Documentation: Authenticate using approle in provider with secure secret_id #6

Closed
swarren83 opened this issue Jul 28, 2023 · 6 comments · Fixed by #15
Labels
enhancement New feature or request

Comments

@swarren83 (Contributor) commented Jul 28, 2023

What problem are you facing?

Missing example/documentation on how to use an AppRole to authenticate the provider to Vault.

How could Upbound help solve your problem?

Add an example that uses an AppRole to authenticate to Vault in the provider. Include configuration that loads the AppRole secret_id from a k8s secret.

```yaml
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-vault
spec:
  package: 'xpkg.upbound.io/upbound/provider-vault:v0.1.0'
  controllerConfigRef:
    name: vault-controller
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: vault-controller
spec:
  podSecurityContext: {}
  replicas: 1
  securityContext: {}
---
apiVersion: vault.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: vault-provider-config
spec:
  address: https://VAULT_ADDR
  namespace: NAMESPACE
  skip_tls_verify: true
  credentials:
    source: Secret
    secretRef:
      name: vault-creds
      namespace: vault
      key: credentials
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-creds
  namespace: vault
type: Opaque
stringData:
  # WARNING: DO NOT CHECK REAL TOKENS INTO GIT
  credentials: |
    {
      "auth_login": "{\"path\":\"auth/approle/login\",\"namespace\":\"NAMESPACE\",\"parameters\":{\"role_id\":\"ROLE_ID\",\"secret_id\":\"SECRET_ID\"}}"
    }
---
apiVersion: approle.vault.upbound.io/v1alpha1
kind: AuthBackendLogin
metadata:
  name: approle-auth-backend
spec:
  forProvider:
    namespace: NAMESPACE
    roleId: "ROLE_ID"
  providerConfigRef:
    name: vault-provider-config
```
swarren83 added the enhancement label Jul 28, 2023

@swarren83 (Contributor, Author) commented Jul 28, 2023

I keep getting the following error with the provided manifests:

```
kubectl get authbackendlogins.approle.vault.upbound.io -o yaml
...
      message: 'observe failed: cannot run refresh: refresh failed: Incorrect JSON
        value type: Either a JSON object or a JSON array is required, representing
        the contents of one or more "auth_login" blocks.'
```

@linuxbsdfreak commented:

@swarren83 Facing the same issue. The docs are not very clear.

@turkenh (Member) commented Aug 10, 2023

The error message indicates the value you're using for "auth_login" should be either a JSON object or JSON array, whereas the value in your credentials has it as a string (i.e. value for "auth_login" starts with a ").

Can you try with the following secret?

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: vault-creds
  namespace: vault
type: Opaque
stringData:
  # WARNING: DO NOT CHECK REAL TOKENS INTO GIT
  credentials: |
    {"auth_login":{"path":"auth/approle/login","namespace":"NAMESPACE","parameters":{"role_id":"ROLE_ID","secret_id":"SECRET_ID"}}}
```
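A small pre-apply check for the `credentials` document discussed in this thread (an added example, not code from the issue or from provider-vault): it parses the Secret's `credentials` JSON, detects the double-encoded `auth_login` string from the first manifest and unwraps it into the object form the provider expects, then verifies each login block has a `path` and `parameters` and, for an AppRole login path, `role_id` and `secret_id`. The function name `normalize_credentials` and the specific checks are assumptions; the provider itself only reports the "Either a JSON object or a JSON array is required" error.

```python
import json

# Constructed sample: the "credentials" value from the Secret in the issue's
# first comment. auth_login is a JSON *string* here, which is the form the
# provider rejects ("Either a JSON object or a JSON array is required").
DOUBLE_ENCODED = r'''{
  "auth_login": "{\"path\":\"auth/approle/login\",\"namespace\":\"NAMESPACE\",\"parameters\":{\"role_id\":\"ROLE_ID\",\"secret_id\":\"SECRET_ID\"}}"
}'''

REQUIRED_APPROLE_PARAMS = ("role_id", "secret_id")


def normalize_credentials(text: str) -> tuple[dict, list[str]]:
    """Parse a credentials document and return (normalized, findings).
    A double-encoded auth_login string is decoded into the object form;
    anything else unexpected is reported as a finding (assumed checks)."""
    findings: list[str] = []
    creds = json.loads(text)
    block = creds.get("auth_login")
    if block is None:
        findings.append("auth_login missing")
        return creds, findings
    if isinstance(block, str):
        # The bug from the issue: the inner object was serialized to a string.
        try:
            block = json.loads(block)
        except json.JSONDecodeError:
            findings.append("auth_login is a string that is not valid JSON")
            return creds, findings
        findings.append("auth_login was double-encoded; unwrapped to a JSON object")
        creds["auth_login"] = block
    # The error text says one block (object) or several (array) are accepted.
    blocks = block if isinstance(block, list) else [block]
    for b in blocks:
        if not isinstance(b, dict):
            findings.append("auth_login entry is not a JSON object")
            continue
        if "path" not in b:
            findings.append("auth_login block has no 'path'")
        params = b.get("parameters")
        if not isinstance(params, dict):
            findings.append("auth_login block has no 'parameters' object")
            continue
        if str(b.get("path", "")).endswith("approle/login"):
            for key in REQUIRED_APPROLE_PARAMS:
                if key not in params:
                    findings.append(f"approle login is missing parameters.{key}")
    return creds, findings


if __name__ == "__main__":
    fixed, notes = normalize_credentials(DOUBLE_ENCODED)
    print("\n".join(notes))
    print(json.dumps(fixed))
```

Run it against the `credentials` value before applying the Secret; the printed JSON is the single-line object form shown in the corrected Secret above.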

@swarren83 (Contributor, Author) commented:

@turkenh Thank you for submitting #9. I will test it when a new release is pushed.

@swarren83 (Contributor, Author) commented:

@turkenh Do you know when a new release will be created?

@swarren83 (Contributor, Author) commented:

Tested this in v0.3.0. Will review current documentation and add as needed.
