diff --git a/CHANGES.md b/CHANGES.md
index e04305a..42abc37 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,10 @@
 # Change Log
 
+## 1.1.0
+
+- Added `kuberentes` auth method.
+- Added `auth_mount_point` config option for specifying custom authentication mount points.
+
 ## 1.0.0
 
 * Drop Python 2.7 support
diff --git a/README.md b/README.md
index 9cc097e..53238b7 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ It should contain:
 * `cert` - Path to client-side certificate
 * `verify` - Whether to verify the SSL certificate or not
 * `auth_method` - Which authentication method to use.
-  Only `token` (the default) and `approle` are implemented so far.
+  Available implementations are: `token` (default), `approle` and `kubernetes`.
 
 Also include the relevant auth_method-specific config:
 
@@ -21,6 +21,7 @@ Also include the relevant auth_method-specific config:
   also tries using the `VAULT_TOKEN` env var or the `~/.vault-token` file.
 * `role_id` - Authentication role_id for `auth_method=approle`.
 * `secret_id` - Authentication secret_id for `auth_method=approle`.
+* `role` - Authentication role for `auth_method=kubernetes`
 
 You can also use dynamic values from the datastore. See the [docs](https://docs.stackstorm.com/reference/pack_configs.html) for more info.
diff --git a/actions/lib/action.py b/actions/lib/action.py
index d3e4e5e..b55cad0 100644
--- a/actions/lib/action.py
+++ b/actions/lib/action.py
@@ -24,6 +24,13 @@ def _get_client(self):
         # in favor of: client.auth..login
         # So, use client.auth. where implemented
 
+        # Support for optional kwargs - only passed to login method if defined in config
+        login_kwargs = {}
+
+        auth_mount_point = self.config.get("auth_mount_point")
+        if auth_mount_point:
+            login_kwargs["mount_point"] = auth_mount_point
+
         # token is handled during client init
         # other auth methods will override it as needed
         if auth_method == "token":
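Review bot: The new `auth_mount_point` option is wired into `login_kwargs` here and declared in config.schema.yaml and CHANGES.md, but neither README.md hunk in this commit adds it to the "It should contain" key list, so an operator reading the README will not discover it; add a bullet such as `* auth_mount_point - Custom authentication mount point (optional; passed to the approle and kubernetes login calls)`. The `if auth_mount_point:` truthiness check also treats an empty string as "not configured", which is probably intended but deserves a word in the comment above it, e.g. `# empty string counts as unset`. Separately, the CHANGES.md entry spells the method `kuberentes`, while the schema enum and the action code use `kubernetes`. `_get_client` starts and ends outside this hunk.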
@@ -32,7 +39,15 @@ def _get_client(self):
             client.auth.approle.login(
                 role_id=self.config["role_id"],
                 secret_id=self.config["secret_id"],
+                **login_kwargs,
             )
+        elif auth_method == "kubernetes":
+            with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as sa_token:
+                client.auth.kubernetes.login(
+                    self.config["role"],
+                    sa_token.read(),
+                    **login_kwargs,
+                )
         else:
             raise NotImplementedError(
                 "The {} auth method has a typo or has not been implemented (yet).".format(
diff --git a/config.schema.yaml b/config.schema.yaml
index 0eaa02b..5862b3f 100644
--- a/config.schema.yaml
+++ b/config.schema.yaml
@@ -22,6 +22,7 @@
     enum:
       - approle
       - token
+      - kubernetes
     # Not implemented:
     # - app-id
     # - ali-cloud
@@ -32,7 +33,6 @@
     # - gcp
     # - github
     # - jwt
-    # - kubernetes
     # - ldap
     # - mfa
     # - oidc
@@ -40,7 +40,11 @@
     # - radius
     # - userpass
     required: false
-
+
+  auth_mount_point:
+    description: "Custom authentication mount point, if required"
+    type: "string"
+    required: false
   token:
     description: "Authentication token (method=token)"
     type: "string"
@@ -56,3 +60,7 @@
     type: "string"
     secret: true
     required: false
+  role:
+    description: "Authentication role (method=kubernetes)"
+    secret: false
+    required: false
diff --git a/pack.yaml b/pack.yaml
index 48ddb9c..e36603f 100644
--- a/pack.yaml
+++ b/pack.yaml
@@ -2,7 +2,7 @@ ref: vault
 name: vault
 description: HashiCorp Vault
-version: 1.0.0
+version: 1.1.0
 python_versions:
   - "3"
 author: steve.neuharth
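Review bot: In the new `elif auth_method == "kubernetes":` branch the `client.auth.kubernetes.login(...)` call sits inside the `with open(...)` block, so the service-account token file handle is held open for the entire network round-trip to Vault; read first and log in after the block, i.e. `jwt = sa_token.read()` as the only statement under the `with`, then `client.auth.kubernetes.login(self.config["role"], jwt, **login_kwargs)` dedented to the `elif` body. `self.config["role"]` raises a bare `KeyError` when `role` is absent (the schema in this commit marks it `required: false`), which mirrors the existing approle branch but gives the operator no hint which option is missing; a short comment such as `# role is mandatory for the kubernetes method; KeyError here means it is not set in the pack config` would help until a clearer error is raised. The token path `/var/run/secrets/kubernetes.io/serviceaccount/token` is hard-coded, which is reasonable for the default in-cluster mount but should be stated, e.g. `# default in-cluster service-account token path; custom projected-volume paths are not supported`. `_get_client` starts and ends outside this hunk.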
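Review bot: The new `role` entry in the `@@ -56,3 +60,7 @@` hunk declares no `type`, whereas every sibling option visible in this file (`auth_mount_point` added above it, `token`, and the `type: "string"` context line directly preceding it) is typed as a string; add `type: "string"` under `role:` so the value is validated like the other auth options. `secret: false` is consistent with a Kubernetes role name not being a credential. In the `@@ -40,7 +40,11 @@` hunk the `auth_mount_point` description could also say which methods honour it, since the accompanying actions/lib/action.py change appears to pass it only to the approle and kubernetes login calls.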