author | Mike Crute <mike@crute.us> | 2022-05-21 19:05:29 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2022-05-21 19:05:29 -0700 |
commit | daecc0776d67cd2c14c04f62f60603373b7512e3 (patch) | |
tree | 9316fa1d5ec12bb7e2008e3d70bc098aa2a5f718 | |
parent | fe3a2b9e8d01ff06d9a4191f874a071820d66e32 (diff) | |
vault: split environment login/creation (tag: vault/v0.2.3)
-rw-r--r-- | vault/client.go | 57 |
1 files changed, 33 insertions, 24 deletions
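--- a/vault/client.go
+++ b/vault/client.go
@@ -14,6 +14,7 @@ import (
 )
 
 type VaultClient interface {
+LoginApproleEnv(c context.Context) error
 LoginApprole(c context.Context, roleId string, secretId string) error
 
 DbStaticCredential(c context.Context, suffix string) (*VaultUsernamePassword, error)
@@ -79,41 +80,22 @@ type vaultClient struct {
 renewInfo chan *Renewal
 }
 
-// NewApproleClientEnv is a convenience function to create a new
-// VaultClient based on the environment, start it, and login using
-// Approle authentication.
+// NewClientEnv is a convenience function to create a new VaultClient
+// based on the environment.
 //
 // The following environment variables are used and must be present:
 //
 // VAULT_ADDR - URL to Vault server (of form https://host:port/)
-// VAULT_ROLE_ID - Role ID used for Approle authentication
-// VAULT_SECRET_ID - Secret ID used for Approle authentication
 //
-func NewApproleClientEnv(ctx context.Context, wg *sync.WaitGroup, renewInfo chan *Renewal) (VaultClient, error) {
+func NewClientEnv(renewInfo chan *Renewal) (VaultClient, error) {
 vaultHost := os.Getenv("VAULT_ADDR")
 if vaultHost == "" {
-return nil, fmt.Errorf("NewApproleClientEnv: VAULT_ADDR is not set in environment")
-}
-
-roleId := os.Getenv("VAULT_ROLE_ID")
-if roleId == "" {
-return nil, fmt.Errorf("NewApproleClientEnv: VAULT_ROLE_ID is not set in environment")
-}
-
-secretId := os.Getenv("VAULT_SECRET_ID")
-if secretId == "" {
-return nil, fmt.Errorf("NewApproleClientEnv: VAULT_SECRET_ID is not set in environment")
+return nil, fmt.Errorf("NewClientEnv: VAULT_ADDR is not set in environment")
 }
 
 vc, err := NewVaultClient(vaultHost, renewInfo)
 if err != nil {
-return nil, fmt.Errorf("NewApproleClientEnv: error creating client %w", err)
-}
-
-go vc.Run(ctx, wg)
-
-if err = vc.LoginApprole(ctx, roleId, secretId); err != nil {
-return nil, fmt.Errorf("NewApproleClientEnv: error logging in to vault %w", err)
+return nil, fmt.Errorf("NewClientEnv: error creating client %w", err)
 }
 
 return vc, nil
@@ -328,3 +310,30 @@ func (c *vaultClient) KVCredential(ctx context.Context, suffix string) (*VaultUs
 
 return &ak, nil
 }
+
+// LoginApproleEnv is a convenience function to login using AppRole
+// authentication and fetching the role id and secret id from the
+// environment.
+//
+// The following environment variables are used and must be present:
+//
+// VAULT_ROLE_ID - Role ID used for Approle authentication
+// VAULT_SECRET_ID - Secret ID used for Approle authentication
+//
+func (c *vaultClient) LoginApproleEnv(ctx context.Context) error {
+roleId := os.Getenv("VAULT_ROLE_ID")
+if roleId == "" {
+return fmt.Errorf("NewApproleClientEnv: VAULT_ROLE_ID is not set in environment")
+}
+
+secretId := os.Getenv("VAULT_SECRET_ID")
+if secretId == "" {
+return fmt.Errorf("NewApproleClientEnv: VAULT_SECRET_ID is not set in environment")
+}
+
+if err := c.LoginApprole(ctx, roleId, secretId); err != nil {
+return fmt.Errorf("NewApproleClientEnv: error logging in to vault %w", err)
+}
+
+return nil
+}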
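Review bot: The three error strings in the new LoginApproleEnv method still carry the prefix of the function this commit deletes, `NewApproleClientEnv:`, so a missing VAULT_ROLE_ID/VAULT_SECRET_ID or a failed AppRole login now reports a caller that no longer exists; they should read `LoginApproleEnv: VAULT_ROLE_ID is not set in environment`, `LoginApproleEnv: VAULT_SECRET_ID is not set in environment` and `LoginApproleEnv: error logging in to vault %w`. The doc comment on NewClientEnv should also state that, unlike the removed NewApproleClientEnv, the returned client is neither started (the `go vc.Run(ctx, wg)` call is gone from this path) nor logged in, so callers are now responsible for calling Run and one of the Login methods themselves — whether Run must precede login cannot be told from this hunk and is worth spelling out. Since the AppRole secret ID is read from the process environment, which child processes inherit and which is typically readable by other processes of the same user, the LoginApproleEnv comment would benefit from a line noting that exposure and recommending a short-TTL, limited-use or response-wrapped secret ID where the deployment allows it.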