Skip to content

Commit 156225a

Browse files
pfeifferjclaude
pfeifferj
and
claude
committed
Fix Kubernetes auth integration test for Vault 1.21.0
This commit fixes the auth_kubernetes integration test to work with Vault 1.21.0, which changed how the Kubernetes auth method validates JWT tokens by always calling the TokenReview API. Changes: 1. Fixed kubernetes_setup.yml to use 'pem_keys' instead of 'jwt_validation_pubkeys' 2. Added 'audience: test' parameter to role configuration for JWT validation 3. Changed kubernetes_host to point to mmock (http://mmock:8900) 4. Added mmock configuration for Kubernetes TokenReview API in the correct location (setup_localenv_docker/templates/mmock/kubernetes_tokenreview.yml.j2) 5. Regenerated service account JWT token with proper claims 6. Updated vault policy permissions for integration tests The mmock config follows the same pattern as other auth methods (AWS IAM, Azure, GCP, LDAP) by placing it in setup_localenv_docker/templates/mmock/ where it will be automatically templated and deployed. Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
1 parent b838dcb commit 156225a

File tree

9 files changed

+54
-25
lines changed

9 files changed

+54
-25
lines changed

plugins/doc_fragments/auth.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ class ModuleDocFragment(object):
2020
- C(aws_iam_login) was renamed C(aws_iam) in collection version C(2.1.0) and was removed in C(3.0.0).
2121
- C(azure) auth method was added in collection version C(3.2.0).
2222
- C(gcp) auth method was added in collection version C(7.1.0).
23+
- C(kubernetes) auth method was added in collection version C(8.0.0).
2324
choices:
2425
- token
2526
- userpass
@@ -30,6 +31,7 @@ class ModuleDocFragment(object):
3031
- jwt
3132
- cert
3233
- gcp
34+
- kubernetes
3335
- none
3436
default: token
3537
type: str

plugins/module_utils/_auth_method_k8s.py

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,10 +47,12 @@ def authenticate(self, client, use_token=True):
4747
params = {
4848
"role": origin_params.get('role_id'),
4949
"jwt": origin_params.get('kubernetes_token'),
50-
"mount_point": origin_params.get('mount_point'),
5150
"use_token": use_token,
5251
}
5352

53+
if 'mount_point' in origin_params:
54+
params['mount_point'] = origin_params['mount_point']
55+
5456
try:
5557
response = client.auth.kubernetes.login(**params)
5658
except (NotImplementedError, AttributeError):

plugins/module_utils/_authenticator.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,7 @@ class HashiVaultAuthenticator():
4040
'jwt',
4141
'cert',
4242
'gcp',
43+
'kubernetes',
4344
'none',
4445
]),
4546
mount_point=dict(type='str'),

tests/integration/targets/auth_kubernetes/aliases

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,4 @@
1+
vault/auth/kubernetes
2+
context/target
3+
needs/target/setup_vault_configure
14
needs/target/setup_vault_test_plugins

tests/integration/targets/auth_kubernetes/files/service_account_token.jwt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0Iiwic3ViIjoiaGFzaGlfdmF1bHRAdGVzdC5hbnNpYmxlLmNvbSIsIm5iZiI6MTYwNDgzNTEwMCwiZXhwIjozMjQ5OTA1MTM1OX0.NEWQR_Eicw8Fa9gU9HPY2M9Rp1czNTUKrICwKe7l1edaZNtgxhMGdyqnBsPrHL_dw1ZIwdvwVAioi8bEyIDEWICls0lzHwM169rrea3WEFrB5CP17A6DkvYL0cnOnGutbwUrXInPCRUfvRogIKEI-w8X-ris9LX2FBPKhXX1K3U0D8uYi5_9t8YWywTe0NkYvY-nTzMugK1MXMoBJ3fCksweJiDp6BOo3v9OU03MLgwgri2UdsqVb7WSk4XvWG-lmbiiSAWVf9BI3mecVDUHpYxbEqjv1HDG_wdX8zy1ZlAFbjp3kIpMlDVK1Q5nu_VPDzQrEvPdTnOzU36LE4UF-w
1+
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsidGVzdCJdLCJleHAiOjMyNDk5MDUxMzU5LCJpYXQiOjE2MDQ4MzUxMDAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InZhdWx0LWF1dGgiLCJ1aWQiOiJkNzdjMWZlYi1jOTE5LTQxMDYtYWE4YS01MGY2N2MzYTE2MWUifX0sIm5iZiI6MTYwNDgzNTEwMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dmF1bHQtYXV0aCJ9.qfOfj4FeVBlBoWbaME6UnDCqKXE2FXKyil3ia1lDMaqcc87fYYE4yVByhqCSJy2pToO2MW3mYBKwfgfKxKaZj64hMh3yu1RNRASvWAVi4JM4nrBtdXei24e3WgRIjYOJnaHuypYtiBfHC-ArNJN_AhoGI00SP7Mx_ohcxtHbBcIE15Dlbh9eHOVtQSSMazaOAyQQLUybNmw9PDD0wwLnKgiky35dG03tZWd2pUttDWKlTzuIDPHyUyY9CYe-C3rVidJ6Vpw9atIO6NcffD5dvXujY1boUVO52xhcNCyL7UX1YqjcaqgUvEtUN1ridAb_rispVNzbe2w1cp41CqGHcQ

tests/integration/targets/auth_kubernetes/tasks/kubernetes_setup.yml

Lines changed: 12 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3,13 +3,13 @@
33
is_default_path: "{{ this_path == default_path }}"
44
jwt_public_key: |
55
-----BEGIN PUBLIC KEY-----
6-
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArIansgZKnb2NnOFe6+g3
7-
v8kzMySJrBNxfzEq8nn3qtXsL4pl2bvrM8or3F6iNPv2p5GHGJat0HANgLBvxGlv
8-
u2KYN8Jnjqf8zX5sqmvaK1L5aFZD7p9OKxu7JTCUzjykKGqmDXlitXXxkoDlCUr6
9-
m7kR5Hn/VnmRWlyiIWQL8iY2pxYKGl7CvXEmW1vqEJvvOH2P0PxBS8fHFuEX3k+N
10-
vEMJlDqN9MRi4EYh7P7R7qMVKSpOUl6K4TEYMsV3D0sHaIGDq+iw8Ev0fO2CglV5
11-
uDAgo0WZlxcl6VqLDQIV20JJGHdHBxGFZl5GqzbM5yNEr2hUqT1h8fKHdF6L0xRu
12-
eQIDAQAB
6+
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvUJ8sf9bUQtAyESZ73mw
7+
LCHjA8cj2ly3GTy5fxsyniUvkl6x+fVOXYqxgDYc9m14iaUXjE2eUIdQOnmRNIAz
8+
xIhxKvXMhJVRSnjCcdQZ9FUPyvQ1bcNo6rISOEEroUdQ6ymX6/DKhW/tXPrYPFyK
9+
502UF+YhuP+t/OdKT4qbIxHvkDyGorJDlfKDx9wIr88xY4+KFLKSkaCsO6fZvmhw
10+
L2pVl5UfJ/mYXZdeJ8b8pJLSnWmKzXwamGNnvJK3Z4DwicL6Z9PS8ryZWMAUswFR
11+
menCQdtebBuaKi401N9SlPl/qb3nFW3YVO1NrqGvF9nprdtBNN3++0a1fuMUmPhb
12+
1QIDAQAB
1313
-----END PUBLIC KEY-----
1414
block:
1515
- name: "Enable the Kubernetes auth method"
@@ -23,25 +23,18 @@
2323
vault_ci_write:
2424
path: "auth/{{ this_path }}/config"
2525
data:
26-
kubernetes_host: "https://kubernetes.default.svc"
27-
kubernetes_ca_cert: |
28-
-----BEGIN CERTIFICATE-----
29-
MIIDBjCCAe4CAQAwDQYJKoZIhvcNAQEFBQAwEzERMA8GA1UEAwwIdGVzdC5jb20w
30-
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
31-
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
32-
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
33-
-----END CERTIFICATE-----
34-
jwt_validation_pubkeys: |
26+
kubernetes_host: "http://mmock:8900"
27+
pem_keys: |
3528
{{ jwt_public_key }}
36-
issuer: "https://kubernetes.default.svc.cluster.local"
29+
disable_local_ca_jwt: true
30+
disable_iss_validation: true
3731

3832
- name: "Create a named role"
3933
vault_ci_write:
4034
path: "auth/{{ this_path }}/role/test-role"
4135
data:
4236
bound_service_account_names: "*"
4337
bound_service_account_namespaces: "*"
44-
# in docs, this is token_policies (changed in Vault 1.2)
45-
# use 'policies' to support older versions
4638
policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }}"
4739
ttl: 60m
40+
audience: "test"

tests/integration/targets/setup_localenv_docker/templates/mmock/kubernetes_tokenreview.yml.j2

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
#jinja2:variable_start_string:'[%', variable_end_string:'%]'
2+
---
3+
request:
4+
method: POST
5+
path: "/apis/authentication.k8s.io/v1/tokenreviews"
6+
response:
7+
statusCode: 201
8+
headers:
9+
Content-Type:
10+
- application/json
11+
body: >-
12+
{
13+
"apiVersion": "authentication.k8s.io/v1",
14+
"kind": "TokenReview",
15+
"status": {
16+
"authenticated": true,
17+
"user": {
18+
"username": "system:serviceaccount:default:vault-auth",
19+
"uid": "d77c1feb-c919-4106-aa8a-50f67c3a161e",
20+
"groups": [
21+
"system:serviceaccounts",
22+
"system:serviceaccounts:default",
23+
"system:authenticated"
24+
]
25+
},
26+
"audiences": ["test"]
27+
}
28+
}

tests/integration/targets/setup_vault_configure/vars/main.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -124,6 +124,7 @@ vault_base_policy: |
124124
}
125125
126126
vault_token_creator_policy: |
127+
{{ vault_base_policy }}
127128
path "auth/token/create" {
128129
capabilities = ["create", "update"]
129130
}
@@ -132,6 +133,7 @@ vault_token_creator_policy: |
132133
}
133134
134135
vault_orphan_creator_policy: |
136+
{{ vault_base_policy }}
135137
path "auth/token/create" {
136138
capabilities = ["create", "update"]
137139
}

tests/unit/plugins/module_utils/authentication/test_auth_k8s.py

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -115,11 +115,10 @@ def test_auth_k8s_authenticate(self, auth_k8s, client, adapter, kubernetes_token
115115
expected_login_params = {
116116
'role': role_id,
117117
'jwt': kubernetes_token,
118-
'mount_point': None,
119118
'use_token': use_token,
120119
}
121120

122-
def _mock_login(role, jwt, mount_point, use_token):
121+
def _mock_login(role, jwt, use_token, mount_point=None):
123122
if use_token:
124123
client.token = k8s_login_response['auth']['client_token']
125124
return k8s_login_response
@@ -161,11 +160,10 @@ def test_auth_k8s_authenticate_fallback_deprecated(self, auth_k8s, client, adapt
161160
expected_login_params = {
162161
'role': role_id,
163162
'jwt': kubernetes_token,
164-
'mount_point': None,
165163
'use_token': True,
166164
}
167165

168-
def _mock_deprecated_login(role, jwt, mount_point, use_token):
166+
def _mock_deprecated_login(role, jwt, use_token, mount_point=None):
169167
if use_token:
170168
client.token = k8s_login_response['auth']['client_token']
171169
return k8s_login_response

0 commit comments

Comments
 (0)