Fixes #12865: Vault plugin : Add a variable_from_vault generic method.
Showing
10 changed files
with
919 additions
and
0 deletions.
@@ -0,0 +1,13 @@ | ||
# | ||
# make all : will build .rpkg. | ||
# make licensed : will build a license limited version of the plugin | ||
# | ||
|
||
FILES = share/ | ||
SCRIPTS = postinst | ||
|
||
include ../makefiles/common-plugin.mk | ||
targets = $(addprefix target/, $(FILES)) | ||
|
||
$(targets): target/%: % | ||
cp -a $< target/ |
@@ -0,0 +1,29 @@ | ||
Plugin for Vault and Rudder | ||
============================== | ||
|
||
This project is part of Rudder - IT automation and compliance made easy. | ||
See: http://rudder-project.org for more information. | ||
|
||
Mailing list, irc : https://www.rudder-project.org/site/community/mailing-lists/ | ||
|
||
Synposis | ||
-------- | ||
|
||
Installation | ||
------------ | ||
|
||
Usage | ||
----- | ||
|
||
Authors | ||
------- | ||
|
||
Normation http://normation.com | ||
Victor Querette victor.querette@normation.com | ||
|
||
Contributing | ||
------------ | ||
|
||
Thank you for your interest in our project ! | ||
The contribution process is detailed here: | ||
https://www.rudder-project.org/site/documentation/how-to-contribute/ |
@@ -0,0 +1,29 @@ | ||
# | ||
# This file defines the release information about the plugin like | ||
# its version and its ABI compability. | ||
# | ||
# So version are not managed in pom.xml (safe for parent-pom version, | ||
# which can't be a parameter, and must be equals to rudder-branch here) | ||
# | ||
|
||
# Unique identifier of the plugin | ||
plugin-name=vault | ||
# the full name is derived from rudder-plugin-name | ||
plugin-fullname=rudder-plugin-${plugin-name} | ||
|
||
# Human readable short/title descrption (used for one line text) | ||
plugin-title-description="""Plugin for Vault integration with Rudder""" | ||
|
||
# WEB, HTML description. | ||
plugin-web-description=<p>Plugin for Vault integartion with Rudder</p> | ||
|
||
# Plugin version. It is build as follow: A.B-x.y(.z) with: | ||
# - A.B: Rudder major.minor | ||
# - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0. | ||
# For the build, we split the information between two properties, rudder branch and plugin version, | ||
# which must be concaneted with "-" to build the plugin version. | ||
plugin-branch=1.0 | ||
|
||
# rudder branch comes from parent | ||
plugin-version=${rudder-branch}-${plugin-branch} | ||
|
@@ -0,0 +1,10 @@ | ||
{ | ||
"type": "plugin", | ||
"name": "rudder-plugin-vault", | ||
"version": "4.3-1.0", | ||
"build-date": "2018-04-13T16:59:58+02:00", | ||
"build-commit": "447ccaf652d08fb5aa6c2fa51f36fb3a2264077f", | ||
"content": { | ||
"files.txz": "/opt/rudder/" | ||
} | ||
} |
@@ -0,0 +1,10 @@ | ||
{ | ||
"type": "plugin", | ||
"name": "${plugin-id}", | ||
"version": "${plugin-version}", | ||
"build-date": "${maven.build.timestamp}", | ||
"build-commit": "${commit-id}", | ||
"content": { | ||
"files.txz": "/opt/rudder/" | ||
} | ||
} |
@@ -0,0 +1,6 @@ | ||
#!/bin/sh | ||
mkdir -p /var/rudder/plugin-resources | ||
cp -a /opt/rudder/share/plugins/vault/* /var/rudder/configuration-repository/ncf/ | ||
cd /var/rudder/configuration-repository/ncf/ | ||
rm sample_vault.json | ||
git add . && git commit -m "Vault plugin installation" |
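Review bot: The script has no `set -e`, so if the `cd` into the ncf tree fails (for example on a server where the configuration repository is not where expected), `rm sample_vault.json` and `git add . && git commit` run in whatever directory the package manager happened to be in. Adding `set -e` after the shebang, or writing `cd /var/rudder/configuration-repository/ncf/ || exit 1`, stops the install at the first failing step. `git add .` also stages any unrelated uncommitted changes already sitting in the ncf tree under the "Vault plugin installation" message; staging only the files copied from the plugin share directory would keep that commit honest. Since /var/rudder/plugin-resources is created here but vault.json (which holds the Vault password) is left for the administrator to write, a comment such as `# vault.json must be created by the admin with permissions restricted to root` would help.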
@@ -0,0 +1,60 @@ | ||
##################################################################################### | ||
# Copyright 2018 Normation SAS | ||
##################################################################################### | ||
# | ||
# This program is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU General Public License as published by | ||
# the Free Software Foundation, Version 3. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License | ||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
# | ||
##################################################################################### | ||
|
||
bundle agent vault_fetch_config() | ||
{ | ||
vars: | ||
"config_path" string => "/var/rudder/plugin-resources/vault.json"; | ||
"vault.config" data => readjson("${config_path}"); | ||
} | ||
|
||
bundle agent vault_get_token(auth_mode) | ||
{ | ||
vars: | ||
"class_prefix" string => canonify("vault_get_token${auth_mode}"); | ||
|
||
pass1:: | ||
"vault.server_addr" string => "${vault.config[server_addr]}"; | ||
|
||
pass2.mode_userpass.vault_reachable:: | ||
"vault_apicall_output" string => execresult("/usr/bin/curl -s --request POST --data '{\"password\": \"${vault.config[auth][userpass][password]}\"}' ${vault.server_addr}/v1/auth/userpass/login/${vault.config[auth][userpass][user]}", "noshell"); | ||
|
||
"data_output" data => "${vault_apicall_output}"; | ||
|
||
pass2.vault_reachable:: | ||
"vault.auth_token" string => "${data_output[auth][client_token]}", | ||
ifvarclass => isvariable("data_output[auth][client_token]"); | ||
|
||
classes: | ||
pass1:: | ||
# We need this to determinate whether an auth error is due to bad credentials or the Vault server being unreachable | ||
"vault_reachable" expression => returnszero("/usr/bin/curl -s ${vault.server_addr}", "noshell"); | ||
|
||
# What auth mode are we using | ||
"mode_userpass" expression => strcmp("${auth_mode}", "userpass"); | ||
|
||
any:: | ||
"pass3" expression => "pass2"; | ||
"pass2" expression => "pass1"; | ||
"pass1"; | ||
|
||
methods: | ||
pass1:: | ||
"Vault config" usebundle => vault_fetch_config(), | ||
ifvarclass => not(isvariable("vault.config")); | ||
} |
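Review bot: The userpass login in the `pass2.mode_userpass.vault_reachable` block puts the Vault password directly on the curl command line (`--data '{"password": "..."}'`), where it is visible in the process list to every local user for the duration of the call and may be echoed in verbose agent output. The same exposure applies to the token in `-H 'X-Vault-Token: ${vault.auth_token}'` in variable_from_vault.cf. Reading the request body from a root-only file instead, e.g. `--data @<login-body-file>` under /var/rudder/plugin-resources/, keeps the credential out of argv. The `class_prefix` variable declared at the top of vault_get_token is never used and could be dropped. A short comment on `vault_reachable` noting that it is bundle-local, and therefore not visible from calling bundles unless given namespace scope, would also avoid surprises for callers that test it.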
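--- a/vault/share/plugins/vault/30_generic_methods/variable_from_vault.cf
+++ b/vault/share/plugins/vault/30_generic_methods/variable_from_vault.cf
@@ -0,0 +1,77 @@
+#####################################################################################
+# Copyright 2018 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#####################################################################################
+#
+# @name Variable from Vault
+# @description Gets a key-value dictionnary from Vault given the secret path
+#
+# @documentation To use the generated variable, you must use the form `${variable_prefix.variable_name}` with each name replaced with the parameters of this method.
+#
+# Access to the vault has to be configured on each agent in /var/rudder/plugin-resources/vault.json. A sample config file is provided in /opt/rudder/share/plugins/vault/sample_vault.json
+#
+# @parameter variable_prefix The prefix of the variable name
+# @parameter variable_name The variable to define, the full name will be variable_prefix.variable_name
+# @parameter path The path of the secret
+#
+# @class_prefix variable_from_vault
+# @class_parameter path
+
+bundle agent variable_from_vault(variable_prefix, variable_name, path)
+{
+vars:
+"old_class_prefix" string => canonify("variable_from_vault_${path}");
+"promisers" slist => { @{this.callers_promisers}, cf_null }, policy => "ifdefined";
+"class_prefix" string => canonify(join("_", "promisers"));
+"args" slist => {"${variable_prefix}", "${variable_name}", "${path}"};
+
+pass2::
+"vault_apicall_ouput" string => execresult("/usr/bin/curl -s -H 'X-Vault-Token: ${vault.auth_token}' ${vault.server_addr}/v1/secret/${path}", "noshell");
+
+"${variable_prefix}.${variable_name}" data => "${vault_apicall_ouput}";
+
+classes:
+"pass3" expression => "pass2";
+"pass2" expression => "pass1";
+"pass1";
+
+pass3::
+"variable_defined" expression => isvariable("${variable_prefix}.${variable_name}");
+"config_defined" expression => isvariable("vault.config");
+
+methods:
+pass1::
+"Auth" usebundle => vault_get_token("userpass"),
+ifvarclass => not(isvariable("vault.auth_token"));
+
+pass3.variable_defined::
+"success" usebundle => _classes_repaired("${old_class_prefix}");
+"success" usebundle => _classes_repaired("${class_prefix}");
+"report" usebundle => _log("Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args});
+
+pass3.!variable_defined.!vault_reachable::
+"failure" usebundle => _classes_failure("${old_class_prefix}");
+"failure" usebundle => _classes_failure("${class_prefix}");
+"report" usebundle => _log("Vault server unreachable. Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args}),
+ifvarclass => "config_defined";
+"report" usebundle => _log("Undefined configuration. Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args}),
+ifvarclass => "!config_defined";
+
+pass3.!variable_defined.vault_reachable::
+"failure" usebundle => _classes_failure("${old_class_prefix}");
+"failure" usebundle => _classes_failure("${class_prefix}");
+"report" usebundle => _log("Vault server is reachable, but your request failed. Check your auth and secret path. Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args});
+}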
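Review bot: The curl call in the `pass2::` block runs without `--fail`, so a 403 or 404 from Vault returns a JSON error body that is still valid JSON; it gets assigned to `${variable_prefix}.${variable_name}`, `variable_defined` becomes true, and the method reports repaired ("success") although no secret was retrieved. Changing it to `execresult("/usr/bin/curl -s --fail -H 'X-Vault-Token: ${vault.auth_token}' ${vault.server_addr}/v1/secret/${path}", "noshell")` makes non-2xx responses yield empty output, which is not a valid data value and so falls through to the failure branches. The `@description` header is also misleading: the variable receives the whole JSON response body returned by Vault, not only its key-value payload, so the documentation should say how callers reach the values inside it. Unless `vault_reachable` is declared with namespace scope in vault_get_token, it is bundle-local there and never visible here, which would make the `pass3.!variable_defined.vault_reachable::` branch unreachable; worth confirming. The variable name `vault_apicall_ouput` is consistently misspelled (`ouput`) and would be cleaner as `vault_apicall_output`.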
@@ -0,0 +1,11 @@ | ||
{ | ||
"server_addr": "YOUR_VAULT_SERVER", | ||
"auth": | ||
{ | ||
"userpass": | ||
{ | ||
"user": "USER", | ||
"password": "PASSWD" | ||
} | ||
} | ||
} |