diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 0983751..6acec69 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -51,7 +51,7 @@ jobs:
 export "GITHUB_PRIVATE_KEY=${{ secrets.GH_TEST_APP_PK }}"
 export "GH_APP_ID=${{ secrets.GH_APP_ID }}"
 export "GH_INSTALL_ID=${{ secrets.GH_INSTALL_ID }}"
- export "VAULT_ADDRESS=http://localhost:8200"
+ export "VAULT_ADDR=http://localhost:8200"
 export "VAULT_ROLE_AUDIENCE=githubapp"
 export "VAULT_ROLE=githubapp"
diff --git a/README.md b/README.md
index 0094f63..410b4d0 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,9 @@ Key features:
 - Configure the environment variables in the controller deployment spec:
 - `VAULT_ROLE` - The role you have bound for Kubernetes auth for the operator
 - `VAULT_ROLE_AUDIENCE` - The audience you have bound in Vault
- - `VAULT_ADDRESS` - FQDN or your Vault server, i.e. `http://vault.default:8200`
+ - `VAULT_ADDR` - FQDN or your Vault server, i.e. `http://vault.default:8200`
+ - Additional Vault env vars can be set i.e. `VAULT_NAMESPACE` for enterprise Vault.
+ - See [Vault API](https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants)
 - Deleting the `GithubApp` object will also delete the access token secret it owns.
 - The operator will reconcile an access token for a `GithubApp` when:
 - Modifications are made to the access token secret that is owned by a `GithubApp`.
@@ -208,7 +210,7 @@ make run
 export GITHUB_PRIVATE_KEY=
 export GH_APP_ID=
 export GH_INSTALL_ID=
-export "VAULT_ADDRESS=http://localhost:8200" # this can be local k8s Vault or some other Vault
+export "VAULT_ADDR=http://localhost:8200" # this can be local k8s Vault or some other Vault
 export "VAULT_ROLE_AUDIENCE=githubapp"
 export "VAULT_ROLE=githubapp"
 ```
diff --git a/cmd/main.go b/cmd/main.go
index c04d1a5..fff71d9 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -108,11 +108,10 @@ func main() {
 // http client
 httpClient := &http.Client{}
- // Initialise vault client with VAULT_ADDRESS env var
- vaultAddress := os.Getenv("VAULT_ADDRESS") // Vault server fqdn
- vaultClient, err := vault.NewClient(&vault.Config{
- Address: vaultAddress,
- })
+ // Initialise vault client with default config - uses default Vault env vars for config
+ // See - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
+ vaultConfig := vault.DefaultConfig()
+ vaultClient, err := vault.NewClient(vaultConfig)
 if err != nil {
 setupLog.Error(err, "failed to initialise Vault client")
 os.Exit(1)
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index db3eaea..691df8a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -111,8 +111,12 @@ spec:
 value: githubapp
 - name: VAULT_ROLE_AUDIENCE
 value: githubapp
- - name: VAULT_ADDRESS
+ - name: VAULT_ADDR
 value: "http://vault.default:8200"
+ # Enterprise vault only - set namespace
+ - name: VAULT_NAMESPACE
+ value: ""
+ # optional vault env vars - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
 # volume to cache private keys
 volumeMounts:
 - name: github-app-secrets
diff --git a/internal/controller/githubapp_controller.go b/internal/controller/githubapp_controller.go
index 101b4cd..cbd84ce 100644
--- a/internal/controller/githubapp_controller.go
+++ b/internal/controller/githubapp_controller.go
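Review bot: `vault.DefaultConfig()` reads the whole `VAULT_*` environment rather than just `VAULT_ADDR`, so the controller's TLS and token posture is now decided by the deployment env as well: as I read the api package, `VAULT_SKIP_VERIFY` disables certificate verification, `VAULT_CACERT`/`VAULT_CAPATH` select the trust anchors, and a `VAULT_TOKEN` in the pod env is picked up as a static client token. Neither the new comment here nor the "optional vault env vars" comment in the manager.yaml hunk says this, so a reader of the deployment spec cannot tell which of the linked constants change security behaviour. Suggest extending the comment to `// Initialise vault client from the standard VAULT_* env vars (VAULT_ADDR, VAULT_NAMESPACE, VAULT_CACERT, ...)` followed by `// NOTE: VAULT_SKIP_VERIFY turns off TLS verification and VAULT_TOKEN supplies a static token; keep both out of production manifests` and mirroring that wording next to the manager.yaml link. The same construction is repeated in the suite_test.go hunk and would take the same comment. main's body continues outside the hunk.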
@@ -497,7 +497,7 @@ func (r *GithubAppReconciler) getPrivateKey(ctx context.Context, githubApp *gith
 if githubApp.Spec.VaultPrivateKey != nil && len(privateKey) == 0 {
 if r.VaultClient.Address() == "" || vaultAudience == "" || vaultRole == "" {
- return []byte(""), "", fmt.Errorf("failed on vault auth: VAULT_ROLE, VAULT_ROLE_AUDIENCE and VAULT_ADDRESS are required env variables for Vault authentication")
+ return []byte(""), "", fmt.Errorf("failed on vault auth: VAULT_ROLE, VAULT_ROLE_AUDIENCE and VAULT_ADDR are required env variables for Vault authentication")
 }
 mountPath := githubApp.Spec.VaultPrivateKey.MountPath
diff --git a/internal/controller/githubapp_controller_test.go b/internal/controller/githubapp_controller_test.go
index f19b02d..9713436 100644
--- a/internal/controller/githubapp_controller_test.go
+++ b/internal/controller/githubapp_controller_test.go
@@ -73,7 +73,7 @@ var _ = Describe("GithubApp controller", Ordered, func() {
 // Requires vault to be running on cluster and configured.
 // from ./scripts directory run ./install_and_setup_vault_k8s.sh
 // kubectl port-forward vault-0 8200:8200 in another terminal
- // export VAULT_ADDRESS=http://localhost:8200
+ // export VAULT_ADDR=http://localhost:8200
 // then run the tests
 Context("When creating a GithubApp with VaultPrivateKey spec", func() {
 if os.Getenv("USE_EXISTING_CLUSTER") != existingClusterValue {
diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
index 5059061..44de1c9 100644
--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
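Review bot: The guard `r.VaultClient.Address() == ""` on the line above the changed return no longer detects a missing `VAULT_ADDR`: as I read the api package, `vault.DefaultConfig()` (now used in cmd/main.go to build `r.VaultClient`) pre-populates `Address` with the loopback default `https://127.0.0.1:8200` before reading the environment, so the client address is never empty and this branch only fires for a missing `VAULT_ROLE`/`VAULT_ROLE_AUDIENCE`. With `VAULT_ADDR` unset the reconciler would instead attempt authentication against localhost and fail later with a far less actionable error than the one this message promises. Since the message now names `VAULT_ADDR`, the condition should test the variable it names, e.g. `if os.Getenv(vault.EnvVaultAddress) == "" || vaultAudience == "" || vaultRole == "" {` (using whatever alias this file imports the api package under, and assuming `os` is already imported as it is for the other env lookups). getPrivateKey begins and ends outside the hunk.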
@@ -121,11 +121,10 @@ var _ = BeforeSuite(func() {
 var token string
 if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
- // Initialise vault client with VAULT_ADDRESS env var
- vaultAddress := os.Getenv("VAULT_ADDRESS") // Vault server fqdn
- vaultClient, err = vault.NewClient(&vault.Config{
- Address: vaultAddress,
- })
+ // Initialise vault client with default config - uses default Vault env vars for config
+ // See - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
+ vaultConfig := vault.DefaultConfig()
+ vaultClient, err = vault.NewClient(vaultConfig)
 Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Vault client initialisation failed: %v", err))
 // Initialise K8s client