feat: Up vault config to use default config with Vault env vars

samirtahir91 · May 14, 2024 · 46351c6 · 46351c6
1 parent 85c677c
commit 46351c6
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -32,7 +32,9 @@ Key features:
     - Configure the environment variables in the controller deployment spec:
       - `VAULT_ROLE` - The role you have bound for Kubernetes auth for the operator
       - `VAULT_ROLE_AUDIENCE` - The audience you have bound in Vault
-      - `VAULT_ADDRESS` - FQDN or your Vault server, i.e. `http://vault.default:8200`
+      - `VAULT_ADDR` - FQDN or your Vault server, i.e. `http://vault.default:8200`
+    - Additional Vault env vars can be set i.e. `VAULT_NAMESPACE` for enterprise Vault.
+      - See [Vault API](https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants)
 - Deleting the `GithubApp` object will also delete the access token secret it owns.
 - The operator will reconcile an access token for a `GithubApp` when:
     - Modifications are made to the access token secret that is owned by a `GithubApp`.
@@ -208,7 +210,7 @@ make run
 export GITHUB_PRIVATE_KEY=<YOUR_BASE64_ENCODED_GH_APP_PRIVATE_KEY>
 export GH_APP_ID=<YOUR GITHUB APP ID>
 export GH_INSTALL_ID=<YOUR GITHUB APP INSTALL ID>
-export "VAULT_ADDRESS=http://localhost:8200" # this can be local k8s Vault or some other Vault
+export "VAULT_ADDR=http://localhost:8200" # this can be local k8s Vault or some other Vault
 export "VAULT_ROLE_AUDIENCE=githubapp"
 export "VAULT_ROLE=githubapp"
 ```

diff --git a/cmd/main.go b/cmd/main.go
@@ -108,11 +108,10 @@ func main() {
 	// http client
 	httpClient := &http.Client{}
 
-	// Initialise vault client with VAULT_ADDRESS env var
-	vaultAddress := os.Getenv("VAULT_ADDRESS") // Vault server fqdn
-	vaultClient, err := vault.NewClient(&vault.Config{
-		Address: vaultAddress,
-	})
+	// Initialise vault client with default config - uses default Vault env vars for config
+	// See - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
+	vaultConfig := vault.DefaultConfig()
+	vaultClient, err := vault.NewClient(vaultConfig)
 	if err != nil {
 		setupLog.Error(err, "failed to initialise Vault client")
 		os.Exit(1)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -111,8 +111,12 @@ spec:
             value: githubapp
           - name: VAULT_ROLE_AUDIENCE
             value: githubapp
-          - name: VAULT_ADDRESS
+          - name: VAULT_ADDR
             value: "http://vault.default:8200"
+          # Enterprise vault only - set namespace
+          - name: VAULT_NAMESPACE
+            value: ""
+          # optional vault env vars - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
         # volume to cache private keys
         volumeMounts:
           - name: github-app-secrets

diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
@@ -121,11 +121,10 @@ var _ = BeforeSuite(func() {
 
 	var token string
 	if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
-		// Initialise vault client with VAULT_ADDRESS env var
-		vaultAddress := os.Getenv("VAULT_ADDRESS") // Vault server fqdn
-		vaultClient, err = vault.NewClient(&vault.Config{
-			Address: vaultAddress,
-		})
+		// Initialise vault client with default config - uses default Vault env vars for config
+		// See - https://pkg.go.dev/github.com/hashicorp/vault/api#pkg-constants
+		vaultConfig := vault.DefaultConfig()
+		vaultClient, err = vault.NewClient(vaultConfig)
 		Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Vault client initialisation failed: %v", err))
 
 		// Initialise K8s client