-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathvault_app.go
126 lines (103 loc) · 2.92 KB
/
vault_app.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
vault "github.com/hashicorp/vault/api"
"github.com/spf13/cobra"
)
func getSecret(client *vault.Client, kubeToken, path, key string) (string, error) {
data := map[string]interface{}{
"role": "default-default",
"jwt": kubeToken,
}
loginResp, err := client.Logical().Write("auth/kubernetes/login", data)
if err != nil {
return "", err
}
if loginResp.Auth == nil {
return "", fmt.Errorf("failed to get vault token")
}
token := loginResp.Auth.ClientToken
client.SetToken(token)
resp, err := client.Logical().Read(path)
if err != nil {
return "", err
}
if resp.Data == nil {
return "", fmt.Errorf("no data found under '%s'", path)
}
m, ok := resp.Data["data"].(map[string]interface{})
if !ok {
return "", fmt.Errorf("secret not found at '%s'", path)
}
secret, ok := m[key].(string)
if !ok {
return "", fmt.Errorf("secret '%s' does no exist", key)
}
return secret, nil
}
func newAppCmd() *cobra.Command {
var (
tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
secretPath = "kv/data/k8s/default"
secretKey = "password"
mode = "vault"
envVar = "SECRET"
secretFile = "/var/run/secrets/app/password"
addr = ":8080"
)
config := vault.DefaultConfig()
_ = config.ReadEnvironment()
cmd := &cobra.Command{
Use: "app",
Short: "An app which reads a secrets.",
RunE: func(cmd *cobra.Command, args []string) error {
var secret string
switch mode {
case "env":
secret = os.Getenv(envVar)
case "file":
raw, err := ioutil.ReadFile(secretFile)
if err != nil {
return err
}
secret = string(raw)
case "vault":
client, err := vault.NewClient(config)
if err != nil {
return err
}
token, err := ioutil.ReadFile(tokenFile)
if err != nil {
return err
}
secret, err = getSecret(client, string(token), secretPath, secretKey)
if err != nil {
return err
}
default:
return fmt.Errorf("unknown mode '%s'", mode)
}
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "the secret is: %s", secret)
})
log.Fatal(http.ListenAndServe(addr, nil))
return nil
},
}
cmd.Flags().StringVar(&mode, "mode", mode, "Mode to get the secret (env|file|vault).")
cmd.Flags().StringVar(&addr, "addr", addr, "Address to listen on.")
// env
cmd.Flags().StringVar(&envVar, "env", envVar, "Environment variable to read the secret from.")
// file
cmd.Flags().StringVar(&secretFile, "file", secretFile, "File to read the secret from.")
// vault
cmd.Flags().StringVar(&tokenFile, "token-file", tokenFile, "Path to read the service account token from.")
cmd.Flags().StringVar(&config.Address, "vault-address", config.Address, "Vault address")
cmd.Flags().StringVar(&secretPath, "secret-path", secretPath, "Secret Path")
cmd.Flags().StringVar(&secretKey, "secret-key", secretKey, "Secret Key")
return cmd
}