diff --git a/backend.go b/backend.go
index b8c64bcf..3c06d7d9 100644
--- a/backend.go
+++ b/backend.go
@@ -17,14 +17,14 @@ const (
 
 // aliasNameSourceUnset provides backwards compatibility with preexisting roles.
 aliasNameSourceUnset = ""
- aliasNameSourceSAToken = "sa_token"
- aliasNameSourceSAPath = "sa_path"
- aliasNameSourceDefault = aliasNameSourceSAToken
+ aliasNameSourceSAUid = "serviceaccount_uid"
+ aliasNameSourceSAName = "serviceaccount_name"
+ aliasNameSourceDefault = aliasNameSourceSAUid
 )
 
 var (
 // when adding new alias name sources make sure to update the corresponding FieldSchema description in path_role.go
- aliasNameSources = []string{aliasNameSourceSAToken, aliasNameSourceSAPath}
+ aliasNameSources = []string{aliasNameSourceSAUid, aliasNameSourceSAName}
 errInvalidAliasNameSource = fmt.Errorf(`invalid alias_name_source, must be one of: %s`, strings.Join(aliasNameSources, ", "))
 )
 
diff --git a/path_login.go b/path_login.go
index a1eaecea..a76aa95f 100644
--- a/path_login.go
+++ b/path_login.go
@@ -156,13 +156,13 @@ func (b *kubeAuthBackend) getFieldValueStr(data *framework.FieldData, param stri
 
 func (b *kubeAuthBackend) getAliasName(role *roleStorageEntry, serviceAccount *serviceAccount) (string, error) {
 switch role.AliasNameSource {
- case aliasNameSourceSAToken, aliasNameSourceUnset:
+ case aliasNameSourceSAUid, aliasNameSourceUnset:
 uid, err := serviceAccount.uid()
 if err != nil {
 return "", err
 }
 return uid, nil
- case aliasNameSourceSAPath:
+ case aliasNameSourceSAName:
 return fmt.Sprintf("%s/%s", serviceAccount.Namespace, serviceAccount.Name), nil
 default:
 return "", fmt.Errorf("unknown alias_name_source %q", role.AliasNameSource)
diff --git a/path_login_test.go b/path_login_test.go
index f049aca0..d5fe753c 100644
--- a/path_login_test.go
+++ b/path_login_test.go
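Review bot: Any role already persisted with the old identifiers `sa_token` or `sa_path` would now fall through to the `default` branch of `getAliasName` and fail every login with `unknown alias_name_source`, because the switch matches only the new constants and `role.AliasNameSource` is read from storage as-is. The `aliasNameSourceUnset` case shows the code already cares about preexisting roles, so if the old values ever shipped in a release, keep them as deprecated aliases rather than breaking those roles, e.g. `case aliasNameSourceSAUid, aliasNameSourceUnset, "sa_token":` and `case aliasNameSourceSAName, "sa_path":` (ideally via deprecated constants next to the new ones in backend.go). Do not resolve this by silently falling back to the default source: the alias name decides which identity entity a login binds to, so a quiet switch from name to UID (or vice versa) would re-map tokens onto different entities and their policies, and failing closed is the safer of the two wrong outcomes. If the old names were never released, a sentence in the commit message saying so would settle the question. The closing brace of getAliasName lies outside the hunk.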
@@ -610,25 +610,25 @@ func TestAliasLookAhead(t *testing.T) {
 config: defaultTestBackendConfig(),
 wantErr: errors.New("missing jwt"),
 },
- "sa_token": {
+ "serviceaccount_uid": {
 role: "plugin-test",
 jwt: jwtData,
 config: &testBackendConfig{
 pems: testDefaultPEMs,
 saName: testName,
 saNamespace: testNamespace,
- aliasNameSource: aliasNameSourceSAToken,
+ aliasNameSource: aliasNameSourceSAUid,
 },
 expectedAliasName: testUID,
 },
- "sa_path": {
+ "serviceaccount_name": {
 role: "plugin-test",
 jwt: jwtData,
 config: &testBackendConfig{
 pems: testDefaultPEMs,
 saName: testName,
 saNamespace: testNamespace,
- aliasNameSource: aliasNameSourceSAPath,
+ aliasNameSource: aliasNameSourceSAName,
 },
 expectedAliasName: fmt.Sprintf("%s/%s", testNamespace, testName),
 },
diff --git a/path_role.go b/path_role.go
index 7f3b3ed5..3822d19b 100644
--- a/path_role.go
+++ b/path_role.go
@@ -56,7 +56,7 @@ valid choices:
 %q : e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice)
 %q : / e.g. vault/vault-agent
 default: %q
-`, aliasNameSourceSAToken, aliasNameSourceSAPath, aliasNameSourceDefault),
+`, aliasNameSourceSAUid, aliasNameSourceSAName, aliasNameSourceDefault),
 Default: aliasNameSourceDefault,
 },
 "policies": {
diff --git a/path_role_test.go b/path_role_test.go
index d67a01e3..3abafa38 100644
--- a/path_role_test.go
+++ b/path_role_test.go
@@ -73,7 +73,7 @@ func TestPath_Create(t *testing.T) {
 AliasNameSource: aliasNameSourceDefault,
 },
 },
- "alias_name_source_sa_path": {
+ "alias_name_source_serviceaccount_name": {
 data: map[string]interface{}{
 "bound_service_account_names": "name",
 "bound_service_account_namespaces": "namespace",
@@ -82,7 +82,7 @@ func TestPath_Create(t *testing.T) {
 "ttl": "1s",
 "num_uses": 12,
 "max_ttl": "5s",
- "alias_name_source": aliasNameSourceSAPath,
+ "alias_name_source": aliasNameSourceSAName,
 },
 expected: &roleStorageEntry{
 TokenParams: tokenutil.TokenParams{
@@ -101,7 +101,7 @@ func TestPath_Create(t *testing.T) {
 MaxTTL: 5 * time.Second,
 NumUses: 12,
 BoundCIDRs: nil,
- AliasNameSource: aliasNameSourceSAPath,
+ AliasNameSource: aliasNameSourceSAName,
 },
 },
 "invalid_alias_name_source": {