fixup: some comments, added opts test, address pr concerns
This commit is contained in:
parent
c4fe6496b5
commit
db698f9ef4
4 changed files with 67 additions and 30 deletions
|
@ -16,22 +16,22 @@ Vault JSON Response
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
type VaultAuth struct {
|
type vaultAuth struct {
|
||||||
Token string `json:"client_token"`
|
Token string `json:"client_token"`
|
||||||
Lease string `json:"lease_duration"`
|
Lease string `json:"lease_duration"`
|
||||||
}
|
}
|
||||||
type VaultResp struct {
|
type vaultResp struct {
|
||||||
Auth VaultAuth
|
Auth vaultAuth
|
||||||
}
|
}
|
||||||
|
|
||||||
func getKubernetesToken(addr, role, mountPoint, tokenFile string) (string, time.Duration, error) {
|
func getKubernetesToken(addr, role, mount, tokenFile string) (string, time.Duration, error) {
|
||||||
b, err := ioutil.ReadFile(tokenFile)
|
b, err := ioutil.ReadFile(tokenFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", 0, err
|
return "", 0, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var resp VaultResp
|
var resp vaultResp
|
||||||
path := fmt.Sprintf("%s/v1/auth/%s/login", addr, mountPoint)
|
path := fmt.Sprintf("%s/v1/auth/%s/login", addr, mount)
|
||||||
data := map[string]string{
|
data := map[string]string{
|
||||||
"jwt": string(b),
|
"jwt": string(b),
|
||||||
"role": role,
|
"role": role,
|
||||||
|
|
|
@ -4,11 +4,7 @@
|
||||||
|
|
||||||
package vault
|
package vault
|
||||||
|
|
||||||
import (
|
import "time"
|
||||||
"github.com/Sirupsen/logrus"
|
|
||||||
"os"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Opts sets custom options for the vault client.
|
// Opts sets custom options for the vault client.
|
||||||
type Opts func(v *vault)
|
type Opts func(v *vault)
|
||||||
|
@ -29,20 +25,13 @@ func WithRenewal(d time.Duration) Opts {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func WithKubernetesAuth() Opts {
|
// WithKubernetes returns an options that sets
|
||||||
|
// kubernetes-auth parameters required to retrieve
|
||||||
|
// an initial Vault token
|
||||||
|
func WithKubernetesAuth(addr, role, mount string) Opts {
|
||||||
return func(v *vault) {
|
return func(v *vault) {
|
||||||
addr := os.Getenv("VAULT_ADDR")
|
v.kubeAuth.addr = addr
|
||||||
role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE")
|
v.kubeAuth.role = role
|
||||||
mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT")
|
v.kubeAuth.mount = mount
|
||||||
jwtFile := "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
token, ttl, err := getKubernetesToken(addr, role, mount, jwtFile)
|
|
||||||
if err != nil {
|
|
||||||
logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
v.client.SetToken(token)
|
|
||||||
v.ttl = ttl
|
|
||||||
v.renew = ttl / 2
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,3 +26,21 @@ func TestWithRenewal(t *testing.T) {
|
||||||
t.Errorf("Want renewal %v, got %v", want, got)
|
t.Errorf("Want renewal %v, got %v", want, got)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestWithKubernetesAuth(t *testing.T) {
|
||||||
|
v := new(vault)
|
||||||
|
addr := "https://address.fake"
|
||||||
|
role := "fakeRole"
|
||||||
|
mount := "kubernetes"
|
||||||
|
opt := WithKubernetesAuth(addr, role, mount)
|
||||||
|
opt(v)
|
||||||
|
if got, want := v.kubeAuth.addr, addr; got != want {
|
||||||
|
t.Errorf("Want addr %v, got %v", want, got)
|
||||||
|
}
|
||||||
|
if got, want := v.kubeAuth.role, role; got != want {
|
||||||
|
t.Errorf("Want role %v, got %v", want, got)
|
||||||
|
}
|
||||||
|
if got, want := v.kubeAuth.mount, mount; got != want {
|
||||||
|
t.Errorf("Want mount %v, got %v", want, got)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -45,9 +45,15 @@ type vault struct {
|
||||||
client *api.Client
|
client *api.Client
|
||||||
ttl time.Duration
|
ttl time.Duration
|
||||||
renew time.Duration
|
renew time.Duration
|
||||||
|
auth string
|
||||||
|
kubeAuth kubeAuth
|
||||||
done chan struct{}
|
done chan struct{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type kubeAuth struct {
|
||||||
|
addr, role, mount string
|
||||||
|
}
|
||||||
|
|
||||||
// New returns a new store with secrets loaded from vault.
|
// New returns a new store with secrets loaded from vault.
|
||||||
func New(store model.ConfigStore, opts ...Opts) (secrets.Plugin, error) {
|
func New(store model.ConfigStore, opts ...Opts) (secrets.Plugin, error) {
|
||||||
client, err := api.NewClient(nil)
|
client, err := api.NewClient(nil)
|
||||||
|
@ -61,10 +67,34 @@ func New(store model.ConfigStore, opts ...Opts) (secrets.Plugin, error) {
|
||||||
for _, opt := range opts {
|
for _, opt := range opts {
|
||||||
opt(v)
|
opt(v)
|
||||||
}
|
}
|
||||||
|
if v.auth == "kubernetes" {
|
||||||
|
err = v.initKubernetes()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
v.start() // start the refresh process.
|
v.start() // start the refresh process.
|
||||||
return v, nil
|
return v, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v *vault) initKubernetes() error {
|
||||||
|
token, ttl, err := getKubernetesToken(
|
||||||
|
v.kubeAuth.addr,
|
||||||
|
v.kubeAuth.role,
|
||||||
|
v.kubeAuth.mount,
|
||||||
|
"/var/run/secrets/kubernetes.io/serviceaccount/token",
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
v.client.SetToken(token)
|
||||||
|
v.ttl = ttl
|
||||||
|
v.renew = ttl / 2
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func (v *vault) SecretListBuild(repo *model.Repo, build *model.Build) ([]*model.Secret, error) {
|
func (v *vault) SecretListBuild(repo *model.Repo, build *model.Build) ([]*model.Secret, error) {
|
||||||
return v.list(repo, build)
|
return v.list(repo, build)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Add table
Reference in a new issue