woodpecker/plugins/secrets/vault/opts.go
Matt Leung 79428aa231 Enable Vault auth through kubernetes auth method
Added a feature to obtain the initial Vault token from the Kubernetes
auth method.

This works by sending a login request to the Vault server at the configured
auth method mount point's login path, presenting the service-account JWT that
Kubernetes mounts into the running pod together with the Kubernetes auth role to
authenticate as.

Vault will then respond with a token and its TTL, if the request is valid.
2018-04-24 14:56:28 -07:00


// Copyright 2018 Drone.IO Inc
// Use of this software is governed by the Drone Enterprise License
// that can be found in the LICENSE file.
package vault
import (
"github.com/Sirupsen/logrus"
"os"
"time"
)
// Opts is a functional option for the vault client: it receives the client
// being configured and may set fields on it. Helpers in this file such as
// WithTTL, WithRenewal and WithKubernetesAuth each return an Opts value.
type Opts func(v *vault)
// WithTTL returns an option that records d as the TTL of the client's
// periodic token; the client's refresh logic reads this value.
func WithTTL(d time.Duration) Opts {
	return func(client *vault) { client.ttl = d }
}
// WithRenewal returns an option that records d as the interval at which
// the client's periodic token is renewed.
func WithRenewal(d time.Duration) Opts {
	return func(client *vault) { client.renew = d }
}
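// WithKubernetesAuth returns an option that obtains the client's initial
// Vault token by logging in through Vault's Kubernetes auth method.
//
// Configuration is read from the environment when the option is applied:
//   - VAULT_ADDR: address of the Vault server
//   - DRONE_VAULT_KUBERNETES_ROLE: Kubernetes auth role to log in as
//   - DRONE_VAULT_AUTH_MOUNT_POINT: mount point of the Kubernetes auth method
//
// The pod's service-account JWT is read from the default Kubernetes mount
// path and handed to getKubernetesToken together with the role. On success
// the returned token is installed on the client, its TTL is recorded, and
// the renewal interval is set to half that TTL. On failure the option logs
// the reason and leaves the client untouched, so the client keeps whatever
// token it previously had (possibly none) and later secret lookups will fail.
func WithKubernetesAuth() Opts {
	// Default location of the service-account token Kubernetes mounts into a pod.
	const saTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"

	return func(v *vault) {
		addr := os.Getenv("VAULT_ADDR")
		role := os.Getenv("DRONE_VAULT_KUBERNETES_ROLE")
		mount := os.Getenv("DRONE_VAULT_AUTH_MOUNT_POINT")

		// The Kubernetes auth method cannot log in without a role, so fail
		// fast rather than sending the service-account JWT in a request that
		// is guaranteed to be rejected.
		if role == "" {
			logrus.Warnf("vault: kubernetes-auth requires DRONE_VAULT_KUBERNETES_ROLE to be set")
			return
		}

		token, ttl, err := getKubernetesToken(addr, role, mount, saTokenFile)
		if err != nil {
			// Logged at warning level so a silent, token-less client is
			// visible to operators. Only the error is logged: the JWT and the
			// Vault token must never appear in log output.
			logrus.Warnf("vault: failed to obtain token via kubernetes-auth backend: %s", err)
			return
		}

		v.client.SetToken(token)
		v.ttl = ttl
		// Renew halfway through the lease so one failed renewal still leaves
		// time to retry before the token expires.
		// NOTE(review): a zero TTL yields renew == 0; confirm the renewal
		// loop (defined elsewhere) tolerates that before relying on it.
		v.renew = ttl / 2
	}
}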