woodpecker/plugins/secrets/vault/opts.go

// Copyright 2018 Drone.IO Inc
// Use of this software is governed by the Drone Enterpise License
// that can be found in the LICENSE file.

package vault

import (
	"github.com/Sirupsen/logrus"
	"os"
	"time"
)

// Opts sets custom options for the vault client.
type Opts func(v *vault)

// WithTTL returns an options that sets a TTL used to
// refresh periodic tokens.
func WithTTL(d time.Duration) Opts {
	return func(v *vault) {
		v.ttl = d
	}
}

// WithRenewal returns an options that sets the renewal
// period used to refresh periodic tokens
func WithRenewal(d time.Duration) Opts {
	return func(v *vault) {
		v.renew = d
	}
}

func WithKubernetesAuth() Opts {
	return func(v *vault) {
		addr := os.Getenv("VAULT_ADDR")
		role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE")
		mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT")
		jwtFile := "/var/run/secrets/kubernetes.io/serviceaccount/token"
		token, ttl, err := getKubernetesToken(addr, role, mount, jwtFile)
		if err != nil {
			logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
			return
		}

		v.client.SetToken(token)
		v.ttl = ttl
		v.renew = ttl / 2
	}
}
enable periodic tokens 2018-02-21 22:12:10 +00:00			`// Copyright 2018 Drone.IO Inc`
			`// Use of this software is governed by the Drone Enterpise License`
			`// that can be found in the LICENSE file.`

			`package vault`

Enable Vault auth through kubernetes auth method Added a feature to obtain the initial Vault token from the Kubernetes auth method. This works by making a request to the Vault server at the specified auth method mount point's login path and presenting the JWT located in a file on a running pod, along with the Kubernetes role to authenticate as. Vault will then respond with a token and its TTL, if the request is valid. 2018-04-24 21:48:50 +00:00			`import (`
			`"github.com/Sirupsen/logrus"`
			`"os"`
			`"time"`
			`)`
enable periodic tokens 2018-02-21 22:12:10 +00:00
			`// Opts sets custom options for the vault client.`
			`type Opts func(v *vault)`

			`// WithTTL returns an options that sets a TTL used to`
			`// refresh periodic tokens.`
			`func WithTTL(d time.Duration) Opts {`
			`return func(v *vault) {`
			`v.ttl = d`
			`}`
			`}`

			`// WithRenewal returns an options that sets the renewal`
			`// period used to refresh periodic tokens`
			`func WithRenewal(d time.Duration) Opts {`
			`return func(v *vault) {`
			`v.renew = d`
			`}`
			`}`
Enable Vault auth through kubernetes auth method Added a feature to obtain the initial Vault token from the Kubernetes auth method. This works by making a request to the Vault server at the specified auth method mount point's login path and presenting the JWT located in a file on a running pod, along with the Kubernetes role to authenticate as. Vault will then respond with a token and its TTL, if the request is valid. 2018-04-24 21:48:50 +00:00
			`func WithKubernetesAuth() Opts {`
			`return func(v *vault) {`
			`addr := os.Getenv("VAULT_ADDR")`
			`role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE")`
			`mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT")`
			`jwtFile := "/var/run/secrets/kubernetes.io/serviceaccount/token"`
			`token, ttl, err := getKubernetesToken(addr, role, mount, jwtFile)`
			`if err != nil {`
			`logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err)`
			`return`
			`}`

			`v.client.SetToken(token)`
			`v.ttl = ttl`
			`v.renew = ttl / 2`
			`}`
			`}`