forked from vmware-archive/atc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
manager.go
136 lines (108 loc) · 4.61 KB
/
manager.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
package vault
import (
"encoding/json"
"errors"
"fmt"
"net/url"
"time"
"code.cloudfoundry.org/lager"
"github.com/cloudfoundry/bosh-cli/director/template"
"github.com/concourse/atc/creds"
vaultapi "github.com/hashicorp/vault/api"
)
type VaultManager struct {
URL string `long:"url" description:"Vault server address used to access secrets."`
PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`
Cache bool `long:"cache" description:"Cache returned secrets for their lease duration in memory"`
MaxLease time.Duration `long:"max-lease" description:"If the cache is enabled, and this is set, override secrets lease duration with a maximum value"`
TLS TLS
Auth AuthConfig
Client *APIClient
}
type TLS struct {
CACert string `long:"ca-cert" description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
CAPath string `long:"ca-path" description:"Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert."`
ClientCert string `long:"client-cert" description:"Path to the client certificate for Vault authorization."`
ClientKey string `long:"client-key" description:"Path to the client private key for Vault authorization."`
ServerName string `long:"server-name" description:"If set, is used to set the SNI host when connecting via TLS."`
Insecure bool `long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
}
type AuthConfig struct {
ClientToken string `long:"client-token" description:"Client token for accessing secrets within the Vault server."`
Backend string `long:"auth-backend" description:"Auth backend to use for logging in to Vault."`
BackendMaxTTL time.Duration `long:"auth-backend-max-ttl" description:"Time after which to force a re-login. If not set, the token will just be continuously renewed."`
RetryMax time.Duration `long:"retry-max" default:"5m" description:"The maximum time between retries when logging in or re-authing a secret."`
RetryInitial time.Duration `long:"retry-initial" default:"1s" description:"The initial time between retries when logging in or re-authing a secret."`
Params []template.VarKV `long:"auth-param" description:"Paramter to pass when logging in via the backend. Can be specified multiple times." value-name:"NAME=VALUE"`
}
func (manager *VaultManager) Init(log lager.Logger) error {
var err error
tlsConfig := &vaultapi.TLSConfig{
CACert: manager.TLS.CACert,
CAPath: manager.TLS.CAPath,
TLSServerName: manager.TLS.ServerName,
Insecure: manager.TLS.Insecure,
ClientCert: manager.TLS.ClientCert,
ClientKey: manager.TLS.ClientKey,
}
manager.Client, err = NewAPIClient(log, manager.URL, tlsConfig, manager.Auth)
if err != nil {
return err
}
return nil
}
func (manager *VaultManager) MarshalJSON() ([]byte, error) {
health, err := manager.Health()
if err != nil {
return nil, err
}
return json.Marshal(&map[string]interface{}{
"url": manager.URL,
"path_prefix": manager.PathPrefix,
"cache": manager.Cache,
"max_lease": manager.MaxLease,
"ca_cert": manager.TLS.CACert,
"server_name": manager.TLS.ServerName,
"auth_backend": manager.Auth.Backend,
"auth_max_ttl": manager.Auth.BackendMaxTTL,
"auth_retry_max": manager.Auth.RetryMax,
"auth_retry_initial": manager.Auth.RetryInitial,
"health": health,
})
}
func (manager VaultManager) IsConfigured() bool {
return manager.URL != ""
}
func (manager VaultManager) Validate() error {
_, err := url.Parse(manager.URL)
if err != nil {
return fmt.Errorf("invalid URL: %s", err)
}
if manager.Auth.ClientToken != "" {
return nil
}
if manager.Auth.Backend != "" {
return nil
}
return errors.New("must configure client token or auth backend")
}
func (manager VaultManager) Health() (*creds.HealthResponse, error) {
health := &creds.HealthResponse{
Method: "/v1/sys/health",
}
response, err := manager.Client.health()
if err != nil {
health.Error = err.Error()
return health, nil
}
health.Response = response
return health, nil
}
func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error) {
ra := NewReAuther(manager.Client, manager.Auth.BackendMaxTTL, manager.Auth.RetryInitial, manager.Auth.RetryMax)
var sr SecretReader = manager.Client
if manager.Cache {
sr = NewCache(manager.Client, manager.MaxLease)
}
return NewVaultFactory(sr, ra.LoggedIn(), manager.PathPrefix), nil
}