feat(certs): get Vault token from Secret (#4753)

jaellio · web-flow · commit baff85f1ff1b · 2022-06-28T13:00:39.000-07:00
If the Vault token option is not set, the token will be obtained
from the secret referenced in the SecretKeyRef. Currently, the
Vault token must still be set as an option if Vault is the cert
provider. In a subsequent change, all cert provider flags will be
removed from the osm-bootstrap, osm-controller, and osm-injector.
These values will instead be obtained from the MRC created by the
osm-bootstrap and populated using the preset-mesh-root-certificate

Signed-off-by: jaellio &lt;jaellio@microsoft.com&gt;
diff --git a/charts/osm/README.md b/charts/osm/README.md
@@ -176,9 +176,9 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.vault.port | int | `8200` | port to use to connect to Vault |
 | osm.vault.protocol | string | `"http"` | protocol to use to connect to Vault |
 | osm.vault.role | string | `"openservicemesh"` | Vault role to be used by Open Service Mesh |
-| osm.vault.secret | object | `{"key":"token","name":"osm-vault-token"}` | The Kubernetes secret storing the Vault token used in OSM |
-| osm.vault.secret.key | string | `"token"` | The Kubernetes secret key with the value bring the Vault token |
-| osm.vault.secret.name | string | `"osm-vault-token"` | The Kubernetes secret name storing the Vault token used in OSM |
+| osm.vault.secret | object | `{"key":"","name":""}` | The Kubernetes secret storing the Vault token used in OSM |
+| osm.vault.secret.key | string | `""` | The Kubernetes secret key with the value bring the Vault token |
+| osm.vault.secret.name | string | `""` | The Kubernetes secret name storing the Vault token used in OSM |
 | osm.vault.token | string | `""` | token that should be used to connect to Vault |
 | osm.webhookConfigNamePrefix | string | `"osm-webhook"` | Prefix used in name of the webhook configuration resources |
 | smi.validateTrafficTarget | bool | `true` | Enables validation of SMI Traffic Target |
diff --git a/charts/osm/values.yaml b/charts/osm/values.yaml
@@ -135,9 +135,9 @@ osm:
     # -- The Kubernetes secret storing the Vault token used in OSM
     secret:
       # -- The Kubernetes secret name storing the Vault token used in OSM
-      name: osm-vault-token
+      name: ""
       # -- The Kubernetes secret key with the value bring the Vault token
-      key: token
+      key: ""
 
   #
   # -- cert-manager.io configuration
diff --git a/pkg/certificate/providers/config.go b/pkg/certificate/providers/config.go
@@ -188,10 +188,21 @@ func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.
 
 	// A Vault address would have the following shape: "http://vault.default.svc.cluster.local:8200"
 	vaultAddr := fmt.Sprintf("%s://%s:%d", provider.Protocol, provider.Host, provider.Port)
-	// TODO(#4502): If the DefaultVaultToken is empty, query the mrc.provider.vault.token.secretRef.
+
+	// If the DefaultVaultToken is empty, query Vault token secret
+	var err error
+	vaultToken := c.DefaultVaultToken
+	if vaultToken == "" {
+		log.Debug().Msgf("Attempting to get Vault token from secret %s", provider.Token.SecretKeyRef.Name)
+		vaultToken, err = getHashiVaultOSMToken(&provider.Token.SecretKeyRef, c.kubeClient)
+		if err != nil {
+			return nil, "", err
+		}
+	}
+
 	vaultClient, err := vault.New(
 		vaultAddr,
-		c.DefaultVaultToken,
+		vaultToken,
 		provider.Role,
 	)
 	if err != nil {
@@ -204,6 +215,21 @@ func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.
 	return vaultClient, id, nil
 }
 
+// getHashiVaultOSMToken returns the Hashi Vault token from the secret specified in the provided secret key reference
+func getHashiVaultOSMToken(secretKeyRef *v1alpha2.SecretKeyReferenceSpec, kubeClient kubernetes.Interface) (string, error) {
+	tokenSecret, err := kubeClient.CoreV1().Secrets(secretKeyRef.Namespace).Get(context.TODO(), secretKeyRef.Name, metav1.GetOptions{})
+	if err != nil {
+		return "", fmt.Errorf("error retrieving Hashi Vault token secret %s/%s: %w", secretKeyRef.Namespace, secretKeyRef.Name, err)
+	}
+
+	token, ok := tokenSecret.Data[secretKeyRef.Key]
+	if !ok {
+		return "", fmt.Errorf("key %s not found in Hashi Vault token secret %s/%s", secretKeyRef.Key, secretKeyRef.Namespace, secretKeyRef.Name)
+	}
+
+	return string(token), nil
+}
+
 // getCertManagerOSMCertificateManager returns a certificate manager instance with cert-manager as the certificate provider
 func (c *MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {
 	provider := mrc.Spec.Provider.CertManager
diff --git a/pkg/certificate/providers/config_test.go b/pkg/certificate/providers/config_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/rest"
@@ -88,6 +89,62 @@ func TestGetCertificateManager(t *testing.T) {
 			},
 			cfg: mockConfigurator,
 		},
+		{
+			name: "Valid Vault protocol using vault secret defined in MRC",
+			options: VaultOptions{
+				VaultHost:     "vault.default.svc.cluster.local",
+				VaultRole:     "role",
+				VaultPort:     8200,
+				VaultProtocol: "http",
+			},
+			kubeClient: fake.NewSimpleClientset(&v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "vault-token",
+					Namespace: "osm-system",
+				},
+				Data: map[string][]byte{
+					"token": []byte("secret"),
+				},
+			}),
+			configClient: fakeConfigClientset.NewSimpleClientset(&v1alpha2.MeshRootCertificate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "osm-mesh-root-certificate",
+					Namespace: "osm-system",
+					Annotations: map[string]string{
+						constants.MRCVersionAnnotation: "0",
+					},
+				},
+				Spec: v1alpha2.MeshRootCertificateSpec{
+					Provider: v1alpha2.ProviderSpec{
+						Vault: &v1alpha2.VaultProviderSpec{
+							Host:     "vault.default.svc.cluster.local",
+							Role:     "role",
+							Port:     8200,
+							Protocol: "http",
+							Token: v1alpha2.VaultTokenSpec{
+								SecretKeyRef: v1alpha2.SecretKeyReferenceSpec{
+									Name:      "vault-token",
+									Namespace: "osm-system",
+									Key:       "token",
+								},
+							},
+						},
+					},
+				},
+				Status: v1alpha2.MeshRootCertificateStatus{
+					State: constants.MRCStateActive,
+				},
+			}),
+			informerCollectionFunc: func(tc testCase) (*informers.InformerCollection, error) {
+				ic, err := informers.NewInformerCollection("osm", nil, informers.WithKubeClient(tc.kubeClient), informers.WithConfigClient(tc.configClient))
+				if err != nil {
+					return nil, err
+				}
+
+				return ic, nil
+			},
+			cfg: mockConfigurator,
+		},
 		{
 			name: "Not a valid Vault protocol",
 			options: VaultOptions{
@@ -185,3 +242,78 @@ func TestGetCertificateManager(t *testing.T) {
 		})
 	}
 }
+
+func TestGetHashiVaultOSMToken(t *testing.T) {
+	validVaultTokenSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "osm-system",
+			Name:      "osm-vault-token",
+		},
+		Data: map[string][]byte{
+			"token": []byte("token"),
+		},
+	}
+
+	invalidVaultTokenSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "osm-system",
+			Name:      "osm-vault-token",
+		},
+		Data: map[string][]byte{
+			"noop": []byte("noop"),
+		},
+	}
+
+	testCases := []struct {
+		name         string
+		secretKeyRef *v1alpha2.SecretKeyReferenceSpec
+		kubeClient   kubernetes.Interface
+		expectError  bool
+	}{
+		{
+			name: "No Vault token secret",
+			secretKeyRef: &v1alpha2.SecretKeyReferenceSpec{
+				Name:      "osm-vault-token",
+				Namespace: "osm-system",
+				Key:       "token",
+			},
+			kubeClient:  fake.NewSimpleClientset(),
+			expectError: true,
+		},
+		{
+			name: "Invalid Vault token secret",
+			secretKeyRef: &v1alpha2.SecretKeyReferenceSpec{
+				Name:      "osm-vault-token",
+				Namespace: "osm-system",
+				Key:       "token",
+			},
+			kubeClient:  fake.NewSimpleClientset([]runtime.Object{invalidVaultTokenSecret}...),
+			expectError: true,
+		},
+		{
+			name: "Valid Vault token secret",
+			secretKeyRef: &v1alpha2.SecretKeyReferenceSpec{
+				Name:      "osm-vault-token",
+				Namespace: "osm-system",
+				Key:       "token",
+			},
+			kubeClient:  fake.NewSimpleClientset([]runtime.Object{validVaultTokenSecret}...),
+			expectError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert := tassert.New(t)
+
+			token, err := getHashiVaultOSMToken(tc.secretKeyRef, tc.kubeClient)
+			if tc.expectError {
+				assert.Empty(token)
+				assert.Error(err)
+			} else {
+				assert.NotEmpty(token)
+				assert.NoError(err)
+			}
+		})
+	}
+}
diff --git a/pkg/certificate/providers/options.go b/pkg/certificate/providers/options.go
@@ -9,8 +9,6 @@ import (
 	"github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
 )
 
-const vaultTokenSecretName = "osm-vault-token" // #nosec G101: Potential hardcoded credentials
-
 // Validate validates the options for Tresor certificate provider
 func (options TresorOptions) Validate() error {
 	if options.SecretName == "" {
@@ -39,7 +37,7 @@ func (options VaultOptions) Validate() error {
 	}
 
 	if options.VaultToken == "" {
-		return errors.New("VaultToken not specified in Hashi Vault options")
+		log.Warn().Msg("VaultToken is not specified in Hashi Vault options. The token secret reference option must be specified.")
 	}
 
 	if options.VaultRole == "" {
@@ -61,7 +59,9 @@ func (options VaultOptions) AsProviderSpec() v1alpha2.ProviderSpec {
 			Host:     options.VaultHost,
 			Token: v1alpha2.VaultTokenSpec{
 				SecretKeyRef: v1alpha2.SecretKeyReferenceSpec{
-					Name: vaultTokenSecretName,
+					Name:      options.VaultTokenSecretName,
+					Namespace: options.VaultTokenSecretNamespace,
+					Key:       options.VaultTokenSecretKey,
 				},
 			},
 			Role: options.VaultRole,
diff --git a/pkg/certificate/providers/options_test.go b/pkg/certificate/providers/options_test.go
@@ -98,17 +98,7 @@ func TestValidateVaultOptions(t *testing.T) {
 				VaultToken:    "",
 				VaultRole:     "vault-role",
 			},
-			expectErr: true,
-		},
-		{
-			testName: "Empty role",
-			options: VaultOptions{
-				VaultProtocol: "http",
-				VaultHost:     "vault-host",
-				VaultToken:    "vault-token",
-				VaultRole:     "",
-			},
-			expectErr: true,
+			expectErr: false,
 		},
 		{
 			testName: "Empty role",
diff --git a/pkg/certificate/providers/types.go b/pkg/certificate/providers/types.go
@@ -8,8 +8,11 @@ import (
 	"github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
 	"github.com/openservicemesh/osm/pkg/certificate"
 	"github.com/openservicemesh/osm/pkg/certificate/pem"
+	"github.com/openservicemesh/osm/pkg/logger"
 )
 
+var log = logger.New("certificate/provider")
+
 // Kind specifies the certificate provider kind
 type Kind string
 
@@ -51,11 +54,14 @@ type TresorOptions struct {
 
 // VaultOptions is a type that specifies 'Hashicorp Vault' certificate provider options
 type VaultOptions struct {
-	VaultProtocol string
-	VaultHost     string
-	VaultToken    string // TODO(#4745): Remove after deprecating the osm.vault.token option. Replace with VaultTokenSecretName
-	VaultRole     string
-	VaultPort     int
+	VaultProtocol             string
+	VaultHost                 string
+	VaultToken                string // TODO(#4745): Remove after deprecating the osm.vault.token option. Replace with VaultTokenSecretName
+	VaultRole                 string
+	VaultPort                 int
+	VaultTokenSecretNamespace string
+	VaultTokenSecretName      string
+	VaultTokenSecretKey       string
 }
 
 // CertManagerOptions is a type that specifies 'cert-manager.io' certificate provider options
