From 4d769c0f7a0231b56250d93c8d10b1072c5b8b76 Mon Sep 17 00:00:00 2001
From: Rohith
Date: Wed, 21 Oct 2015 14:40:06 +0100
Subject: [PATCH] summary: the initial version did not support path, we need to remove the helper and allow the user to specify the entire path

---
 README.md | 25 ++++++++++++++-----------
 utils.go | 2 +-
 vault.go | 8 ++++----
 vault_resource.go | 6 +++---
 vault_resource_test.go | 4 ++--
 vault_resources.go | 2 +-
 vault_resources_test.go | 4 ++--
 7 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 0975ad4..37d08ad 100644
--- a/README.md
+++ b/README.md
@@ -44,11 +44,10 @@ spec:
 image: gambol99/vault-sidekick:latest
 args:
 - -output=/etc/secrets
- - -cn=pki:example.com:cn=commons.example.com,rv=true,up=2h
- - -cn=secret:db/prod/username:file=.credentials
- - -cn=secret:db/prod/password
- - -cn=aws:s3_backsup:file=.s3_creds
- - -cn=template:database_credentials:tpl=/etc/templates/db.tmpl,file=/etc/credentials
+ - -cn=pki:project1/certs/example.com:cn=commons.example.com,rv=true,up=2h
+ - -cn=secret:secret/db/prod/username:file=.credentials
+ - -cn=secret:secret/db/prod/password
+ - -cn=aws:aws/creds/s3_backup_policy:file=.s3_creds
 volumeMounts:
 - name: secrets
 mountPath: /etc/secrets
@@ -74,16 +73,20 @@ expire, in order ensure the rotation of secrets. If you don't want this behaviou your using the mysql dynamic secrets, you want to renew the secret not replace it ```shell -[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=mysql:my_database:fmt=yaml,renew=true +[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=mysql:mysql/creds/my_database:fmt=yaml,renew=true or an iam policy renewed every hour -[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:aws_policy_path:fmt=yaml,renew=true,update=1h +[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:aws/creds/policy:fmt=yaml,renew=true,update=1h ``` Or you want to rotate the secret every **1h** and **revoke** the previous one ```shell -[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:my_s3_bucket:fmt=yaml,update=1h,revoke=true +[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:project/creds/my_s3_bucket:fmt=yaml,update=1h,revoke=true + +The format is; + +-cn=RESOURCE_TYPE:PATH:OPTIONS ``` **Output Formatting** @@ -108,9 +111,9 @@ this is In order to change the output format: ```shell -[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:password:fmt=ini -logtostderr=true -dry-run -[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:password:fmt=json -logtostderr=true -dry-run -[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:password:fmt=yaml -logtostderr=true -dry-run +[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=ini -logtostderr=true -dry-run +[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=json -logtostderr=true -dry-run +[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=yaml -logtostderr=true -dry-run ``` Format: 'cert' is less of a format of more file scheme i.e. is just extracts the 'certificate', 'issuing_ca' and 'private_key' and creates the three files FILE.{ca,key,crt} 
diff --git a/utils.go b/utils.go
index 9c594be..3459454 100644
--- a/utils.go
+++ b/utils.go
@@ -197,7 +197,7 @@ func writeResource(rn *VaultResource, data map[string]interface{}) error {
 filename := fmt.Sprintf("%s.%s", resourcePath, suffix)
 content, found := data[key]
 if !found {
-glog.Errorf("didn't find the certification option: %s in the resource: %s", key, rn.name)
+glog.Errorf("didn't find the certification option: %s in the resource: %s", key, rn.path)
 continue
 }
 
diff --git a/vault.go b/vault.go
index 3eecea9..756e7dc 100644
--- a/vault.go
+++ b/vault.go
@@ -370,16 +370,16 @@ func (r VaultService) get(rn *watchedResource) (err error) {
 
 switch rn.resource.resource {
 case "pki":
-secret, err = r.client.Logical().Write(fmt.Sprintf("%s/issue/%s", rn.resource.resource, rn.resource.name),
+secret, err = r.client.Logical().Write(fmt.Sprintf(rn.resource.path),
 map[string]interface{}{
 "common_name": rn.resource.options[optionCommonName],
 })
 case "aws":
-secret, err = r.client.Logical().Read(fmt.Sprintf("%s/creds/%s", rn.resource.resource, rn.resource.name))
+secret, err = r.client.Logical().Read(rn.resource.path)
 case "mysql":
-secret, err = r.client.Logical().Read(fmt.Sprintf("%s/creds/%s", rn.resource.resource, rn.resource.name))
+secret, err = r.client.Logical().Read(rn.resource.path)
 case "secret":
-secret, err = r.client.Logical().Read(fmt.Sprintf("%s/%s", rn.resource.resource, rn.resource.name))
+secret, err = r.client.Logical().Read(rn.resource.path)
 }
 // step: return on error
 if err != nil {
diff --git a/vault_resource.go b/vault_resource.go
index 9628a4b..270f4c8 100644
--- a/vault_resource.go
+++ b/vault_resource.go
@@ -71,7 +71,7 @@ type VaultResource struct {
 // the namespace of the resource
 resource string
 // the name of the resource
-name string
+path string
 // the format of the resource
 format string
 // whether the resource should be renewed?
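Review bot: In the `pki` case, `fmt.Sprintf(rn.resource.path)` passes the operator-supplied path as a format string with no arguments, so any `%` in the path is rewritten (a literal `%s` becomes `%!s(MISSING)`) and newer `go vet` printf checks flag the non-constant format; the `aws`/`mysql`/`secret` cases already pass the path straight through, so this should be `secret, err = r.client.Logical().Write(rn.resource.path, map[string]interface{}{`. Now that the whole mount path comes from the user, the `resource` type no longer constrains where the request goes: a `secret:`-typed entry pointing at a `creds/` path is still a plain Read and presumably bypasses whatever lease handling the dynamic types get, and a `pki:` entry that does not end in `/issue/<role>` only fails at request time. Consider validating the path shape per type in `IsValid` (outside this hunk) rather than relying on the README's `-cn=RESOURCE_TYPE:PATH:OPTIONS` line. The `get` method continues outside the hunk.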
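Review bot: The comment above the renamed field still reads `// the name of the resource`, but the field now holds the full Vault path the operator passes in `-cn=TYPE:PATH`, as the README examples show. Update it to `// the full vault path of the resource, e.g. secret/db/prod/password` so the struct documents the new contract instead of the removed one. The `VaultResource` struct continues outside the hunk.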
@@ -93,7 +93,7 @@ func (r VaultResource) GetFilename() string {
 return path
 }
 
-return fmt.Sprintf("%s.%s", r.name, r.resource)
+return fmt.Sprintf("%s.%s", r.path, r.resource)
 }
 
 // IsValid checks to see if the resource is valid
@@ -182,5 +182,5 @@ func (r *VaultResource) isValidOptions() error {
 
 // String returns a string representation of the struct
 func (r VaultResource) String() string {
-return fmt.Sprintf("%s/%s", r.resource, r.name)
+return fmt.Sprintf("type: %s, path:%s", r.resource, r.path)
 }
diff --git a/vault_resource_test.go b/vault_resource_test.go
index 4388b57..15f14c6 100644
--- a/vault_resource_test.go
+++ b/vault_resource_test.go
@@ -24,7 +24,7 @@ import (
 
 func TestResourceFilename(t *testing.T) {
 rn := VaultResource{
-name: "test_secret",
+path: "test_secret",
 resource: "secret",
 options: map[string]string{},
 }
@@ -35,7 +35,7 @@ func TestResourceFilename(t *testing.T) {
 
 func TestIsValid(t *testing.T) {
 resource := defaultVaultResource()
-resource.name = "/test/name"
+resource.path = "/test/name"
 resource.resource = "secret"
 assert.Nil(t, resource.IsValid())
 
diff --git a/vault_resources.go b/vault_resources.go
index 57743dc..4f87e35 100644
--- a/vault_resources.go
+++ b/vault_resources.go
@@ -45,7 +45,7 @@ func (r *VaultResources) Set(value string) error {
 // step: extract the matches
 matches := resourceRegex.FindAllStringSubmatch(value, -1)
 rn.resource = matches[0][1]
-rn.name = matches[0][2]
+rn.path = matches[0][2]
 rn.options = make(map[string]string, 0)
 
 // step: do we have any options for the resource?
diff --git a/vault_resources_test.go b/vault_resources_test.go
index bd5a4a1..0f3e16c 100644
--- a/vault_resources_test.go
+++ b/vault_resources_test.go
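Review bot: The default filename `fmt.Sprintf("%s.%s", r.path, r.resource)` now carries every slash in the path, so an entry like the README's `-cn=secret:secret/db/prod/password` (no `file=` option) produces `secret/db/prod/password.secret`, which lands in nested directories under the output directory unless `writeResource` (not shown) creates them, and a leading `/` or `..` segment (TestIsValid feeds `/test/name`) would resolve outside it. Deriving the default from the last path element, `return fmt.Sprintf("%s.%s", filepath.Base(r.path), r.resource)` (needs `path/filepath` imported), keeps the old flat layout for the documented examples; two paths sharing a last element would then collide, which the explicit `file=` option resolves. `GetFilename` starts outside the hunk.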
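Review bot: Style: the new `String()` format `"type: %s, path:%s"` puts a space after one label and none after the other; `"type: %s, path: %s"` reads consistently. Since the old `%s/%s` form looked like a Vault path, any log consumer or test matching on it (none visible here) should be checked for the new wording.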
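Review bot: The `TestResourceFilename` fixture keeps a flat `path: "test_secret"`, so the test never exercises the case this commit introduces — a path containing slashes — and what `GetFilename` should return for `secret/db/prod/password` is left unpinned. Add a second fixture such as `VaultResource{path: "secret/db/prod/password", resource: "secret", options: map[string]string{}}` and assert the intended filename, so the nested-directory behaviour is a decision rather than an accident. The function's assertions continue outside the hunk.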
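Review bot: `rn.path = matches[0][2]` is still read without checking that `resourceRegex` (defined outside this hunk) matched, and the second capture group must now admit `/` and `.` for paths like `project1/certs/example.com`; if the pattern was written for a bare name, a `-cn=secret:secret/db/prod/password` flag makes `FindAllStringSubmatch` return nil and `matches[0]` panics instead of `Set` returning an error, unless a `MatchString` check precedes this above the hunk. Guard it with `if len(matches) == 0 { return fmt.Errorf("invalid resource specification: %q", value) }` before indexing. The `Set` method continues outside the hunk.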
@@ -51,13 +51,13 @@ func TestResources(t *testing.T) {
 
 rn := items.items[0]
 assert.Equal(t, "secret", rn.resource)
-assert.Equal(t, "test", rn.name)
+assert.Equal(t, "test", rn.path)
 assert.Equal(t, 2, len(rn.options))
 assert.Equal(t, "filename.test", rn.options[optionFilename])
 assert.Equal(t, "yaml", rn.options[optionFormat])
 rn = items.items[1]
 assert.Equal(t, "secret", rn.resource)
-assert.Equal(t, "test", rn.name)
+assert.Equal(t, "test", rn.path)
 assert.Equal(t, 1, len(rn.options))
 assert.Equal(t, "fileame.test", rn.options[optionFilename])
 }