feat(vault): use vault flag stored in cluster config for secret location

Lookup the flag (and cache it) from the jx-install-configmap to determine whether secrets are stored in vault or not.
jenkins-x · Nov 29, 2018 · 4e426af · 4e426af
1 parent 968f2df
commit 4e426af
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 19 deletions.
diff --git a/pkg/io/secrets/secret_locations.go b/pkg/io/secrets/secret_locations.go
@@ -9,6 +9,8 @@ import (
 
 const vaultSecretsMarker = "useVaultForSecrets"
 
+var usingVault *bool // use a tri-state boolean. nil means uninitialised (so need to lookup from cluster)
+
 // UseVaultForSecrets configures the cluster's installation config map to denote that secrets should be stored in vault
 func UseVaultForSecrets(kubeClient kubernetes.Interface, namespace string, useVault bool) {
 	_, err := kube.DefaultModifyConfigMap(kubeClient, namespace, kube.ConfigMapNameJXInstallConfig, func(configMap *v1.ConfigMap) error {
@@ -17,6 +19,7 @@ func UseVaultForSecrets(kubeClient kubernetes.Interface, namespace string, useVa
 		} else {
 			delete(configMap.Data, vaultSecretsMarker)
 		}
+		usingVault = newBool(useVault)
 		return nil
 	}, nil)
 	if err != nil {
@@ -26,8 +29,11 @@ func UseVaultForSecrets(kubeClient kubernetes.Interface, namespace string, useVa
 
 // UsingVaultForSecrets returns true if the cluster has been configured to store secrets in vault
 func UsingVaultForSecrets(kubeClient kubernetes.Interface, namespace string) bool {
-	configMap := getInstallConfigMap(kubeClient, namespace)
-	return configMap[vaultSecretsMarker] != ""
+	if usingVault == nil {
+		configMap := getInstallConfigMap(kubeClient, namespace)
+		usingVault = newBool(configMap[vaultSecretsMarker] != "")
+	}
+	return *usingVault
 }
 
 func getInstallConfigMap(kubeClient kubernetes.Interface, namespace string) map[string]string {
@@ -37,3 +43,8 @@ func getInstallConfigMap(kubeClient kubernetes.Interface, namespace string) map[
 	}
 	return configMap
 }
+
+// Helper method to create a *bool value
+func newBool(b bool) *bool {
+	return &b
+}
diff --git a/pkg/jx/cmd/create_cluster_gke.go b/pkg/jx/cmd/create_cluster_gke.go
@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"github.com/jenkins-x/jx/pkg/io/secrets"
 	"io"
 	"strings"
 
@@ -288,12 +289,12 @@ func (o *CreateClusterGKEOptions) createClusterGKE() error {
 		return err
 	}
 
-	ns := o.InstallOptions.Flags.Namespace
-	if ns == "" {
-		_, ns, _ = o.KubeClient()
-		if err != nil {
-			return err
-		}
+	kubeClient, ns, err := o.KubeClient()
+	if err != nil {
+		return err
+	}
+	if o.InstallOptions.Flags.Namespace != "" {
+		ns = o.InstallOptions.Flags.Namespace
 	}
 
 	err = o.RunCommand("kubectl", "config", "set-context", context, "--namespace", ns)
@@ -312,7 +313,7 @@ func (o *CreateClusterGKEOptions) createClusterGKE() error {
 		if err = InstallVaultOperator(&o.CommonOptions, ""); err != nil {
 			return err
 		}
-		o.Factory.UseVault(true)
+		secrets.UseVaultForSecrets(kubeClient, ns, true)
 	}
 
 	return nil

diff --git a/pkg/jx/cmd/factory.go b/pkg/jx/cmd/factory.go
@@ -4,7 +4,9 @@ import (
 	"flag"
 	"fmt"
 	"github.com/hashicorp/vault/api"
+	"github.com/jenkins-x/jx/pkg/io/secrets"
 	"github.com/jenkins-x/jx/pkg/vault"
+	"github.com/sirupsen/logrus"
 	"io"
 	"net/url"
 	"os"
@@ -60,7 +62,6 @@ type factory struct {
 	kubeConfig      kube.Kuber
 	impersonateUser string
 	bearerToken     string
-	useVault        bool
 }
 
 // NewFactory creates a factory with the default Kubernetes resources defined
@@ -285,7 +286,16 @@ func (f *factory) AuthMergePipelineSecrets(config *auth.AuthConfig, secrets *cor
 // CreateAuthConfigService creates a new service saving auth config under the provided name. Depending on the factory,
 // It will either save the config to the local file-system, or a Vault
 func (f *factory) CreateAuthConfigService(configName string) (auth.ConfigService, error) {
-	if f.useVault {
+
+	client, namespace, err := f.CreateClient()
+	useVault := false
+	if err != nil {
+		logrus.Errorf("Could not create kube client. Saving configs to local filesystem")
+	} else {
+		useVault = secrets.UsingVaultForSecrets(client, namespace)
+	}
+
+	if useVault {
 		vault, err := f.GetSystemVault()
 		v := auth.NewVaultAuthConfigService(configName, vault)
 		return v, err
@@ -552,10 +562,6 @@ func (f *factory) GetHelm(verbose bool,
 	return h
 }
 
-func (f *factory) UseVault(use bool) {
-	f.useVault = use
-}
-
 // tillerAddress returns the address that tiller is listening on
 func tillerAddress() string {
 	tillerAddress := os.Getenv("TILLER_ADDR")

diff --git a/pkg/jx/cmd/install.go b/pkg/jx/cmd/install.go
@@ -720,7 +720,6 @@ func (options *InstallOptions) Run() error {
 			log.Infof("System vault created named %s in namespace %s.\n",
 				util.ColorInfo(vault.SystemVaultName), util.ColorInfo(ns))
 		}
-		options.Factory.UseVault(true)
 		secrets.UseVaultForSecrets(client, ns, options.Flags.Vault)
 	}
 

diff --git a/pkg/jx/cmd/interface.go b/pkg/jx/cmd/interface.go
@@ -84,7 +84,4 @@ type Factory interface {
 	CreateVaultOperatorClient() (vaultoperatorclient.Interface, error)
 
 	GetHelm(verbose bool, helmBinary string, noTiller bool, helmTemplate bool) helm.Helmer
-
-	// UseVault tells the factory to use Vault to store secrets rather than the filesystem
-	UseVault(use bool)
 }