Add support for new Vault authentication methods

CHANGELOG.md

@@ -10,6 +10,7 @@
 * [CHANGE] Ingester: changed default `-blocks-storage.tsdb.series-hash-cache-max-size-bytes` setting from `1GB` to `350MB`. The new default cache size is enough to store the hashes for all series in a ingester, assuming up to 2M in-memory series per ingester and using the default 13h retention period for local TSDB blocks in the ingesters. #6129
 * [CHANGE] Query-frontend: removed `cortex_query_frontend_workers_enqueued_requests_total`. Use `cortex_query_frontend_enqueue_duration_seconds_count` instead. #6121
 * [FEATURE] Query-frontend: add experimental support for query blocking. Queries are blocked on a per-tenant basis and is configured via the limit `blocked_queries`. #5609
+* [FEATURE] Vault: Added support for new Vault authentication methods. Can now auth via `AppRole`, `Kubernetes`, `UserPass` and `Token`. #6143
 * [ENHANCEMENT] Ingester: exported summary `cortex_ingester_inflight_push_requests_summary` tracking total number of inflight requests in percentile buckets. #5845
 * [ENHANCEMENT] Query-scheduler: add `cortex_query_scheduler_enqueue_duration_seconds` metric that records the time taken to enqueue or reject a query request. #5879
 * [ENHANCEMENT] Query-frontend: add `cortex_query_frontend_enqueue_duration_seconds` metric that records the time taken to enqueue or reject a query request. When query-scheduler is in use, the metric has the `scheduler_address` label to differentiate the enqueue duration by query-scheduler backend. #5879 #6087 #6120

cmd/mimir/config-descriptor.json

@@ -9422,25 +9422,194 @@
         },
         {
           "kind": "field",
-          "name": "token",
+          "name": "mount_path",
           "required": false,
-          "desc": "Token used to authenticate with Vault",
+          "desc": "Location of secrets engine within Vault",
           "fieldValue": null,
           "fieldDefaultValue": "",
-          "fieldFlag": "vault.token",
+          "fieldFlag": "vault.mount-path",
           "fieldType": "string",
           "fieldCategory": "experimental"
         },
         {
-          "kind": "field",
-          "name": "mount_path",
+          "kind": "block",
+          "name": "auth",
           "required": false,
-          "desc": "Location of secrets engine within Vault",
+          "desc": "",
+          "blockEntries": [
+            {
+              "kind": "field",
+              "name": "type",
+              "required": false,
+              "desc": "Authentication type to use. Supported types are: approle, kubernetes, userpass, token",
+              "fieldValue": null,
+              "fieldDefaultValue": "",
+              "fieldFlag": "vault.auth.type",
+              "fieldType": "string"
+            },
+            {
+              "kind": "block",
+              "name": "app_role",
+              "required": false,
+              "desc": "",
+              "blockEntries": [
+                {
+                  "kind": "field",
+                  "name": "role_id",
+                  "required": false,
+                  "desc": "Role ID of the AppRole",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.approle.role-id",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "secret_id",
+                  "required": false,
+                  "desc": "Secret ID issued against the AppRole",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.approle.secret-id",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "wrapping_token",
+                  "required": false,
+                  "desc": "Response wrapping token if the Secret ID is response wrapped",
+                  "fieldValue": null,
+                  "fieldDefaultValue": false,
+                  "fieldFlag": "vault.auth.approle.wrapping-token",
+                  "fieldType": "boolean"
+                },
+                {
+                  "kind": "field",
+                  "name": "mount_path",
+                  "required": false,
+                  "desc": "Path if the Vault backend was mounted using a non-default path",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.approle.mount-path",
+                  "fieldType": "string"
+                }
+              ],
+              "fieldValue": null,
+              "fieldDefaultValue": null
+            },
+            {
+              "kind": "block",
+              "name": "kubernetes",
+              "required": false,
+              "desc": "",
+              "blockEntries": [
+                {
+                  "kind": "field",
+                  "name": "role_name",
+                  "required": false,
+                  "desc": "The Kubernetes named role",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.kubernetes.role-name",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "service_account_token",
+                  "required": false,
+                  "desc": "The Service Account JWT",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.kubernetes.service-account-token",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "service_account_token_path",
+                  "required": false,
+                  "desc": "Path to where the Kubernetes service account token is mounted. By default it lives at /var/run/secrets/kubernetes.io/serviceaccount/token. Field will be used if the service_account_token is not specified.",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.kubernetes.service-account-token-path",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "mount_path",
+                  "required": false,
+                  "desc": "Path if the Vault backend was mounted using a non-default path",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.kubernetes.mount-path",
+                  "fieldType": "string"
+                }
+              ],
+              "fieldValue": null,
+              "fieldDefaultValue": null
+            },
+            {
+              "kind": "block",
+              "name": "user_pass",
+              "required": false,
+              "desc": "",
+              "blockEntries": [
+                {
+                  "kind": "field",
+                  "name": "username",
+                  "required": false,
+                  "desc": "The userpass auth method username",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.userpass.username",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "password",
+                  "required": false,
+                  "desc": "The userpass auth method password",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.userpass.password",
+                  "fieldType": "string"
+                },
+                {
+                  "kind": "field",
+                  "name": "mount_path",
+                  "required": false,
+                  "desc": "Path if the Vault backend was mounted using a non-default path",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.userpass.mount-path",
+                  "fieldType": "string"
+                }
+              ],
+              "fieldValue": null,
+              "fieldDefaultValue": null
+            },
+            {
+              "kind": "block",
+              "name": "token",
+              "required": false,
+              "desc": "",
+              "blockEntries": [
+                {
+                  "kind": "field",
+                  "name": "token",
+                  "required": false,
+                  "desc": "The token used to authenticate against Vault",
+                  "fieldValue": null,
+                  "fieldDefaultValue": "",
+                  "fieldFlag": "vault.auth.token",
+                  "fieldType": "string"
+                }
+              ],
+              "fieldValue": null,
+              "fieldDefaultValue": null
+            }
+          ],
           "fieldValue": null,
-          "fieldDefaultValue": "",
-          "fieldFlag": "vault.mount-path",
-          "fieldType": "string",
-          "fieldCategory": "experimental"
+          "fieldDefaultValue": null
         }
       ],
       "fieldValue": null,

cmd/mimir/help-all.txt.tmpl

@@ -2629,12 +2629,36 @@ Usage of ./cmd/mimir/mimir:
     	Maximum number of buckets per native histogram sample. 0 to disable the limit.
   -validation.separate-metrics-group-label string
     	[experimental] Label used to define the group label for metrics separation. For each write request, the group is obtained from the first non-empty group label from the first timeseries in the incoming list of timeseries. Specific distributor and ingester metrics will be further separated adding a 'group' label with group label's value. Currently applies to the following metrics: cortex_discarded_samples_total
+  -vault.auth.approle.mount-path string
+    	Path if the Vault backend was mounted using a non-default path
+  -vault.auth.approle.role-id string
+    	Role ID of the AppRole
+  -vault.auth.approle.secret-id string
+    	Secret ID issued against the AppRole
+  -vault.auth.approle.wrapping-token
+    	Response wrapping token if the Secret ID is response wrapped
+  -vault.auth.kubernetes.mount-path string
+    	Path if the Vault backend was mounted using a non-default path
+  -vault.auth.kubernetes.role-name string
+    	The Kubernetes named role
+  -vault.auth.kubernetes.service-account-token string
+    	The Service Account JWT
+  -vault.auth.kubernetes.service-account-token-path string
+    	Path to where the Kubernetes service account token is mounted. By default it lives at /var/run/secrets/kubernetes.io/serviceaccount/token. Field will be used if the service_account_token is not specified.
+  -vault.auth.token string
+    	The token used to authenticate against Vault
+  -vault.auth.type string
+    	Authentication type to use. Supported types are: approle, kubernetes, userpass, token
+  -vault.auth.userpass.mount-path string
+    	Path if the Vault backend was mounted using a non-default path
+  -vault.auth.userpass.password string
+    	The userpass auth method password
+  -vault.auth.userpass.username string
+    	The userpass auth method username
   -vault.enabled
     	[experimental] Enables fetching of keys and certificates from Vault
   -vault.mount-path string
     	[experimental] Location of secrets engine within Vault
-  -vault.token string
-    	[experimental] Token used to authenticate with Vault
   -vault.url string
     	[experimental] Location of the Vault server
   -version

cmd/mimir/help.txt.tmpl

@@ -709,6 +709,32 @@ Usage of ./cmd/mimir/mimir:
     	Maximum length accepted for metric metadata. Metadata refers to Metric Name, HELP and UNIT. Longer metadata is dropped except for HELP which is truncated. (default 1024)
   -validation.max-native-histogram-buckets int
     	Maximum number of buckets per native histogram sample. 0 to disable the limit.
+  -vault.auth.approle.mount-path string
+    	Path if the Vault backend was mounted using a non-default path
+  -vault.auth.approle.role-id string
+    	Role ID of the AppRole
+  -vault.auth.approle.secret-id string
+    	Secret ID issued against the AppRole
+  -vault.auth.approle.wrapping-token
+    	Response wrapping token if the Secret ID is response wrapped
+  -vault.auth.kubernetes.mount-path string
+    	Path if the Vault backend was mounted using a non-default path
+  -vault.auth.kubernetes.role-name string
+    	The Kubernetes named role
+  -vault.auth.kubernetes.service-account-token string
+    	The Service Account JWT
+  -vault.auth.kubernetes.service-account-token-path string
+    	Path to where the Kubernetes service account token is mounted. By default it lives at /var/run/secrets/kubernetes.io/serviceaccount/token. Field will be used if the service_account_token is not specified.
+  -vault.auth.token string
+    	The token used to authenticate against Vault
+  -vault.auth.type string
+    	Authentication type to use. Supported types are: approle, kubernetes, userpass, token
+  -vault.auth.userpass.mount-path string
+    	Path if the Vault backend was mounted using a non-default path
+  -vault.auth.userpass.password string
+    	The userpass auth method password
+  -vault.auth.userpass.username string
+    	The userpass auth method username
   -version
     	Print application version and exit.
 

docs/sources/mimir/references/configuration-parameters/index.md

@@ -229,14 +229,70 @@ vault:
   # CLI flag: -vault.url
   [url: <string> | default = ""]
 
-  # (experimental) Token used to authenticate with Vault
-  # CLI flag: -vault.token
-  [token: <string> | default = ""]
-
   # (experimental) Location of secrets engine within Vault
   # CLI flag: -vault.mount-path
   [mount_path: <string> | default = ""]
 
+  auth:
+    # Authentication type to use. Supported types are: approle, kubernetes,
+    # userpass, token
+    # CLI flag: -vault.auth.type
+    [type: <string> | default = ""]
+
+    app_role:
+      # Role ID of the AppRole
+      # CLI flag: -vault.auth.approle.role-id
+      [role_id: <string> | default = ""]
+
+      # Secret ID issued against the AppRole
+      # CLI flag: -vault.auth.approle.secret-id
+      [secret_id: <string> | default = ""]
+
+      # Response wrapping token if the Secret ID is response wrapped
+      # CLI flag: -vault.auth.approle.wrapping-token
+      [wrapping_token: <boolean> | default = false]
+
+      # Path if the Vault backend was mounted using a non-default path
+      # CLI flag: -vault.auth.approle.mount-path
+      [mount_path: <string> | default = ""]
+
+    kubernetes:
+      # The Kubernetes named role
+      # CLI flag: -vault.auth.kubernetes.role-name
+      [role_name: <string> | default = ""]
+
+      # The Service Account JWT
+      # CLI flag: -vault.auth.kubernetes.service-account-token
+      [service_account_token: <string> | default = ""]
+
+      # Path to where the Kubernetes service account token is mounted. By
+      # default it lives at /var/run/secrets/kubernetes.io/serviceaccount/token.
+      # Field will be used if the service_account_token is not specified.
+      # CLI flag: -vault.auth.kubernetes.service-account-token-path
+      [service_account_token_path: <string> | default = ""]
+
+      # Path if the Vault backend was mounted using a non-default path
+      # CLI flag: -vault.auth.kubernetes.mount-path
+      [mount_path: <string> | default = ""]
+
+    user_pass:
+      # The userpass auth method username
+      # CLI flag: -vault.auth.userpass.username
+      [username: <string> | default = ""]
+
+      # The userpass auth method password
+      # CLI flag: -vault.auth.userpass.password
+      [password: <string> | default = ""]
+
+      # Path if the Vault backend was mounted using a non-default path
+      # CLI flag: -vault.auth.userpass.mount-path
+      [mount_path: <string> | default = ""]
+
+    token:
+      # The token used to authenticate against Vault
+      # CLI flag: -vault.auth.token
+      [token: <string> | default = ""]
+
 # The ruler block configures the ruler.
 [ruler: <ruler>]
 

go.mod

@@ -179,6 +179,9 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/memberlist v0.5.0 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
+	github.com/hashicorp/vault/api/auth/approle v0.5.0
+	github.com/hashicorp/vault/api/auth/kubernetes v0.5.0
+	github.com/hashicorp/vault/api/auth/userpass v0.5.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jessevdk/go-flags v1.5.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect