setting api_proxy stanza in vault configuration

hashicorp · Jul 10, 2023 · 412e109 · 412e109
1 parent 0315a12
commit 412e109
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -34,6 +34,7 @@ const (
 	DefaultAgentUseLeaderElector            = false
 	DefaultAgentInjectToken                 = false
 	DefaultAgentSidecarType                 = "agent"
+	DefaultProxyUseAutoAuthToken            = true
 	DefaultTemplateConfigExitOnRetryFailure = true
 	DefaultServiceAccountMount              = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
 	DefaultEnableQuit                       = false
@@ -125,6 +126,10 @@ type Agent struct {
 	// SidecarType is the type of the sidecar container that is injected into the pod
 	SidecarType string
 
+	// Use the auto auth token in the sidecar proxy, usable only when SidecarType is set to "proxy"
+	// acceptable values are boolean true / false and "force"
+	ProxyUseAutoAuthToken interface{}
+
 	// Vault is the structure holding all the Vault specific configurations.
 	Vault Vault
 
@@ -352,6 +357,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 		Annotations:               pod.Annotations,
 		ConfigMapName:             pod.Annotations[AnnotationAgentConfigMap],
 		SidecarType:               pod.Annotations[AnnotationAgentSidecarType],
+		ProxyUseAutoAuthToken:     pod.Annotations[AnnotationAgentProxyUseAutoAuthToken],
 		ImageName:                 pod.Annotations[AnnotationAgentImage],
 		DefaultTemplate:           pod.Annotations[AnnotationAgentInjectDefaultTemplate],
 		LimitsCPU:                 pod.Annotations[AnnotationAgentLimitsCPU],
@@ -402,6 +408,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 	}
 
 	agent.SidecarType = agent.sidecarType()
+	agent.ProxyUseAutoAuthToken = agent.proxyUseAutoAuthToken()
 
 	agent.Vault.AgentTelemetryConfig = agent.telemetryConfig()
 

diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
@@ -22,6 +22,11 @@ const (
 	// Should be set to one of "agent" / "proxy", defaults to "agent".
 	AnnotationAgentSidecarType = "vault.hashicorp.com/sidecar-type"
 
+	// AnnotationAgentProxyUseAutoAuthToken is the key of the annotation that controls whether
+	// the auto auth token should be used in the vault proxy.
+	// configures the "use_auto_auth_token" key in the "api_proxy" stanza.
+	AnnotationAgentProxyUseAutoAuthToken = "vault.hashicorp.com/sidecar-proxy-use-auto-auth-token"
+
 	// AnnotationAgentStatus is the key of the annotation that is added to
 	// a pod after an injection is done.
 	// There's only one valid status we care about: "injected".
@@ -896,3 +901,17 @@ func (a *Agent) sidecarType() string {
 	}
 	return DefaultAgentSidecarType
 }
+
+func (a *Agent) proxyUseAutoAuthToken() interface{} {
+    switch a.ProxyUseAutoAuthToken.(type) {
+        case bool:
+            return a.ProxyUseAutoAuthToken.(bool)
+        case string:
+            if a.ProxyUseAutoAuthToken == "force" {
+                return a.ProxyUseAutoAuthToken.(string)
+            }
+        default:
+            return DefaultProxyUseAutoAuthToken
+    }
+    return nil
+}
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
@@ -33,6 +33,7 @@ type Config struct {
 	DisableIdleConnections []string        `json:"disable_idle_connections,omitempty"`
 	DisableKeepAlives      []string        `json:"disable_keep_alives,omitempty"`
 	Telemetry              *Telemetry      `json:"telemetry,omitempty"`
+	ApiProxy               *ApiProxy       `json:"api_proxy,omitempty"`
 }
 
 // Vault contains configuration for connecting to Vault servers
@@ -108,6 +109,12 @@ type Cache struct {
 	Persist          *CachePersist `json:"persist,omitempty"`
 }
 
+type ApiProxy struct {
+    UseAutoAuthToken   interface{} `json:"use_auto_auth_token,omitempty"`
+    EnforceConsistency string      `json:enforce_consistency,omitempty`
+    WhenInconsistent   string      `json:when_inconsistent,omitempty`
+}
+
 // CachePersist defines the configuration for persistent caching in Vault Agent
 type CachePersist struct {
 	Type                    string `json:"type"`
@@ -283,6 +290,13 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 		}
 	}
 
+    // adds the api_proxy stanza to the configuration
+	if a.SidecarType == "proxy" {
+	   config.ApiProxy = &ApiProxy{
+	       UseAutoAuthToken: a.ProxyUseAutoAuthToken,
+	   }
+	}
+
 	// If EnableQuit is true, set it on the listener. If a listener hasn't been
 	// defined, set it on a new one. Also add a simple cache stanza since that's
 	// required for an agent listener.