hashicorp · zofskeez · Jan 18, 2023 · Nov 10, 2022 · Nov 14, 2022 · Nov 14, 2022
diff --git a/changelog/17893.txt b/changelog/17893.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+ui: Adds Kubernetes secrets engine
+```
@@ -0,0 +1,38 @@
+import ApplicationAdapter from 'vault/adapters/application';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+
+export default class KubernetesConfigAdapter extends ApplicationAdapter {
+  namespace = 'v1';
+
+  getURL(backend, path = 'config') {
+    return `${this.buildURL()}/${encodePath(backend)}/${path}`;
+  }
+  urlForUpdateRecord(name, modelName, snapshot) {
+    return this.getURL(snapshot.attr('backend'));
+  }
+  urlForDeleteRecord(backend) {
+    return this.getURL(backend);
+  }
+
+  queryRecord(store, type, query) {
+    const { backend } = query;
+    return this.ajax(this.getURL(backend), 'GET').then((resp) => {
+      resp.backend = backend;
+      return resp;
+    });
+  }
+  createRecord() {
+    return this._saveRecord(...arguments);
+  }
+  updateRecord() {
+    return this._saveRecord(...arguments);
+  }
+  _saveRecord(store, { modelName }, snapshot) {
+    const data = store.serializerFor(modelName).serialize(snapshot);
+    const url = this.getURL(snapshot.attr('backend'));
+    return this.ajax(url, 'POST', { data }).then(() => data);
+  }
+  checkConfigVars(backend) {
+    return this.ajax(`${this.getURL(backend, 'check')}`, 'GET');
+  }
+}
@@ -0,0 +1,46 @@
+import NamedPathAdapter from 'vault/adapters/named-path';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+
+export default class KubernetesRoleAdapter extends NamedPathAdapter {
+  getURL(backend, name) {
+    const base = `${this.buildURL()}/${encodePath(backend)}/roles`;
+    return name ? `${base}/${name}` : base;
+  }
+  urlForQuery({ backend }) {
+    return this.getURL(backend);
+  }
+  urlForUpdateRecord(name, modelName, snapshot) {
+    return this.getURL(snapshot.attr('backend'), name);
+  }
+  urlForDeleteRecord(name, modelName, snapshot) {
+    return this.getURL(snapshot.attr('backend'), name);
+  }
+
+  query(store, type, query) {
+    const { backend } = query;
+    return this.ajax(this.getURL(backend), 'GET', { data: { list: true } }).then((resp) => {
+      return resp.data.keys.map((name) => ({ name, backend }));
+    });
+  }
+  queryRecord(store, type, query) {
+    const { backend, name } = query;
+    return this.ajax(this.getURL(backend, name), 'GET').then((resp) => {
+      resp.data.backend = backend;
+      resp.data.name = name;
+      return resp.data;
+    });
+  }
+  generateCredentials(backend, data) {
+    const generateCredentialsUrl = `${this.buildURL()}/${encodePath(backend)}/creds/${data.role}`;
+
+    return this.ajax(generateCredentialsUrl, 'POST', { data }).then((response) => {
+      const { lease_id, lease_duration, data } = response;
+
+      return {
+        lease_id,
+        lease_duration,
+        ...data,
+      };
+    });
+  }
+}
@@ -49,6 +49,14 @@ export default class App extends Application {
         },
       },
     },
+    kubernetes: {
+      dependencies: {
+        services: ['router', 'store', 'secret-mount-path', 'flashMessages'],
+        externalRoutes: {
+          secrets: 'vault.cluster.secrets.backends',
+        },
+      },
+    },
     pki: {
       dependencies: {
         services: [

@@ -104,6 +104,14 @@ const MOUNTABLE_SECRET_ENGINES = [
     type: 'totp',
     category: 'generic',
   },
+  {
+    displayName: 'Kubernetes',
+    value: 'kubernetes',
+    type: 'kubernetes',
+    engineRoute: 'kubernetes.overview',
+    category: 'generic',
+    glyph: 'kubernetes-color',
+  },
 ];
 
 export function mountableEngines() {

@@ -12,6 +12,7 @@ const SUPPORTED_SECRET_BACKENDS = [
   'kmip',
   'transform',
   'keymgmt',
+  'kubernetes',
 ];
 
 export function supportedSecretBackends() {

@@ -0,0 +1,27 @@
+import Model, { attr } from '@ember-data/model';
+import { withFormFields } from 'vault/decorators/model-form-fields';
+
+@withFormFields(['kubernetesHost', 'serviceAccountJwt', 'kubernetesCaCert'])
+export default class KubernetesConfigModel extends Model {
+  @attr('string') backend; // dynamic path of secret -- set on response from value passed to queryRecord
+  @attr('string', {
+    label: 'Kubernetes host',
+    subText:
+      'Kubernetes API URL to connect to. Defaults to https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT if those environment variables are set.',
+  })
+  kubernetesHost;
+  @attr('string', {
+    label: 'Service account JWT',
+    subText:
+      'The JSON web token of the service account used by the secret engine to manage Kubernetes roles. Defaults to the local pod’s JWT if found.',
+  })
+  serviceAccountJwt;
+  @attr('string', {
+    label: 'Kubernetes CA Certificate',
+    subText:
+      'PEM-encoded CA certificate to use by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found.',
+    editType: 'textarea',
+  })
+  kubernetesCaCert;
+  @attr('boolean', { defaultValue: false }) disableLocalCaJwt;
+}
@@ -0,0 +1,153 @@
+import Model, { attr } from '@ember-data/model';
+import { withModelValidations } from 'vault/decorators/model-validations';
+import { withFormFields } from 'vault/decorators/model-form-fields';
+import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
+import { tracked } from '@glimmer/tracking';
+
+const validations = {
+  name: [{ type: 'presence', message: 'Name is required' }],
+};
+const formFieldProps = [
+  'name',
+  'serviceAccountName',
+  'kubernetesRoleType',
+  'kubernetesRoleName',
+  'allowedKubernetesNamespaces',
+  'tokenMaxTtl',
+  'tokenDefaultTtl',
+  'nameTemplate',
+];
+
+@withModelValidations(validations)
+@withFormFields(formFieldProps)
+export default class KubernetesRoleModel extends Model {
+  @attr('string') backend; // dynamic path of secret -- set on response from value passed to queryRecord
+  @attr('string', {
+    label: 'Role name',
+    subText: 'The role’s name in Vault.',
+  })
+  name;
+
+  @attr('string', {
+    label: 'Service account name',
+    subText: 'Vault will use the default template when generating service accounts, roles and role bindings.',
+  })
+  serviceAccountName;
+
+  @attr('string', {
+    label: 'Kubernetes role type',
+    editType: 'radio',
+    possibleValues: ['Role', 'ClusterRole'],
+  })
+  kubernetesRoleType;
+
+  @attr('string', {
+    label: 'Kubernetes role name',
+    subText: 'Vault will use the default template when generating service accounts, roles and role bindings.',
+  })
+  kubernetesRoleName;
+
+  @attr('string', {
+    label: 'Service account name',
+    subText: 'Vault will use the default template when generating service accounts, roles and role bindings.',
+  })
+  serviceAccountName;
+
+  @attr('string', {
+    label: 'Allowed Kubernetes namespaces',
+    subText:
+      'A list of the valid Kubernetes namespaces in which this role can be used for creating service accounts. If set to "*" all namespaces are allowed.',
+  })
+  allowedKubernetesNamespaces;
+
+  @attr({
+    label: 'Max Lease TTL',
+    editType: 'ttl',
+  })
+  tokenMaxTtl;
+
+  @attr({
+    label: 'Default Lease TTL',
+    editType: 'ttl',
+  })
+  tokenDefaultTtl;
+
+  @attr('string', {
+    label: 'Name template',
+    editType: 'optionalText',
+    defaultSubText:
+      'Vault will use the default template when generating service accounts, roles and role bindings.',
+    subText: 'Vault will use the default template when generating service accounts, roles and role bindings.',
+  })
+  nameTemplate;
+
+  @attr extraAnnotations;
+  @attr extraLabels;
+
+  @attr('string') generatedRoleRules;
+
+  @tracked _generationPreference;
+  get generationPreference() {
+    // when the user interacts with the radio cards the value will be set to the pseudo prop which takes precedence
+    if (this._generationPreference) {
+      return this._generationPreference;
+    }
+    // for existing roles, default the value based on which model prop has value -- only one can be set
+    let pref = null;
+    if (this.serviceAccountName) {
+      pref = 'basic';
+    } else if (this.kubernetesRoleName) {
+      pref = 'expanded';
+    } else if (this.generatedRoleRules) {
+      pref = 'full';
+    }
+    return pref;
+  }
+  set generationPreference(pref) {
+    // unset model props specific to filteredFormFields when changing preference
+    // only one of service_account_name, kubernetes_role_name or generated_role_rules can be set
+    const props = {
+      basic: ['kubernetesRoleType', 'kubernetesRoleName', 'generatedRoleRules', 'nameTemplate'],
+      expanded: ['serviceAccountName', 'generatedRoleRules'],
+      full: ['serviceAccountName', 'kubernetesRoleName'],
+    }[pref];
+    props.forEach((prop) => (this[prop] = null));
+    this._generationPreference = pref;
+  }
+
+  get filteredFormFields() {
+    // return different form fields based on generationPreference
+    const hiddenFieldIndices = {
+      basic: [2, 3, 7], // kubernetesRoleType, kubernetesRoleName and nameTemplate
+      expanded: [1], // serviceAccountName
+      full: [1, 3], // serviceAccountName and kubernetesRoleName
+    }[this.generationPreference];
+
+    return hiddenFieldIndices
+      ? this.formFields.filter((field, index) => !hiddenFieldIndices.includes(index))
+      : null;
+  }
+
+  @lazyCapabilities(apiPath`${'backend'}/roles/${'name'}`, 'backend', 'name') rolePath;
+  @lazyCapabilities(apiPath`${'backend'}/creds/${'name'}`, 'backend', 'name') credsPath;
+  @lazyCapabilities(apiPath`${'backend'}/roles`, 'backend') rolesPath;
+
+  get canCreate() {
+    return this.rolePath.get('canCreate');
+  }
+  get canDelete() {
+    return this.rolePath.get('canDelete');
+  }
+  get canEdit() {
+    return this.rolePath.get('canUpdate');
+  }
+  get canRead() {
+    return this.rolePath.get('canRead');
+  }
+  get canList() {
+    return this.rolesPath.get('canList');
+  }
+  get canGenerateCreds() {
+    return this.credsPath.get('canCreate');
+  }
+}
@@ -154,6 +154,7 @@ Router.map(function () {
         this.route('backends', { path: '/' });
         this.route('backend', { path: '/:backend' }, function () {
           this.mount('kmip');
+          this.mount('kubernetes');
           if (config.environment !== 'production') {
             this.mount('pki');
           }

@@ -131,7 +131,8 @@ export default Route.extend(ModelBoundaryRoute, ClusterRoute, {
       return true;
     },
     loading(transition) {
-      if (transition.queryParamsOnly || Ember.testing) {
+      const isSameRoute = transition.from?.name === transition.to?.name;
+      if (isSameRoute || Ember.testing) {
         return;
       }
       // eslint-disable-next-line ember/no-controller-access-in-routes

@@ -0,0 +1,12 @@
+import ApplicationSerializer from '../application';
+
+export default class KubernetesConfigSerializer extends ApplicationSerializer {
+  primaryKey = 'backend';
+
+  serialize() {
+    const json = super.serialize(...arguments);
+    // remove backend value from payload
+    delete json.backend;
+    return json;
+  }
+}
@@ -0,0 +1,12 @@
+import ApplicationSerializer from '../application';
+
+export default class KubernetesConfigSerializer extends ApplicationSerializer {
+  primaryKey = 'name';
+
+  serialize() {
+    const json = super.serialize(...arguments);
+    // remove backend value from payload
+    delete json.backend;
+    return json;
+  }
+}