Fixes #12865: Vault plugin : Add a variable_from_vault generic method. #65
be14573 to 6d53dcd
vault/packaging/postinst
Outdated
@@ -0,0 +1,3 @@ | |||
#!/bin/sh | |||
cp -a /opt/rudder/share/plugins/vault/usr/share/ncf/tree /usr/share/ncf/ |
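Review bot: the `cp -a` on the second line runs with no `set -e` and no check of its exit status, so a failed copy can go unnoticed unless it happens to be the script's last command. Add `set -e` after the shebang or append `|| exit 1` to the copy. Since `-a` preserves ownership and modes, it is also worth confirming that the packaged tree under /opt/rudder/share/plugins/vault is root-owned before it lands in /usr/share/ncf/.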
@ncharles do you think we should put it with CFEngine stubs for dsc methods instead?
yes, because if we put it in /usr/share/ncf, it'll be erased at ncf upgrade
|
||
pass2.vault_reachable:: | ||
"vault.auth_token" string => "${data_output[auth][client_token]}", | ||
ifvarclass => isvariable("data_output[auth][client_token]"); |
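Review bot: `vault.auth_token` now holds the Vault client token in an agent variable, so check that no report, log message or verbose output in this bundle expands `${vault.auth_token}` or `${data_output[auth][client_token]}`. Keeping the token out of anything that is reported back to the server avoids leaking it through the reporting channel.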
We should display an error message if the config is not defined
👍
# @description Gets a key-value dictionnary from Vault given the secret path | ||
# | ||
# @documentation | ||
# Vault |
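Review bot: "dictionnary" in the `@description` line should be "dictionary", and the `@documentation` block currently consists of the single word "Vault". State at least what the method returns and where the result is stored.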
you'll need to improve the documentation a bit
6d53dcd to 0fc63ae
Commit modified
This is great! I made some really minor remarks, otherwise this is a great addition to Rudder
cp -a /opt/rudder/share/plugins/vault/* /var/rudder/configuration-repository/ncf/ | ||
cd /var/rudder/configuration-repository/ncf/ | ||
rm sample_vault.json | ||
git add . && git commit -m "Vault plugin installation" |
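Review bot: the `cd /var/rudder/configuration-repository/ncf/` line is unchecked, so if it fails, `rm sample_vault.json` and `git add .` run in whatever directory the script started in. Use `cd ... || exit 1` or `set -e`. `git add .` also stages every pending change in that repository under the "Vault plugin installation" commit message; adding only the paths the plugin copied would keep unrelated edits out of it. Note too that `git commit` exits non-zero when there is nothing to commit, which a reinstall would hit and which matters if this is the script's last command.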
You should probably mention somewhere in the output that there is a sample_vault.json
# | ||
##################################################################################### | ||
|
||
bundle agent vault_fetch_config() |
could you document here the format of the vault.json file?
# @documentation To use the generated variable, you must use the form `${variable_prefix.variable_name}` with each name replaced with the parameters of this method. | ||
# | ||
# Access to the vault has to be configured on each agent in /var/rudder/plugin-resources/vault.json. A sample config file is provided in /opt/rudder/share/plugins/vault/sample_vault.json | ||
# |
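Review bot: the line that introduces /var/rudder/plugin-resources/vault.json does not say who should own the file or which mode it needs. Since this file configures access to the vault, the documentation should tell users to keep it readable by root only.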
can you specify the success & error case? that fetching a key is a repair, failing is an error?
|
||
pass3.variable_defined:: | ||
"success" usebundle => _classes_repaired("${old_class_prefix}"); | ||
"success" usebundle => _classes_repaired("${class_prefix}"); |
for the sanity of the person doing maintenance in the future, could you change the promiser to "repair"?
Commit modified
0fc63ae to f7a08c0
##################################################################################### | ||
|
||
# Fetches the configuration to be used for this run. | ||
# The config is located at "config_path". It is a JSON file containing two fields : a server_addr and an auth dictionary. |
can you paste the sample, so that it'll be easier for users?
Commit modified
f7a08c0 to f81db13
f81db13 to 2f0eaa2
This PR breaks qa-test
You should run ./qa-test in your repository to make sure it works.
Don't merge this
Ready now
OK, merging this PR
https://www.rudder-project.org/redmine/issues/12865