How to unit test with Kubernetes auth?

I’ve implemented hello-vault-go/sample-app at main · hashicorp/hello-vault-go · GitHub, except I am using Kubernetes Authentication. Things work with integration-style tests, but for unit testing I’d like some advice. I am using github.com/hashicorp/vault/sdk/helper/testcluster/docker to create a Vault server, but I get permission denied errors from Vault when logging in. I suspect this is because when I configure Kubernetes Auth in the test, it’s not pointing to a real cluster.

Is there a framework I can use or a flag I can set in Vault to assist in enabling Kubernetes Auth for testing? Or do I have to mock all of the client calls?

Hi Aye,

Would you mind sharing how you are authenticating your k8s cluster in your Vault server?
In the meantime I am sharing how I am doing it at the moment:

#!/bin/bash
# Usage: bash vault.sh setupVault <cluster-name> <namespace>
# $1 is not used (setupVault is always called); $2 names the auth mount
# and the role, $3 is the namespace the application's service account lives in.
set -eo pipefail

# Vault Settings
MY_VAULT_ADDR="$VAULT_ADDR"
MY_VAULT_TOKEN="$VAULT_TOKEN"   # the vault CLI also reads VAULT_TOKEN from the environment

# Kubernetes settings
CLUSTER="$2"
NS="$3"

setupVault() {

  # Long-lived token for the "vault" service account; Vault uses it as the token reviewer JWT
  kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-token-g955r
  namespace: security
  annotations:
    kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token
EOF

  VAULT_HELM_SECRET_NAME=$(kubectl -n security get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')

  # Write the reviewer JWT, the cluster CA and the API server URL to files;
  # "vault write" reads them back below with the @file syntax.
  # Note: "base64 -D" is the macOS flag; GNU coreutils uses "base64 -d".
  kubectl -n security get secret "$VAULT_HELM_SECRET_NAME" -ojsonpath="{ .data.token }" | base64 -D > k8s_token
  kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 -D > k8s_ca
  kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}' > k8s_host

  kubectl -n security describe secret "$VAULT_HELM_SECRET_NAME"

  echo Enable kubernetes auth method
  vault auth enable -address="$MY_VAULT_ADDR" -path="$CLUSTER" -namespace="*" kubernetes

  echo Configure kubernetes cluster into vault
  vault write -address="$MY_VAULT_ADDR" "auth/$CLUSTER/config" \
     token_reviewer_jwt=@k8s_token \
     kubernetes_host=@k8s_host \
     kubernetes_ca_cert=@k8s_ca \
     issuer="https://kubernetes.default.svc.cluster.local"

  echo Create kubernetes application role
  # Only the named service account in the given namespace may log in with this role
  vault write -address="$MY_VAULT_ADDR" "auth/$CLUSTER/role/$CLUSTER-app" \
     bound_service_account_names="$CLUSTER-app" \
     bound_service_account_namespaces="$NS" \
     policies="$CLUSTER-app" \
     ttl=5m

  echo Reading application role
  vault read -address="$MY_VAULT_ADDR" "auth/$CLUSTER/role/$CLUSTER-app"

}
setupVault

bash vault.sh setupVault kubernetes

The script sets up the k8s cluster you are currently authenticated to.
PS: It doesn’t support contexts for now.

Hope that helps you somehow.

For unit testing, I won’t have a k8s cluster available, so I don’t think I’ll be able to set this up. I decided to use interfaces and mocks in my Vault client, which is working for now. Thank you for your response!
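The interface-and-mock approach Aye settled on, as an added Go example that is not code from the hello-vault-go sample app or from either poster. It assumes the application only needs two Vault operations (a Kubernetes login and a secret read), so those are put behind a small `VaultAuth` interface; the production implementation would wrap the hashicorp/vault/api client (assumed, not shown), while tests use `FakeVault`, an in-memory stand-in that returns the same permission denied failure Vault gives for a JWT or role the mount does not accept. The `App`, `FakeVault`, `NewTestApp` names, the constructed JWT value and the secret path are all assumptions; the default token file path is the projected service-account token path a pod normally sees.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// VaultAuth is the narrow surface the application needs from Vault. The real
// implementation (assumed, not shown) would wrap the hashicorp/vault/api client;
// unit tests supply FakeVault instead, so no cluster or Vault server is needed.
type VaultAuth interface {
	// KubernetesLogin exchanges a service-account JWT for a Vault token under
	// the given role at the given auth mount (e.g. "auth/kubernetes").
	KubernetesLogin(ctx context.Context, mountPath, role, jwt string) (string, error)
	// ReadSecret reads a secret using the token obtained from KubernetesLogin.
	ReadSecret(ctx context.Context, token, path string) (map[string]string, error)
}

// ErrPermissionDenied mirrors the 403 "permission denied" Vault returns when
// the JWT or role is not accepted by the Kubernetes auth mount.
var ErrPermissionDenied = errors.New("vault: permission denied")

// defaultTokenFile is where a pod finds its projected service-account token.
const defaultTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// App holds the parameters that would normally come from the pod's environment.
type App struct {
	Vault     VaultAuth
	MountPath string // e.g. "auth/kubernetes"
	Role      string // e.g. "sample-app"
	TokenFile string // empty means defaultTokenFile
}

// FetchSecret reads the service-account JWT, logs in to Vault, and reads one secret.
// Every failure is wrapped so the caller can still use errors.Is on the cause.
func (a *App) FetchSecret(ctx context.Context, secretPath string) (map[string]string, error) {
	file := a.TokenFile
	if file == "" {
		file = defaultTokenFile
	}
	jwt, err := os.ReadFile(file)
	if err != nil {
		return nil, fmt.Errorf("read service account token: %w", err)
	}
	token, err := a.Vault.KubernetesLogin(ctx, a.MountPath, a.Role, string(jwt))
	if err != nil {
		return nil, fmt.Errorf("kubernetes login: %w", err)
	}
	return a.Vault.ReadSecret(ctx, token, secretPath)
}

// FakeVault accepts exactly one JWT/role pair on one mount and serves a fixed
// map of secrets; anything else gets ErrPermissionDenied, like a real mount.
type FakeVault struct {
	WantMount string
	WantJWT   string
	WantRole  string
	Secrets   map[string]map[string]string
	issued    string // the token handed out by the last successful login
}

func (f *FakeVault) KubernetesLogin(_ context.Context, mountPath, role, jwt string) (string, error) {
	if mountPath != f.WantMount || role != f.WantRole || jwt != f.WantJWT {
		return "", ErrPermissionDenied
	}
	f.issued = "hvs.constructed-fake-token" // constructed value for the test
	return f.issued, nil
}

func (f *FakeVault) ReadSecret(_ context.Context, token, path string) (map[string]string, error) {
	if token == "" || token != f.issued {
		return nil, ErrPermissionDenied
	}
	s, ok := f.Secrets[path]
	if !ok {
		return nil, fmt.Errorf("vault: no secret at %q", path)
	}
	return s, nil
}

// NewTestApp writes a constructed JWT to dir and wires an App to a FakeVault
// that only accepts the JWT "eyJ.constructed.jwt" with the role "sample-app".
func NewTestApp(dir, jwt, role string) (*App, error) {
	tokenFile := filepath.Join(dir, "token")
	if err := os.WriteFile(tokenFile, []byte(jwt), 0o600); err != nil {
		return nil, err
	}
	fake := &FakeVault{
		WantMount: "auth/kubernetes",
		WantJWT:   "eyJ.constructed.jwt",
		WantRole:  "sample-app",
		Secrets:   map[string]map[string]string{"kv/data/api-key": {"apiKey": "constructed-key"}},
	}
	return &App{Vault: fake, MountPath: "auth/kubernetes", Role: role, TokenFile: tokenFile}, nil
}

func main() {
	app, err := NewTestApp(os.TempDir(), "eyJ.constructed.jwt", "sample-app")
	if err != nil {
		panic(err)
	}
	secret, err := app.FetchSecret(context.Background(), "kv/data/api-key")
	fmt.Println(secret, err)
}
```

The point of the split is that `FetchSecret` contains all the logic worth unit testing (where the JWT comes from, which mount and role are used, how a login failure surfaces), while everything that actually needs a cluster stays behind the interface and is only exercised by the integration tests mentioned in the question.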