summary: the initial version did not support arbitrary paths; we need to remove the path-building helper and allow the user to specify the entire Vault path
This commit is contained in:
parent
549de4f6e5
commit
4d769c0f7a
25
README.md
25
README.md
|
@ -44,11 +44,10 @@ spec:
|
|||
image: gambol99/vault-sidekick:latest
|
||||
args:
|
||||
- -output=/etc/secrets
|
||||
- -cn=pki:example.com:cn=commons.example.com,rv=true,up=2h
|
||||
- -cn=secret:db/prod/username:file=.credentials
|
||||
- -cn=secret:db/prod/password
|
||||
- -cn=aws:s3_backsup:file=.s3_creds
|
||||
- -cn=template:database_credentials:tpl=/etc/templates/db.tmpl,file=/etc/credentials
|
||||
- -cn=pki:project1/certs/example.com:cn=commons.example.com,rv=true,up=2h
|
||||
- -cn=secret:secret/db/prod/username:file=.credentials
|
||||
- -cn=secret:secret/db/prod/password
|
||||
- -cn=aws:aws/creds/s3_backup_policy:file=.s3_creds
|
||||
volumeMounts:
|
||||
- name: secrets
|
||||
mountPath: /etc/secrets
|
||||
|
@ -74,16 +73,20 @@ expire, in order ensure the rotation of secrets. If you don't want this behaviou
|
|||
your using the mysql dynamic secrets, you want to renew the secret not replace it
|
||||
|
||||
```shell
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=mysql:my_database:fmt=yaml,renew=true
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=mysql:mysql/creds/my_database:fmt=yaml,renew=true
|
||||
or an iam policy renewed every hour
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:aws_policy_path:fmt=yaml,renew=true,update=1h
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:aws/creds/policy:fmt=yaml,renew=true,update=1h
|
||||
|
||||
```
|
||||
|
||||
Or you want to rotate the secret every **1h** and **revoke** the previous one
|
||||
|
||||
```shell
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:my_s3_bucket:fmt=yaml,update=1h,revoke=true
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:project/creds/my_s3_bucket:fmt=yaml,update=1h,revoke=true
|
||||
|
||||
The format is;
|
||||
|
||||
-cn=RESOURCE_TYPE:PATH:OPTIONS
|
||||
```
|
||||
|
||||
**Output Formatting**
|
||||
|
@ -108,9 +111,9 @@ this is
|
|||
In order to change the output format:
|
||||
|
||||
```shell
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:password:fmt=ini -logtostderr=true -dry-run
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:password:fmt=json -logtostderr=true -dry-run
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:password:fmt=yaml -logtostderr=true -dry-run
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=ini -logtostderr=true -dry-run
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=json -logtostderr=true -dry-run
|
||||
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=yaml -logtostderr=true -dry-run
|
||||
```
|
||||
|
||||
Format: 'cert' is less of a format of more file scheme i.e. is just extracts the 'certificate', 'issuing_ca' and 'private_key' and creates the three files FILE.{ca,key,crt}
|
||||
|
|
2
utils.go
2
utils.go
|
@ -197,7 +197,7 @@ func writeResource(rn *VaultResource, data map[string]interface{}) error {
|
|||
filename := fmt.Sprintf("%s.%s", resourcePath, suffix)
|
||||
content, found := data[key]
|
||||
if !found {
|
||||
glog.Errorf("didn't find the certification option: %s in the resource: %s", key, rn.name)
|
||||
glog.Errorf("didn't find the certification option: %s in the resource: %s", key, rn.path)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
8
vault.go
8
vault.go
|
@ -370,16 +370,16 @@ func (r VaultService) get(rn *watchedResource) (err error) {
|
|||
|
||||
switch rn.resource.resource {
|
||||
case "pki":
|
||||
secret, err = r.client.Logical().Write(fmt.Sprintf("%s/issue/%s", rn.resource.resource, rn.resource.name),
|
||||
secret, err = r.client.Logical().Write(fmt.Sprintf(rn.resource.path),
|
||||
map[string]interface{}{
|
||||
"common_name": rn.resource.options[optionCommonName],
|
||||
})
|
||||
case "aws":
|
||||
secret, err = r.client.Logical().Read(fmt.Sprintf("%s/creds/%s", rn.resource.resource, rn.resource.name))
|
||||
secret, err = r.client.Logical().Read(rn.resource.path)
|
||||
case "mysql":
|
||||
secret, err = r.client.Logical().Read(fmt.Sprintf("%s/creds/%s", rn.resource.resource, rn.resource.name))
|
||||
secret, err = r.client.Logical().Read(rn.resource.path)
|
||||
case "secret":
|
||||
secret, err = r.client.Logical().Read(fmt.Sprintf("%s/%s", rn.resource.resource, rn.resource.name))
|
||||
secret, err = r.client.Logical().Read(rn.resource.path)
|
||||
}
|
||||
// step: return on error
|
||||
if err != nil {
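Review bot: `fmt.Sprintf(rn.resource.path)` in the pki case passes a user-supplied string as the format string, so any `%` in the path is interpreted as a verb (yielding `%!x(MISSING)`-style garbage in the request path) and go vet flags the non-constant format; the other three cases already pass the path straight through, so this one should too: `secret, err = r.client.Logical().Write(rn.resource.path,`. With the path now used verbatim, the endpoint the sidekick hits is bounded only by the Vault token's policy rather than the old `<type>/creds/<name>` shape, which is the intent of the commit but worth stating in the README. The README example in this same commit uses `-cn=pki:project1/certs/example.com`, which, if passed through unchanged, is written to `project1/certs/example.com` rather than a `<mount>/issue/<role>` endpoint as the old code did, so one of the two looks wrong. The enclosing get() starts and ends outside the hunk.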
|
||||
|
|
|
@ -71,7 +71,7 @@ type VaultResource struct {
|
|||
// the namespace of the resource
|
||||
resource string
|
||||
// the name of the resource
|
||||
name string
|
||||
path string
|
||||
// the format of the resource
|
||||
format string
|
||||
// whether the resource should be renewed?
|
||||
|
@ -93,7 +93,7 @@ func (r VaultResource) GetFilename() string {
|
|||
return path
|
||||
}
|
||||
|
||||
return fmt.Sprintf("%s.%s", r.name, r.resource)
|
||||
return fmt.Sprintf("%s.%s", r.path, r.resource)
|
||||
}
|
||||
|
||||
// IsValid checks to see if the resource is valid
|
||||
|
@ -182,5 +182,5 @@ func (r *VaultResource) isValidOptions() error {
|
|||
|
||||
// String returns a string representation of the struct
|
||||
func (r VaultResource) String() string {
|
||||
return fmt.Sprintf("%s/%s", r.resource, r.name)
|
||||
return fmt.Sprintf("type: %s, path:%s", r.resource, r.path)
|
||||
}
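Review bot: GetFilename now builds the default output name from `r.path`, and the README examples in this commit make the path hierarchical (`secret/db/prod/username`), so without a `file=` option the default filename contains directory separators and, since the path is taken verbatim from the command line, could also carry `..` segments that escape the output directory when joined with `-output`. Either reduce it to the last segment, `return fmt.Sprintf("%s.%s", filepath.Base(r.path), r.resource)` (assuming path/filepath can be imported here), or reject paths containing `..` or a leading `/` where they are parsed. The struct hunk also leaves the stale comment `// the name of the resource` above the renamed `path` field; it should read `// the full Vault path of the resource, e.g. secret/db/prod/username`. GetFilename and the struct definition both start outside their hunks.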
|
||||
|
|
|
@ -24,7 +24,7 @@ import (
|
|||
|
||||
func TestResourceFilename(t *testing.T) {
|
||||
rn := VaultResource{
|
||||
name: "test_secret",
|
||||
path: "test_secret",
|
||||
resource: "secret",
|
||||
options: map[string]string{},
|
||||
}
|
||||
|
@ -35,7 +35,7 @@ func TestResourceFilename(t *testing.T) {
|
|||
|
||||
func TestIsValid(t *testing.T) {
|
||||
resource := defaultVaultResource()
|
||||
resource.name = "/test/name"
|
||||
resource.path = "/test/name"
|
||||
resource.resource = "secret"
|
||||
|
||||
assert.Nil(t, resource.IsValid())
|
||||
|
|
|
@ -45,7 +45,7 @@ func (r *VaultResources) Set(value string) error {
|
|||
// step: extract the matches
|
||||
matches := resourceRegex.FindAllStringSubmatch(value, -1)
|
||||
rn.resource = matches[0][1]
|
||||
rn.name = matches[0][2]
|
||||
rn.path = matches[0][2]
|
||||
rn.options = make(map[string]string, 0)
|
||||
|
||||
// step: do we have any options for the resource?
|
||||
|
|
|
@ -51,13 +51,13 @@ func TestResources(t *testing.T) {
|
|||
|
||||
rn := items.items[0]
|
||||
assert.Equal(t, "secret", rn.resource)
|
||||
assert.Equal(t, "test", rn.name)
|
||||
assert.Equal(t, "test", rn.path)
|
||||
assert.Equal(t, 2, len(rn.options))
|
||||
assert.Equal(t, "filename.test", rn.options[optionFilename])
|
||||
assert.Equal(t, "yaml", rn.options[optionFormat])
|
||||
rn = items.items[1]
|
||||
assert.Equal(t, "secret", rn.resource)
|
||||
assert.Equal(t, "test", rn.name)
|
||||
assert.Equal(t, "test", rn.path)
|
||||
assert.Equal(t, 1, len(rn.options))
|
||||
assert.Equal(t, "fileame.test", rn.options[optionFilename])
|
||||
}
|
||||
|
|