

feat: add support for Hashicorp Vault mTLS (external-secrets#3018)
* feat: adding support for mTLS to the Vault provider

Signed-off-by: Rodrigo Fior Kuntzer <[email protected]>
rodrigorfk authored Jan 18, 2024
1 parent 00249f1 commit 31cecaa
Showing 17 changed files with 828 additions and 74 deletions.
22 changes: 22 additions & 0 deletions apis/externalsecrets/v1beta1/secretstore_vault_types.go
Expand Up @@ -61,6 +61,14 @@ type VaultProvider struct {
// +optional
CABundle []byte `json:"caBundle,omitempty"`

// The configuration used for client side related TLS communication, when the Vault server
// requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
// This parameter is ignored for plain HTTP protocol connection.
// It's worth noting this configuration is different from the "TLS certificates auth method",
// which is available under the `auth.cert` section.
// +optional
ClientTLS VaultClientTLS `json:"tls,omitempty"`

// The provider for the CA bundle to use to validate Vault server certificate.
// +optional
CAProvider *CAProvider `json:"caProvider,omitempty"`
Expand All @@ -80,6 +88,20 @@ type VaultProvider struct {
ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
}

// VaultClientTLS is the configuration used for client side related TLS communication,
// when the Vault server requires mutual authentication.
type VaultClientTLS struct {
// CertSecretRef is a certificate added to the transport layer
// when communicating with the Vault server.
// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
CertSecretRef *esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`

// KeySecretRef to a key in a Secret resource containing client private key
// added to the transport layer when communicating with the Vault server.
// If no key for the Secret is specified, external-secret will default to 'tls.key'.
KeySecretRef *esmeta.SecretKeySelector `json:"keySecretRef,omitempty"`
}

// VaultAuth is the configuration used to authenticate with a Vault server.
// Only one of `tokenSecretRef`, `appRole`, `kubernetes`, `ldap`, `userPass`, `jwt` or `cert`
// can be specified.
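Review bot: `ClientTLS VaultClientTLS `json:"tls,omitempty"`` declares the new optional field as a struct value, and encoding/json never treats a struct value as empty, so `omitempty` has no effect and the field is always emitted as `tls: {}`; the sibling optional field `CAProvider *CAProvider `json:"caProvider,omitempty"`` in the same hunk is a pointer, and `ClientTLS *VaultClientTLS `json:"tls,omitempty"`` would match that convention and let consumers distinguish "not configured" from "configured but empty". In the second hunk, `CertSecretRef` and `KeySecretRef` are each optional on their own, yet a client certificate is useless without its private key; the `VaultClientTLS` doc comment should say so, e.g. `// Both CertSecretRef and KeySecretRef must be set for client certificate authentication to take effect.`, and a half-configured pair is presumably better rejected at validation time than silently degraded to server-only TLS — the consuming provider code is not in this section, so I cannot confirm how it is handled. The `VaultProvider` struct that the first hunk edits starts and ends outside the hunk.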
26 changes: 26 additions & 0 deletions apis/externalsecrets/v1beta1/zz_generated.deepcopy.go


53 changes: 53 additions & 0 deletions config/crds/bases/external-secrets.io_clustersecretstores.yaml
Expand Up @@ -3844,6 +3844,59 @@ spec:
description: 'Server is the connection address for the Vault
server, e.g: "https://vault.example.com:8200".'
type: string
tls:
description: The configuration used for client side related
TLS communication, when the Vault server requires mutual
authentication. Only used if the Server URL is using HTTPS
protocol. This parameter is ignored for plain HTTP protocol
connection. It's worth noting this configuration is different
from the "TLS certificates auth method", which is available
under the `auth.cert` section.
properties:
certSecretRef:
description: CertSecretRef is a certificate added to the
transport layer when communicating with the Vault server.
If no key for the Secret is specified, external-secret
will default to 'tls.crt'.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being
referred to.
type: string
namespace:
description: Namespace of the resource being referred
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
type: object
keySecretRef:
description: KeySecretRef to a key in a Secret resource
containing client private key added to the transport
layer when communicating with the Vault server. If no
key for the Secret is specified, external-secret will
default to 'tls.key'.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being
referred to.
type: string
namespace:
description: Namespace of the resource being referred
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
type: object
type: object
version:
default: v2
description: Version is the Vault KV secret engine version.
53 changes: 53 additions & 0 deletions config/crds/bases/external-secrets.io_secretstores.yaml
Expand Up @@ -3844,6 +3844,59 @@ spec:
description: 'Server is the connection address for the Vault
server, e.g: "https://vault.example.com:8200".'
type: string
tls:
description: The configuration used for client side related
TLS communication, when the Vault server requires mutual
authentication. Only used if the Server URL is using HTTPS
protocol. This parameter is ignored for plain HTTP protocol
connection. It's worth noting this configuration is different
from the "TLS certificates auth method", which is available
under the `auth.cert` section.
properties:
certSecretRef:
description: CertSecretRef is a certificate added to the
transport layer when communicating with the Vault server.
If no key for the Secret is specified, external-secret
will default to 'tls.crt'.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being
referred to.
type: string
namespace:
description: Namespace of the resource being referred
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
type: object
keySecretRef:
description: KeySecretRef to a key in a Secret resource
containing client private key added to the transport
layer when communicating with the Vault server. If no
key for the Secret is specified, external-secret will
default to 'tls.key'.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being
referred to.
type: string
namespace:
description: Namespace of the resource being referred
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
type: object
type: object
version:
default: v2
description: Version is the Vault KV secret engine version.
Expand Up @@ -605,6 +605,57 @@ spec:
description: 'Server is the connection address for the Vault server,
e.g: "https://vault.example.com:8200".'
type: string
tls:
description: The configuration used for client side related TLS
communication, when the Vault server requires mutual authentication.
Only used if the Server URL is using HTTPS protocol. This parameter
is ignored for plain HTTP protocol connection. It's worth noting
this configuration is different from the "TLS certificates auth
method", which is available under the `auth.cert` section.
properties:
certSecretRef:
description: CertSecretRef is a certificate added to the transport
layer when communicating with the Vault server. If no key
for the Secret is specified, external-secret will default
to 'tls.crt'.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this field
may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred
to.
type: string
namespace:
description: Namespace of the resource being referred
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
type: object
keySecretRef:
description: KeySecretRef to a key in a Secret resource containing
client private key added to the transport layer when communicating
with the Vault server. If no key for the Secret is specified,
external-secret will default to 'tls.key'.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this field
may be defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred
to.
type: string
namespace:
description: Namespace of the resource being referred
to. Ignored if referent is not cluster-scoped. cluster-scoped
defaults to the namespace of the referent.
type: string
type: object
type: object
version:
default: v2
description: Version is the Vault KV secret engine version. This
