- adding the ability to import a root CA rather bypassing the tls verfication

CONDUCT_CODE.md

@@ -0,0 +1,36 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and
+welcoming community, we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation, submitting pull requests or patches, and other
+activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression, sexual orientation,
+disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses, without explicit
+  permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits,
+code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By
+adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project. Project maintainers who do not
+follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is
+representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an
+issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org),
+version 1.2.0, available at
+[http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

CONTRIBUTING.md

@@ -0,0 +1,54 @@
+# Contributing
+
+When contributing to this repository, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Pull Request Process
+
+1. Ensure any install or build dependencies are removed before the end of the layer when doing a
+   build.
+2. Update the README.md with details of changes to the interface, this includes new environment
+   variables, exposed ports, useful file locations and container parameters.
+3. Increase the version numbers in any examples files and the README.md to the new version that this
+   Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/).
+4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you
+   do not have permission to do that, you may request the second reviewer to merge it for you.
+
+## Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and
+welcoming community, we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation, submitting pull requests or patches, and other
+activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression, sexual orientation,
+disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses, without explicit
+  permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits,
+code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By
+adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project. Project maintainers who do not
+follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is
+representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an
+issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org),
+version 1.2.0, available at
+[http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

README.md

@@ -28,6 +28,10 @@ Usage of bin/vault-sidekick:
   -vmodule=: comma-separated list of pattern=N settings for file-filtered logging
 ```
 
+**Building**
+
+There is a Makefile in the base repository, so assuming you have make and go: # make 
+
 **Example Usage**
 
 The below is taken from a [Kubernetes](https://github.com/kubernetes/kubernetes) pod specification;

config.go

@@ -31,6 +31,8 @@ type config struct {
 	vaultAuthFile string
 	// the authentication options
 	vaultAuthOptions map[string]string
+	// the vault ca file
+	vaultCaFile string
 	// the place to write the resources
 	outputDir string
 	// switch on dry run
@@ -52,13 +54,14 @@ func init() {
 	options.resources = new(VaultResources)
 	options.vaultAuthOptions = map[string]string{VaultAuth: "token"}
 
-	flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "the url the vault service is running behind (VAULT_ADDR if available)")
+	flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "url the vault service or VAULT_ADDR")
-	flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in a json or yaml containing authentication arguments")
+	flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in json or yaml containing authentication arguments")
-	flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write the protected resources (VAULT_OUTPUT if available)")
+	flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT")
 	flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen")
 	flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
+	flag.StringVar(&options.vaultCaFile, "ca-cert", "", "the path to the file container the CA used to verify the vault service")
 	flag.DurationVar(&options.statsInterval, "stats", time.Duration(5)*time.Minute, "the interval to produce statistics on the accessed resources")
-	flag.Var(options.resources, "cn", "a resource to retrieve and monitor from vault (e.g. pki:name:cert.name, secret:db_password, aws:s3_backup)")
+	flag.Var(options.resources, "cn", "a resource to retrieve and monitor from vault")
 }
 
 // parseOptions ... validate the command line options and validates them
@@ -87,5 +90,15 @@ func validateOptions(cfg *config) error {
 		}
 	}
 
+	if cfg.vaultCaFile != "" {
+		if exists, _ := fileExists(cfg.vaultCaFile); !exists {
+			return fmt.Errorf("the ca certificate file: %s does not exist", cfg.vaultCaFile)
+		}
+	}
+
+	if cfg.tlsVerify == true && cfg.vaultCaFile != "" {
+		return fmt.Errorf("you are skipping the tls but supplying a CA, doesn't make sense")
+	}
+
 	return nil
 }

main.go

@@ -27,7 +27,6 @@ import (
 const (
 	Prog    = "vault-sidekick"
 	Version = "0.0.1"
-	GitSha  = ""
 )
 
 func main() {

vault.go

@@ -18,7 +18,9 @@ package main
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"time"
 
@@ -46,6 +48,7 @@ type VaultService struct {
 	config *api.Config
 	// the token to authenticate with
 	token string
+
 	// the listener channel - technically we only have the one listener but there a long term reasons for adding this
 	listeners []chan VaultEvent
 	// a channel to inform of a new resource to processor
@@ -71,11 +74,10 @@ func NewVaultService(url string) (*VaultService, error) {
 	service.config.Address = url
 	service.listeners = make([]chan VaultEvent, 0)
 
-	// step: skip the cert verification if requested
+	// step: setup and generate the tls options
-	if options.tlsVerify {
+	service.config.HttpClient.Transport, err = service.getHttpTransport()
-		service.config.HttpClient.Transport = &http.Transport{
+	if err != nil {
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		return nil, err
-		}
 	}
 
 	// step: create the service processor channels
@@ -99,6 +101,29 @@ func NewVaultService(url string) (*VaultService, error) {
 	return service, nil
 }
 
+func (r *VaultService) getHttpTransport() (*http.Transport, error) {
+	transport := &http.Transport{}
+
+	// step: are we skip the tls verify?
+	if options.tlsVerify {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+	// step: are we loading a CA file
+	if options.vaultCaFile != "" {
+		// step: load the ca file
+		caCert, err := ioutil.ReadFile(options.vaultCaFile)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read in the ca: %s, reason: %s", options.vaultCaFile, err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		// step: add the ca to the root
+		transport.TLSClientConfig.RootCAs = caCertPool
+	}
+
+	return transport, nil
+}
+
 // AddListener ... add a listener to the events listeners
 func (r *VaultService) AddListener(ch chan VaultEvent) {
 	glog.V(10).Infof("adding the listener: %v", ch)