add vault driver_opts support

2018-03-08 12:46:39 -08:00 · 2018-03-08 12:46:39 -08:00 · a1d1d49852
commit a1d1d49852
parent 5e557bb2d8
2 changed files with 33 additions and 11 deletions
--- a/plugins/secrets/vault/vault.go
+++ b/plugins/secrets/vault/vault.go
@ -27,9 +27,16 @@ import (
 //
 type vaultConfig struct {
 	Secrets map[string]struct {
+		Driver     string
+		DriverOpts struct {
+			Path string
+			Key  string
+		} `yaml:"driver_opts"`
+
+		// deprecated. do not use.
+		Vault string
 		Path  string
 		File  string
-		Vault string
 	}
 }

@ -78,7 +85,7 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 		return nil, err
 	}
 	for key, val := range out.Secrets {
-		var path string
+		var path, field string
 		switch {
 		case val.Path != "":
 			path = val.Path
@ -86,6 +93,12 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 			path = val.File
 		case val.Vault != "":
 			path = val.Vault
+		case val.DriverOpts.Path != "":
+			path = val.DriverOpts.Path
+			field = val.DriverOpts.Key
+		}
+		if field == "" {
+			field = "value"
 		}

 		if path == "" {
@ -94,7 +107,7 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err

 		logrus.Debugf("vault: read secret: %s", path)

-		vaultSecret, err := v.get(path)
+		vaultSecret, err := v.get(path, field)
 		if err != nil {
 			logrus.Debugf("vault: read secret failed: %s: %s", path, err)
 			return nil, err
@ -120,7 +133,7 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 	return secrets, nil
 }

-func (v *vault) get(path string) (*vaultSecret, error) {
+func (v *vault) get(path, key string) (*vaultSecret, error) {
 	secret, err := v.client.Logical().Read(path)
 	if err != nil {
 		return nil, err
@ -128,7 +141,7 @@ func (v *vault) get(path string) (*vaultSecret, error) {
 	if secret == nil || secret.Data == nil {
 		return nil, nil
 	}
-	return parseVaultSecret(secret.Data), nil
+	return parseVaultSecret(secret.Data, key), nil
 }

 // start starts the renewal loop.
@ -178,10 +191,10 @@ type vaultSecret struct {
 	Repo  []string
 }

-func parseVaultSecret(data map[string]interface{}) *vaultSecret {
+func parseVaultSecret(data map[string]interface{}, key string) *vaultSecret {
 	secret := new(vaultSecret)

-	if vvalue, ok := data["value"]; ok {
+	if vvalue, ok := data[key]; ok {
 		if svalue, ok := vvalue.(string); ok {
 			secret.Value = svalue
 		}
--- a/plugins/secrets/vault/vault_test.go
+++ b/plugins/secrets/vault/vault_test.go
@ -34,6 +34,7 @@ func TestVaultGet(t *testing.T) {

 	_, err = client.Logical().Write("secret/testing/drone/a", map[string]interface{}{
 		"value": "hello",
+		"fr":    "bonjour",
 		"image": "golang",
 		"event": "push,pull_request",
 		"repo":  "octocat/hello-world,github/*",
@ -44,17 +45,25 @@ func TestVaultGet(t *testing.T) {
 	}

 	plugin := vault{client: client}
-	secret, err := plugin.get("secret/testing/drone/a")
+	secret, err := plugin.get("secret/testing/drone/a", "value")
 	if err != nil {
 		t.Error(err)
 		return
 	}
-
 	if got, want := secret.Value, "hello"; got != want {
 		t.Errorf("Expect secret value %s, got %s", want, got)
 	}

-	secret, err = plugin.get("secret/testing/drone/404")
+	secret, err = plugin.get("secret/testing/drone/a", "fr")
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if got, want := secret.Value, "bonjour"; got != want {
+		t.Errorf("Expect secret value %s, got %s", want, got)
+	}
+
+	secret, err = plugin.get("secret/testing/drone/404", "value")
 	if err != nil {
 		t.Errorf("Expect silent failure when secret does not exist, got %s", err)
 	}
@ -76,7 +85,7 @@ func TestVaultSecretParse(t *testing.T) {
 		Image: []string{"plugins/s3", "plugins/ec2"},
 		Repo:  []string{"octocat/hello-world", "github/*"},
 	}
-	got := parseVaultSecret(data)
+	got := parseVaultSecret(data, "value")
 	if !reflect.DeepEqual(want, *got) {
 		t.Errorf("Failed read Secret.Data")
 		pretty.Fdiff(os.Stderr, want, got)