-make-kubernetes-ca-cert-optional) $ scratch/test-system.sh
Success! Data written to: auth/kubernetes/config
Success! Data written to: auth/kubernetes/role/demo
Key                                       Value
---                                       -----
token                                     hvs.CAESICgVKj0Kk_vppYBKtoJpyGVoOax90DJO4GJ-GckInnwbGh4KHGh2cy5tZUplNDVRRlF0TTJqMkNHTWVLMGszUlg
...

2024-03-20T16:39:07.523Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=started
2024-03-20T16:39:07.525Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes.vault-plugin-auth-kubernetes: Root CA certificate pool has changed, updating the client's transport: timestamp=2024-03-20T16:39:07.525Z
2024-03-20T16:39:07.526Z [TRACE] auth.vault-plugin-auth-kubernetes.auth_vault-plugin-auth-kubernetes_f6d85e17.vault-plugin-auth-kubernetes: handle request: transport=gRPC path=config status=finished err=<nil> took=3.289667ms
  • Backwards compatible
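The rule the design section describes (an absent kubernetes_ca_cert means "use the host's trust store", a present bundle must contain at least one certificate, otherwise the config write is rejected) as an added Go example. This is not the plugin's own code: the names `ValidateCACert`, `NewTLSClientConfig`, `pemCertificates`, `hasCerts` and `generateTestCA` are this example's, the CA and key it feeds itself are generated in-process purely as constructed test input, and it treats a whitespace-only value as absent (the PR's handler checks `caCert != ""`). In Go, leaving `tls.Config.RootCAs` nil is exactly what selects the system pool, so the fallback needs no code beyond not setting it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ErrNoCerts mirrors the handler's rejection in the PR's transcript: a bundle
// was supplied but nothing in it is a certificate, so verification could never succeed.
var ErrNoCerts = errors.New("configured CA PEM data contains no valid certificates, TLS verification will fail")

// pemCertificates parses every CERTIFICATE block in bundle. Other block types
// (private keys, CRLs) are skipped; a CERTIFICATE block that fails to parse is an error.
func pemCertificates(bundle string) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := []byte(bundle)
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate block: %w", err)
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// hasCerts reports whether bundle yields at least one parseable certificate.
func hasCerts(bundle string) bool {
	certs, err := pemCertificates(bundle)
	return err == nil && len(certs) > 0
}

// ValidateCACert is the config-write rule: absent is fine (system pool), present
// but certificate-free is rejected. Whitespace-only counts as absent here (example's choice).
func ValidateCACert(caCert string) error {
	if strings.TrimSpace(caCert) == "" {
		return nil
	}
	if !hasCerts(caCert) {
		return ErrNoCerts
	}
	return nil
}

// NewTLSClientConfig builds the TLS config for the Kubernetes API client.
// RootCAs left nil means crypto/tls verifies against the host's trust store.
func NewTLSClientConfig(caCert string) (*tls.Config, error) {
	if err := ValidateCACert(caCert); err != nil {
		return nil, err
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if strings.TrimSpace(caCert) == "" {
		return cfg, nil // no RootCAs set: system pool
	}
	certs, err := pemCertificates(caCert)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// generateTestCA creates a throwaway self-signed CA (constructed sample input only)
// and returns its certificate and private key as PEM strings.
func generateTestCA() (certPEM, keyPEM string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := generateTestCA()
	if err != nil {
		panic(err)
	}
	cases := map[string]string{"absent": "", "garbage": "bad", "key-only": keyPEM, "valid-ca": certPEM}
	for name, bundle := range cases {
		cfg, err := NewTLSClientConfig(bundle)
		switch {
		case err != nil:
			fmt.Printf("%-9s rejected: %v\n", name, err)
		case cfg.RootCAs == nil:
			fmt.Printf("%-9s accepted: host trust store\n", name)
		default:
			fmt.Printf("%-9s accepted: configured CA pool\n", name)
		}
	}
}
```

The key-only case is the one worth keeping in mind when reading the transcript above: a bundle can be perfectly well-formed PEM and still carry no certificate, and without the `hasCerts` gate such a config would be written successfully and only fail later, at login, with the same "certificate signed by unknown authority" error that a wrong CA produces.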

@thyton thyton linked an issue Mar 13, 2024 that may be closed by this pull request
@benashz benashz self-requested a review March 14, 2024 15:54
@thyton thyton requested a review from a team as a code owner March 19, 2024 19:42

@benashz benashz left a comment


Looking good. I had a few suggestions/nits for your consideration.

CHANGELOG.md Outdated
@@ -10,6 +10,10 @@
* `k8s.io/api` v0.29.1 -> v0.29.2
* `k8s.io/apimachinery` v0.29.1 -> v0.29.2

### Improvements

* Make kubernetes_ca_cert optional [GH-238](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/238)
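Review bot: the added entry under `### Improvements` names only the field becoming optional, but the user-visible change is that the TLS client now verifies the Kubernetes API against the host's root CA set when no bundle is given, and that a supplied bundle is newly validated (a certificate-free PEM is refused at config write time). Both belong in the entry, since the first is a behavioural change operators need to know about when upgrading and the second can turn a previously accepted config into a 400.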


I think this is really about having "TLS uses the host's root CA set" if no CA chain is provided - which is a behavioural change.

We should also document the extra validation being done on the provided CA PEM bundle.

Resolved review threads (outdated): backend.go, path_config.go (2), path_config_test.go (2)
thyton and others added 5 commits March 26, 2024 09:34
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
@thyton

thyton commented Mar 26, 2024

Thank you for your feedback!

@thyton thyton requested a review from benashz March 26, 2024 17:40

@benashz benashz left a comment


A few minor nits, otherwise 👍

path_config.go Outdated
}

if caCert != "" && !hasCerts(caCert) {
return logical.ErrorResponse("The provided CA PEM data contains no valid certificates"), nil
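Review bot: `caCert != ""` treats only the exact empty string as "not provided", so a value that is just whitespace or a trailing newline (easy to produce from a shell heredoc or a templated config) is routed into `hasCerts` and rejected as an invalid bundle instead of falling back to the host trust store; `strings.TrimSpace(caCert) == ""` would make the optional check match what operators mean. The message here ("The provided CA PEM data contains no valid certificates") also differs from the one in the PR's test transcript ("Configured CA PEM data contains no valid certificates, TLS verification will fail"); pick one wording so the error is greppable in docs and support threads.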


nit: the line is a bit long; maybe bring the message down one line, as it was before.

CHANGELOG.md Outdated
@@ -10,6 +10,10 @@
* `k8s.io/api` v0.29.1 -> v0.29.2
* `k8s.io/apimachinery` v0.29.1 -> v0.29.2

### Improvements

* Allow TLS client to use the host's root CA set when no CA certificates are provided and `disable_local_ca_jwt` is true if running Vault in a Kubernetes pod. Additionally, validate the configuration's provided CA PEM bundle. [GH-238](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/238)
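Review bot: the setting is written `disable_local_ca_jwt` here but `disable_local_default_ca_jwt` in the PR description; the changelog should carry the exact field name the config handler accepts, since operators will copy it. The clause "is true if running Vault in a Kubernetes pod" also reads as a condition on the pod rather than on the setting; a clearer order would be: "use the host's root CA set when no CA certificates are provided (and, when running in a Kubernetes pod, the local CA JWT is disabled)".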


nit: line is a bit long, mind folding it?

@thyton thyton merged commit da08a6a into main Mar 27, 2024
8 checks passed
@thyton thyton deleted the VAULT-1729-make-kubernetes-ca-cert-optional branch March 27, 2024 23:04
Successfully merging this pull request may close these issues.

Do not make ca cert or pem keys required
2 participants