diff --git a/pkg/k8s/pod_utils.go b/pkg/k8s/pod_utils.go
index 398fdc8..2cd9635 100644
--- a/pkg/k8s/pod_utils.go
+++ b/pkg/k8s/pod_utils.go
@@ -36,8 +36,11 @@ func NewPodService(clientset KubernetesClient, cfg *config.Config) PodService {
 }
 
 type PodInformations struct {
- PodNameUUIDs []string
- Namespace string
+ PodNameUUIDs []string
+ Namespace string
+ ServiceAccountName string
+ PodName string
+ NodeName string
 }
 
 func (p *podServiceImpl) GetAllPodAndNamespace(ctx context.Context) ([]PodInformations, error) {
@@ -61,8 +64,11 @@ func (p *podServiceImpl) GetAllPodAndNamespace(ctx context.Context) ([]PodInform
 for _, pod := range pods.Items {
 if uuid, exists := pod.GetAnnotations()[ANNOTATION_VAULT_POD_UUID]; exists {
 podInfos = append(podInfos, PodInformations{
- PodNameUUIDs: strings.Split(uuid, ","),
- Namespace: pod.Namespace,
+ PodNameUUIDs: strings.Split(uuid, ","),
+ Namespace: pod.Namespace,
+ PodName: pod.Name,
+ NodeName: pod.Spec.NodeName,
+ ServiceAccountName: pod.Spec.ServiceAccountName,
 })
 }
 }
diff --git a/pkg/k8smutator/k8smutator.go b/pkg/k8smutator/k8smutator.go
index 3ae26b7..402a259 100644
--- a/pkg/k8smutator/k8smutator.go
+++ b/pkg/k8smutator/k8smutator.go
@@ -107,7 +107,7 @@ func handlePodConfiguration(ctx context.Context, cfg *config.Config, dbConfs *[]
 podUuid := generateUUID(logger)
 podUuids = append(podUuids, podUuid)
 // Request temporary database credentials from vault using configured role
- creds, err := vaultConn.GetDbCredentials(ctx, cfg.TokenTTL, podUuid, pod.Namespace, cfg.VaultSecretName, cfg.VaultSecretPrefix)
+ creds, err := vaultConn.GetDbCredentials(ctx, cfg.TokenTTL, podUuid, pod.Namespace, cfg.VaultSecretName, cfg.VaultSecretPrefix, pod.Spec.ServiceAccountName)
 if err != nil {
 vaultConn.RevokeSelfToken(ctx, vaultConn.K8sSaVaultToken, "", "")
 return nil, dbConf.Role, nil, errors.Newf("cannot get database credentials from role %s: %s", dbConf.Role, err.Error())
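Review bot: The three exported fields added to PodInformations have no doc comments, and NodeName in particular is filled from pod.Spec.NodeName in the next hunk, which is empty until the scheduler has bound the pod, so a consumer cannot distinguish "not yet scheduled" from "not recorded". Suggest `// NodeName is pod.Spec.NodeName; empty while the pod is still unscheduled.`, `// PodName is the pod's metadata.name.` and `// ServiceAccountName is pod.Spec.ServiceAccountName as returned by the API server.` above the respective fields. The struct literal in the second hunk also lists the fields in a different order (PodName, NodeName, ServiceAccountName) than the type declaration; aligning them is a small readability win.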
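Review bot: pod.Spec.ServiceAccountName is forwarded straight from the admission object with no fallback; if it is empty at this point (presumably the ServiceAccount admission plugin has already defaulted it, but that depends on webhook ordering — confirm) the lease record is written to Vault with an empty SA, and the backfill added in HandleTokens will then rewrite that record on every pass. A one-line comment at the call site stating the assumption would help, e.g. `// pod.Spec.ServiceAccountName is expected to be defaulted by the API server before the webhook runs`. The enclosing handlePodConfiguration continues outside the hunk.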
diff --git a/pkg/vault/handle_token.go b/pkg/vault/handle_token.go
index 4c46c21..2bec15a 100644
--- a/pkg/vault/handle_token.go
+++ b/pkg/vault/handle_token.go
@@ -14,26 +14,43 @@ import (
 )
 
 type KeyInformation struct {
- PodNameUID string
- LeaseId string
- TokenId string
- Namespace string
+ PodNameUID string
+ LeaseId string
+ TokenId string
+ Namespace string
+ PodName string
+ NodeName string
+ ServiceAccount string
 }
 
-func NewKeyInformation(podName, leaseId, tokenId, namespace string) *KeyInformation {
+func NewKeyInformation(podUuid, leaseId, tokenId, namespace, serviceAccount string, podName ...string) *KeyInformation {
+ var pn string
+ var nn string
+ if len(podName) > 0 {
+ pn = podName[0]
+ }
+ if len(podName) > 1 {
+ nn = podName[1]
+ }
 return &KeyInformation{
- PodNameUID: podName,
- LeaseId: leaseId,
- TokenId: tokenId,
- Namespace: namespace,
+ PodNameUID: podUuid,
+ LeaseId: leaseId,
+ TokenId: tokenId,
+ Namespace: namespace,
+ PodName: pn,
+ NodeName: nn,
+ ServiceAccount: serviceAccount,
 }
 }
 
 func (c *Connector) StoreData(ctx context.Context, vaultInformation *KeyInformation, secretName, uuid, namespace, prefix string) (string, error) {
 data := map[string]interface{}{
- "LeaseId": vaultInformation.LeaseId,
- "TokenId": vaultInformation.TokenId,
- "Namespace": vaultInformation.Namespace,
+ "LeaseId": vaultInformation.LeaseId,
+ "TokenId": vaultInformation.TokenId,
+ "Namespace": vaultInformation.Namespace,
+ "ServiceAccountName": vaultInformation.ServiceAccount,
+ "PodName": vaultInformation.PodName,
+ "NodeName": vaultInformation.NodeName,
 }
 
 kv := c.client.KVv2(secretName)
@@ -72,6 +89,9 @@ func (c *Connector) DeleteData(ctx context.Context, podName, secretName, uuid, n
 }
 
 func safeString(v interface{}) string {
+ if v == nil {
+ return ""
+ }
 s, _ := v.(string)
 return s
 }
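Review bot: NewKeyInformation uses the variadic `podName ...string` to carry two positionally distinct values (index 0 is the pod name, index 1 the node name), so a caller that passes a single trailing value meaning "node" silently stores it as PodName and leaves NodeName empty, and vault.go already has to pad its call with `"", ""` to keep the shape. Since this commit touches every caller anyway, explicit parameters are safer: `func NewKeyInformation(podUuid, leaseId, tokenId, namespace, serviceAccount, podName, nodeName string) *KeyInformation {` with `PodName: podName,` and `NodeName: nodeName,`, which also removes the eight lines of pn/nn unpacking. If the variadic form is kept for source compatibility, the exported function needs a doc comment that spells out the index meaning, e.g. `// NewKeyInformation builds a KeyInformation; the optional trailing values are, in order, the pod name and the node name.`. The same record is persisted under the KV key "ServiceAccountName" while the struct field is ServiceAccount and PodInformations uses ServiceAccountName — picking one name across the three would avoid confusion when grepping.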
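Review bot: The nil guard added to safeString is redundant: the comma-ok assertion `s, _ := v.(string)` on a nil interface already yields `""` without panicking, so the function's behavior is unchanged by the three new lines. Either drop them, or keep them with a comment that says why, e.g. `// explicit for readers; v.(string) on a nil interface already yields "", false`.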
@@ -98,6 +118,9 @@ func (c *Connector) GetKeyInformations(ctx context.Context, podName, uuid, path,
 safeString(dataMap["LeaseId"]),
 safeString(dataMap["TokenId"]),
 safeString(dataMap["Namespace"]),
+ safeString(dataMap["ServiceAccountName"]),
+ safeString(dataMap["PodName"]),
+ safeString(dataMap["NodeName"]),
 )
 
 return keyInfo, nil
@@ -163,6 +186,9 @@ func (c *Connector) ListKeyInformations(ctx context.Context, path, prefix string
 safeString(dataMap["LeaseId"]),
 safeString(dataMap["TokenId"]),
 safeString(dataMap["Namespace"]),
+ safeString(dataMap["ServiceAccountName"]),
+ safeString(dataMap["PodName"]),
+ safeString(dataMap["NodeName"]),
 )
 keyInformationsChan <- keyInfo
 }(k)
@@ -250,6 +276,14 @@ func (c *Connector) HandleTokens(ctx context.Context, cfg *config.Config, keysIn
 isOk = false
 return
 }
+ if ki.ServiceAccount == "" || ki.NodeName == "" || ki.PodName == "" {
+ fullyKiInformations := NewKeyInformation(ki.PodNameUID, ki.LeaseId, ki.TokenId, ki.Namespace, podInfoMap[ki.PodNameUID].ServiceAccountName, podInfoMap[ki.PodNameUID].PodName, podInfoMap[ki.PodNameUID].NodeName)
+ c.Log.Debugf("Renewing information for UUID %s", ki.PodNameUID)
+ status, err := c.StoreData(ctx, fullyKiInformations, secretName, ki.PodNameUID, ki.Namespace, prefix)
+ if err != nil {
+ c.Log.Infof("%s : Extended vault information could not been saved, process will continue : %v", status, err)
+ }
+ }
 } else {
 leaseTooYoung, err := c.isLeaseTooYoung(ctx, ki.LeaseId)
 if err != nil {
diff --git a/pkg/vault/handle_token_test.go b/pkg/vault/handle_token_test.go
index 94e7fd2..71d0454 100644
--- a/pkg/vault/handle_token_test.go
+++ b/pkg/vault/handle_token_test.go
@@ -48,8 +48,9 @@ func TestNewKeyInformation(t *testing.T) {
 leaseId := "lease-id"
 tokenId := "token-id"
 namespace := "test-namespace"
+ serviceaccount := "sa"
- keyInfo := NewKeyInformation(podName, leaseId, tokenId, namespace)
+ keyInfo := NewKeyInformation(podName, leaseId, tokenId, namespace, serviceaccount)
 assert.Equal(t, podName, keyInfo.PodNameUID)
 assert.Equal(t, leaseId, keyInfo.LeaseId)
 assert.Equal(t, tokenId, keyInfo.TokenId)
@@ -125,6 +126,7 @@ func TestStoreData(t *testing.T) {
 assert.Equal(t, tt.vaultInfo.LeaseId, data["LeaseId"])
 assert.Equal(t, tt.vaultInfo.TokenId, data["TokenId"])
 assert.Equal(t, tt.vaultInfo.Namespace, data["Namespace"])
+ assert.Equal(t, tt.vaultInfo.ServiceAccount, data["ServiceAccountName"])
 }
 })
 }
@@ -179,9 +181,10 @@ func TestDeleteData(t *testing.T) {
 // Setup data to delete
 data := map[string]interface{}{
 "data": map[string]interface{}{
- "LeaseId": "lease-id",
- "TokenId": "token-id",
- "Namespace": "namespace",
+ "LeaseId": "lease-id",
+ "TokenId": "token-id",
+ "Namespace": "namespace",
+ "ServiceAccountName": "sa",
 },
 }
 _, err := client.Logical().Write("vault-db-injector/data/"+tt.prefix+"/"+tt.podName, data)
diff --git a/pkg/vault/vault.go b/pkg/vault/vault.go
index f854857..b1999ac 100644
--- a/pkg/vault/vault.go
+++ b/pkg/vault/vault.go
@@ -168,7 +168,7 @@ func (c *Connector) CanIGetRoles(serviceAccountName, namespace, vaultAuthPath, d
 return true, nil
 }
 
-func (c *Connector) GetDbCredentials(ctx context.Context, ttl, PodNameUID, namespace, secretName, prefix string) (*DbCreds, error) {
+func (c *Connector) GetDbCredentials(ctx context.Context, ttl, PodNameUID, namespace, secretName, prefix, serviceAccount string) (*DbCreds, error) {
 // Create orphan token before retrieving BDD IDs
 var policies []string
 policies = append(policies, c.dbRole)
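Review bot: TestNewKeyInformation now passes serviceaccount into NewKeyInformation, but the visible assertions still only cover PodNameUID, LeaseId and TokenId, so a swapped or dropped argument for the new field would go unnoticed (the function continues outside the hunk, so check whether a later assertion already covers it). Add `assert.Equal(t, serviceaccount, keyInfo.ServiceAccount)` plus `assert.Empty(t, keyInfo.PodName)` and `assert.Empty(t, keyInfo.NodeName)` to pin the behavior of the omitted variadic tail. The TestStoreData hunk has the same gap: it asserts ServiceAccountName but neither PodName nor NodeName, which StoreData now also persists. Style: the new local would conventionally be `serviceAccount` (MixedCaps).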
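Review bot: GetDbCredentials is exported and gains a serviceAccount parameter without any doc comment, and nothing in this hunk shows the value being used for anything beyond the stored lease metadata (the body continues outside the hunk; CanIGetRoles directly above takes its own serviceAccountName, so the two can diverge). A doc comment that states the contract would stop future readers from assuming the value gates the role, e.g. `// GetDbCredentials creates an orphan token and retrieves database credentials for PodNameUID; serviceAccount is recorded with the lease metadata and is not an authorization input here.`. If that reading is wrong and the value does participate in the check, the comment should point to where that happens instead.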
@@ -198,7 +198,7 @@ func (c *Connector) GetDbCredentials(ctx context.Context, ttl, PodNameUID, names creds.DbLeaseId = secret.LeaseID creds.DbTokenId = c.vaultToken - vaultInformation := NewKeyInformation(PodNameUID, creds.DbLeaseId, creds.DbTokenId, namespace) + vaultInformation := NewKeyInformation(PodNameUID, creds.DbLeaseId, creds.DbTokenId, namespace, serviceAccount, "", "") c.SetToken(c.K8sSaVaultToken)