Fix Kubernetes auth integration test for Vault 1.21.0

Author: pfeifferj

plugins/doc_fragments/auth.py

@@ -20,6 +20,7 @@ class ModuleDocFragment(object):
           - C(aws_iam_login) was renamed C(aws_iam) in collection version C(2.1.0) and was removed in C(3.0.0).
           - C(azure) auth method was added in collection version C(3.2.0).
           - C(gcp) auth method was added in collection version C(7.1.0).
+          - C(kubernetes) auth method was added in collection version C(8.0.0).
         choices:
           - token
           - userpass
@@ -30,6 +31,7 @@ class ModuleDocFragment(object):
           - jwt
           - cert
           - gcp
+          - kubernetes
           - none
         default: token
         type: str

plugins/module_utils/_auth_method_k8s.py

@@ -47,10 +47,12 @@ def authenticate(self, client, use_token=True):
         params = {
             "role": origin_params.get('role_id'),
             "jwt": origin_params.get('kubernetes_token'),
-            "mount_point": origin_params.get('mount_point'),
             "use_token": use_token,
         }
 
+        if 'mount_point' in origin_params:
+            params['mount_point'] = origin_params['mount_point']
+
         try:
             response = client.auth.kubernetes.login(**params)
         except (NotImplementedError, AttributeError):

plugins/module_utils/_authenticator.py

@@ -40,6 +40,7 @@ class HashiVaultAuthenticator():
             'jwt',
             'cert',
             'gcp',
+            'kubernetes',
             'none',
         ]),
         mount_point=dict(type='str'),

tests/integration/targets/auth_kubernetes/aliases

@@ -1 +1,4 @@
+vault/auth/kubernetes
+context/target
+needs/target/setup_vault_configure
 needs/target/setup_vault_test_plugins

tests/integration/targets/auth_kubernetes/files/service_account_token.jwt

@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0Iiwic3ViIjoiaGFzaGlfdmF1bHRAdGVzdC5hbnNpYmxlLmNvbSIsIm5iZiI6MTYwNDgzNTEwMCwiZXhwIjozMjQ5OTA1MTM1OX0.NEWQR_Eicw8Fa9gU9HPY2M9Rp1czNTUKrICwKe7l1edaZNtgxhMGdyqnBsPrHL_dw1ZIwdvwVAioi8bEyIDEWICls0lzHwM169rrea3WEFrB5CP17A6DkvYL0cnOnGutbwUrXInPCRUfvRogIKEI-w8X-ris9LX2FBPKhXX1K3U0D8uYi5_9t8YWywTe0NkYvY-nTzMugK1MXMoBJ3fCksweJiDp6BOo3v9OU03MLgwgri2UdsqVb7WSk4XvWG-lmbiiSAWVf9BI3mecVDUHpYxbEqjv1HDG_wdX8zy1ZlAFbjp3kIpMlDVK1Q5nu_VPDzQrEvPdTnOzU36LE4UF-w
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsidGVzdCJdLCJleHAiOjMyNDk5MDUxMzU5LCJpYXQiOjE2MDQ4MzUxMDAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InZhdWx0LWF1dGgiLCJ1aWQiOiJkNzdjMWZlYi1jOTE5LTQxMDYtYWE4YS01MGY2N2MzYTE2MWUifX0sIm5iZiI6MTYwNDgzNTEwMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dmF1bHQtYXV0aCJ9.qfOfj4FeVBlBoWbaME6UnDCqKXE2FXKyil3ia1lDMaqcc87fYYE4yVByhqCSJy2pToO2MW3mYBKwfgfKxKaZj64hMh3yu1RNRASvWAVi4JM4nrBtdXei24e3WgRIjYOJnaHuypYtiBfHC-ArNJN_AhoGI00SP7Mx_ohcxtHbBcIE15Dlbh9eHOVtQSSMazaOAyQQLUybNmw9PDD0wwLnKgiky35dG03tZWd2pUttDWKlTzuIDPHyUyY9CYe-C3rVidJ6Vpw9atIO6NcffD5dvXujY1boUVO52xhcNCyL7UX1YqjcaqgUvEtUN1ridAb_rispVNzbe2w1cp41CqGHcQ

tests/integration/targets/auth_kubernetes/tasks/kubernetes_setup.yml

@@ -3,13 +3,13 @@
     is_default_path: "{{ this_path == default_path }}"
     jwt_public_key: |
       -----BEGIN PUBLIC KEY-----
-      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArIansgZKnb2NnOFe6+g3
-      v8kzMySJrBNxfzEq8nn3qtXsL4pl2bvrM8or3F6iNPv2p5GHGJat0HANgLBvxGlv
-      u2KYN8Jnjqf8zX5sqmvaK1L5aFZD7p9OKxu7JTCUzjykKGqmDXlitXXxkoDlCUr6
-      m7kR5Hn/VnmRWlyiIWQL8iY2pxYKGl7CvXEmW1vqEJvvOH2P0PxBS8fHFuEX3k+N
-      vEMJlDqN9MRi4EYh7P7R7qMVKSpOUl6K4TEYMsV3D0sHaIGDq+iw8Ev0fO2CglV5
-      uDAgo0WZlxcl6VqLDQIV20JJGHdHBxGFZl5GqzbM5yNEr2hUqT1h8fKHdF6L0xRu
-      eQIDAQAB
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvUJ8sf9bUQtAyESZ73mw
+      LCHjA8cj2ly3GTy5fxsyniUvkl6x+fVOXYqxgDYc9m14iaUXjE2eUIdQOnmRNIAz
+      xIhxKvXMhJVRSnjCcdQZ9FUPyvQ1bcNo6rISOEEroUdQ6ymX6/DKhW/tXPrYPFyK
+      502UF+YhuP+t/OdKT4qbIxHvkDyGorJDlfKDx9wIr88xY4+KFLKSkaCsO6fZvmhw
+      L2pVl5UfJ/mYXZdeJ8b8pJLSnWmKzXwamGNnvJK3Z4DwicL6Z9PS8ryZWMAUswFR
+      menCQdtebBuaKi401N9SlPl/qb3nFW3YVO1NrqGvF9nprdtBNN3++0a1fuMUmPhb
+      1QIDAQAB
       -----END PUBLIC KEY-----
   block:
     - name: "Enable the Kubernetes auth method"
@@ -23,25 +23,18 @@
       vault_ci_write:
         path: "auth/{{ this_path }}/config"
         data:
-          kubernetes_host: "https://kubernetes.default.svc"
-          kubernetes_ca_cert: |
-            -----BEGIN CERTIFICATE-----
-            MIIDBjCCAe4CAQAwDQYJKoZIhvcNAQEFBQAwEzERMA8GA1UEAwwIdGVzdC5jb20w
-            MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-            AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-            AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-            -----END CERTIFICATE-----
-          jwt_validation_pubkeys: |
+          kubernetes_host: "http://mmock:8900"
+          pem_keys: |
             {{ jwt_public_key }}
-          issuer: "https://kubernetes.default.svc.cluster.local"
+          disable_local_ca_jwt: true
+          disable_iss_validation: true
 
     - name: "Create a named role"
       vault_ci_write:
         path: "auth/{{ this_path }}/role/test-role"
         data:
           bound_service_account_names: "*"
           bound_service_account_namespaces: "*"
-          # in docs, this is token_policies (changed in Vault 1.2)
-          # use 'policies' to support older versions
           policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }}"
           ttl: 60m
+          audience: "test"

tests/integration/targets/setup_localenv_docker/templates/mmock/kubernetes_tokenreview.yml.j2

@@ -0,0 +1,28 @@
+#jinja2:variable_start_string:'[%', variable_end_string:'%]'
+---
+request:
+  method: POST
+  path: "/apis/authentication.k8s.io/v1/tokenreviews"
+response:
+  statusCode: 201
+  headers:
+    Content-Type:
+      - application/json
+  body: >-
+    {
+      "apiVersion": "authentication.k8s.io/v1",
+      "kind": "TokenReview",
+      "status": {
+        "authenticated": true,
+        "user": {
+          "username": "system:serviceaccount:default:vault-auth",
+          "uid": "d77c1feb-c919-4106-aa8a-50f67c3a161e",
+          "groups": [
+            "system:serviceaccounts",
+            "system:serviceaccounts:default",
+            "system:authenticated"
+          ]
+        },
+        "audiences": ["test"]
+      }
+    }

tests/integration/targets/setup_vault_configure/vars/main.yml

@@ -124,6 +124,7 @@ vault_base_policy: |
   }
 
 vault_token_creator_policy: |
+  {{ vault_base_policy }}
   path "auth/token/create" {
     capabilities = ["create", "update"]
   }
@@ -132,6 +133,7 @@ vault_token_creator_policy: |
   }
 
 vault_orphan_creator_policy: |
+  {{ vault_base_policy }}
   path "auth/token/create" {
     capabilities = ["create", "update"]
   }

tests/unit/plugins/module_utils/authentication/test_auth_k8s.py

@@ -115,11 +115,10 @@ def test_auth_k8s_authenticate(self, auth_k8s, client, adapter, kubernetes_token
         expected_login_params = {
             'role': role_id,
             'jwt': kubernetes_token,
-            'mount_point': None,
             'use_token': use_token,
         }
 
-        def _mock_login(role, jwt, mount_point, use_token):
+        def _mock_login(role, jwt, use_token, mount_point=None):
             if use_token:
                 client.token = k8s_login_response['auth']['client_token']
             return k8s_login_response
@@ -161,11 +160,10 @@ def test_auth_k8s_authenticate_fallback_deprecated(self, auth_k8s, client, adapt
         expected_login_params = {
             'role': role_id,
             'jwt': kubernetes_token,
-            'mount_point': None,
             'use_token': True,
         }
 
-        def _mock_deprecated_login(role, jwt, mount_point, use_token):
+        def _mock_deprecated_login(role, jwt, use_token, mount_point=None):
             if use_token:
                 client.token = k8s_login_response['auth']['client_token']
             return k8s_login_response