diff --git a/plugins/secrets/vault/vault.go b/plugins/secrets/vault/vault.go
index dc687116..2ec80115 100644
--- a/plugins/secrets/vault/vault.go
+++ b/plugins/secrets/vault/vault.go
@@ -27,9 +27,16 @@ import (
 //
 type vaultConfig struct {
 	Secrets map[string]struct {
+		Driver     string
+		DriverOpts struct {
+			Path string
+			Key  string
+		} `yaml:"driver_opts"`
+
+		// deprecated. do not use.
+		Vault string
 		Path  string
 		File  string
-		Vault string
 	}
 }
@@ -78,7 +85,7 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 		return nil, err
 	}
 	for key, val := range out.Secrets {
-		var path string
+		var path, field string
 		switch {
 		case val.Path != "":
 			path = val.Path
@@ -86,6 +93,12 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 			path = val.File
 		case val.Vault != "":
 			path = val.Vault
+		case val.DriverOpts.Path != "":
+			path = val.DriverOpts.Path
+			field = val.DriverOpts.Key
+		}
+		if field == "" {
+			field = "value"
 		}
 		if path == "" {
@@ -94,7 +107,7 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 		logrus.Debugf("vault: read secret: %s", path)
-		vaultSecret, err := v.get(path)
+		vaultSecret, err := v.get(path, field)
 		if err != nil {
 			logrus.Debugf("vault: read secret failed: %s: %s", path, err)
 			return nil, err
@@ -120,7 +133,7 @@ func (v *vault) list(repo *model.Repo, build *model.Build) ([]*model.Secret, err
 	return secrets, nil
 }
-func (v *vault) get(path string) (*vaultSecret, error) {
+func (v *vault) get(path, key string) (*vaultSecret, error) {
 	secret, err := v.client.Logical().Read(path)
 	if err != nil {
 		return nil, err
@@ -128,7 +141,7 @@ func (v *vault) get(path string) (*vaultSecret, error) {
 	if secret == nil || secret.Data == nil {
 		return nil, nil
 	}
-	return parseVaultSecret(secret.Data), nil
+	return parseVaultSecret(secret.Data, key), nil
 }
 // start starts the renewal loop.
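Review bot: The new `Driver` field on the per-secret config is parsed but, as far as this diff shows, never read — none of the `list` hunks consult `val.Driver`, so a secret declared with a different driver name would presumably still be fetched from Vault without complaint; either validate it (`if val.Driver != "" && val.Driver != "vault" { continue }` or return an error) or document that it is informational only. The deprecation comment on `Vault`, `Path` and `File` should use the form tooling recognizes, and should cover all three fields rather than sitting above `Vault` alone: `// Deprecated: use driver_opts.path instead of vault, path or file.` The `yaml:"driver_opts"` tag is the only one in the struct; a `yaml:"driver"` tag on `Driver` would make the wire name explicit rather than relying on the decoder's case folding.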
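Review bot: `field` is only assigned inside the new `DriverOpts.Path` case, and that case is last in the switch, so a config that sets any of the legacy `path`/`file`/`vault` keys together with `driver_opts.key` silently ignores the key and reads `value` instead — a misrouted credential rather than a visible error. Hoisting the assignment out of the switch, `field = val.DriverOpts.Key` before `switch {`, makes the key honoured regardless of which path form was used; placing the `DriverOpts.Path` case first would also let the new form win over the deprecated ones. The enclosing `list` loop starts and ends outside this hunk, so any `path == ""` handling that follows is not visible here.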
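Review bot: The debug line just above the changed call logs only `path`, while the read is now parameterised by `field` as well; when a build gets the wrong value the key is the first thing an operator needs, so `logrus.Debugf("vault: read secret: %s key=%s", path, field)` would make the log sufficient to diagnose a misconfigured `driver_opts.key` without exposing the value. The error branch below would benefit from the same addition. The surrounding loop body continues past the hunk.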
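Review bot: `get` gained a second parameter but still has no doc comment, and nothing in the signature says what `key` selects or what a `nil, nil` return means. Suggested: `// get reads the Vault secret at path and returns its field named key as the secret value. It returns nil, nil when no secret exists at path.` The rest of the function is in the next hunk.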
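Review bot: A `key` that does not exist in `secret.Data` is indistinguishable from a secret whose value is the empty string, because `parseVaultSecret` only sets `Value` when the key is present and `get` returns the result as success either way; a typo in `driver_opts.key` would therefore hand the build an empty credential and a green status instead of a failure. Unless a caller outside this hunk rejects an empty `Value`, consider checking presence here: `if _, ok := secret.Data[key]; !ok { return nil, fmt.Errorf("vault: secret %s has no field %q", path, key) }` (with `fmt` imported, or `errors.New` if the package already avoids it). This would also surface legacy secrets that lack a `value` field, which the old code accepted silently, so it is a deliberate behaviour change worth calling out in the commit message.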
@@ -178,10 +191,10 @@ type vaultSecret struct {
 	Repo  []string
 }
-func parseVaultSecret(data map[string]interface{}) *vaultSecret {
+func parseVaultSecret(data map[string]interface{}, key string) *vaultSecret {
 	secret := new(vaultSecret)
-	if vvalue, ok := data["value"]; ok {
+	if vvalue, ok := data[key]; ok {
 		if svalue, ok := vvalue.(string); ok {
 			secret.Value = svalue
 		}
diff --git a/plugins/secrets/vault/vault_test.go b/plugins/secrets/vault/vault_test.go
index fd93853b..cceb5a98 100644
--- a/plugins/secrets/vault/vault_test.go
+++ b/plugins/secrets/vault/vault_test.go
@@ -34,6 +34,7 @@ func TestVaultGet(t *testing.T) {
 	_, err = client.Logical().Write("secret/testing/drone/a", map[string]interface{}{
 		"value": "hello",
+		"fr":    "bonjour",
 		"image": "golang",
 		"event": "push,pull_request",
 		"repo":  "octocat/hello-world,github/*",
@@ -44,17 +45,25 @@ func TestVaultGet(t *testing.T) {
 	}
 	plugin := vault{client: client}
-	secret, err := plugin.get("secret/testing/drone/a")
+	secret, err := plugin.get("secret/testing/drone/a", "value")
 	if err != nil {
 		t.Error(err)
 		return
 	}
-
 	if got, want := secret.Value, "hello"; got != want {
 		t.Errorf("Expect secret value %s, got %s", want, got)
 	}
-	secret, err = plugin.get("secret/testing/drone/404")
+	secret, err = plugin.get("secret/testing/drone/a", "fr")
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if got, want := secret.Value, "bonjour"; got != want {
+		t.Errorf("Expect secret value %s, got %s", want, got)
+	}
+
+	secret, err = plugin.get("secret/testing/drone/404", "value")
 	if err != nil {
 		t.Errorf("Expect silent failure when secret does not exist, got %s", err)
 	}
@@ -76,7 +85,7 @@ func TestVaultSecretParse(t *testing.T) {
 		Image: []string{"plugins/s3", "plugins/ec2"},
 		Repo:  []string{"octocat/hello-world", "github/*"},
 	}
-	got := parseVaultSecret(data)
+	got := parseVaultSecret(data, "value")
 	if !reflect.DeepEqual(want, *got) {
 		t.Errorf("Failed read Secret.Data")
 		pretty.Fdiff(os.Stderr, want, got)
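Review bot: `parseVaultSecret` now takes an arbitrary `key` but has no doc comment, and the same `data` map also carries the restriction fields (`image`, `event`, `repo` appear alongside `value` in the test fixture); if `key` names one of those, the restriction string becomes the secret value while, presumably, still being parsed as a restriction further down the function. Suggested header: `// parseVaultSecret builds a vaultSecret from raw Vault data, taking the secret value from data[key]; key must not name one of the restriction fields (image, event, repo).` Rejecting such keys in `list` rather than here keeps this function a pure parser. The function body continues past the hunk.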
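Review bot: The new assertions cover a key that exists and a path that does not, but not the case the change actually introduces — a `key` that is absent from an existing secret — so whatever behaviour is chosen for a mistyped `driver_opts.key` (empty value or error) is currently unpinned. One more case after the `"fr"` block would close that gap, e.g. `if s, err := plugin.get("secret/testing/drone/a", "missing"); err != nil || s == nil || s.Value != "" { t.Errorf("Expect empty value for missing key, got %v, %v", s, err) }`, adjusted if the implementation is changed to return an error. The precedence between the deprecated `path`/`file`/`vault` keys and `driver_opts` in `list` is also untested; a table-driven `TestVaultList` would pin it.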