Adding kubernetes-vault support - slightly different file format.
This commit is contained in:
parent
f0b715ce2a
commit
15817c5173
|
@ -39,8 +39,9 @@ func NewUserTokenPlugin(client *api.Client) AuthInterface {
|
||||||
// Create retrieves the token from an environment variable or file
|
// Create retrieves the token from an environment variable or file
|
||||||
func (r authTokenPlugin) Create(cfg map[string]string) (string, error) {
|
func (r authTokenPlugin) Create(cfg map[string]string) (string, error) {
|
||||||
filename, _ := cfg["filename"]
|
filename, _ := cfg["filename"]
|
||||||
|
fileFormat, _ := cfg["fileFormat"]
|
||||||
if filename != "" {
|
if filename != "" {
|
||||||
content, err := readConfigFile(filename)
|
content, err := readConfigFile(filename, fileFormat)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,6 +28,8 @@ type config struct {
|
||||||
vaultURL string
|
vaultURL string
|
||||||
// a file containing the authenticate options
|
// a file containing the authenticate options
|
||||||
vaultAuthFile string
|
vaultAuthFile string
|
||||||
|
// whether or not the auth file format is default
|
||||||
|
vaultAuthFileFormat string
|
||||||
// the authentication options
|
// the authentication options
|
||||||
vaultAuthOptions map[string]string
|
vaultAuthOptions map[string]string
|
||||||
// the vault ca file
|
// the vault ca file
|
||||||
|
@ -56,7 +58,8 @@ func init() {
|
||||||
options.vaultAuthOptions = map[string]string{VaultAuth: "token"}
|
options.vaultAuthOptions = map[string]string{VaultAuth: "token"}
|
||||||
|
|
||||||
flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "url the vault service or VAULT_ADDR")
|
flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "url the vault service or VAULT_ADDR")
|
||||||
flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in json or yaml containing authentication arguments")
|
flag.StringVar(&options.vaultAuthFile, "auth", getEnv("AUTH_FILE", ""), "a configuration file in json or yaml containing authentication arguments")
|
||||||
|
flag.StringVar(&options.vaultAuthFileFormat, "format", getEnv("AUTH_FORMAT", "default"), "the auth file format")
|
||||||
flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT")
|
flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT")
|
||||||
flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen")
|
flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen")
|
||||||
flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
|
flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
|
||||||
|
@ -85,7 +88,7 @@ func validateOptions(cfg *config) (err error) {
|
||||||
if exists, _ := fileExists(cfg.vaultAuthFile); !exists {
|
if exists, _ := fileExists(cfg.vaultAuthFile); !exists {
|
||||||
return fmt.Errorf("the token file: %s does not exists, please check", cfg.vaultAuthFile)
|
return fmt.Errorf("the token file: %s does not exists, please check", cfg.vaultAuthFile)
|
||||||
}
|
}
|
||||||
options.vaultAuthOptions, err = readConfigFile(options.vaultAuthFile)
|
options.vaultAuthOptions, err = readConfigFile(options.vaultAuthFile, options.vaultAuthFileFormat)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("unable to read in authentication options from: %s, error: %s", cfg.vaultAuthFile, err)
|
return fmt.Errorf("unable to read in authentication options from: %s, error: %s", cfg.vaultAuthFile, err)
|
||||||
}
|
}
|
||||||
|
|
21
utils.go
21
utils.go
|
@ -27,10 +27,11 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
|
||||||
"gopkg.in/yaml.v2"
|
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
|
||||||
|
"github.com/golang/glog"
|
||||||
|
"gopkg.in/yaml.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
@ -69,7 +70,7 @@ func getKeys(data map[string]interface{}) []string {
|
||||||
|
|
||||||
// readConfigFile read in a configuration file
|
// readConfigFile read in a configuration file
|
||||||
// filename : the path to the file
|
// filename : the path to the file
|
||||||
func readConfigFile(filename string) (map[string]string, error) {
|
func readConfigFile(filename, fileFormat string) (map[string]string, error) {
|
||||||
// step: check the file exists
|
// step: check the file exists
|
||||||
if exists, err := fileExists(filename); !exists {
|
if exists, err := fileExists(filename); !exists {
|
||||||
return nil, fmt.Errorf("the file: %s does not exist", filename)
|
return nil, fmt.Errorf("the file: %s does not exist", filename)
|
||||||
|
@ -84,14 +85,14 @@ func readConfigFile(filename string) (map[string]string, error) {
|
||||||
case ".yml":
|
case ".yml":
|
||||||
return readYAMLFile(filename)
|
return readYAMLFile(filename)
|
||||||
default:
|
default:
|
||||||
return readJSONFile(filename)
|
return readJSONFile(filename, fileFormat)
|
||||||
}
|
}
|
||||||
return nil, fmt.Errorf("unsupported config file format: %s", suffix)
|
return nil, fmt.Errorf("unsupported config file format: %s", suffix)
|
||||||
}
|
}
|
||||||
|
|
||||||
// readJsonFile read in and unmarshall the data into a map
|
// readJsonFile read in and unmarshall the data into a map
|
||||||
// filename : the path to the file container the json data
|
// filename : the path to the file container the json data
|
||||||
func readJSONFile(filename string) (map[string]string, error) {
|
func readJSONFile(filename, format string) (map[string]string, error) {
|
||||||
data := make(map[string]string, 0)
|
data := make(map[string]string, 0)
|
||||||
|
|
||||||
content, err := ioutil.ReadFile(filename)
|
content, err := ioutil.ReadFile(filename)
|
||||||
|
@ -100,7 +101,15 @@ func readJSONFile(filename string) (map[string]string, error) {
|
||||||
}
|
}
|
||||||
// unmarshall the data
|
// unmarshall the data
|
||||||
err = json.Unmarshal(content, &data)
|
err = json.Unmarshal(content, &data)
|
||||||
if err != nil {
|
if err != nil && format == "default" {
|
||||||
|
return data, err
|
||||||
|
}
|
||||||
|
if err != nil && format == "kubernetes-vault" {
|
||||||
|
if data["clientToken"] != "" {
|
||||||
|
data[VaultAuth] = "token"
|
||||||
|
data["token"] = data["clientToken"]
|
||||||
|
return data, nil
|
||||||
|
}
|
||||||
return data, err
|
return data, err
|
||||||
}
|
}
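Review bot: The new `kubernetes-vault` branch in readJSONFile only runs when json.Unmarshal returned an error, so a file in that format whose values all happen to be strings decodes cleanly, skips the `clientToken` → `token` mapping, and the caller receives a map with no token; conversely, the branch depends on Unmarshal still filling the string-valued keys before it reports an UnmarshalTypeError for the non-string ones, which works but is hard to read and easy to break. Decoding the kubernetes-vault file into a `map[string]interface{}` and picking `clientToken` explicitly makes the intent clear, reports a malformed file, and fails loudly when the token is missing instead of falling through. A format value other than `default` or `kubernetes-vault` currently behaves exactly like `default` with no diagnostic; the same commit's validateOptions should reject unknown values of `vaultAuthFileFormat` (and readConfigFile's `.yml`/`.yaml` cases ignore the format entirely, which is worth a comment if intentional). readJSONFile's body begins outside the hunk.
```go
	if format == "kubernetes-vault" {
		// the existing code implies this file carries non-string values next to
		// clientToken, so decode loosely rather than into map[string]string
		var raw map[string]interface{}
		if err := json.Unmarshal(content, &raw); err != nil {
			return nil, err
		}
		token, _ := raw["clientToken"].(string)
		if token == "" {
			return nil, fmt.Errorf("no clientToken found in kubernetes-vault file: %s", filename)
		}
		data[VaultAuth] = "token"
		data["token"] = token
		return data, nil
	}
	// unmarshall the data
	err = json.Unmarshal(content, &data)
	return data, err
```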
|
||||||
|
|
||||||
|
|
1
vault.go
1
vault.go
|
@ -433,6 +433,7 @@ func newVaultClient(opts *config) (*api.Client, error) {
|
||||||
token, err = NewAppRolePlugin(client).Create(opts.vaultAuthOptions)
|
token, err = NewAppRolePlugin(client).Create(opts.vaultAuthOptions)
|
||||||
case "token":
|
case "token":
|
||||||
opts.vaultAuthOptions["filename"] = options.vaultAuthFile
|
opts.vaultAuthOptions["filename"] = options.vaultAuthFile
|
||||||
|
opts.vaultAuthOptions["fileFormat"] = options.vaultAuthFileFormat
|
||||||
token, err = NewUserTokenPlugin(client).Create(opts.vaultAuthOptions)
|
token, err = NewUserTokenPlugin(client).Create(opts.vaultAuthOptions)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("unsupported authentication plugin: %s", plugin)
|
return nil, fmt.Errorf("unsupported authentication plugin: %s", plugin)
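Review bot: The added line reads the package-level `options` instead of the `opts *config` parameter that newVaultClient is given, repeating the pattern of the existing `filename` line just above it; the function's own argument should be the source, `opts.vaultAuthOptions["fileFormat"] = opts.vaultAuthFileFormat` (and likewise for `filename`), otherwise a caller passing a different config silently gets the global's values. Both lines also mutate the shared `opts.vaultAuthOptions` map in place, which is presumably fine here but worth a one-line comment such as `// filename/fileFormat are passed to the token plugin through the auth options map`. newVaultClient starts and ends outside the hunk.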
|
||||||
|
|