Affected by GO-2023-1986 and 10 other vulnerabilities
GO-2023-1986 : HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault
GO-2023-2063 : HashiCorp Vault Improper Input Validation vulnerability in github.com/hashicorp/vault
GO-2023-2088 : Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
GO-2023-2329 : HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
GO-2024-2617 : Authentication bypass in github.com/hashicorp/vault
GO-2024-2690 : HashiCorp Vault does not correctly validate OCSP responses in github.com/hashicorp/vault
GO-2024-2921 : HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault
GO-2024-2982 : Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault
GO-2024-3162 : Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault
GO-2024-3191 : Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault
GO-2024-3246 : Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault
Package: github.com/hashicorp/vault/serviceregistration/kubernetes/testing
Version: v1.11.12
Published: Jun 19, 2023
License: MPL-2.0
Imports: 12
Imported by: 0
README
How to Test Manually
$ minikube start
In the Vault folder, $ make dev XC_ARCH=amd64 XC_OS=linux XC_OSARCH=linux/amd64
Create a file called vault-test.yaml with the following contents:

    apiVersion: v1
    kind: Pod
    metadata:
      name: vault
    spec:
      containers:
        - name: nginx
          image: nginx
          command: [ "sh", "-c"]
          args:
            - while true; do
                echo -en '\n';
                printenv VAULT_K8S_POD_NAME VAULT_K8S_NAMESPACE;
                sleep 10;
              done;
          env:
            - name: VAULT_K8S_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: VAULT_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: Never

Create the pod: $ kubectl apply -f vault-test.yaml
View the full initial state of the pod: $ kubectl get pod vault -o=yaml > initialstate.txt
Drop the Vault binary into the pod: $ kubectl cp bin/vault /vault:/
Drop to the shell within the pod: $ kubectl exec -it vault -- /bin/bash
Install a text editor: $ apt-get update, $ apt-get install nano
Write a test Vault config to vault.config like:

    storage "inmem" {}
    service_registration "kubernetes" {}
    disable_mlock = true
    ui = true
    api_addr = "http://127.0.0.1:8200"
    log_level = "debug"

Run Vault: $ ./vault server -config=vault.config -dev -dev-root-token-id=root
If 403s are received, you may need to grant RBAC permissions; an example is here: https://github.com/fabric8io/fabric8/issues/6840#issuecomment-307560275
In a separate window outside the pod, view the resulting state of the pod: $ kubectl get pod vault -o=yaml > currentstate.txt
View the differences: $ diff initialstate.txt currentstate.txt
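
For the 403 step above, a namespaced Role limited to the pod verbs that Vault's Kubernetes service registration documentation lists (get, update, patch) is enough for this test. This is an added example, not part of the original README or the linked issue; it assumes the pod runs in the default namespace under the default service account, and the Role and RoleBinding names are made up.

```yaml
# Added example: least-privilege RBAC for the pod created from vault-test.yaml.
# Assumptions: namespace "default" and service account "default"
# (vault-test.yaml sets neither); object names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-pod-registration        # hypothetical name
  namespace: default
rules:
  - apiGroups: [""]                   # core API group, where pods live
    resources: ["pods"]
    resourceNames: ["vault"]          # pod name from vault-test.yaml; only this pod
    verbs: ["get", "update", "patch"] # no list, watch, create or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-pod-registration        # hypothetical name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: default                     # assumed: the pod's service account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-pod-registration
# Check the grant before rerunning Vault:
#   kubectl auth can-i patch pods/vault -n default --as=system:serviceaccount:default:default
```

Delete both objects when the manual test is finished so the default service account does not keep write access to the pod.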
Documentation

    const (
        ExpectedNamespace = "default"
        ExpectedPodName   = "shell-demo"
    )

Server returns an http test server that can be used to test
Kubernetes client code. It also retains the current state,
and a func to close the server and to clean up any temporary
files.

    type Conf struct {
        ClientScheme, PathToTokenFile, PathToRootCAFile, ServiceHost, ServicePort string
    }

Conf returns the info needed to configure the client to point at
the test server. This must be done by the caller to avoid an import
cycle between the client and the testserver. Example usage:

    client.Scheme = testConf.ClientScheme
    client.TokenFile = testConf.PathToTokenFile
    client.RootCAFile = testConf.PathToRootCAFile
    if err := os.Setenv(client.EnvVarKubernetesServiceHost, testConf.ServiceHost); err != nil {
        t.Fatal(err)
    }
    if err := os.Setenv(client.EnvVarKubernetesServicePort, testConf.ServicePort); err != nil {
        t.Fatal(err)
    }