package vault
import (
"errors"
"fmt"
"net/url"
"time"
"code.cloudfoundry.org/lager"
"github.com/cloudfoundry/bosh-cli/director/template"
"github.com/concourse/atc/creds"
vaultapi "github.com/hashicorp/vault/api"
)
// VaultManager holds the command-line configuration for the Vault credential
// manager: the server address, the path prefix under which secrets are looked
// up, the TLS settings for the connection, and the authentication settings.
// Each field's struct tag is the flag definition consumed by the flag parser.
type VaultManager struct {
	// URL is the Vault server address. IsConfigured treats the manager as
	// enabled exactly when this is non-empty.
	URL string `long:"url" description:"Vault server address used to access secrets."`
	// PathPrefix namespaces every credential lookup; defaults to "/concourse".
	PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`
	// TLS controls how the Vault server certificate is verified and which
	// client certificate (if any) is presented. NewVariablesFactory copies
	// these fields into the Vault API client's TLS configuration.
	TLS struct {
		// CACert / CAPath: trust anchors for the server certificate. When
		// neither is set the client falls back to whatever the Vault API
		// library uses by default (presumably the system roots — confirm).
		CACert string `long:"ca-cert" description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
		CAPath string `long:"ca-path" description:"Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert."`
		// ClientCert / ClientKey: mutual-TLS identity for the client. Both
		// are forwarded to the Vault client; the key file is a secret and
		// should be readable only by the ATC process user.
		ClientCert string `long:"client-cert" description:"Path to the client certificate for Vault authorization."`
		ClientKey string `long:"client-key" description:"Path to the client private key for Vault authorization."`
		// ServerName sets the SNI host (and the name verified against the
		// server certificate) when it differs from the host in URL.
		ServerName string `long:"server-name" description:"If set, is used to set the SNI host when connecting via TLS."`
		// Insecure disables server certificate verification in the Vault
		// client ("insecure-skip-verify"). With it set the client cannot
		// distinguish the real Vault server from an interposed one, and the
		// token it sends is exposed to whoever answers. Local development
		// only; the flag description reads the opposite of what it does.
		Insecure bool `long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
	}
	// Auth selects how the client authenticates to Vault: a static client
	// token, or a login through an auth backend.
	Auth AuthConfig
}
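// AuthConfig holds the Vault authentication settings. Validate accepts the
// configuration when either ClientToken or Backend is set; the token takes
// precedence (it is checked first), and Backend/Params describe the login
// performed when no token is given.
type AuthConfig struct {
	// ClientToken is a static Vault token. Since it is supplied as a
	// command-line flag it may be visible in process listings and shell
	// history; prefer an auth backend where possible.
	ClientToken string `long:"client-token" description:"Client token for accessing secrets within the Vault server."`
	// Backend names the Vault auth backend to log in through.
	Backend string `long:"auth-backend" description:"Auth backend to use for logging in to Vault."`
	// BackendMaxTTL bounds the lifetime of a backend login: after this
	// duration a fresh login is forced instead of renewing the token.
	// Zero means renew indefinitely (per the flag description).
	BackendMaxTTL time.Duration `long:"auth-backend-max-ttl" description:"Time after which to force a re-login. If not set, the token will just be continuously renewed."`
	// Params are NAME=VALUE pairs passed to the backend at login. Values
	// here may themselves be secrets (e.g. a role secret), with the same
	// command-line exposure caveat as ClientToken.
	// Fixed the misspelling "Paramter" in the user-facing help text.
	Params []template.VarKV `long:"auth-param" description:"Parameter to pass when logging in via the backend. Can be specified multiple times." value-name:"NAME=VALUE"`
}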
// IsConfigured reports whether a Vault server address was supplied. The
// manager is enabled exactly when URL is non-empty; no other field is
// consulted, so Validate is still needed to check the rest.
func (manager VaultManager) IsConfigured() bool {
	return len(manager.URL) > 0
}
// Validate checks that the configuration is usable: URL must parse, and at
// least one of Auth.ClientToken or Auth.Backend must be set.
//
// Two limits worth knowing: url.Parse accepts the empty string and does not
// require a scheme, so Validate alone neither enforces that an address was
// given (IsConfigured does that) nor that it is an https:// address. A plain
// http:// address passes, and with it the client token and any fetched
// secrets would travel unencrypted — acceptable for local development only.
func (manager VaultManager) Validate() error {
	if _, err := url.Parse(manager.URL); err != nil {
		return fmt.Errorf("invalid URL: %s", err)
	}

	// Either credential source is enough; the auth backend is the fallback
	// when no static token is configured.
	hasToken := manager.Auth.ClientToken != ""
	hasBackend := manager.Auth.Backend != ""
	if !hasToken && !hasBackend {
		return errors.New("must configure client token or auth backend")
	}
	return nil
}
// NewVariablesFactory builds a Vault API client from the manager's settings
// and wraps it in a creds.VariablesFactory via NewVaultFactory. Errors from
// TLS configuration, client construction and address parsing are returned
// unchanged.
//
// NOTE(review): vaultapi.DefaultConfig may also pick up VAULT_* environment
// settings; the TLS fields and address set here override the corresponding
// ones, but anything else (e.g. a VAULT_TOKEN in the environment) would be
// honoured by the client — confirm against the vault/api version in use.
func (manager VaultManager) NewVariablesFactory(logger lager.Logger) (creds.VariablesFactory, error) {
	// Every TLS field is forwarded verbatim. Insecure in particular turns off
	// server certificate verification in the client; there is no guard here
	// against combining it with a CA cert, so a stray flag silently wins.
	tlsSettings := &vaultapi.TLSConfig{
		CACert:        manager.TLS.CACert,
		CAPath:        manager.TLS.CAPath,
		TLSServerName: manager.TLS.ServerName,
		Insecure:      manager.TLS.Insecure,
		ClientCert:    manager.TLS.ClientCert,
		ClientKey:     manager.TLS.ClientKey,
	}

	cfg := vaultapi.DefaultConfig()
	if err := cfg.ConfigureTLS(tlsSettings); err != nil {
		return nil, err
	}

	client, err := vaultapi.NewClient(cfg)
	if err != nil {
		return nil, err
	}

	// The address is set after construction so that it overrides whatever
	// DefaultConfig chose.
	if err := client.SetAddress(manager.URL); err != nil {
		return nil, err
	}

	return NewVaultFactory(logger, client, manager.Auth, manager.PathPrefix), nil
}