Update k8s-auth config to support unsetting the K8s CA Cert (#2005)

Prior to vault-1.9.3, the k8s-auth engine would store the K8S CA cert in its configuration if Vault was running in K8s. Post vault-1.9.3, this behaviour was changed to longer store the K8s CA cert in config. That change confuses TFVP since the kubernetes_ca_cert field can no longer be computed. This fix detects and remedies by adding the ability to "unset" the CA cert in the case where we are provisioning vault-1.9.3+. It should also clean up any K8s CA cert that was left behind after upgrading from any Vault prior to 1.9.3. * Factor out some more K8s field constants * CI: skip in k8s cluster tests * Update imports
hashicorp · Sep 13, 2023 · db95128 · db95128
1 parent 64d30e0
commit db95128
Show file tree

Hide file tree

Showing 12 changed files with 482 additions and 204 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -192,7 +192,7 @@ jobs:
           LDAP_BINDPASS: "adminpassword"
           LDAP_URL: "ldap://openldap:1389"
         run: |
-          make testacc-ent TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true
+          make testacc-ent TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
       - name: "Generate Vault API Path Coverage Report"
         run: |
           go run cmd/coverage/main.go -openapi-doc=./testdata/openapi.json
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -352,6 +352,12 @@ const (
 	FieldCredentialType                = "credential_type"
 	FieldFilename                      = "filename"
 	FieldDefault                       = "default"
+	FieldKubernetesCACert              = "kubernetes_ca_cert"
+	FieldDisableLocalCAJWT             = "disable_local_ca_jwt"
+	FieldKubernetesHost                = "kubernetes_host"
+	FieldServiceAccountJWT             = "service_account_jwt"
+	FieldDisableISSValidation          = "disable_iss_validation"
+	FieldPEMKeys                       = "pem_keys"
 	/*
 		common environment variables
 	*/
@@ -385,7 +391,6 @@ const (
 	EnvVarRadiusPassword = "RADIUS_PASSWORD"
 	// EnvVarTokenFilename for the TokenFile auth login.
 	EnvVarTokenFilename = "TERRAFORM_VAULT_TOKEN_FILENAME"
-
 	/*
 		common mount types
 	*/

diff --git a/internal/provider/meta.go b/internal/provider/meta.go
@@ -35,7 +35,6 @@ const (
 var (
 	MaxHTTPRetriesCCC int
 
-	VaultVersion190 = version.Must(version.NewSemver(consts.VaultVersion190))
 	VaultVersion110 = version.Must(version.NewSemver(consts.VaultVersion110))
 	VaultVersion111 = version.Must(version.NewSemver(consts.VaultVersion111))
 	VaultVersion112 = version.Must(version.NewSemver(consts.VaultVersion112))

diff --git a/vault/data_source_kubernetes_auth_backend_config.go b/vault/data_source_kubernetes_auth_backend_config.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 )
 
@@ -28,38 +29,38 @@ func kubernetesAuthBackendConfigDataSource() *schema.Resource {
 					return strings.Trim(v.(string), "/")
 				},
 			},
-			"kubernetes_host": {
+			consts.FieldKubernetesHost: {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Optional:    true,
 				Description: "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.",
 			},
-			"kubernetes_ca_cert": {
+			consts.FieldKubernetesCACert: {
 				Type:        schema.TypeString,
 				Description: "PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.",
 				Computed:    true,
 				Optional:    true,
 			},
-			"pem_keys": {
+			consts.FieldPEMKeys: {
 				Type:        schema.TypeList,
 				Elem:        &schema.Schema{Type: schema.TypeString},
 				Computed:    true,
 				Description: "Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.",
 				Optional:    true,
 			},
-			"issuer": {
+			consts.FieldIssuer: {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Optional:    true,
 				Description: "Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.",
 			},
-			"disable_iss_validation": {
+			consts.FieldDisableISSValidation: {
 				Type:        schema.TypeBool,
 				Computed:    true,
 				Optional:    true,
 				Description: "Optional disable JWT issuer validation. Allows to skip ISS validation.",
 			},
-			"disable_local_ca_jwt": {
+			consts.FieldDisableLocalCAJWT: {
 				Type:        schema.TypeBool,
 				Computed:    true,
 				Optional:    true,
@@ -89,20 +90,20 @@ func kubernetesAuthBackendConfigDataSourceRead(d *schema.ResourceData, meta inte
 		return nil
 	}
 	d.SetId(path)
-	d.Set("kubernetes_ca_cert", resp.Data["kubernetes_ca_cert"])
-	d.Set("kubernetes_host", resp.Data["kubernetes_host"])
+	d.Set(consts.FieldKubernetesCACert, resp.Data[consts.FieldKubernetesCACert])
+	d.Set(consts.FieldKubernetesHost, resp.Data[consts.FieldKubernetesHost])
 
-	iPemKeys := resp.Data["pem_keys"].([]interface{})
+	iPemKeys := resp.Data[consts.FieldPEMKeys].([]interface{})
 	pemKeys := make([]string, 0, len(iPemKeys))
 
 	for _, iPemKey := range iPemKeys {
 		pemKeys = append(pemKeys, iPemKey.(string))
 	}
 
-	d.Set("pem_keys", pemKeys)
-	d.Set("issuer", resp.Data["issuer"])
-	d.Set("disable_iss_validation", resp.Data["disable_iss_validation"])
-	d.Set("disable_local_ca_jwt", resp.Data["disable_local_ca_jwt"])
+	d.Set(consts.FieldPEMKeys, pemKeys)
+	d.Set(consts.FieldIssuer, resp.Data[consts.FieldIssuer])
+	d.Set(consts.FieldDisableISSValidation, resp.Data[consts.FieldDisableISSValidation])
+	d.Set(consts.FieldDisableLocalCAJWT, resp.Data[consts.FieldDisableLocalCAJWT])
 
 	return nil
 }
diff --git a/vault/data_source_kubernetes_auth_backend_config_test.go b/vault/data_source_kubernetes_auth_backend_config_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/testutil"
 )
 
@@ -29,9 +30,9 @@ func TestAccKubernetesAuthBackendConfigDataSource_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
 						"backend", backend),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"kubernetes_host", "http://example.com:443"),
+						consts.FieldKubernetesHost, "http://example.com:443"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"kubernetes_ca_cert", kubernetesCAcert),
+						consts.FieldKubernetesCACert, kubernetesCAcert),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
 						"token_reviewer_jwt", jwt),
 				),
@@ -44,9 +45,9 @@ func TestAccKubernetesAuthBackendConfigDataSource_basic(t *testing.T) {
 					resource.TestCheckNoResourceAttr("data.vault_kubernetes_auth_backend_config.config",
 						"token_reviewer_jwt"),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
-						"kubernetes_host", "http://example.com:443"),
+						consts.FieldKubernetesHost, "http://example.com:443"),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
-						"kubernetes_ca_cert", kubernetesCAcert),
+						consts.FieldKubernetesCACert, kubernetesCAcert),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
 						"pem_keys.#", "0"),
 				),
@@ -68,26 +69,27 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
 		CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt),
+				Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
+					disableIssValidation, disableLocalCaJwt, false),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
 						"backend", backend),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"kubernetes_host", "http://example.com:443"),
+						consts.FieldKubernetesHost, "http://example.com:443"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"kubernetes_ca_cert", kubernetesCAcert),
+						consts.FieldKubernetesCACert, kubernetesCAcert),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
 						"token_reviewer_jwt", jwt),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
 						"pem_keys.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
 						"pem_keys.0", kubernetesPEMfile),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"issuer", issuer),
+						consts.FieldIssuer, issuer),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"disable_iss_validation", strconv.FormatBool(disableIssValidation)),
+						consts.FieldDisableISSValidation, strconv.FormatBool(disableIssValidation)),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)),
+						consts.FieldDisableLocalCAJWT, strconv.FormatBool(disableLocalCaJwt)),
 				),
 			},
 			{
@@ -98,19 +100,19 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
 					resource.TestCheckNoResourceAttr("data.vault_kubernetes_auth_backend_config.config",
 						"token_reviewer_jwt"),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
-						"kubernetes_host", "http://example.com:443"),
+						consts.FieldKubernetesHost, "http://example.com:443"),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
-						"kubernetes_ca_cert", kubernetesCAcert),
+						consts.FieldKubernetesCACert, kubernetesCAcert),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
 						"pem_keys.#", "1"),
 					resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config",
 						"pem_keys.0", kubernetesPEMfile),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"issuer", issuer),
+						consts.FieldIssuer, issuer),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"disable_iss_validation", strconv.FormatBool(disableIssValidation)),
+						consts.FieldDisableISSValidation, strconv.FormatBool(disableIssValidation)),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
-						"disable_local_ca_jwt", strconv.FormatBool(disableLocalCaJwt)),
+						consts.FieldDisableLocalCAJWT, strconv.FormatBool(disableLocalCaJwt)),
 				),
 			},
 		},
@@ -132,5 +134,6 @@ func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string
 
 data "vault_kubernetes_auth_backend_config" "config" {
   backend = "%s"
-}`, testAccKubernetesAuthBackendConfigConfig_full(backend, jwt, issuer, disableIssValidation, disableLocalCaJwt), backend)
+}`, testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
+		disableIssValidation, disableLocalCaJwt, false), backend)
 }
diff --git a/vault/data_source_kubernetes_credentials_test.go b/vault/data_source_kubernetes_credentials_test.go
@@ -9,20 +9,23 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/testutil"
 )
 
 func TestAccKubernetesSecretCredentialsDataSource(t *testing.T) {
-	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+	t.Skip("Requires a Kubernetes cluster and manual setup. Should be automated.")
 
 	dataSourceName := "data.vault_kubernetes_service_account_token.token"
 	backend := acctest.RandomWithPrefix("tf-test-kubernetes")
 	name := acctest.RandomWithPrefix("tf-test-role")
 
 	resource.Test(t, resource.TestCase{
 		Providers: testProviders,
-		PreCheck:  func() { testutil.TestAccPreCheck(t) },
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+		},
 		Steps: []resource.TestStep{
 			{
 				Config: testDataSourceKubernetesServiceAccountTokenConfig(backend, name),