feat(install): store also the admin secrets in vault

jenkins-x · Dec 6, 2018 · ae72752 · ae72752
1 parent 4878433
commit ae72752
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 10 deletions.
diff --git a/pkg/jx/cmd/extraValues.yaml b/pkg/jx/cmd/extraValues.yaml
@@ -3,5 +3,5 @@ expose:
     domain: test-domain
 preview:
   image:
-    repository: my.registry/MyOrganisation/MyApp
+    repository: MyOrganisation:5000/MyOrganisation/MyApp
     tag: v0.1.2
diff --git a/pkg/jx/cmd/install.go b/pkg/jx/cmd/install.go
@@ -1024,7 +1024,17 @@ func (options *InstallOptions) getHelmValuesFiles(configStore configio.ConfigSto
 	}
 	secretsFiles = append(secretsFiles,
 		[]string{gitSecretsFileName, adminSecretsFileName, extraValuesFileName, cloudEnvironmentSecretsLocation}...)
-	temporaryFiles = append(temporaryFiles, gitSecretsFileName, extraValuesFileName, cloudEnvironmentSecretsLocation)
+
+	if options.Flags.Vault {
+		temporaryFiles = append(temporaryFiles, adminSecretsFileName, gitSecretsFileName, extraValuesFileName, cloudEnvironmentSecretsLocation)
+		err := options.storeSecretsFilesInVault([]string{adminSecretsFileName})
+		if err != nil {
+			return valuesFiles, secretsFiles, temporaryFiles,
+				errors.Wrapf(err, "storing in Vault the secrets files: %s", adminSecretsFileName)
+		}
+	} else {
+		temporaryFiles = append(temporaryFiles, gitSecretsFileName, extraValuesFileName, cloudEnvironmentSecretsLocation)
+	}
 
 	return valuesFiles, secretsFiles, temporaryFiles, nil
 }
@@ -1065,7 +1075,7 @@ func (options *InstallOptions) cleanupTempFiles(temporaryFiles []string) error {
 	for _, tempFile := range temporaryFiles {
 		exists, err := util.FileExists(tempFile)
 		if exists && err == nil {
-			err := os.Remove(tempFile)
+			err := util.DestroyFile(tempFile)
 			if err != nil {
 				return errors.Wrapf(err, "removing temporary file '%s'", tempFile)
 			}
@@ -1614,7 +1624,7 @@ func (options *InstallOptions) storeSecretsFilesInVault(secretsFiles []string) e
 	for _, file := range secretsFiles {
 		exists, err := util.FileExists(file)
 		if exists && err == nil {
-			empty, err := util.IsEmpty(file)
+			empty, err := util.FileIsEmpty(file)
 			if !empty && err == nil {
 				content, err := ioutil.ReadFile(file)
 				if err != nil {
@@ -1641,7 +1651,7 @@ func (options *InstallOptions) storeSecretsInVault(secrets map[string]interface{
 	if err != nil {
 		log.Errorf("Could not get System vault: %v", err)
 	}
-	err = vaultClient.WriteSecrets(vault.InstallSecretsPrefix, secrets)
+	err = vaultClient.WriteSecrets(vault.InstallSecretsPath, secrets)
 	if err != nil {
 		return errors.Wrapf(err, "Error saving secrets to vault\n")
 	}

diff --git a/pkg/jx/cmd/step_helm_apply.go b/pkg/jx/cmd/step_helm_apply.go
@@ -198,14 +198,14 @@ func (o *StepHelmApplyOptions) ensureHelmSecrets(dir string, filename string) (b
 		if err != nil {
 			return exists, errors.Wrap(err, "retrieving the system Vault")
 		}
-		secretNames, err := client.List(vault.InstallSecretsPrefix)
+		secretNames, err := client.List(vault.InstallSecretsPath)
 		if err != nil {
 			return exists, errors.Wrap(err, "listing the install secrets in Vault")
 		}
 
 		for _, secretName := range secretNames {
 			if secretName == filename {
-				secretPath := vault.InstallSecretsPrefix + filename
+				secretPath := vault.InstallSecretsPath + filename
 				secret, err := client.Read(secretPath)
 				if err != nil {
 					return exists, errors.Wrapf(err, "retrieving the secret '%s' from Vault", secretPath)

diff --git a/pkg/util/files.go b/pkg/util/files.go
@@ -43,6 +43,15 @@ func FirstFileExists(paths ...string) (string, error) {
 	return "", nil
 }
 
+// FileIsEmpty checks if a file is empty
+func FileIsEmpty(path string) (bool, error) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return true, errors.Wrapf(err, "getting details of file '%s'", path)
+	}
+	return (fi.Size() == 0), nil
+}
+
 func IsEmpty(name string) (bool, error) {
 	f, err := os.Open(name)
 	if err != nil {

diff --git a/pkg/vault/constants.go b/pkg/vault/constants.go
@@ -3,6 +3,6 @@ package vault
 const (
 	// SystemVaultName name of the system vault used by the jenkins-x platfrom
 	SystemVaultName = "jx-vault"
-	// InstallSecretsPrefix the prefix of secrets generated during the installation
-	InstallSecretsPrefix = "install-secrets/"
+	// InstallSecretsPath the path of secrets generated during the installation
+	InstallSecretsPath = "install/"
 )
diff --git a/pkg/vault/vault_client.go b/pkg/vault/vault_client.go
@@ -67,7 +67,7 @@ func (v *client) WriteObject(secretName string, secret interface{}) (map[string]
 func (v *client) WriteSecrets(path string, secretsToSave map[string]interface{}) error {
 	var err error
 	for secretName, secret := range secretsToSave {
-		secretName = secretName + path
+		secretName = path + secretName
 		switch secret.(type) {
 		case []byte:
 			// secret is a plain byte array. We shouldn't be doing this. Legacy. We should be saving properly typed objects