Feature/upstream secrets endpoint #70

Merged
merged 8 commits into from Feb 11, 2019

4 participants
Collaborator

acornies commented Feb 1, 2019

Addresses #69 by implementing the /system/secrets (upstream) gateway API using Vault secrets v1.

Includes:

  • Vault service for login and token renewal for preconfigured App Role
  • New secrets handler for GET,PUT,POST,DELETE
  • Light refactor of current function secrets implementation based on secret API management
  • Removal of deprecated vars
  • Vagrant provisioning updates: provision vagrant
  • add nomadACL cli param

acornies added some commits Jan 25, 2019

Initial commit of secrets w/ housekeeping:
- updated vagrant provisioning process
- added vault approle commands
- added vault info types
- WIP token/login on startup
- Secret handler stub created

Signed-off-by: Andrew Cornies <acornies@gmail.com>
Secrets handler first pass
- CLUD implemented in secrets handler
- Refactored Vault property of provider config
- fixed up Vagrantfile overrides
- TODO: secret handler tests

Signed-off-by: Andrew Cornies <acornies@gmail.com>
WIP: Secrets handler update:
- Support both POST,PUT faas-cli commands
- Change secrets convention to work with upstream secrets API
- Error formatting

Signed-off-by: Andrew Cornies <acornies@gmail.com>
New VaultService and renewal:
- Light refactor of Vault calls into VaultService
- Added much needed token renewal for Vault AppRole tokens
- Updating provision policy to 5m
- TODO unit tests for VaultService and secrets handler

Signed-off-by: Andrew Cornies <acornies@gmail.com>

hashicorp-cla commented Feb 1, 2019

CLA assistant check
All committers have signed the CLA.

acornies added some commits Feb 1, 2019

Responding to Codeclimate analysis:
- removed provider config dependency
- changed signatures of the CLUD methods

Signed-off-by: Andrew Cornies <acornies@gmail.com>
More Codeclimate revisions:
- Forgot to delete duplicate method
- reduced number of returns in getSecrets

Signed-off-by: Andrew Cornies <acornies@gmail.com>
Contributor

alexellis commented Feb 1, 2019

I think this looks pretty decent. Have you thought about doing some validation on secret names? I think we left that out of the other providers, so if you do this it would be great to get a PR to them too.
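
An added example, not code from this PR or from faas-nomad: one way to validate a secret name before it is joined to the configured Vault secret prefix, so a name cannot resolve to a path outside that prefix. The naming rule (DNS-1123 style), the helpers `ValidateSecretName` and `SecretPath`, and the prefix `secret/openfaas` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
)

// Assumed rule (not specified in the PR): DNS-1123 subdomain style names,
// lowercase alphanumerics separated by single '-' or '.', max 253 characters.
var secretNameRe = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

const maxSecretNameLen = 253

// ErrInvalidSecretName lets the HTTP handler map failures to a 400 response.
var ErrInvalidSecretName = errors.New("invalid secret name")

// ValidateSecretName rejects empty or over-long names and anything containing
// '/', "..", uppercase, whitespace or control characters.
func ValidateSecretName(name string) error {
	if name == "" || len(name) > maxSecretNameLen {
		return fmt.Errorf("%w: length %d", ErrInvalidSecretName, len(name))
	}
	if !secretNameRe.MatchString(name) {
		return fmt.Errorf("%w: %q", ErrInvalidSecretName, name)
	}
	return nil
}

// SecretPath (hypothetical helper) validates first, then joins. Without the
// check, path.Join would clean "../x" into a path outside the prefix.
func SecretPath(prefix, name string) (string, error) {
	if err := ValidateSecretName(name); err != nil {
		return "", err
	}
	return path.Join(prefix, name), nil
}

func main() {
	// Constructed sample names; the prefix is a placeholder value.
	for _, n := range []string{"db-password", "tls.cert-1", "../sys/x", "a/b", "API_KEY", ""} {
		p, err := SecretPath("secret/openfaas", n)
		fmt.Printf("%q -> %q err=%v\n", n, p, err)
	}
}
```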

Collaborator

nicholasjackson commented Feb 5, 2019

Hey @acornies

Getting a couple of test failures on CI, I am guessing this is a go mod issue, it seems to work fine when I run the tests locally. Could you check this out pls?

```
# github.com/hashicorp/faas-nomad/handlers
handlers/secrets.go:101:15: undefined: requests.Secret
handlers/secrets.go:103:29: undefined: requests.Secret
handlers/secrets.go:113:13: undefined: requests.Secret
handlers/secrets.go:137:13: undefined: requests.Secret
# github.com/hashicorp/faas-nomad/handlers [github.com/hashicorp/faas-nomad/handlers.test]
handlers/secrets.go:101: undefined: requests.Secret
handlers/secrets.go:103: undefined: requests.Secret
handlers/secrets.go:113: undefined: requests.Secret
```

acornies added some commits Feb 6, 2019

Fixing up go modules:
- update faas-provider mod
- update faas mod
- update mapstructure
- update vault mod

Signed-off-by: Andrew Cornies <acornies@gmail.com>
Use configurable vault secret prefix
Fix to vault prefix instead of policy name

Signed-off-by: Andrew Cornies <acornies@gmail.com>

@acornies acornies merged commit fa2efe6 into hashicorp:master Feb 11, 2019

3 checks passed

codeclimate All good!
continuous-integration/travis-ci/pr The Travis CI build passed
license/cla Contributor License Agreement is signed.

@acornies acornies deleted the acornies:feature/upstream_secrets_endpoint branch Feb 11, 2019
