
Support TLS Certificates Auth Method in HashiCorp Vault Provider #52

Closed
ryysud opened this issue Aug 22, 2019 · 2 comments

Comments

@ryysud
Contributor

ryysud commented Aug 22, 2019

Currently, only the Kubernetes Auth Method is supported as a method to authenticate to Vault from the HashiCorp Vault Provider, but what do you think about supporting the TLS Certificates Auth Method in addition?

I think that it is a good specification (I am currently investigating how to implement it and whether it is a possible specification... Please let me know if there is another good spec...) to pass a TLS certificate from the Pod Spec's volume to the Secrets Store CSI Driver running as a Node Plugin and use it to authenticate to Vault. The authentication method is specified with a parameter such as authMethod (default: k8s), and the file to be used in the Volume is specified with a parameter such as cert.

Example 1. Pass TLS cert using a ConfigMap

kind: Pod
apiVersion: v1
metadata:
  name: nginx-secrets-store-inline
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.com
        readOnly: true
        volumeAttributes:
          providerName: "vault"
          authMethod: "cert" # New param (default: k8s)
          cert: cert.pem # New param
          roleName: "example-role"
          vaultAddress: "http://vault:8200"
          vaultSkipTLSVerify: "true"
          objects:  |
            array:
              - |
                objectPath: "/foo"
                objectName: "bar"
                objectVersion: ""
    - name: certs
      configMap:
        name: certs

Example 2. Pass TLS cert using a shared volume

kind: Pod
apiVersion: v1
metadata:
  name: nginx-secrets-store-inline
spec:
  initContainers:
    - name: tls-certs-fetcher
      image: tls-certs-fetcher
      command:
        - tls-certs-fetch
      args:
        - -write
        - /certs
      volumeMounts:
        - name: certs-dir
          mountPath: /certs
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.com
        readOnly: true
        volumeAttributes:
          providerName: "vault"
          authMethod: "cert" # New param (default: k8s)
          cert: cert.pem # New param
          roleName: "example-role"
          vaultAddress: "http://vault:8200"
          vaultSkipTLSVerify: "true"
          objects:  |
            array:
              - |
                objectPath: "/foo"
                objectName: "bar"
                objectVersion: ""
    - name: certs-dir
      emptyDir: {}

@ryysud
Contributor Author

ryysud commented Sep 4, 2019

@anubhavmishra After adding a parameter such as vaultCertPath, the Secrets Store CSI Driver authenticates to Vault with the TLS Cert Auth Method using the certificate (mounted in the container) specified by that parameter. How about this specification? If you think that looks good, I’ll create a PR.

kind: Pod
apiVersion: v1
metadata:
  name: nginx-secrets-store-inline
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
    - name: certs
      mountPath: "/certs"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.com
        readOnly: true
        volumeAttributes:
          providerName: "vault"
          authMethod: "cert" # New param (default: k8s)
          roleName: "example-role"
          vaultAddress: "http://vault:8200"
          vaultCertPath: "/certs/cert.pem" # New param
          vaultSkipTLSVerify: "true"
          objects:  |
            array:
              - |
                objectPath: "/foo"
                objectName: "bar"
                objectVersion: ""
    - name: certs
      configMap:
        name: certs
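
Both proposals in this issue (the cert parameter in the opening post and the vaultCertPath variant above) leave the provider to choose a Vault login call from the volume's attributes. The following is an added Go example, not code from the driver or from this issue, showing how that dispatch could look: the default k8s method posts the service-account JWT, while the cert method loads the client certificate and lets the TLS handshake prove identity. VaultLogin, BuildVaultLogin, the injected certificate loader and the reuse of roleName as the cert role name are assumptions made here.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// VaultLogin is the login request the provider would send for one volume;
// Path and Body follow Vault's documented login endpoints.
type VaultLogin struct {
	Path string
	Body map[string]string
	TLS  *tls.Config // carries the client certificate for the cert method
}

// BuildVaultLogin maps the proposed volumeAttributes (authMethod, roleName,
// vaultCertPath, vaultSkipTLSVerify) to a login request; saJWT is the pod's
// service-account token, used only by the default k8s method. Hypothetical
// helper, not the driver's code; load is injected so dispatch is testable.
func BuildVaultLogin(attrs map[string]string, saJWT string,
	load func(string) (tls.Certificate, error)) (*VaultLogin, error) {
	role := attrs["roleName"]
	if role == "" {
		return nil, errors.New("roleName is required")
	}
	// vaultSkipTLSVerify disables server verification; keep it off outside tests.
	tlsCfg := &tls.Config{InsecureSkipVerify: attrs["vaultSkipTLSVerify"] == "true"}
	switch method := attrs["authMethod"]; method {
	case "", "k8s": // unchanged default: Kubernetes auth with the SA token
		body := map[string]string{"role": role, "jwt": saJWT}
		return &VaultLogin{Path: "/v1/auth/kubernetes/login", Body: body, TLS: tlsCfg}, nil
	case "cert":
		path := attrs["vaultCertPath"]
		if path == "" {
			return nil, errors.New("vaultCertPath is required when authMethod is cert")
		}
		pair, err := load(path)
		if err != nil {
			return nil, fmt.Errorf("loading client certificate %q: %w", path, err)
		}
		tlsCfg.Certificates = []tls.Certificate{pair}
		// No secret in the body: the TLS handshake proves identity; "name" selects
		// the cert role (assumed here to reuse the roleName value).
		body := map[string]string{"name": role}
		return &VaultLogin{Path: "/v1/auth/cert/login", Body: body, TLS: tlsCfg}, nil
	default:
		return nil, fmt.Errorf("unsupported authMethod %q", method)
	}
}
```

For a real call, pass a loader such as `func(p string) (tls.Certificate, error) { return tls.LoadX509KeyPair(p, p) }`, which works when the single PEM file at vaultCertPath holds both the certificate and its private key. The `vaultSkipTLSVerify: "true"` setting in the examples turns off verification of Vault's server certificate, so a deployed manifest should leave it unset and trust Vault's CA instead.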

@ritazh
Member

ritazh commented Nov 27, 2019

Closing in favor of hashicorp/vault-csi-provider#15

@ritazh ritazh closed this as completed Nov 27, 2019