
Add HashiCorp Vault key manager plugin to SPIRE server #5500

Open. Wants to merge 32 commits into base: main.

Conversation

@InverseIntegral (Author)

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality
This MR introduces a new SPIRE server key manager plugin that uses HashiCorp Vault to manage keys.

Description of change
This change adds a new key manager plugin to SPIRE server named hashicorp_vault. It uses a transit secrets engine within HashiCorp Vault to manage keys and sign data. The client is largely based on the existing upstream authority plugin for HashiCorp Vault which was introduced in #1611 by @hiyosi.

Which issue this PR fixes
This PR fixes #5058

Note that this is my first time implementing such a plugin and I expect there to be a lot of open questions and expected changes. I'm really looking forward to any feedback! ❤️

@amartinezfayo (Member) left a comment

Hi @InverseIntegral, thank you very much for this contribution.
I'm still going over this PR, but the first high-level comment that I wanted to provide is that we will need integration tests that exercise this plugin. It should be a new suite added to our integration test framework: https://github.com/spiffe/spire/tree/main/test/integration

I'll be adding more comments as I make progress with the review :) Thank you again for this contribution!

Review comment on the plugin documentation, quoted context:

| client_key_path | string | | Path to a client private key file. Only PEM format is supported. | `${VAULT_CLIENT_KEY}` |

```hcl
UpstreamAuthority "vault" {
```

@amartinezfayo (Member), suggested change: replace `UpstreamAuthority "vault" {` with `KeyManager "hashicorp_vault" {`.

Review comment on the plugin documentation, quoted context:

| token | string | | Token string to set into "X-Vault-Token" header | `${VAULT_TOKEN}` |

```hcl
UpstreamAuthority "vault" {
```

@amartinezfayo (Member), suggested change: replace `UpstreamAuthority "vault" {` with `KeyManager "hashicorp_vault" {`.

Review comment on the plugin documentation, quoted context:

| approle_secret_id | string | | A credential of AppRole | `${VAULT_APPROLE_SECRET_ID}` |

```hcl
UpstreamAuthority "vault" {
```

@amartinezfayo (Member), suggested change: replace `UpstreamAuthority "vault" {` with `KeyManager "hashicorp_vault" {`.

Review comment on the plugin documentation, quoted context:

| token_path | string | ✔ | Path to the Kubernetes Service Account Token to use authentication with the Vault | |

```hcl
UpstreamAuthority "vault" {
```

@amartinezfayo (Member), suggested change: replace `UpstreamAuthority "vault" {` with `KeyManager "hashicorp_vault" {`.

@InverseIntegral (Author)

Thank you @amartinezfayo for the initial review and sorry for the delay on my end. I will add integration tests to test the plugin more thoroughly 👍

Review comment on the plugin documentation, quoted context:

| namespace | string | | Name of the Vault namespace. This is only available in the Vault Enterprise. | `${VAULT_NAMESPACE}` |
| transit_engine_path | string | | Path of the transit engine that stores the keys. | transit |
| ca_cert_path | string | | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. | `${VAULT_CACERT}` |
| insecure_skip_verify | bool | | If true, vault client accepts any server certificates | false |

@amartinezfayo (Member): We should have a note here that this is only for test environments.

Review comment on the Go configuration mapping, quoted context:

```go
Namespace:         p.getEnvOrDefault(envVaultNamespace, config.Namespace),
TransitEnginePath: p.getEnvOrDefault(envVaultTransitEnginePath, config.TransitEnginePath),
CACertPath:        p.getEnvOrDefault(envVaultCACert, config.CACertPath),
TLSSKipVerify:     config.InsecureSkipVerify,
```

@amartinezfayo (Member): I think that we should log a warning if InsecureSkipVerify is set to true.
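As an added illustration (not code from the PR or from SPIRE), the following Go snippet shows one way to resolve the quoted settings with environment overrides and to surface the warning the reviewer asks for when `insecure_skip_verify` is true. The types, `getEnvOrDefault`/`buildClientConfig` helpers and the name `VAULT_TRANSIT_ENGINE_PATH` are assumptions for this example; `VAULT_NAMESPACE` and `VAULT_CACERT` are the variables documented above.

```go
package main

import "fmt"

// Configuration mirrors the plugin HCL fields quoted in the review (constructed for this example).
type Configuration struct {
	Namespace, TransitEnginePath, CACertPath string
	InsecureSkipVerify                       bool
}

// ClientConfig is what the Vault client is built from; TLSSKipVerify keeps the snippet's field name.
// Warnings are returned rather than logged here so the caller decides how to surface them.
type ClientConfig struct {
	Namespace, TransitEnginePath, CACertPath string
	TLSSKipVerify                            bool
	Warnings                                 []string
}

// getEnvOrDefault lets an environment variable override the file value. lookup is injected
// (os.LookupEnv in production) so the resolution can be exercised without touching the process env.
func getEnvOrDefault(lookup func(string) (string, bool), env, def string) string {
	if v, ok := lookup(env); ok && v != "" {
		return v
	}
	return def
}

// buildClientConfig resolves the settings as the reviewed snippet does and records a warning when
// certificate verification is disabled. VAULT_NAMESPACE and VAULT_CACERT are documented on the page;
// VAULT_TRANSIT_ENGINE_PATH is an assumed name for the envVaultTransitEnginePath constant.
func buildClientConfig(cfg Configuration, lookup func(string) (string, bool)) ClientConfig {
	cc := ClientConfig{
		Namespace:         getEnvOrDefault(lookup, "VAULT_NAMESPACE", cfg.Namespace),
		TransitEnginePath: getEnvOrDefault(lookup, "VAULT_TRANSIT_ENGINE_PATH", cfg.TransitEnginePath),
		CACertPath:        getEnvOrDefault(lookup, "VAULT_CACERT", cfg.CACertPath),
		TLSSKipVerify:     cfg.InsecureSkipVerify,
	}
	if cc.TransitEnginePath == "" {
		cc.TransitEnginePath = "transit" // documented default
	}
	if cc.TLSSKipVerify {
		cc.Warnings = append(cc.Warnings, "insecure_skip_verify is true: the Vault server certificate is not verified; use only in test environments")
	}
	return cc
}

func main() {
	noEnv := func(string) (string, bool) { return "", false }
	cc := buildClientConfig(Configuration{InsecureSkipVerify: true}, noEnv)
	fmt.Printf("transit=%s warnings=%v\n", cc.TransitEnginePath, cc.Warnings)
}
```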

Development

Successfully merging this pull request may close these issues: Feature Request: Use HashiCorp Vault as a SPIRE Server KeyManager

2 participants