From 7f89a812a05e6378fca8e6c78a4ca5a15232785b Mon Sep 17 00:00:00 2001 From: Rohith Date: Fri, 9 Oct 2015 17:42:24 +0100 Subject: [PATCH] - adding the ability to import a root CA rather bypassing the tls verfication --- CONDUCT_CODE.md | 36 +++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 54 +++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 4 ++++ config.go | 21 +++++++++++++++---- main.go | 1 - vault.go | 35 +++++++++++++++++++++++++++----- 6 files changed, 141 insertions(+), 10 deletions(-) create mode 100644 CONDUCT_CODE.md create mode 100644 CONTRIBUTING.md diff --git a/CONDUCT_CODE.md b/CONDUCT_CODE.md new file mode 100644 index 0000000..8ac706e --- /dev/null +++ b/CONDUCT_CODE.md @@ -0,0 +1,36 @@ +# Contributor Code of Conduct + +As contributors and maintainers of this project, and in the interest of fostering an open and +welcoming community, we pledge to respect all people who contribute through reporting issues, +posting feature requests, updating documentation, submitting pull requests or patches, and other +activities. + +We are committed to making participation in this project a harassment-free experience for everyone, +regardless of level of experience, gender, gender identity and expression, sexual orientation, +disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery +* Personal attacks +* Trolling or insulting/derogatory comments +* Public or private harassment +* Publishing other's private information, such as physical or electronic addresses, without explicit + permission +* Other unethical or unprofessional conduct. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, +code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By +adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently +applying these principles to every aspect of managing this project. Project maintainers who do not +follow or enforce the Code of Conduct may be permanently removed from the project team. + +This code of conduct applies both within project spaces and in public spaces when an individual is +representing the project or its community. + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an +issue or contacting one or more of the project maintainers. + +This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), +version 1.2.0, available at +[http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/) \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..9353c56 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,54 @@ +# Contributing + +When contributing to this repository, please first discuss the change you wish to make via issue, +email, or any other method with the owners of this repository before making a change. + +Please note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +1. Ensure any install or build dependencies are removed before the end of the layer when doing a + build. +2. Update the README.md with details of changes to the interface, this includes new environment + variables, exposed ports, useful file locations and container parameters. +3. Increase the version numbers in any examples files and the README.md to the new version that this + Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/). +4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you + do not have permission to do that, you may request the second reviewer to merge it for you. + +## Contributor Code of Conduct + +As contributors and maintainers of this project, and in the interest of fostering an open and +welcoming community, we pledge to respect all people who contribute through reporting issues, +posting feature requests, updating documentation, submitting pull requests or patches, and other +activities. + +We are committed to making participation in this project a harassment-free experience for everyone, +regardless of level of experience, gender, gender identity and expression, sexual orientation, +disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery +* Personal attacks +* Trolling or insulting/derogatory comments +* Public or private harassment +* Publishing other's private information, such as physical or electronic addresses, without explicit + permission +* Other unethical or unprofessional conduct. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, +code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By +adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently +applying these principles to every aspect of managing this project. Project maintainers who do not +follow or enforce the Code of Conduct may be permanently removed from the project team. + +This code of conduct applies both within project spaces and in public spaces when an individual is +representing the project or its community. + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an +issue or contacting one or more of the project maintainers. + +This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), +version 1.2.0, available at +[http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/) \ No newline at end of file diff --git a/README.md b/README.md index 8b987a7..360426d 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,10 @@ Usage of bin/vault-sidekick: -vmodule=: comma-separated list of pattern=N settings for file-filtered logging ``` +**Building** + +There is a Makefile in the base repository, so assuming you have make and go: # make + **Example Usage** The below is taken from a [Kubernetes](https://github.com/kubernetes/kubernetes) pod specification; diff --git a/config.go b/config.go index a823e68..dfc0ba2 100644 --- a/config.go +++ b/config.go @@ -31,6 +31,8 @@ type config struct { vaultAuthFile string // the authentication options vaultAuthOptions map[string]string + // the vault ca file + vaultCaFile string // the place to write the resources outputDir string // switch on dry run @@ -52,13 +54,14 @@ func init() { options.resources = new(VaultResources) options.vaultAuthOptions = map[string]string{VaultAuth: "token"} - flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "the url the vault service is running behind (VAULT_ADDR if available)") - flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in a json or yaml containing authentication arguments") - flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write the protected resources (VAULT_OUTPUT if available)") + flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "url the vault service or VAULT_ADDR") + flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in json or yaml containing authentication arguments") + flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT") flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen") flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate") + flag.StringVar(&options.vaultCaFile, "ca-cert", "", "the path to the file container the CA used to verify the vault service") flag.DurationVar(&options.statsInterval, "stats", time.Duration(5)*time.Minute, "the interval to produce statistics on the accessed resources") - flag.Var(options.resources, "cn", "a resource to retrieve and monitor from vault (e.g. pki:name:cert.name, secret:db_password, aws:s3_backup)") + flag.Var(options.resources, "cn", "a resource to retrieve and monitor from vault") } // parseOptions ... validate the command line options and validates them @@ -87,5 +90,15 @@ func validateOptions(cfg *config) error { } } + if cfg.vaultCaFile != "" { + if exists, _ := fileExists(cfg.vaultCaFile); !exists { + return fmt.Errorf("the ca certificate file: %s does not exist", cfg.vaultCaFile) + } + } + + if cfg.tlsVerify == true && cfg.vaultCaFile != "" { + return fmt.Errorf("you are skipping the tls but supplying a CA, doesn't make sense") + } + return nil } diff --git a/main.go b/main.go index 4d4aac3..a5c86e0 100644 --- a/main.go +++ b/main.go @@ -27,7 +27,6 @@ import ( const ( Prog = "vault-sidekick" Version = "0.0.1" - GitSha = "" ) func main() { diff --git a/vault.go b/vault.go index 4ee1d20..649d6ff 100644 --- a/vault.go +++ b/vault.go @@ -18,7 +18,9 @@ package main import ( "crypto/tls" + "crypto/x509" "fmt" + "io/ioutil" "net/http" "time" @@ -46,6 +48,7 @@ type VaultService struct { config *api.Config // the token to authenticate with token string + // the listener channel - technically we only have the one listener but there a long term reasons for adding this listeners []chan VaultEvent // a channel to inform of a new resource to processor @@ -71,11 +74,10 @@ func NewVaultService(url string) (*VaultService, error) { service.config.Address = url service.listeners = make([]chan VaultEvent, 0) - // step: skip the cert verification if requested - if options.tlsVerify { - service.config.HttpClient.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } + // step: setup and generate the tls options + service.config.HttpClient.Transport, err = service.getHttpTransport() + if err != nil { + return nil, err } // step: create the service processor channels @@ -99,6 +101,29 @@ func NewVaultService(url string) (*VaultService, error) { return service, nil } +func (r *VaultService) getHttpTransport() (*http.Transport, error) { + transport := &http.Transport{} + + // step: are we skip the tls verify? + if options.tlsVerify { + transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + } + // step: are we loading a CA file + if options.vaultCaFile != "" { + // step: load the ca file + caCert, err := ioutil.ReadFile(options.vaultCaFile) + if err != nil { + return nil, fmt.Errorf("unable to read in the ca: %s, reason: %s", options.vaultCaFile, err) + } + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(caCert) + // step: add the ca to the root + transport.TLSClientConfig.RootCAs = caCertPool + } + + return transport, nil +} + // AddListener ... add a listener to the events listeners func (r *VaultService) AddListener(ch chan VaultEvent) { glog.V(10).Infof("adding the listener: %v", ch)