diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index ee85d4be..dc32fde8 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -34,6 +34,7 @@ const (
 DefaultAgentUseLeaderElector = false
 DefaultAgentInjectToken = false
 DefaultAgentSidecarType = "agent"
+ DefaultProxyUseAutoAuthToken = true
 DefaultTemplateConfigExitOnRetryFailure = true
 DefaultServiceAccountMount = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
 DefaultEnableQuit = false
@@ -125,6 +126,10 @@ type Agent struct {
 // SidecarType is the type of the sidecar container that is injected into the pod
 SidecarType string
 
+ // Use the auto auth token in the sidecar proxy, usable only when SidecarType is set to "proxy"
+ // acceptable values are boolean true / false and "force"
+ ProxyUseAutoAuthToken interface{}
+
 // Vault is the structure holding all the Vault specific configurations.
 Vault Vault
 
@@ -352,6 +357,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 Annotations: pod.Annotations,
 ConfigMapName: pod.Annotations[AnnotationAgentConfigMap],
 SidecarType: pod.Annotations[AnnotationAgentSidecarType],
+ ProxyUseAutoAuthToken: pod.Annotations[AnnotationAgentProxyUseAutoAuthToken],
 ImageName: pod.Annotations[AnnotationAgentImage],
 DefaultTemplate: pod.Annotations[AnnotationAgentInjectDefaultTemplate],
 LimitsCPU: pod.Annotations[AnnotationAgentLimitsCPU],
@@ -402,6 +408,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 }
 
 agent.SidecarType = agent.sidecarType()
+ agent.ProxyUseAutoAuthToken = agent.proxyUseAutoAuthToken()
 
 agent.Vault.AgentTelemetryConfig = agent.telemetryConfig()
 
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index 1f162cda..59543a0c 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
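Review bot: `DefaultProxyUseAutoAuthToken = true` in the const block carries no doc comment, and it is the permissive default — as documented for Vault Agent's api_proxy stanza, `use_auto_auth_token = true` means requests reaching the proxy listener without a Vault token are forwarded with the agent's own auto-auth token, so anything in the pod that can reach that listener acts with the agent's Vault identity. That consequence belongs next to the constant rather than only in Vault's docs; suggested comment: `// DefaultProxyUseAutoAuthToken is the api_proxy use_auto_auth_token value applied when the sidecar-proxy-use-auto-auth-token annotation is absent. true attaches the agent's auto-auth token to token-less requests sent to the proxy listener; "force" overrides even caller-supplied tokens.` The Agent field comment in the second hunk should likewise say that "force" is the stronger of the three settings, since the field is the only place an operator reading the struct learns what values mean.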
@@ -22,6 +22,11 @@ const (
 // Should be set to one of "agent" / "proxy", defaults to "agent".
 AnnotationAgentSidecarType = "vault.hashicorp.com/sidecar-type"
 
+ // AnnotationAgentProxyUseAutoAuthToken is the key of the annotation that controls whether
+ // the auto auth token should be used in the vault proxy.
+ // configures the "use_auto_auth_token" key in the "api_proxy" stanza.
+ AnnotationAgentProxyUseAutoAuthToken = "vault.hashicorp.com/sidecar-proxy-use-auto-auth-token"
+
 // AnnotationAgentStatus is the key of the annotation that is added to
 // a pod after an injection is done.
 // There's only one valid status we care about: "injected".
@@ -896,3 +901,17 @@ func (a *Agent) sidecarType() string {
 }
 return DefaultAgentSidecarType
 }
+
+func (a *Agent) proxyUseAutoAuthToken() interface{} {
+ switch a.ProxyUseAutoAuthToken.(type) {
+ case bool:
+ return a.ProxyUseAutoAuthToken.(bool)
+ case string:
+ if a.ProxyUseAutoAuthToken == "force" {
+ return a.ProxyUseAutoAuthToken.(string)
+ }
+ default:
+ return DefaultProxyUseAutoAuthToken
+ }
+ return nil
+}
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
index 387aa897..e3df7085 100644
--- a/agent-inject/agent/config.go
+++ b/agent-inject/agent/config.go
@@ -33,6 +33,7 @@ type Config struct {
 DisableIdleConnections []string `json:"disable_idle_connections,omitempty"`
 DisableKeepAlives []string `json:"disable_keep_alives,omitempty"`
 Telemetry *Telemetry `json:"telemetry,omitempty"`
+ ApiProxy *ApiProxy `json:"api_proxy,omitempty"`
 }
 
 // Vault contains configuration for connecting to Vault servers
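Review bot: `proxyUseAutoAuthToken` never receives a `bool`, so its `case bool` and `default` arms are dead and the `true`/`false` values the Agent field comment advertises are silently dropped: New (agent.go, the `ProxyUseAutoAuthToken: pod.Annotations[...]` and `agent.proxyUseAutoAuthToken()` hunks) stores the raw annotation value, which is a string, and this method returns `nil` for every string other than `"force"` — including the empty string when the annotation is absent. Because the `ApiProxy.UseAutoAuthToken` field is `interface{}` with `omitempty`, that `nil` is dropped from the rendered config, so `DefaultProxyUseAutoAuthToken` is never applied and an explicit `"true"` or `"false"` annotation has no effect. The string should be parsed instead — empty → default, `"force"` → `"force"`, anything else through `strconv.ParseBool` — returning an error for unparseable input rather than guessing (today `"Force"` also lands on the nil path), which means the caller `agent.ProxyUseAutoAuthToken = agent.proxyUseAutoAuthToken()` in New would need to check the error as the other helpers there presumably do (those call sites are outside the hunk). The rewrite below relies on `strconv`, `strings` and `fmt`, which annotations.go may or may not already import.
```go
func (a *Agent) proxyUseAutoAuthToken() (interface{}, error) {
	// New stores the raw annotation string here; a missing annotation is "".
	raw, _ := a.ProxyUseAutoAuthToken.(string)
	switch strings.ToLower(strings.TrimSpace(raw)) {
	case "":
		return DefaultProxyUseAutoAuthToken, nil
	case "force":
		return "force", nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return nil, fmt.Errorf("%s must be true, false or force, got %q", AnnotationAgentProxyUseAutoAuthToken, raw)
	}
	return v, nil
}
```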
@@ -108,6 +109,12 @@ type Cache struct {
 Persist *CachePersist `json:"persist,omitempty"`
 }
 
+type ApiProxy struct {
+ UseAutoAuthToken interface{} `json:"use_auto_auth_token,omitempty"`
+ EnforceConsistency string `json:enforce_consistency,omitempty`
+ WhenInconsistent string `json:when_inconsistent,omitempty`
+}
+
 // CachePersist defines the configuration for persistent caching in Vault Agent
 type CachePersist struct {
 Type string `json:"type"`
@@ -283,6 +290,13 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 }
 }
 
+ // adds the api_proxy stanza to the configuration
+ if a.SidecarType == "proxy" {
+ config.ApiProxy = &ApiProxy{
+ UseAutoAuthToken: a.ProxyUseAutoAuthToken,
+ }
+ }
+
 // If EnableQuit is true, set it on the listener. If a listener hasn't been
 // defined, set it on a new one. Also add a simple cache stanza since that's
 // required for an agent listener.
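Review bot: The struct tags on `EnforceConsistency` and `WhenInconsistent` in `ApiProxy` are missing their quotes (`json:enforce_consistency,omitempty`), so `reflect.StructTag` cannot parse them, encoding/json falls back to the Go field names without `omitempty`, and every rendered `api_proxy` stanza will carry `"EnforceConsistency": ""` and `"WhenInconsistent": ""`; `go vet` (structtag) reports this. The tags should read `json:"enforce_consistency,omitempty"` and `json:"when_inconsistent,omitempty"`. Neither field is populated by `newConfig` in the following hunk nor backed by an annotation, so either drop them for now or state in a doc comment that they are reserved for future annotations. The exported type also lacks a doc comment — `// ApiProxy is the api_proxy stanza of the Vault Agent configuration.` would do — and Go initialism convention would spell it `APIProxy`, though rename only if the rest of the package does not already use the `Api` form.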