feat: Up vault config to use default config with Vault env vars (#60)

* feat: Up vault config to use default config with Vault env vars
samirtahir91 · May 14, 2024 · 0aca1da · 0aca1da
1 parent 85c677c
commit 0aca1da
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 16 deletions.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -51,7 +51,7 @@ jobs:
           export "GITHUB_PRIVATE_KEY=${{ secrets.GH_TEST_APP_PK }}"
           export "GH_APP_ID=${{ secrets.GH_APP_ID }}"
           export "GH_INSTALL_ID=${{ secrets.GH_INSTALL_ID }}"
-          export "VAULT_ADDRESS=http://localhost:8200"
+          export "VAULT_ADDR=http://localhost:8200"
           export "VAULT_ROLE_AUDIENCE=githubapp"
           export "VAULT_ROLE=githubapp"
 

diff --git a/README.md b/README.md
@@ -32,7 +32,9 @@ Key features:
     - Configure the environment variables in the controller deployment spec:
       - `VAULT_ROLE` - The role you have bound for Kubernetes auth for the operator
       - `VAULT_ROLE_AUDIENCE` - The audience you have bound in Vault
-      - `VAULT_ADDRESS` - FQDN or your Vault server, i.e. `http://vault.default:8200`
+      - `VAULT_ADDR` - FQDN or your Vault server, i.e. `http://vault.default:8200`
+    - Additional Vault env vars can be set i.e. `VAULT_NAMESPACE` for enterprise Vault.
+      - See [Vault API](https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants)
 - Deleting the `GithubApp` object will also delete the access token secret it owns.
 - The operator will reconcile an access token for a `GithubApp` when:
     - Modifications are made to the access token secret that is owned by a `GithubApp`.
@@ -208,7 +210,7 @@ make run
 export GITHUB_PRIVATE_KEY=<YOUR_BASE64_ENCODED_GH_APP_PRIVATE_KEY>
 export GH_APP_ID=<YOUR GITHUB APP ID>
 export GH_INSTALL_ID=<YOUR GITHUB APP INSTALL ID>
-export "VAULT_ADDRESS=http://localhost:8200" # this can be local k8s Vault or some other Vault
+export "VAULT_ADDR=http://localhost:8200" # this can be local k8s Vault or some other Vault
 export "VAULT_ROLE_AUDIENCE=githubapp"
 export "VAULT_ROLE=githubapp"
 ```

diff --git a/cmd/main.go b/cmd/main.go
@@ -108,11 +108,10 @@ func main() {
 	// http client
 	httpClient := &http.Client{}
 
-	// Initialise vault client with VAULT_ADDRESS env var
-	vaultAddress := os.Getenv("VAULT_ADDRESS") // Vault server fqdn
-	vaultClient, err := vault.NewClient(&vault.Config{
-		Address: vaultAddress,
-	})
+	// Initialise vault client with default config - uses default Vault env vars for config
+	// See - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
+	vaultConfig := vault.DefaultConfig()
+	vaultClient, err := vault.NewClient(vaultConfig)
 	if err != nil {
 		setupLog.Error(err, "failed to initialise Vault client")
 		os.Exit(1)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -111,8 +111,12 @@ spec:
             value: githubapp
           - name: VAULT_ROLE_AUDIENCE
             value: githubapp
-          - name: VAULT_ADDRESS
+          - name: VAULT_ADDR
             value: "http://vault.default:8200"
+          # Enterprise vault only - set namespace
+          - name: VAULT_NAMESPACE
+            value: ""
+          # optional vault env vars - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
         # volume to cache private keys
         volumeMounts:
           - name: github-app-secrets

diff --git a/internal/controller/githubapp_controller.go b/internal/controller/githubapp_controller.go
@@ -497,7 +497,7 @@ func (r *GithubAppReconciler) getPrivateKey(ctx context.Context, githubApp *gith
 	if githubApp.Spec.VaultPrivateKey != nil && len(privateKey) == 0 {
 
 		if r.VaultClient.Address() == "" || vaultAudience == "" || vaultRole == "" {
-			return []byte(""), "", fmt.Errorf("failed on vault auth: VAULT_ROLE, VAULT_ROLE_AUDIENCE and VAULT_ADDRESS are required env variables for Vault authentication")
+			return []byte(""), "", fmt.Errorf("failed on vault auth: VAULT_ROLE, VAULT_ROLE_AUDIENCE and VAULT_ADDR are required env variables for Vault authentication")
 		}
 
 		mountPath := githubApp.Spec.VaultPrivateKey.MountPath

diff --git a/internal/controller/githubapp_controller_test.go b/internal/controller/githubapp_controller_test.go
@@ -73,7 +73,7 @@ var _ = Describe("GithubApp controller", Ordered, func() {
 	// Requires vault to be running on cluster and configured.
 	// from ./scripts directory run ./install_and_setup_vault_k8s.sh
 	// kubectl port-forward vault-0 8200:8200 in another terminal
-	// export VAULT_ADDRESS=http://localhost:8200
+	// export VAULT_ADDR=http://localhost:8200
 	// then run the tests
 	Context("When creating a GithubApp with VaultPrivateKey spec", func() {
 		if os.Getenv("USE_EXISTING_CLUSTER") != existingClusterValue {

diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
@@ -121,11 +121,10 @@ var _ = BeforeSuite(func() {
 
 	var token string
 	if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
-		// Initialise vault client with VAULT_ADDRESS env var
-		vaultAddress := os.Getenv("VAULT_ADDRESS") // Vault server fqdn
-		vaultClient, err = vault.NewClient(&vault.Config{
-			Address: vaultAddress,
-		})
+		// Initialise vault client with default config - uses default Vault env vars for config
+		// See - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
+		vaultConfig := vault.DefaultConfig()
+		vaultClient, err = vault.NewClient(vaultConfig)
 		Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Vault client initialisation failed: %v", err))
 
 		// Initialise K8s client