feat: add extra annotations to customize path of injected token and p…

…ermissions of the token file sink on vault adds: * `vault.hashicorp.com/agent-inject-token-file` to specify a different path other than `${vault_volume_name}/token` * `vault.hashicorp.com/agent-inject-token-perms` to specify a different permission for the token file, other than the current default, 0640
hashicorp · Jun 1, 2024 · 9db0d8a · 9db0d8a
1 parent 6750a2e
commit 9db0d8a
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 5 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -33,6 +33,8 @@ const (
 	DefaultAgentCacheExitOnErr              = false
 	DefaultAgentUseLeaderElector            = false
 	DefaultAgentInjectToken                 = false
+	DefaultAgentInjectTokenFile             = "token"
+	DefaultAgentInjectTokenPermissions      = 0640
 	DefaultTemplateConfigExitOnRetryFailure = true
 	DefaultServiceAccountMount              = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
 	DefaultEnableQuit                       = false
@@ -169,6 +171,12 @@ type Agent struct {
 	// secrets volume (e.g. /vault/secrets/token)
 	InjectToken bool
 
+	// InjectTokenFile is the file path where the auto-auth token is injected
+	InjectTokenFile string
+
+	// InjectTokenPermissions is the file permissions for the auto-auth token file
+	InjectTokenPermissions int64
+
 	// EnableQuit controls whether the quit endpoint is enabled on a localhost
 	// listener
 	EnableQuit bool
@@ -497,7 +505,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 		return agent, fmt.Errorf("invalid default template type: %s", agent.DefaultTemplate)
 	}
 
-	agent.InjectToken, err = agent.injectToken()
+	err = agent.injectToken()
 	if err != nil {
 		return agent, err
 	}

diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
@@ -84,6 +84,15 @@ const (
 	// auto-auth token into the secrets volume (e.g. /vault/secrets/token)
 	AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token"
 
+	// AnnotationAgentInjectTokenFile is the annotation key for specifying the
+	// path to which the auto-auth token should be written to disk.
+	// (defaults to 'token')
+	AnnotationAgentInjectTokenFile = "vault.hashicorp.com/agent-inject-token-file"
+
+	// AnnotationAgentInjectTokenPermission is the annotation key for specifying the
+	// permission of the token file written to disk. (defaults to '0640')
+	AnnotationAgentInjectTokenPermission = "vault.hashicorp.com/agent-inject-token-perms"
+
 	// AnnotationAgentInjectCommand is the key annotation that configures Vault Agent
 	// to run a command after the secret is rendered. The name of the template is any
 	// unique string after "vault.hashicorp.com/agent-inject-command-". This should map
@@ -880,12 +889,40 @@ func (a *Agent) cacheExitOnErr() (bool, error) {
 	return parseutil.ParseBool(raw)
 }
 
-func (a *Agent) injectToken() (bool, error) {
+func (a *Agent) injectToken() error {
 	raw, ok := a.Annotations[AnnotationAgentInjectToken]
 	if !ok {
-		return DefaultAgentInjectToken, nil
+		a.InjectToken = DefaultAgentInjectToken
+		return nil
 	}
-	return parseutil.ParseBool(raw)
+	injectToken, err := parseutil.ParseBool(raw)
+	if err != nil {
+		return err
+	}
+	a.InjectToken = injectToken
+
+	raw, ok = a.Annotations[AnnotationAgentInjectTokenFile]
+	if !ok {
+		a.InjectTokenFile = DefaultAgentInjectTokenFile
+		return nil
+	}
+	injectTokenPath, err := parseutil.ParseString(raw)
+	if err != nil {
+		return err
+	}
+	a.InjectTokenFile = injectTokenPath
+
+	raw, ok = a.Annotations[AnnotationAgentInjectTokenPermission]
+	if !ok {
+		a.InjectTokenPermissions = DefaultAgentInjectTokenPermissions
+		return nil
+	}
+	injectTokenPermissions, err := parseutil.ParseInt(raw)
+	if err != nil {
+		return err
+	}
+	a.InjectTokenPermissions = injectTokenPermissions
+	return nil
 }
 
 // telemetryConfig accumulates the agent-telemetry annotations into a map which is

diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
@@ -264,7 +264,8 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 		config.AutoAuth.Sinks = append(config.AutoAuth.Sinks, &Sink{
 			Type: "file",
 			Config: map[string]interface{}{
-				"path": path.Join(a.Annotations[AnnotationVaultSecretVolumePath], "token"),
+				"path": path.Join(a.Annotations[AnnotationVaultSecretVolumePath], a.InjectTokenFile),
+				"mode": a.InjectTokenPermissions,
 			},
 		})
 	}