-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathpvc.go
More file actions
303 lines (272 loc) · 8.73 KB
/
pvc.go
File metadata and controls
303 lines (272 loc) · 8.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
package pvc
import (
"bytes"
"fmt"
"html/template"
"strings"
)
// SecretsClient is the client that retrieves secret values
type SecretsClient struct {
backend secretBackend
}
// Get returns the value of a secret from the configured backend
func (sc *SecretsClient) Get(id string) ([]byte, error) {
return sc.backend.Get(id)
}
type secretBackend interface {
Get(id string) ([]byte, error)
}
// SecretDefinition defines a secret and how it can be accessed via the various backends
type SecretDefinition struct {
ID string // arbitrary identifier for this secret
VaultPath string // path in Vault (no leading slash, eg "secret/foo/bar")
EnvVarName string // environment variable name
JSONKey string // key in JSON object
}
type vaultBackend struct {
host string
authentication VaultAuthentication
authRetries uint
authRetryDelaySecs uint
token string
k8sjwt string
k8sauthpath string
appid string
userid string
useridpath string
roleid string
mapping string
}
type envVarBackend struct {
mapping string
}
type jsonFileBackend struct {
fileLocation string
mapping string
}
type secretsClientConfig struct {
mapping string
backendCount int
vaultBackend *vaultBackend
envVarBackend *envVarBackend
jsonFileBackend *jsonFileBackend
}
// SecretsClientOption defines options when creating a SecretsClient
type SecretsClientOption func(*secretsClientConfig)
// WithMapping sets the template string mapping to determine the location for each secret in the backend. The secret ID will be interpolated as ".ID".
// Example (Vault Backend): "secret/foo/bar/{{ .ID }}".
// Example (Env Var Backend): "MYAPP_SECRET_{{ .ID }}"
// Example (JSON Backend): "{{ .ID }}"
func WithMapping(mapping string) SecretsClientOption {
return func(s *secretsClientConfig) {
s.mapping = mapping
}
}
// WithVaultBackend enables the Vault backend.
func WithVaultBackend() SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.backendCount++
}
}
// WithVaultHost sets the Vault server host (eg, https//my.vault.com:8300)
func WithVaultHost(host string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.host = host
}
}
// WithVaultAuthentication sets the Vault authentication method
func WithVaultAuthentication(auth VaultAuthentication) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.authentication = auth
}
}
// WithVaultAuthRetries sets the number of retries if authentication fails (default: 0)
func WithVaultAuthRetries(retries uint) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.authRetries = retries
}
}
// WithVaultAuthRetryDelay sets the delay in seconds between authentication attempts (default: 0)
func WithVaultAuthRetryDelay(secs uint) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.authRetryDelaySecs = secs
}
}
// WithVaultToken sets the token to use when using token auth
func WithVaultToken(token string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.token = token
}
}
// WithVaultAppID sets the AppID to use when using AppID auth
func WithVaultAppID(appid string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.appid = appid
}
}
// WithVaultK8sAuth sets the Kubernetes JWT and role to use for authentication
func WithVaultK8sAuth(jwt, role string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.k8sjwt = jwt
s.vaultBackend.roleid = role
s.vaultBackend.authentication = K8s
}
}
// WithVaultK8sAuthPath sets the path for the k8s Vault auth backend (defaults to "kubernetes" otherwise)
func WithVaultK8sAuthPath(path string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.k8sauthpath = path
}
}
// WithVaultUserID sets the UserID to use when using AppID auth
func WithVaultUserID(userid string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.userid = userid
}
}
// WithVaultUserIDPath sets the path to the file containing UserID when using AppID auth
func WithVaultUserIDPath(useridpath string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.useridpath = useridpath
}
}
// WithVaultRoleID sets the RoleID when using AppRole authentication
func WithVaultRoleID(roleid string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.vaultBackend == nil {
s.vaultBackend = &vaultBackend{}
}
s.vaultBackend.roleid = roleid
}
}
// WithEnvVarBackend enables the environment variable backend. Any characters in the secret ID that are not alphanumeric ASCII or underscores (legal env var characters) will be replaced by underscores after mapping.
func WithEnvVarBackend() SecretsClientOption {
return func(s *secretsClientConfig) {
if s.envVarBackend == nil {
s.envVarBackend = &envVarBackend{}
}
s.backendCount++
}
}
// WithJSONFileBackend enables the JSON file backend. The file should contain a single JSON object associating a name with a value: { "mysecret": "pa55w0rd"}.
func WithJSONFileBackend() SecretsClientOption {
return func(s *secretsClientConfig) {
if s.jsonFileBackend == nil {
s.jsonFileBackend = &jsonFileBackend{}
}
s.backendCount++
}
}
// WithJSONFileLocation sets the location to the JSON file
func WithJSONFileLocation(loc string) SecretsClientOption {
return func(s *secretsClientConfig) {
if s.jsonFileBackend == nil {
s.jsonFileBackend = &jsonFileBackend{}
}
s.jsonFileBackend.fileLocation = loc
}
}
// NewSecretsClient returns a SecretsClient configured according to the SecretsClientOptions supplied. Exactly one backend must be enabled.
// Weird things will happen if you mix options with incompatible backends.
func NewSecretsClient(ops ...SecretsClientOption) (*SecretsClient, error) {
config := &secretsClientConfig{}
for _, op := range ops {
op(config)
}
if config.backendCount != 1 {
return nil, fmt.Errorf("exactly one backend must be enabled")
}
sc := SecretsClient{}
switch {
case config.vaultBackend != nil:
config.vaultBackend.mapping = config.mapping
vc, err := newVaultClient(config.vaultBackend)
if err != nil {
return nil, fmt.Errorf("error creating vault client: %v", err)
}
vbe, err := newVaultBackendGetter(config.vaultBackend, vc)
if err != nil {
return nil, fmt.Errorf("error getting vault backend: %v", err)
}
sc.backend = vbe
case config.envVarBackend != nil:
config.envVarBackend.mapping = config.mapping
ebe, err := newEnvVarBackendGetter(config.envVarBackend)
if err != nil {
return nil, fmt.Errorf("error getting env var backend: %v", err)
}
sc.backend = ebe
case config.jsonFileBackend != nil:
config.jsonFileBackend.mapping = config.mapping
jbe, err := newjsonFileBackendGetter(config.jsonFileBackend)
if err != nil {
return nil, fmt.Errorf("error getting JSON file backend: %v", err)
}
sc.backend = jbe
}
return &sc, nil
}
// SecretMapper maps secrets
type SecretMapper interface {
MapSecret(id string) (string, error)
}
// secretMapper manages turning secret IDs into a location suitable for a backend to use
type secretMapper struct {
mappingTmpl *template.Template
}
// newSecretMapper returns a secret mapper using the supplied mapping string
func newSecretMapper(mapping string) (*secretMapper, error) {
if !strings.Contains(mapping, "{{ .ID") && !strings.Contains(mapping, "{{.ID") {
return nil, fmt.Errorf("mapping must contain {{ .ID }}")
}
tmpl, err := template.New("secret-mapper").Parse(mapping)
if err != nil {
return nil, fmt.Errorf("error parsing mapping: %v", err)
}
return &secretMapper{
mappingTmpl: tmpl,
}, nil
}
// mapSecret maps a secret ID to a location via the mapping string
func (sm *secretMapper) MapSecret(id string) (string, error) {
d := struct{ ID string }{ID: id}
b := bytes.Buffer{}
err := sm.mappingTmpl.Execute(&b, d)
if err != nil {
return "", fmt.Errorf("error executing mapping template: %v", err)
}
return string(b.Bytes()), nil
}