
add support for appRole authentication #251

@josueCarvajal

Description


Problem statement

Due to business requirements we want to move away from Kubernetes auth and use AppRole authentication.
So far the implementation works well with HashiCorp Vault and with tools consuming an AppRole via the HashiCorp agent injector,
but when trying to use the Banzai Cloud webhook we are facing a limitation with the webhook that might make us re-plan our strategy of moving to this method.

Scenario details

These are our annotations for the Banzai webhook:

    vault.security.banzaicloud.io/vault-auth-method: "approle"
    vault.security.banzaicloud.io/vault-path: "approle"
    vault.security.banzaicloud.io/vault-role: "my-app-role"
    vault.security.banzaicloud.io/vault-addr: "https://dev-vault.dev-vault:8200"
    vault.security.banzaicloud.io/vault-skip-verify: "true"

and the error we are getting is the following:

    Error making API request.

    URL: PUT https://dev-vault.dev-vault:8200/v1/auth/approle/login
    Code: 500. Errors:

    * failed to determine alias name from login request

By digging around I was able to log in via the CLI using the following POST request:

    curl \
        --request POST \
        --data '{"role_id":"1201c30b-..."}' \
        https://vault.domain/v1/auth/approle/login

But when using the following POST request, with role_name instead of role_id,

    # note: no trailing whitespace after the backslashes, otherwise the
    # line continuation breaks and the shell runs "curl" on its own
    curl \
        --request POST \
        --data '{"role_name":"my-role-name"}' \
        https://vault.domain/v1/auth/approle/login

I get the same error, meaning that the webhook is building the POST request in the same way:

    {"errors":["failed to determine alias name from login request"]}

Also, I was looking at the annotation vault.security.banzaicloud.io/token-auth-mount but I am not sure how it works; when I enabled it as a volume mount with the token, the webhook was not injected. If this is a missing piece of the puzzle, could you please guide me through an example of how to use it?

Versions used:

  • webhook: 1.19.1
  • vault-env: 1.19.1
  • vault: 1.15.0
  • EKS: 1.27
  • cloud: AWS

Questions

  • Checking the official docs, it looks like AppRole auth is not in the list; is it supported?
    vault.security.banzaicloud.io/vault-auth-method: The [Vault authentication method](https://developer.hashicorp.com/vault/docs/auth) to be used, one of ["kubernetes", "aws-ec2", "aws-iam", "gcp-gce", "gcp-iam", "jwt", "azure", "namespaced"]
  • If it is not supported, is there a plan to support it?
  • Am I missing something in our implementation?

Thanks in advance!
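The two request shapes compared in the issue, as an added example that is not part of this issue, of Vault, or of the bank-vaults webhook code: a Go client that performs the AppRole login (POST /v1/auth/approle/login with role_id and secret_id and reads auth.client_token from the response) and a constructed in-process stand-in for the Vault endpoint that reproduces the one behaviour the issue demonstrates, an HTTP 500 with "failed to determine alias name from login request" when role_id is absent from the payload. The fake server, the role_id/secret_id values, the token string and the 400 response for wrong credentials are assumptions made for the example; the 500 with the alias error is the behaviour shown on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// Error text reported in the issue when the login payload carries no role_id.
const aliasErr = "failed to determine alias name from login request"

// loginResult holds the part of Vault's reply a caller needs.
type loginResult struct {
	Status int      // HTTP status code
	Errors []string // contents of {"errors":[...]} on failure
	Token  string   // auth.client_token on success
}

// postLogin sends an arbitrary JSON payload to POST {addr}/v1/auth/approle/login
// and decodes either the error list or the client token.
func postLogin(client *http.Client, addr string, payload map[string]string) (loginResult, error) {
	body, err := json.Marshal(payload)
	if err != nil {
		return loginResult{}, err
	}
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/auth/approle/login", bytes.NewReader(body))
	if err != nil {
		return loginResult{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return loginResult{}, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return loginResult{}, err
	}
	res := loginResult{Status: resp.StatusCode}
	if resp.StatusCode != http.StatusOK {
		var ve struct {
			Errors []string `json:"errors"`
		}
		_ = json.Unmarshal(raw, &ve) // Vault error bodies are {"errors":[...]}
		res.Errors = ve.Errors
		return res, nil
	}
	var ok struct {
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := json.Unmarshal(raw, &ok); err != nil {
		return res, err
	}
	res.Token = ok.Auth.ClientToken
	return res, nil
}

// appRoleLogin is the correct client side: an AppRole is identified by its
// role_id credential, never by the role name, and secret_id is required unless
// the role was created with bind_secret_id=false.
func appRoleLogin(client *http.Client, addr, roleID, secretID string) (string, error) {
	if roleID == "" {
		return "", errors.New("role_id is required; the role name cannot be used to log in")
	}
	payload := map[string]string{"role_id": roleID}
	if secretID != "" {
		payload["secret_id"] = secretID
	}
	res, err := postLogin(client, addr, payload)
	if err != nil {
		return "", err
	}
	if res.Status != http.StatusOK {
		return "", fmt.Errorf("vault returned %d: %v", res.Status, res.Errors)
	}
	if res.Token == "" {
		return "", errors.New("login succeeded but no client_token in response")
	}
	return res.Token, nil
}

// newFakeVault is a constructed stand-in for auth/approle/login (not Vault):
// 500 + alias error without role_id, 400 on wrong credentials, token on success.
func newFakeVault(roleID, secretID, token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		var in map[string]string
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(map[string][]string{"errors": {"malformed request"}})
			return
		}
		if in["role_id"] == "" {
			w.WriteHeader(http.StatusInternalServerError)
			_ = json.NewEncoder(w).Encode(map[string][]string{"errors": {aliasErr}})
			return
		}
		if in["role_id"] != roleID || in["secret_id"] != secretID {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(map[string][]string{"errors": {"invalid role or secret ID"}})
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]interface{}{
			"auth": map[string]interface{}{"client_token": token, "lease_duration": 3600, "renewable": true},
		})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeVault("1201c30b-example-role-id", "example-secret-id", "hvs.example")
	defer srv.Close()
	// The shape reported in the issue: a role name instead of role_id reproduces the alias error.
	res, err := postLogin(srv.Client(), srv.URL, map[string]string{"role_name": "my-app-role"})
	fmt.Println(res.Status, res.Errors, err)
	// The correct shape.
	tok, err := appRoleLogin(srv.Client(), srv.URL, "1201c30b-example-role-id", "example-secret-id")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("client_token:", tok)
}
```

Two practical notes: the issue's annotations set vault-skip-verify to "true", which disables TLS certificate verification for the login call; a production client should trust the Vault CA instead so that role_id and secret_id are never sent to an unauthenticated endpoint. And a login that works with role_id alone, as in the first curl call above, implies the role was created with bind_secret_id=false, which means anyone who learns the role_id can obtain a token.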

Metadata

Labels: area/auth, kind/feature, lifecycle/keep
Status: Backlog