Add new VaultAuthGlobal type #735
Conversation
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
2 times, most recently
from
74dca96
to
7ecc7c0
Compare
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
5 times, most recently
from
4406bf0
to
071ba35
Compare
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
2 times, most recently
from
303ce2f
to
6eaec64
Compare
|
Relates to #341 |
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
from
6eaec64
to
84003e2
Compare
benashz
changed the title
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
from
84003e2
to
86c22bc
Compare
The resource provide a resource holding Vault auth configuration that
can be shared across VaultAuth resources. A VaultAuth instance only
needs to provide the authentication method and a valid
vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal
with the referring VaultAuth. This allows for a VaultAuth instance to
inherit some global authentication configuration.
The VaultAuthGlobal resource can be configured with one or more Vault
auth method specific configuration.
Given the following VaultAuthGlobal:
```
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuthGlobal
metadata:
name: default
namespace: tenant-ns
spec:
kubernetes:
audiences:
- vault
namespace: demo-ns
mount: demo-auth-mount
role: auth-role
serviceAccount: default
tokenExpirationSeconds: 600
```
The referring VaultAuth would look like:
```
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: tenant-ns
spec:
method: kubernetes
vaultAuthGlobalRef: default
```
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
from
86c22bc
to
b0a73a4
Compare
| Valid bool `json:"valid"` | ||
| Error string `json:"error"` | ||
| Conditions []metav1.Condition `json:"conditions,omitempty"` | ||
| SpecHash string `json:"specHash,omitempty"` | ||
| } |
There was a problem hiding this comment.
Is there a way for users to see what the merged VaultAuth spec is? I wonder if in the future putting the full merged spec in the status would make sense. Would be a a little crowded though.
There was a problem hiding this comment.
It was definitely a consideration, since the hash of the spec is rather opaque :) I think it could make things easier to debug. I can spike in another PR to see what we think. Since we are introducing Conditions here, we could always extend it later as well.
Fixes: - vaultConnectionRef not be inherited from the global auth - firstNonZeroLen() always returned last - misc doc updates and improvements - some fixes to the credentials providers
| Type: "VaultAuthGlobalRef", | ||
| Status: "True", | ||
| ObservedGeneration: o.Generation, | ||
| LastTransitionTime: metav1.NewTime(nowFunc()), |
There was a problem hiding this comment.
This doesn't seem like a transition time, more like an evaluation time?
There was a problem hiding this comment.
Yeah, we probably want the transition time to be related to whenever the ref was last updated.
| var errs error | ||
|
|
||
| var conditions []metav1.Condition |
There was a problem hiding this comment.
Should this be adding onto the existing conditions on the object's status? It looks like this starts over with a single entry every evaluation.
There was a problem hiding this comment.
Yeah, that makes sense. I will address that in a follow-on PR.
| Status: "True", | ||
| ObservedGeneration: o.Generation, | ||
| LastTransitionTime: metav1.NewTime(nowFunc()), | ||
| Reason: "VaultAuthGlobalRef", |
There was a problem hiding this comment.
I wonder if Type and Reason should be different?
There was a problem hiding this comment.
Going to address this comment in a follow-on PR
The resource provide a resource holding Vault auth configuration that can be shared across VaultAuth resources. A VaultAuth instance only needs to provide the authentication method and a valid vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal with the referring VaultAuth. This allows for a VaultAuth instance to inherit some global authentication configuration.
The VaultAuthGlobal resource can be configured with one or more Vault auth method specific configuration.
Given the following VaultAuthGlobal:
The referring VaultAuth would look like:
If you wanted to override the
kubernetes.rolethe VaultAuth would look like:The referring
VaultAuth's configuration always overrides itsVaultAuthGlobal's configuration.