From 9db0d8a257bd6089a2fdf216f90c8052eddd6f58 Mon Sep 17 00:00:00 2001
From: Srevin Saju <srevinsaju@sugarlabs.org>
Date: Sun, 2 Jun 2024 00:59:45 +0300
Subject: [PATCH] feat: add extra annotations to customize path of injected
 token and permissions of the token file sink on vault

adds:
* `vault.hashicorp.com/agent-inject-token-file` to specify a different
  path other than `${vault_volume_name}/token`
* `vault.hashicorp.com/agent-inject-token-perms` to specify a different
  permission for the token file, other than the current default, 0640
---
 agent-inject/agent/agent.go       | 10 ++++++-
 agent-inject/agent/annotations.go | 43 ++++++++++++++++++++++++++++---
 agent-inject/agent/config.go      |  3 ++-
 3 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index 67f21d37..368a47e7 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -33,6 +33,8 @@ const (
 	DefaultAgentCacheExitOnErr              = false
 	DefaultAgentUseLeaderElector            = false
 	DefaultAgentInjectToken                 = false
+	DefaultAgentInjectTokenFile             = "token"
+	DefaultAgentInjectTokenPermissions      = 0640
 	DefaultTemplateConfigExitOnRetryFailure = true
 	DefaultServiceAccountMount              = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
 	DefaultEnableQuit                       = false
@@ -169,6 +171,12 @@ type Agent struct {
 	// secrets volume (e.g. /vault/secrets/token)
 	InjectToken bool
 
+	// InjectTokenFile is the file path where the auto-auth token is injected
+	InjectTokenFile string
+
+	// InjectTokenPermissions is the file permissions for the auto-auth token file
+	InjectTokenPermissions int64
+
 	// EnableQuit controls whether the quit endpoint is enabled on a localhost
 	// listener
 	EnableQuit bool
@@ -497,7 +505,7 @@ func New(pod *corev1.Pod) (*Agent, error) {
 		return agent, fmt.Errorf("invalid default template type: %s", agent.DefaultTemplate)
 	}
 
-	agent.InjectToken, err = agent.injectToken()
+	err = agent.injectToken()
 	if err != nil {
 		return agent, err
 	}
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index 4a12a8a1..755f4118 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -84,6 +84,15 @@ const (
 	// auto-auth token into the secrets volume (e.g. /vault/secrets/token)
 	AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token"
 
+	// AnnotationAgentInjectTokenFile is the annotation key for specifying the
+	// path to which the auto-auth token should be written to disk.
+	// (defaults to 'token')
+	AnnotationAgentInjectTokenFile = "vault.hashicorp.com/agent-inject-token-file"
+
+	// AnnotationAgentInjectTokenPermission is the annotation key for specifying the
+	// permission of the token file written to disk. (defaults to '0640')
+	AnnotationAgentInjectTokenPermission = "vault.hashicorp.com/agent-inject-token-perms"
+
 	// AnnotationAgentInjectCommand is the key annotation that configures Vault Agent
 	// to run a command after the secret is rendered. The name of the template is any
 	// unique string after "vault.hashicorp.com/agent-inject-command-". This should map
@@ -880,12 +889,40 @@ func (a *Agent) cacheExitOnErr() (bool, error) {
 	return parseutil.ParseBool(raw)
 }
 
-func (a *Agent) injectToken() (bool, error) {
+func (a *Agent) injectToken() error {
 	raw, ok := a.Annotations[AnnotationAgentInjectToken]
 	if !ok {
-		return DefaultAgentInjectToken, nil
+		a.InjectToken = DefaultAgentInjectToken
+		return nil
 	}
-	return parseutil.ParseBool(raw)
+	injectToken, err := parseutil.ParseBool(raw)
+	if err != nil {
+		return err
+	}
+	a.InjectToken = injectToken
+
+	raw, ok = a.Annotations[AnnotationAgentInjectTokenFile]
+	if !ok {
+		a.InjectTokenFile = DefaultAgentInjectTokenFile
+		return nil
+	}
+	injectTokenPath, err := parseutil.ParseString(raw)
+	if err != nil {
+		return err
+	}
+	a.InjectTokenFile = injectTokenPath
+
+	raw, ok = a.Annotations[AnnotationAgentInjectTokenPermission]
+	if !ok {
+		a.InjectTokenPermissions = DefaultAgentInjectTokenPermissions
+		return nil
+	}
+	injectTokenPermissions, err := parseutil.ParseInt(raw)
+	if err != nil {
+		return err
+	}
+	a.InjectTokenPermissions = injectTokenPermissions
+	return nil
 }
 
 // telemetryConfig accumulates the agent-telemetry annotations into a map which is
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
index e4437291..44cd6129 100644
--- a/agent-inject/agent/config.go
+++ b/agent-inject/agent/config.go
@@ -264,7 +264,8 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 		config.AutoAuth.Sinks = append(config.AutoAuth.Sinks, &Sink{
 			Type: "file",
 			Config: map[string]interface{}{
-				"path": path.Join(a.Annotations[AnnotationVaultSecretVolumePath], "token"),
+				"path": path.Join(a.Annotations[AnnotationVaultSecretVolumePath], a.InjectTokenFile),
+				"mode": a.InjectTokenPermissions,
 			},
 		})
 	}