Use newer kubernetes authentication method in internal vault client #25351

Merged
merged 1 commit into from
Jul 28, 2022
Expand Up @@ -17,6 +17,7 @@
from typing import List, Optional

import hvac
from hvac.api.auth_methods import Kubernetes
from hvac.exceptions import InvalidPath, VaultError
from requests import Response

Expand Down Expand Up @@ -255,9 +256,11 @@ def _auth_kubernetes(self, _client: hvac.Client) -> None:
with open(self.kubernetes_jwt_path) as f:
jwt = f.read().strip()
if self.auth_mount_point:
_client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt, mount_point=self.auth_mount_point)
Kubernetes(_client.adapter).login(
role=self.kubernetes_role, jwt=jwt, mount_point=self.auth_mount_point
)
else:
_client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt)
Kubernetes(_client.adapter).login(role=self.kubernetes_role, jwt=jwt)

def _auth_github(self, _client: hvac.Client) -> None:
if self.auth_mount_point:
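Review bot: Both new `Kubernetes(_client.adapter).login(...)` calls discard the return value, so `_client` ends up authenticated only because `login()` stores the issued token on the adapter the client shares (hvac's `use_token` parameter, which defaults to true). That is not obvious at the call site and deserves a comment, e.g. `# login() stores the Vault token on _client's adapter (use_token defaults to True)`. The two branches differ only in `mount_point`, so they could be a single call that adds the keyword when `self.auth_mount_point` is set. The `def` line of `_auth_kubernetes` is visible only in the hunk header, so anything between it and the `open()` call is not shown here.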
20 changes: 14 additions & 6 deletions tests/providers/hashicorp/_internal_client/test_vault_client.py
Expand Up @@ -310,7 +310,8 @@ def test_github_missing_token(self, mock_hvac):
_VaultClient(auth_type="github", url="http://localhost:8180")

@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_kubernetes_default_path(self, mock_hvac):
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.Kubernetes")
def test_kubernetes_default_path(self, mock_kubernetes, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
Expand All @@ -320,12 +321,14 @@ def test_kubernetes_default_path(self, mock_hvac):
client = vault_client.client
mock_file.assert_called_with("/var/run/secrets/kubernetes.io/serviceaccount/token")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
mock_kubernetes.assert_called_with(mock_client.adapter)
mock_kubernetes.return_value.login.assert_called_with(role="kube_role", jwt="data")
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version

@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_kubernetes(self, mock_hvac):
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.Kubernetes")
def test_kubernetes(self, mock_kubernetes, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
Expand All @@ -338,12 +341,14 @@ def test_kubernetes(self, mock_hvac):
client = vault_client.client
mock_file.assert_called_with("path")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
mock_kubernetes.assert_called_with(mock_client.adapter)
mock_kubernetes.return_value.login.assert_called_with(role="kube_role", jwt="data")
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version

@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_kubernetes_different_auth_mount_point(self, mock_hvac):
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.Kubernetes")
def test_kubernetes_different_auth_mount_point(self, mock_kubernetes, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
Expand All @@ -357,7 +362,10 @@ def test_kubernetes_different_auth_mount_point(self, mock_hvac):
client = vault_client.client
mock_file.assert_called_with("path")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data", mount_point="other")
mock_kubernetes.assert_called_with(mock_client.adapter)
mock_kubernetes.return_value.login.assert_called_with(
role="kube_role", jwt="data", mount_point='other'
)
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version

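Review bot: None of the updated Kubernetes tests asserts that the deprecated `auth_kubernetes` method is no longer called, and because `mock_client` is a `MagicMock` a leftover call would pass silently. Adding `mock_client.auth_kubernetes.assert_not_called()` after the `login` assertion in each test would pin the migration. With `Kubernetes` patched out entirely, `client.is_authenticated.assert_called_with()` shows only that the check was invoked, not that login left a token on the client, so these tests do not demonstrate that the new path authenticates. The same applies to the three Kubernetes tests in tests/providers/hashicorp/hooks/test_vault.py. Each test body is shown only in part, between collapsed regions.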
18 changes: 12 additions & 6 deletions tests/providers/hashicorp/hooks/test_vault.py
Expand Up @@ -539,7 +539,8 @@ def test_github_dejson(self, mock_hvac, mock_get_connection):

@mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_kubernetes_default_path(self, mock_hvac, mock_get_connection):
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.Kubernetes")
def test_kubernetes_default_path(self, mock_kubernetes, mock_hvac, mock_get_connection):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_connection = self.get_mock_connection()
Expand All @@ -560,13 +561,15 @@ def test_kubernetes_default_path(self, mock_hvac, mock_get_connection):
mock_get_connection.assert_called_with("vault_conn_id")
mock_file.assert_called_with("/var/run/secrets/kubernetes.io/serviceaccount/token")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
test_client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
mock_kubernetes.assert_called_with(mock_client.adapter)
mock_kubernetes.return_value.login.assert_called_with(role="kube_role", jwt="data")
test_client.is_authenticated.assert_called_with()
assert 2 == test_hook.vault_client.kv_engine_version

@mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_kubernetes_init_params(self, mock_hvac, mock_get_connection):
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.Kubernetes")
def test_kubernetes_init_params(self, mock_kubernetes, mock_hvac, mock_get_connection):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_connection = self.get_mock_connection()
Expand All @@ -588,13 +591,15 @@ def test_kubernetes_init_params(self, mock_hvac, mock_get_connection):
mock_get_connection.assert_called_with("vault_conn_id")
mock_file.assert_called_with("path")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
test_client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
mock_kubernetes.assert_called_with(mock_client.adapter)
mock_kubernetes.return_value.login.assert_called_with(role="kube_role", jwt="data")
test_client.is_authenticated.assert_called_with()
assert 2 == test_hook.vault_client.kv_engine_version

@mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_kubernetes_dejson(self, mock_hvac, mock_get_connection):
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.Kubernetes")
def test_kubernetes_dejson(self, mock_kubernetes, mock_hvac, mock_get_connection):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_connection = self.get_mock_connection()
Expand All @@ -615,7 +620,8 @@ def test_kubernetes_dejson(self, mock_hvac, mock_get_connection):
mock_get_connection.assert_called_with("vault_conn_id")
mock_file.assert_called_with("path")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
test_client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
mock_kubernetes.assert_called_with(mock_client.adapter)
mock_kubernetes.return_value.login.assert_called_with(role="kube_role", jwt="data")
test_client.is_authenticated.assert_called_with()
assert 2 == test_hook.vault_client.kv_engine_version
