-
Notifications
You must be signed in to change notification settings - Fork 157
fix: enable Vault JWT auth without Spire for KMS signing #1616
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -36,8 +36,11 @@ import ( | |
| "github.com/spiffe/go-spiffe/v2/svid/jwtsvid" | ||
| "github.com/spiffe/go-spiffe/v2/workloadapi" | ||
| "github.com/tektoncd/chains/pkg/chains/signing" | ||
| "knative.dev/pkg/logging" | ||
| ) | ||
|
|
||
| const defaultOIDCTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec // Not a credential, this is the path to read the K8s SA token file from | ||
|
|
||
| // Signer exposes methods to sign payloads using a KMS | ||
| type Signer struct { | ||
| signature.SignerVerifier | ||
|
|
@@ -125,6 +128,25 @@ func NewSigner(ctx context.Context, cfg config.KMSSigner) (*Signer, error) { | |
| } | ||
| rpcAuth.OIDC.Token = token | ||
| } | ||
|
|
||
| if rpcAuth.OIDC.Token == "" && rpcAuth.Token == "" && cfg.Auth.OIDC.Path != "" && cfg.Auth.OIDC.Role != "" { | ||
| tokenPath := cfg.Auth.OIDC.TokenPath | ||
| if tokenPath == "" { | ||
| tokenPath = defaultOIDCTokenPath | ||
| } | ||
| logger := logging.FromContext(ctx) | ||
| logger.Debugw("OIDC token path for Vault JWT auth", "path", tokenPath) | ||
| token, err := os.ReadFile(tokenPath) | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. can we reuse the existing
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah yes that is intentional, since getKMSAuthToken uses TrimSuffix("\n") which only strips a single trailing newline. That's fine for static Vault tokens, but for the OIDC JWT path I used TrimSpace because for example if someone has a token file with just whitespaces like " \n \n", TrimSuffix would leave " \n " (looks non-empty, gets sent to Vault, confusing error), while TrimSpace correctly gives us "" which we then catch with the empty file check. The empty file check itself is the other difference, since getKMSAuthToken might return "" without error, but here an empty token might cause the code to drop the entire OIDC config and fall back to VAULT_TOKEN, which is the exact bug this PR is fixing. So same os.ReadFile, but different post-processing needs. |
||
| if err != nil { | ||
| return nil, fmt.Errorf("reading OIDC token from %q: %w", tokenPath, err) | ||
| } | ||
| oidcToken := strings.TrimSpace(string(token)) | ||
| if oidcToken == "" { | ||
| return nil, fmt.Errorf("OIDC token file %q is empty", tokenPath) | ||
| } | ||
| rpcAuth.OIDC.Token = oidcToken | ||
| } | ||
|
|
||
| kmsOpts = append(kmsOpts, options.WithRPCAuthOpts(rpcAuth)) | ||
| // get the signer/verifier from sigstore | ||
| k, err := kms.Get(ctx, cfg.KMSRef, crypto.SHA256, kmsOpts...) | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.