Added vaultToken support (#796)
This commit is contained in:
Donovan Brown
GitHub
parent
e8628adafa
commit
448bf2b261
|
|
@ -32,6 +32,7 @@ const (
|
|||
componentCaPem string = "caPem"
|
||||
componentSkipVerify string = "skipVerify"
|
||||
componentTLSServerName string = "tlsServerName"
|
||||
componentVaultToken string = "vaultToken"
|
||||
componentVaultTokenMountPath string = "vaultTokenMountPath"
|
||||
componentVaultKVPrefix string = "vaultKVPrefix"
|
||||
defaultVaultKVPrefix string = "dapr"
|
||||
|
|
@ -43,6 +44,7 @@ const (
|
|||
type vaultSecretStore struct {
|
||||
client *http.Client
|
||||
vaultAddress string
|
||||
vaultToken string
|
||||
vaultTokenMountPath string
|
||||
vaultKVPrefix string
|
||||
|
||||
|
|
@ -92,6 +94,26 @@ func (v *vaultSecretStore) Init(metadata secretstores.Metadata) error {
|
|||
|
||||
v.vaultAddress = address
|
||||
|
||||
v.vaultToken = props[componentVaultToken]
|
||||
v.vaultTokenMountPath = props[componentVaultTokenMountPath]
|
||||
|
||||
// Test that at least one of them are set if not return error
|
||||
if v.vaultToken == "" && v.vaultTokenMountPath == "" {
|
||||
return fmt.Errorf("token mount path and token not set")
|
||||
}
|
||||
|
||||
// Test that both are not set. If so return error
|
||||
if v.vaultToken != "" && v.vaultTokenMountPath != "" {
|
||||
return fmt.Errorf("token mount path and token both set")
|
||||
}
|
||||
|
||||
vaultKVPrefix := props[componentVaultKVPrefix]
|
||||
if vaultKVPrefix == "" {
|
||||
vaultKVPrefix = defaultVaultKVPrefix
|
||||
}
|
||||
|
||||
v.vaultKVPrefix = vaultKVPrefix
|
||||
|
||||
// Generate TLS config
|
||||
tlsConf := metadataToTLSConfig(props)
|
||||
|
||||
|
|
@ -102,20 +124,6 @@ func (v *vaultSecretStore) Init(metadata secretstores.Metadata) error {
|
|||
|
||||
v.client = client
|
||||
|
||||
tokenMountPath := props[componentVaultTokenMountPath]
|
||||
if tokenMountPath == "" {
|
||||
return fmt.Errorf("token mount path not set")
|
||||
}
|
||||
|
||||
v.vaultTokenMountPath = tokenMountPath
|
||||
|
||||
vaultKVPrefix := props[componentVaultKVPrefix]
|
||||
if vaultKVPrefix == "" {
|
||||
vaultKVPrefix = defaultVaultKVPrefix
|
||||
}
|
||||
|
||||
v.vaultKVPrefix = vaultKVPrefix
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
@ -262,6 +270,10 @@ func (v *vaultSecretStore) BulkGetSecret(req secretstores.BulkGetSecretRequest)
|
|||
}
|
||||
|
||||
func (v *vaultSecretStore) readVaultToken() (string, error) {
|
||||
if v.vaultToken != "" {
|
||||
return v.vaultToken, nil
|
||||
}
|
||||
|
||||
data, err := ioutil.ReadFile(v.vaultTokenMountPath)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("couldn't read vault token: %s", err)
|
||||
|
|
|
|||
|
|
@ -18,7 +18,9 @@ import (
|
|||
|
||||
const (
|
||||
// base64 encoded certificate
|
||||
certificate = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVakNDQWpvQ0NRRFlZdzdMeXN4VXRUQU5CZ2txaGtpRzl3MEJBUXNGQURCck1Rc3dDUVlEVlFRR0V3SkQKUVRFWk1CY0dBMVVFQ0F3UVFuSnBkR2x6YUNCRGIyeDFiV0pwWVRFU01CQUdBMVVFQnd3SlZtRnVZMjkxZG1WeQpNUk13RVFZRFZRUUtEQXB0YVhOb2NtRmpiM0p3TVJnd0ZnWURWUVFEREE5MllYVnNkSEJ5YjJwbFkzUXVhVzh3CkhoY05NVGt4TVRBeE1UQTBPREV5V2hjTk1qQXhNRE14TVRBME9ERXlXakJyTVFzd0NRWURWUVFHRXdKRFFURVoKTUJjR0ExVUVDQXdRUW5KcGRHbHphQ0JEYjJ4MWJXSnBZVEVTTUJBR0ExVUVCd3dKVm1GdVkyOTFkbVZ5TVJNdwpFUVlEVlFRS0RBcHRhWE5vY21GamIzSndNUmd3RmdZRFZRUUREQTkyWVhWc2RIQnliMnBsWTNRdWFXOHdnZ0VpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3JtaitTTmtGUHEvK2FXUFV1MlpFamtSK3AKTm1PeEVNSnZZcGhHNkJvRFAySE9ZbGRzdk9FWkRkbTBpWFlmeFIwZm5rUmtTMWEzSlZiYmhINWJnTElKb0dxcwo5aWpzN2hyQ0Rrdk9uRWxpUEZuc05pQ2NWNDNxNkZYaFMvNFpoNGpOMnlyUkU2UmZiS1BEeUw0a282NkFhSld1CnVkTldKVWpzSFZBSWowZHlnTXFKYm0rT29iSzk5ckUxcDg5Z3RNUStJdzFkWnUvUFF4SjlYOStMeXdxZUxPckQKOWhpNWkxajNFUUp2RXQxSVUzclEwc2E0NU5zZkt4YzEwZjdhTjJuSDQzSnhnMVRiZXNPOWYrcWlyeDBHYmVSYQpyVmNaazNVaFc2cHZmam9XbDBEc0NwNTJwZDBQN05rUmhmak44b2RMN0h3bFVIc1NqemlSYytsTG5YREJBZ01CCkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSVdKdmRPZ01PUnQxWk53SENkNTNieTlkMlBkcW5tWHFZZ20KNDZHK2Fvb1dSeTJKMEMwS3ZOVGZGbEJFOUlydzNXUTVNMnpqY25qSUp5bzNLRUM5TDdPMnQ1WC9LTGVDck5ZVgpIc1d4cU5BTVBGY2VBa09HT0I1TThGVllkdjJTaVV2UDJjMEZQSzc2WFVzcVNkdnRsWGFkTk5ENzE3T0NTNm0yCnBIVjh1NWJNd1VmR2NCVFpEV2o4bjIzRVdHaXdnYkJkdDc3Z3h3YWc5NTROZkM2Ny9nSUc5ZlRrTTQ4aVJCUzEKc0NGYVBjMkFIT3hiMSs0ajVCMVY2Z29iZDZYWkFvbHdNaTNHUUtkbEM1NXZNeTNwK09WbDNNbEc3RWNTVUpMdApwZ2ZKaWw3L3dTWWhpUnhJU3hrYkk5cWhvNEwzZm5PZVB3clFVd2FzU1ZiL1lxbHZ2WHM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
|
||||
certificate = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVakNDQWpvQ0NRRFlZdzdMeXN4VXRUQU5CZ2txaGtpRzl3MEJBUXNGQURCck1Rc3dDUVlEVlFRR0V3SkQKUVRFWk1CY0dBMVVFQ0F3UVFuSnBkR2x6YUNCRGIyeDFiV0pwWVRFU01CQUdBMVVFQnd3SlZtRnVZMjkxZG1WeQpNUk13RVFZRFZRUUtEQXB0YVhOb2NtRmpiM0p3TVJnd0ZnWURWUVFEREE5MllYVnNkSEJ5YjJwbFkzUXVhVzh3CkhoY05NVGt4TVRBeE1UQTBPREV5V2hjTk1qQXhNRE14TVRBME9ERXlXakJyTVFzd0NRWURWUVFHRXdKRFFURVoKTUJjR0ExVUVDQXdRUW5KcGRHbHphQ0JEYjJ4MWJXSnBZVEVTTUJBR0ExVUVCd3dKVm1GdVkyOTFkbVZ5TVJNdwpFUVlEVlFRS0RBcHRhWE5vY21GamIzSndNUmd3RmdZRFZRUUREQTkyWVhWc2RIQnliMnBsWTNRdWFXOHdnZ0VpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3JtaitTTmtGUHEvK2FXUFV1MlpFamtSK3AKTm1PeEVNSnZZcGhHNkJvRFAySE9ZbGRzdk9FWkRkbTBpWFlmeFIwZm5rUmtTMWEzSlZiYmhINWJnTElKb0dxcwo5aWpzN2hyQ0Rrdk9uRWxpUEZuc05pQ2NWNDNxNkZYaFMvNFpoNGpOMnlyUkU2UmZiS1BEeUw0a282NkFhSld1CnVkTldKVWpzSFZBSWowZHlnTXFKYm0rT29iSzk5ckUxcDg5Z3RNUStJdzFkWnUvUFF4SjlYOStMeXdxZUxPckQKOWhpNWkxajNFUUp2RXQxSVUzclEwc2E0NU5zZkt4YzEwZjdhTjJuSDQzSnhnMVRiZXNPOWYrcWlyeDBHYmVSYQpyVmNaazNVaFc2cHZmam9XbDBEc0NwNTJwZDBQN05rUmhmak44b2RMN0h3bFVIc1NqemlSYytsTG5YREJBZ01CCkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSVdKdmRPZ01PUnQxWk53SENkNTNieTlkMlBkcW5tWHFZZ20KNDZHK2Fvb1dSeTJKMEMwS3ZOVGZGbEJFOUlydzNXUTVNMnpqY25qSUp5bzNLRUM5TDdPMnQ1WC9LTGVDck5ZVgpIc1d4cU5BTVBGY2VBa09HT0I1TThGVllkdjJTaVV2UDJjMEZQSzc2WFVzcVNkdnRsWGFkTk5ENzE3T0NTNm0yCnBIVjh1NWJNd1VmR2NCVFpEV2o4bjIzRVdHaXdnYkJkdDc3Z3h3YWc5NTROZkM2Ny9nSUc5ZlRrTTQ4aVJCUzEKc0NGYVBjMkFIT3hiMSs0ajVCMVY2Z29iZDZYWkFvbHdNaTNHUUtkbEM1NXZNeTNwK09WbDNNbEc3RWNTVUpMdApwZ2ZKaWw3L3dTWWhpUnhJU3hrYkk5cWhvNEwzZm5PZVB3clFVd2FzU1ZiL1lxbHZ2WHM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
|
||||
expectedTok = "myRootToken"
|
||||
expectedTokMountPath = "./vault.txt"
|
||||
)
|
||||
|
||||
func TestReadVaultToken(t *testing.T) {
|
||||
|
|
@ -60,6 +62,17 @@ func TestReadVaultToken(t *testing.T) {
|
|||
assert.Nil(t, err)
|
||||
assert.NotEqual(t, "thisistheroottoken", token)
|
||||
})
|
||||
|
||||
t.Run("read token from vaultToken", func(t *testing.T) {
|
||||
v := vaultSecretStore{
|
||||
vaultToken: expectedTok,
|
||||
}
|
||||
|
||||
actualToken, err := v.readVaultToken()
|
||||
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, expectedTok, actualToken)
|
||||
})
|
||||
}
|
||||
|
||||
func TestVaultTLSConfig(t *testing.T) {
|
||||
|
|
@ -84,6 +97,99 @@ func TestVaultTLSConfig(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestVaultTokenMountPathOrVaultTokenRequired(t *testing.T) {
|
||||
t.Run("without vaultTokenMount or vaultToken", func(t *testing.T) {
|
||||
properties := map[string]string{}
|
||||
|
||||
m := secretstores.Metadata{
|
||||
Properties: properties,
|
||||
}
|
||||
|
||||
target := &vaultSecretStore{
|
||||
client: nil,
|
||||
logger: nil,
|
||||
}
|
||||
|
||||
err := target.Init(m)
|
||||
|
||||
assert.Equal(t, "", target.vaultToken)
|
||||
assert.Equal(t, "", target.vaultTokenMountPath)
|
||||
assert.NotNil(t, err)
|
||||
assert.Equal(t, "token mount path and token not set", err.Error())
|
||||
})
|
||||
|
||||
t.Run("with vaultTokenMount", func(t *testing.T) {
|
||||
properties := map[string]string{
|
||||
"vaultTokenMountPath": expectedTokMountPath,
|
||||
}
|
||||
|
||||
m := secretstores.Metadata{
|
||||
Properties: properties,
|
||||
}
|
||||
|
||||
target := &vaultSecretStore{
|
||||
client: nil,
|
||||
logger: nil,
|
||||
}
|
||||
|
||||
// This call will throw an error on Windows systems because of the of
|
||||
// the call x509.SystemCertPool() because system root pool is not
|
||||
// available on Windows so ignore the error for when the tests are run
|
||||
// on the Windows platform during CI
|
||||
_ = target.Init(m)
|
||||
|
||||
assert.Equal(t, "", target.vaultToken)
|
||||
assert.Equal(t, expectedTokMountPath, target.vaultTokenMountPath)
|
||||
})
|
||||
|
||||
t.Run("with vaultToken", func(t *testing.T) {
|
||||
properties := map[string]string{
|
||||
"vaultToken": expectedTok,
|
||||
}
|
||||
|
||||
m := secretstores.Metadata{
|
||||
Properties: properties,
|
||||
}
|
||||
|
||||
target := &vaultSecretStore{
|
||||
client: nil,
|
||||
logger: nil,
|
||||
}
|
||||
|
||||
// This call will throw an error on Windows systems because of the of
|
||||
// the call x509.SystemCertPool() because system root pool is not
|
||||
// available on Windows so ignore the error for when the tests are run
|
||||
// on the Windows platform during CI
|
||||
_ = target.Init(m)
|
||||
|
||||
assert.Equal(t, "", target.vaultTokenMountPath)
|
||||
assert.Equal(t, expectedTok, target.vaultToken)
|
||||
})
|
||||
|
||||
t.Run("with vaultTokenMount and vaultToken", func(t *testing.T) {
|
||||
properties := map[string]string{
|
||||
"vaultToken": expectedTok,
|
||||
"vaultTokenMountPath": expectedTokMountPath,
|
||||
}
|
||||
|
||||
m := secretstores.Metadata{
|
||||
Properties: properties,
|
||||
}
|
||||
|
||||
target := &vaultSecretStore{
|
||||
client: nil,
|
||||
logger: nil,
|
||||
}
|
||||
|
||||
err := target.Init(m)
|
||||
|
||||
assert.Equal(t, expectedTok, target.vaultToken)
|
||||
assert.Equal(t, expectedTokMountPath, target.vaultTokenMountPath)
|
||||
assert.NotNil(t, err)
|
||||
assert.Equal(t, "token mount path and token both set", err.Error())
|
||||
})
|
||||
}
|
||||
|
||||
func TestDefaultVaultAddress(t *testing.T) {
|
||||
t.Run("with blank vaultAddr", func(t *testing.T) {
|
||||
properties := map[string]string{
|
||||
|
|
|
|||
Loading…
Reference in New Issue