fix for #143

kubernetes path can be provided in vault when creating the auth when running a multicluster setup. defaults to kubernetes.
nodevault · Feb 29, 2024 · a660d8a · a660d8a
1 parent 81f8f8b
commit a660d8a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -64,6 +64,16 @@ vault.write('secret/hello', { value: 'world', lease: '1s' })
 .then( () => vault.delete('secret/hello'))
 .catch(console.error);
 ```
+### Kubernetes Auth Example
+```javascript
+
+//if vault kubernets endpoint is /auth/example-cluster/login and role is example-role
+//read token from default token mount path
+const token = await fs.readFileSync('/var/run/secrets/kubernetes.io/serviceaccount/token', { encoding: 'utf8' });
+vault.kubernetesLogin({role: 'example-role' ,
+            jwt: token,
+            kubernetesPath: 'example-cluster'})
+```
 
 ## Docs
 Just generate [docco] docs via `npm run docs`.

diff --git a/example/auth_kubernetes.js b/example/auth_kubernetes.js
@@ -9,6 +9,7 @@ const kubernetesCaCert = process.env.K8S_CA_CERT || 'k8s-ca-certificate-data';
 
 const appName = process.env.APP_NAME || 'some-app';
 const appServiceAccountSecretToken = process.env.APP_SVC_ACCT_SECRET_TOKEN || 'app-k8s-token';
+const kubernetesPath = process.env.APP_SVC_ACCT_SECRET_TOKEN || 'kubernetes';
 
 vault.auths()
     .then((result) => {
@@ -19,7 +20,7 @@ vault.auths()
             description: 'Kubernetes auth',
         });
     })
-    .then(() => vault.write('auth/kubernetes/config', {
+    .then(() => vault.write('auth/${kubernetesPath}/config', {
         token_reviewer_jwt: vaultServicAccountSecretToken,
         kubernetes_host: kubernetesHostUrl,
         kubernetes_ca_cert: kubernetesCaCert,
@@ -28,12 +29,12 @@ vault.auths()
         name: appName,
         rules: `path "secret/${appName}/*" { capabilities = ["read"] }`,
     }))
-    .then(() => vault.write(`auth/kubernetes/role/${appName}`, {
+    .then(() => vault.write(`auth/${kubernetesPath}/role/${appName}`, {
         bound_service_account_names: appName,
         bound_service_account_namespaces: 'default',
         policies: appName,
         ttl: '1h',
     }))
-    .then(() => vault.kubernetesLogin({ role: appName, jwt: appServiceAccountSecretToken }))
+    .then(() => vault.kubernetesLogin({ role: appName, jwt: appServiceAccountSecretToken, kubernetesPath: kubernetesPath  }))
     .then(console.log)
     .catch((err) => console.error(err.message));
diff --git a/src/commands.js b/src/commands.js
@@ -205,7 +205,7 @@ module.exports = {
     },
     addKubernetesRole: {
         method: 'POST',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
         schema: {
             req: {
                 name: {
@@ -240,14 +240,14 @@ module.exports = {
     },
     getKubernetesRole: {
         method: 'GET',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
         schema: {
             res: kubernetesRoleResponse,
         },
     },
     deleteKubernetesRole: {
         method: 'DELETE',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
     },
     addApproleRole: {
         method: 'POST',
@@ -611,7 +611,7 @@ module.exports = {
     },
     kubernetesLogin: {
         method: 'POST',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/login',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/login',
         tokenSource: true,
         schema: {
             req: {
@@ -742,7 +742,7 @@ module.exports = {
             },
             res: tokenResponse,
         },
-    },  
+    },
     tokenAccessors: {
         method: 'LIST',
         path: '/auth/token/accessors',

diff --git a/src/index.js b/src/index.js
@@ -75,6 +75,7 @@ module.exports = (config = {}) => {
     client.token = config.token || process.env.VAULT_TOKEN;
     client.noCustomHTTPVerbs = config.noCustomHTTPVerbs || false;
     client.namespace = config.namespace || process.env.VAULT_NAMESPACE;
+    client.kubernetesPath = config.kubernetesPath || 'kubernetes';
 
     const requestSchema = {
         type: 'object',