mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-12-28 11:20:30 +00:00
fixup: some comments, added opts test, address pr concerns
This commit is contained in:
parent
c4fe6496b5
commit
db698f9ef4
4 changed files with 67 additions and 30 deletions
|
@ -16,22 +16,22 @@ Vault JSON Response
|
|||
}
|
||||
}
|
||||
*/
|
||||
type VaultAuth struct {
|
||||
type vaultAuth struct {
|
||||
Token string `json:"client_token"`
|
||||
Lease string `json:"lease_duration"`
|
||||
}
|
||||
type VaultResp struct {
|
||||
Auth VaultAuth
|
||||
type vaultResp struct {
|
||||
Auth vaultAuth
|
||||
}
|
||||
|
||||
func getKubernetesToken(addr, role, mountPoint, tokenFile string) (string, time.Duration, error) {
|
||||
func getKubernetesToken(addr, role, mount, tokenFile string) (string, time.Duration, error) {
|
||||
b, err := ioutil.ReadFile(tokenFile)
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
}
|
||||
|
||||
var resp VaultResp
|
||||
path := fmt.Sprintf("%s/v1/auth/%s/login", addr, mountPoint)
|
||||
var resp vaultResp
|
||||
path := fmt.Sprintf("%s/v1/auth/%s/login", addr, mount)
|
||||
data := map[string]string{
|
||||
"jwt": string(b),
|
||||
"role": role,
|
||||
|
|
|
@ -4,11 +4,7 @@
|
|||
|
||||
package vault
|
||||
|
||||
import (
|
||||
"github.com/Sirupsen/logrus"
|
||||
"os"
|
||||
"time"
|
||||
)
|
||||
import "time"
|
||||
|
||||
// Opts sets custom options for the vault client.
|
||||
type Opts func(v *vault)
|
||||
|
@ -29,20 +25,13 @@ func WithRenewal(d time.Duration) Opts {
|
|||
}
|
||||
}
|
||||
|
||||
func WithKubernetesAuth() Opts {
|
||||
// WithKubernetes returns an options that sets
|
||||
// kubernetes-auth parameters required to retrieve
|
||||
// an initial Vault token
|
||||
func WithKubernetesAuth(addr, role, mount string) Opts {
|
||||
return func(v *vault) {
|
||||
addr := os.Getenv("VAULT_ADDR")
|
||||
role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE")
|
||||
mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT")
|
||||
jwtFile := "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
||||
token, ttl, err := getKubernetesToken(addr, role, mount, jwtFile)
|
||||
if err != nil {
|
||||
logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
|
||||
return
|
||||
}
|
||||
|
||||
v.client.SetToken(token)
|
||||
v.ttl = ttl
|
||||
v.renew = ttl / 2
|
||||
v.kubeAuth.addr = addr
|
||||
v.kubeAuth.role = role
|
||||
v.kubeAuth.mount = mount
|
||||
}
|
||||
}
|
||||
|
|
|
@ -26,3 +26,21 @@ func TestWithRenewal(t *testing.T) {
|
|||
t.Errorf("Want renewal %v, got %v", want, got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWithKubernetesAuth(t *testing.T) {
|
||||
v := new(vault)
|
||||
addr := "https://address.fake"
|
||||
role := "fakeRole"
|
||||
mount := "kubernetes"
|
||||
opt := WithKubernetesAuth(addr, role, mount)
|
||||
opt(v)
|
||||
if got, want := v.kubeAuth.addr, addr; got != want {
|
||||
t.Errorf("Want addr %v, got %v", want, got)
|
||||
}
|
||||
if got, want := v.kubeAuth.role, role; got != want {
|
||||
t.Errorf("Want role %v, got %v", want, got)
|
||||
}
|
||||
if got, want := v.kubeAuth.mount, mount; got != want {
|
||||
t.Errorf("Want mount %v, got %v", want, got)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -41,11 +41,17 @@ type vaultConfig struct {
|
|||
}
|
||||
|
||||
type vault struct {
|
||||
store model.ConfigStore
|
||||
client *api.Client
|
||||
ttl time.Duration
|
||||
renew time.Duration
|
||||
done chan struct{}
|
||||
store model.ConfigStore
|
||||
client *api.Client
|
||||
ttl time.Duration
|
||||
renew time.Duration
|
||||
auth string
|
||||
kubeAuth kubeAuth
|
||||
done chan struct{}
|
||||
}
|
||||
|
||||
type kubeAuth struct {
|
||||
addr, role, mount string
|
||||
}
|
||||
|
||||
// New returns a new store with secrets loaded from vault.
|
||||
|
@ -61,10 +67,34 @@ func New(store model.ConfigStore, opts ...Opts) (secrets.Plugin, error) {
|
|||
for _, opt := range opts {
|
||||
opt(v)
|
||||
}
|
||||
if v.auth == "kubernetes" {
|
||||
err = v.initKubernetes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
v.start() // start the refresh process.
|
||||
return v, nil
|
||||
}
|
||||
|
||||
func (v *vault) initKubernetes() error {
|
||||
token, ttl, err := getKubernetesToken(
|
||||
v.kubeAuth.addr,
|
||||
v.kubeAuth.role,
|
||||
v.kubeAuth.mount,
|
||||
"/var/run/secrets/kubernetes.io/serviceaccount/token",
|
||||
)
|
||||
if err != nil {
|
||||
logrus.Debugf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
|
||||
return err
|
||||
}
|
||||
|
||||
v.client.SetToken(token)
|
||||
v.ttl = ttl
|
||||
v.renew = ttl / 2
|
||||
return nil
|
||||
}
|
||||
|
||||
func (v *vault) SecretListBuild(repo *model.Repo, build *model.Build) ([]*model.Secret, error) {
|
||||
return v.list(repo, build)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue