79428aa231
Added a feature to obtain the initial Vault token from the Kubernetes auth method. This works by making a request to the Vault server at the specified auth method mount point's login path and presenting the JWT located in a file on a running pod, along with the Kubernetes role to authenticate as. Vault will then respond with a token and its TTL, if the request is valid.
// Copyright 2018 Drone.IO Inc
// Use of this software is governed by the Drone Enterprise License
// that can be found in the LICENSE file.
package vault
import (
"github.com/Sirupsen/logrus"
"os"
"time"
)
// Opts is a functional option for the vault client: each option is
// applied to the *vault under construction and mutates it in place.
type Opts func(v *vault)
// WithTTL returns an option that sets the TTL used to
// refresh periodic tokens.
func WithTTL(d time.Duration) Opts {
	ttl := d
	return func(v *vault) { v.ttl = ttl }
}
// WithRenewal returns an option that sets the renewal
// period used to refresh periodic tokens.
func WithRenewal(d time.Duration) Opts {
	period := d
	return func(v *vault) { v.renew = period }
}
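// WithKubernetesAuth returns an option that obtains the initial Vault
// token through Vault's Kubernetes auth method. The login is built from
// the environment: VAULT_ADDR (Vault server address),
// DRONE_VAULT_KUBERNETES_ROLE (the Vault role to authenticate as) and
// DRONE_VAULT_AUTH_MOUNT_POINT (mount path of the auth method). The
// pod's service-account token is read from the default Kubernetes path
// and handed to getKubernetesToken together with those values.
//
// On success the returned token is installed on the client and its TTL
// drives the renewal schedule. On failure the error is logged and the
// client is left without a token: the option is best-effort, and later
// Vault requests will then fail with permission errors.
func WithKubernetesAuth() Opts {
	return func(v *vault) {
		addr := os.Getenv("VAULT_ADDR")
		role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE")
		mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT")
		// Default location of the service-account token mounted into a pod.
		jwtFile := "/var/run/secrets/kubernetes.io/serviceaccount/token"

		token, ttl, err := getKubernetesToken(addr, role, mount, jwtFile)
		if err != nil {
			// Logged at error rather than debug: a failed login leaves the
			// client unauthenticated, and that must be visible at the default
			// log level instead of surfacing later as permission-denied
			// responses from Vault.
			// NOTE(review): the error comes from getKubernetesToken — confirm
			// it does not embed the JWT or the raw Vault response before it
			// is logged here.
			logrus.Errorf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
			return
		}

		v.client.SetToken(token)
		v.ttl = ttl
		// Renew at half the TTL, leaving headroom before the token expires.
		v.renew = ttl / 2
	}
}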