diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 24482efd..ab1163dd 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -5,7 +5,7 @@ on: branches: [main] pull_request: # The branches below must be a subset of the branches above - branches: [main] + branches: [main, next] jobs: CI: diff --git a/Makefile b/Makefile index 67c391d6..53ef70ff 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ BINARY=argocd-vault-plugin -VERSION=0.6.0 +VERSION=1.0.0 OS_ARCH=darwin_amd64 default: build diff --git a/README.md b/README.md index e2f2c040..d8b33803 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,7 @@ initContainers: command: [sh, -c] args: - wget -O argocd-vault-plugin - https://github.com/IBM/argocd-vault-plugin/releases/download/v0.6.0/argocd-vault-plugin_0.6.0_linux_amd64 + https://github.com/IBM/argocd-vault-plugin/releases/download/v1.0.0/argocd-vault-plugin_1.0.0_linux_amd64 chmod +x argocd-vault-plugin && mv argocd-vault-plugin /custom-tools/ volumeMounts: @@ -138,7 +138,7 @@ RUN apt-get update && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* # Install the AVP plugin (as root so we can copy to /usr/local/bin) -RUN curl -L -o argocd-vault-plugin https://github.com/IBM/argocd-vault-plugin/releases/download/v0.6.0/argocd-vault-plugin_0.6.0_linux_amd64 +RUN curl -L -o argocd-vault-plugin https://github.com/IBM/argocd-vault-plugin/releases/download/v1.0.0/argocd-vault-plugin_1.0.0_linux_amd64 RUN chmod +x argocd-vault-plugin RUN mv argocd-vault-plugin /usr/local/bin @@ -224,19 +224,19 @@ We support AppRole and Github Auth Method for getting secrets from Vault. For AppRole Authentication, these are the required parameters: ``` VAULT_ADDR: Your HashiCorp Vault Address -TYPE: vault -AUTH_TYPE: approle -ROLE_ID: Your AppRole Role ID -SECRET_ID: Your AppRole Secret ID +AVP_TYPE: vault +AVP_AUTH_TYPE: approle +AVP_ROLE_ID: Your AppRole Role ID +AVP_SECRET_ID: Your AppRole Secret ID ``` ##### Github Authentication For Github Authentication, these are the required parameters: ``` VAULT_ADDR: Your HashiCorp Vault Address -TYPE: vault -AUTH_TYPE: github -GITHUB_TOKEN: Your Github Personal Access Token +AVP_TYPE: vault +AVP_AUTH_TYPE: github +AVP_GITHUB_TOKEN: Your Github Personal Access Token ``` ##### Kubernetes Authentication @@ -302,11 +302,11 @@ In order to use Kubernetes Authentication a couple of things are required. Once ArgoCD and Kubernetes are configured, you can then set the required environment variables for the plugin: ``` VAULT_ADDR: Your HashiCorp Vault Address -TYPE: vault -AUTH_TYPE: k8s -K8S_MOUNT_PATH: Mount Path of your kubernetes Auth (optional) -K8S_ROLE: Your Kuberetes Auth Role -K8S_TOKEN_PATH: Path to JWT (optional) +AVP_TYPE: vault +AVP_AUTH_TYPE: k8s +AVP_K8S_MOUNT_PATH: Mount Path of your kubernetes Auth (optional) +AVP_K8S_ROLE: Your Kuberetes Auth Role +AVP_K8S_TOKEN_PATH: Path to JWT (optional) ``` ### IBM Cloud Secret Manager @@ -316,9 +316,9 @@ For IBM Cloud Secret Manager we only support using IAM authentication at this ti For IAM Authentication, these are the required parameters: ``` VAULT_ADDR: Your IBM Cloud Secret Manager Endpoint -TYPE: secretmanager -AUTH_TYPE: iam -IBM_API_KEY: Your IBM Cloud API Key +AVP_TYPE: secretmanager +AVP_AUTH_TYPE: iam +AVP_IBM_API_KEY: Your IBM Cloud API Key ``` ## Configuration @@ -331,9 +331,9 @@ should be the exact names given above, case-sensitive: apiVersion: v1 data: VAULT_ADDR: Zm9v - AUTH_TYPE: Zm9v - GITHUB_TOKEN: Zm9v - TYPE: Zm9v + AVP_AUTH_TYPE: Zm9v + AVP_GITHUB_TOKEN: Zm9v + AVP_TYPE: Zm9v kind: Secret metadata: name: vault-configuration @@ -347,9 +347,9 @@ You can use it like this: `argocd-vault-plugin generate /some/path -s vault-conf The configuration can be given in a file reachable from the plugin, in any Viper supported format (YAML, JSON, etc.): ```yaml VAULT_ADDR: Zm9v -AUTH_TYPE: Zm9v -GITHUB_TOKEN: Zm9v -TYPE: Zm9v +AVP_AUTH_TYPE: Zm9v +AVP_GITHUB_TOKEN: Zm9v +AVP_TYPE: Zm9v ``` You can use it like this: `argocd-vault-plugin generate /some/path -c /path/to/config/file.yaml`. This can be useful for usecases not involving Argo CD. @@ -362,25 +362,20 @@ Make sure that these environment variables are available to the plugin when runn environment variables take precedence over configuration pulled from a Kubernetes Secret or a file. ### Full List of Supported Parameters +We support all Vault Environment Variables listed [here](https://www.vaultproject.io/docs/commands#environment-variables) as well as: | Name | Description | Notes | | --------------- | ----------- | ----- | -| VAULT_ADDR | Address of your Vault | N/A | -| VAULT_NAMESPACE | Your Vault Namespace | Optional | -| VAULT_CACERT | CACert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate | In order to use, you must create a secret with the certificate you want to load, and then mount that secret on the argocd-repo-server deployment. Then you can set this path to the mount point of the secret. | -| VAULT_CAPATH | CAPath is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate. | In order to use, you must create a secret with the certificate(s) you want to load, and then mount that secret on the argocd-repo-server deployment. Then you can set this path to the mount point of the secret. | -| VAULT_SKIP_VERIFY | Enables or disables SSL verification | Optional | -| PATH_PREFIX | Prefix of the vault path to look for the secrets (Will be deprecated in v1.0.0)| A `/` delimited path to a secret in Vault. This value is concatenated with the `kind` of the given resource; e.g, replacing a Secret with `PATH_PREFIX` `my-team/my-app` will use the path `my-team/my-app/secret`. PATH_PREFIX will be ignored if the `avp_path` annotation is present in a YAML resource. | -| TYPE | The type of Vault backend | Supported values: `vault` and `secretmanager` | -| KV_VERSION | The vault secret engine | Supported values: `1` and `2` (defaults to 2). KV_VERSION will be ignored if the `kv_version` annotation is present in a YAML resource.| -| AUTH_TYPE | The type of authentication | Supported values: vault: `approle, github` secretmanager: `iam` | -| GITHUB_TOKEN | Github token | Required with `AUTH_TYPE` of `github` | -| ROLE_ID | Vault AppRole Role_ID | Required with `AUTH_TYPE` of `approle` | -| SECRET_ID | Vault AppRole Secret_ID | Required with `AUTH_TYPE` of `approle` | -| K8S_MOUNT_PATH | Kuberentes Auth Mount PATH | Optional for `AUTH_TYPE` of `k8s` defaults to `auth/kubernetes` | -| K8S_ROLE | Kuberentes Auth Role | Required with `AUTH_TYPE` of `k8s` | -| K8S_TOKEN_PATH | Path to JWT for Kubernetes Auth | Optional for `AUTH_TYPE` of `k8s` defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token` | -| IBM_API_KEY | IBM Cloud IAM API Key | Required with `TYPE` of `secretmanager` and `AUTH_TYPE` of `iam` | +| AVP_TYPE | The type of Vault backend | Supported values: `vault` and `ibmsecretmanager` | +| AVP_KV_VERSION | The vault secret engine | Supported values: `1` and `2` (defaults to 2). KV_VERSION will be ignored if the `kv_version` annotation is present in a YAML resource.| +| AVP_AUTH_TYPE | The type of authentication | Supported values: vault: `approle, github` secretmanager: `iam` | +| AVP_GITHUB_TOKEN | Github token | Required with `AUTH_TYPE` of `github` | +| AVP_ROLE_ID | Vault AppRole Role_ID | Required with `AUTH_TYPE` of `approle` | +| AVP_SECRET_ID | Vault AppRole Secret_ID | Required with `AUTH_TYPE` of `approle` | +| AVP_K8S_MOUNT_PATH | Kuberentes Auth Mount PATH | Optional for `AUTH_TYPE` of `k8s` defaults to `auth/kubernetes` | +| AVP_K8S_ROLE | Kuberentes Auth Role | Required with `AUTH_TYPE` of `k8s` | +| AVP_K8S_TOKEN_PATH | Path to JWT for Kubernetes Auth | Optional for `AUTH_TYPE` of `k8s` defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token` | +| AVP_IBM_API_KEY | IBM Cloud IAM API Key | Required with `TYPE` of `secretmanager` and `AUTH_TYPE` of `iam` | ### Full List of Supported Annotation We support two different annotations that can be used inside a kubernetes resource. These annotations will override any corresponding configuration set via Environment Variable or Configuration File. diff --git a/cmd/generate.go b/cmd/generate.go index 7e0b495e..0ba61eb0 100644 --- a/cmd/generate.go +++ b/cmd/generate.go @@ -7,7 +7,6 @@ import ( "github.com/IBM/argocd-vault-plugin/pkg/kube" "github.com/IBM/argocd-vault-plugin/pkg/utils" "github.com/spf13/cobra" - "github.com/spf13/viper" ) // NewGenerateCommand initializes the generate command @@ -35,18 +34,14 @@ func NewGenerateCommand() *cobra.Command { manifests, errs := readFilesAsManifests(files) if len(errs) != 0 { - // TODO: handle multiple errors nicely return fmt.Errorf("could not read YAML files: %s", errs) } - viper := viper.New() - err = setConfig(secretName, configPath, viper) - if err != nil { - return err - } - - config, err := config.New(viper, utils.DefaultHttpClient()) + config, err := config.New(&config.Options{ + SecretName: secretName, + ConfigPath: configPath, + }) if err != nil { return err } @@ -62,7 +57,8 @@ func NewGenerateCommand() *cobra.Command { } for _, manifest := range manifests { - // skip empty manifests + + // skip empty manifests if len(manifest) == 0 { continue } diff --git a/cmd/generate_test.go b/cmd/generate_test.go index fb6ffc0f..5e6a31c7 100644 --- a/cmd/generate_test.go +++ b/cmd/generate_test.go @@ -19,11 +19,11 @@ var client *api.Client func TestMain(t *testing.T) { cluster, roleid, secretid = helpers.CreateTestAppRoleVault(t) os.Setenv("AVP_TYPE", "vault") - os.Setenv("AVP_VAULT_ADDR", cluster.Cores[0].Client.Address()) + os.Setenv("VAULT_ADDR", cluster.Cores[0].Client.Address()) os.Setenv("AVP_AUTH_TYPE", "approle") os.Setenv("AVP_SECRET_ID", secretid) os.Setenv("AVP_ROLE_ID", roleid) - os.Setenv("AVP_VAULT_SKIP_VERIFY", "true") + os.Setenv("VAULT_SKIP_VERIFY", "true") t.Run("will throw an error expecting arguments", func(t *testing.T) { args := []string{} @@ -88,9 +88,9 @@ func TestMain(t *testing.T) { }) os.Unsetenv("AVP_TYPE") - os.Unsetenv("AVP_VAULT_ADDR") + os.Unsetenv("VAULT_ADDR") os.Unsetenv("AVP_AUTH_TYPE") os.Unsetenv("AVP_SECRET_ID") os.Unsetenv("AVP_ROLE_ID") - os.Unsetenv("AVP_VAULT_SKIP_VERIFY") + os.Unsetenv("VAULT_SKIP_VERIFY") } diff --git a/cmd/util.go b/cmd/util.go index e2f32e17..f26bbdbd 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -8,8 +8,6 @@ import ( "os" "path/filepath" - "github.com/IBM/argocd-vault-plugin/pkg/kube" - "github.com/spf13/viper" k8yaml "k8s.io/apimachinery/pkg/util/yaml" ) @@ -73,30 +71,3 @@ func stringInSlice(a string, list []string) bool { } return false } - -func setConfig(secretName, configPath string, viper *viper.Viper) error { - // If a secret name is passed, pull config from Kubernetes - if secretName != "" { - localClient, err := kube.NewClient() - if err != nil { - return err - } - yaml, err := localClient.ReadSecret(secretName) - if err != nil { - return err - } - viper.SetConfigType("yaml") - viper.ReadConfig(bytes.NewBuffer(yaml)) - } - - // If a config file path is passed, read in that file and overwrite all other - if configPath != "" { - viper.SetConfigFile(configPath) - err := viper.ReadInConfig() - if err != nil { - return err - } - } - - return nil -} diff --git a/pkg/config/config.go b/pkg/config/config.go index ba8b705e..e1a66ba3 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -1,126 +1,172 @@ package config import ( + "bytes" "errors" - "net/http" + "fmt" + "os" + "strconv" + "strings" "github.com/IBM/argocd-vault-plugin/pkg/auth/ibmsecretmanager" "github.com/IBM/argocd-vault-plugin/pkg/auth/vault" "github.com/IBM/argocd-vault-plugin/pkg/backends" + "github.com/IBM/argocd-vault-plugin/pkg/kube" "github.com/IBM/argocd-vault-plugin/pkg/types" "github.com/hashicorp/vault/api" "github.com/spf13/viper" ) +const ( + // Environment Variable Constants + envAvpType = "AVP_TYPE" + envAvpRoleID = "AVP_ROLE_ID" + envAvpSecretID = "AVP_SECRET_ID" + envAvpAuthType = "AVP_AUTH_TYPE" + envAvpGithubToken = "AVP_GITHUB_TOKEN" + envAvpK8sRole = "AVP_K8S_ROLE" + envAvpK8sMountPath = "AVP_K8S_MOUNT_PATH" + envAvpK8sTokenPath = "AVP_K8S_TOKEN_PATH" + envAvpIbmAPIKey = "AVP_IBM_API_KEY" + envAvpKvVersion = "AVP_KV_VERSION" + envAvpPathPrefix = "AVP_PATH_PREFIX" + + // Backend and Auth Constants + vaultBackend = "vault" + ibmSecretManagerbackend = "ibmsecretmanager" + k8sAuth = "k8s" + approleAuth = "approle" + githubAuth = "github" + iamAuth = "iam" +) + +// Options TODO +type Options struct { + SecretName string + ConfigPath string +} + // Config is used to decide the backend and auth type type Config struct { - Address string - PathPrefix string - types.Backend + Backend types.Backend VaultClient *api.Client + PathPrefix string } // New returns a new Config struct -func New(viper *viper.Viper, httpClient *http.Client) (*Config, error) { +func New(co *Options) (*Config, error) { + viper := viper.New() // Set Defaults - viper.SetDefault("VAULT_ADDR", "http://127.0.0.1:8200") - viper.SetDefault("KV_VERSION", "2") - - // Instantiate Env - viper.SetEnvPrefix("AVP") - viper.AutomaticEnv() - - config := &Config{ - Address: viper.GetString("VAULT_ADDR"), - PathPrefix: viper.GetString("PATH_PREFIX"), - } - - apiConfig := &api.Config{ - Address: viper.GetString("VAULT_ADDR"), - HttpClient: httpClient, - } - - tlsConfig := &api.TLSConfig{} - - if viper.IsSet("VAULT_CAPATH") { - tlsConfig.CAPath = viper.GetString("VAULT_CAPATH") - } - - if viper.IsSet("VAULT_CACERT") { - tlsConfig.CACert = viper.GetString("VAULT_CACERT") - } - - if viper.IsSet("VAULT_SKIP_VERIFY") { - tlsConfig.Insecure = viper.GetBool("VAULT_SKIP_VERIFY") - } - - if err := apiConfig.ConfigureTLS(tlsConfig); err != nil { - return nil, err - } + viper.SetDefault(envAvpKvVersion, "2") - apiClient, err := api.NewClient(apiConfig) + // Read in config file or kubernetes secret and set as env vars + err := readConfigOrSecret(co.SecretName, co.ConfigPath) if err != nil { return nil, err } - if viper.IsSet("VAULT_NAMESPACE") { - apiClient.SetNamespace(viper.GetString("VAULT_NAMESPACE")) - } + // Instantiate Env + viper.AutomaticEnv() - if viper.IsSet("PATH_PREFIX") { - print("PATH_PREFIX will be deprecated in v1.0.0, please migrate to using the avp_path annotation.") + apiClient, err := api.NewClient(api.DefaultConfig()) + if err != nil { + return nil, err } - config.VaultClient = apiClient - - authType := viper.GetString("AUTH_TYPE") + authType := viper.GetString(envAvpAuthType) var auth types.AuthType - switch viper.GetString("TYPE") { - case "vault": + var backend types.Backend + + switch viper.GetString(envAvpType) { + case vaultBackend: switch authType { - case "approle": - if viper.IsSet("ROLE_ID") && viper.IsSet("SECRET_ID") { - auth = vault.NewAppRoleAuth(viper.GetString("ROLE_ID"), viper.GetString("SECRET_ID")) + case approleAuth: + if viper.IsSet(envAvpRoleID) && viper.IsSet(envAvpSecretID) { + auth = vault.NewAppRoleAuth(viper.GetString(envAvpRoleID), viper.GetString(envAvpSecretID)) } else { - return nil, errors.New("ROLE_ID and SECRET_ID for approle authentication cannot be empty") + return nil, fmt.Errorf("%s and %s for approle authentication cannot be empty", envAvpRoleID, envAvpSecretID) } - case "github": - if viper.IsSet("GITHUB_TOKEN") { - auth = vault.NewGithubAuth(viper.GetString("GITHUB_TOKEN")) + case githubAuth: + if viper.IsSet(envAvpGithubToken) { + auth = vault.NewGithubAuth(viper.GetString(envAvpGithubToken)) } else { - return nil, errors.New("GITHUB_TOKEN for github authentication cannot be empty") + return nil, fmt.Errorf("%s for github authentication cannot be empty", envAvpGithubToken) } - case "k8s": - if viper.IsSet("K8S_ROLE") { + case k8sAuth: + if viper.IsSet(envAvpK8sRole) { auth = vault.NewK8sAuth( - viper.GetString("K8S_ROLE"), - viper.GetString("K8S_MOUNT_PATH"), - viper.GetString("K8S_TOKEN_PATH"), + viper.GetString(envAvpK8sRole), + viper.GetString(envAvpK8sMountPath), + viper.GetString(envAvpK8sTokenPath), ) } else { - return nil, errors.New("K8S_ROLE cannot be empty when using Kubernetes Auth") + return nil, fmt.Errorf("%s cannot be empty when using Kubernetes Auth", envAvpK8sRole) } default: return nil, errors.New("Must provide a supported Authentication Type") } - config.Backend = backends.NewVaultBackend(auth, apiClient, viper.GetString("KV_VERSION")) - case "secretmanager": + backend = backends.NewVaultBackend(auth, apiClient, viper.GetString(envAvpKvVersion)) + case ibmSecretManagerbackend: switch authType { - case "iam": - if viper.IsSet("IBM_API_KEY") { - auth = ibmsecretmanager.NewIAMAuth(viper.GetString("IBM_API_KEY")) + case iamAuth: + if viper.IsSet(envAvpIbmAPIKey) { + auth = ibmsecretmanager.NewIAMAuth(viper.GetString(envAvpIbmAPIKey)) } else { - return nil, errors.New("IBM_API_KEY for iam authentication cannot be empty") + return nil, fmt.Errorf("%s for iam authentication cannot be empty", envAvpIbmAPIKey) } default: return nil, errors.New("Must provide a supported Authentication Type") } - config.Backend = backends.NewIBMSecretManagerBackend(auth, apiClient) + backend = backends.NewIBMSecretManagerBackend(auth, apiClient) default: return nil, errors.New("Must provide a supported Vault Type") } - return config, nil + return &Config{ + Backend: backend, + VaultClient: apiClient, + PathPrefix: viper.GetString(envAvpPathPrefix), + }, nil +} + +func readConfigOrSecret(secretName, configPath string) error { + // If a secret name is passed, pull config from Kubernetes + if secretName != "" { + localClient, err := kube.NewClient() + if err != nil { + return err + } + yaml, err := localClient.ReadSecret(secretName) + if err != nil { + return err + } + viper.SetConfigType("yaml") + viper.ReadConfig(bytes.NewBuffer(yaml)) + } + + // If a config file path is passed, read in that file and overwrite all other + if configPath != "" { + viper.SetConfigFile(configPath) + err := viper.ReadInConfig() + if err != nil { + return err + } + } + + for k, v := range viper.AllSettings() { + if strings.HasPrefix(k, "vault") { + var value string + switch v.(type) { + case bool: + value = strconv.FormatBool(v.(bool)) + default: + value = v.(string) + } + os.Setenv(strings.ToUpper(k), value) + } + } + + return nil } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index f15dcf3b..bed36391 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -1,17 +1,11 @@ package config_test import ( - "crypto/tls" "fmt" - "io/ioutil" - "net/http" "os" "testing" - "time" "github.com/IBM/argocd-vault-plugin/pkg/config" - "github.com/IBM/argocd-vault-plugin/pkg/utils" - "github.com/spf13/viper" ) func TestNewConfig(t *testing.T) { @@ -65,7 +59,7 @@ func TestNewConfig(t *testing.T) { }, { map[string]interface{}{ - "AVP_TYPE": "secretmanager", + "AVP_TYPE": "ibmsecretmanager", "AVP_AUTH_TYPE": "iam", "AVP_IBM_API_KEY": "token", }, @@ -76,8 +70,7 @@ func TestNewConfig(t *testing.T) { for k, v := range tc.environment { os.Setenv(k, v.(string)) } - viper := viper.New() - config, err := config.New(viper, utils.DefaultHttpClient()) + config, err := config.New(&config.Options{}) if err != nil { t.Error(err) t.FailNow() @@ -92,107 +85,8 @@ func TestNewConfig(t *testing.T) { } } -func TestVaultNamespace(t *testing.T) { - env := map[string]interface{}{ - "AVP_TYPE": "vault", - "AVP_AUTH_TYPE": "github", - "AVP_GITHUB_TOKEN": "token", - "AVP_VAULT_NAMESPACE": "ns1", - } - - for k, v := range env { - os.Setenv(k, v.(string)) - } - - viper := viper.New() - cf, err := config.New(viper, utils.DefaultHttpClient()) - if err != nil { - t.Fatalf("expected 0 errors but got: %s", err) - } - - headers := cf.VaultClient.Headers() - if headers.Get("X-Vault-Namespace") != "ns1" { - t.Errorf("expected X-Vault-Namespace to be %s, got %s", "ns1", headers.Get("X-Vault-Namespace")) - } - - for k := range env { - os.Unsetenv(k) - } -} - -func TestVaultTLS(t *testing.T) { - fakeCert := `-----BEGIN CERTIFICATE----- -MIICsjCCAZoCCQCpRK9HNTzoXzANBgkqhkiG9w0BAQsFADAbMQswCQYDVQQGEwJV -UzEMMAoGA1UECgwDSUJNMB4XDTIxMDMwMTE1NDU1M1oXDTIxMDMzMTE1NDU1M1ow -GzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBANawTlNFjatQCP/ydFgUnEaF01/67z514i5v/LDEPgEvupkd -Z/GPueZXvIu65RS3DcZKTBeg5ACIwp6X9zJenCy3NWXHq5ro0hfNNG0F4GgjUMAH -V4wz3Oi+LsrnybPLcD3U8PXhRytsAQNqUG3Cx2gd0i+knaIy/WHgUlBJiNJLoOlW -/wfNGNDuZcOWs68kdf2mrBEPMOWGRpC2lBw4BeUEvPqZAs3eNVRWETL3TkkZVDaP -CkIwY44xOSdZnx0c6JOTxWu11caX33sCGWZVwdIlPlWSdHk3ktXjWHIcizCT6GpX -wKEkhXI6hPJpWTa7//RFJwvZm28F732Zbcb1kEMCAwEAATANBgkqhkiG9w0BAQsF -AAOCAQEAvi9GSPRkkMhC0B2L9HWYSuaEk7VIGvrRmRNL/IZXB8KRBV1kF913Mdy5 -bEwEWF6AKL2lvbSRW9QIGoBn777ZHj+vCxdWbic7uLNIuvMFX6CvUM7uCj4+9tjy -+oaiirgSgu6K8aq8b/nPwN2b924YWadhxsTlu/vRDBnqtmNc82zsM32wF1GA38Yx -intZBFinXKrfHBqwJlWRxTRQtnx1UjotE0Hxo4rxaSSWxPOFMk44id0iZ9+QVhAu -4LJiL6ZSRnhaBhiTdtbTMPfFjzAlpMlu6RsA9X8OBbm6IklE0kSw4lVQ0fgzSjR7 -1ul5Nue2ISTGUBUvkLR59+DeHqCNBQ== ------END CERTIFICATE-----` - - err := ioutil.WriteFile("/tmp/test-cert.crt", []byte(fakeCert), 0644) - if err != nil { - t.Fatal(err) - } - - env := map[string]interface{}{ - "AVP_TYPE": "vault", - "AVP_AUTH_TYPE": "github", - "AVP_GITHUB_TOKEN": "token", - "AVP_VAULT_CACERT": "/tmp/test-cert.crt", - "AVP_VAULT_CAPATH": "/tmp/test-cert.crt", - "AVP_VAULT_SKIP_VERIFY": "true", - } - - for k, v := range env { - os.Setenv(k, v.(string)) - } - - var tlsClientConfig = &tls.Config{ - MinVersion: tls.VersionTLS12, - } - - var transport http.RoundTripper = &http.Transport{ - TLSHandshakeTimeout: 10 * time.Second, - TLSClientConfig: tlsClientConfig, - } - - var httpClient = &http.Client{ - Timeout: 10 * time.Second, - Transport: transport, - } - - viper := viper.New() - _, err = config.New(viper, httpClient) - if err != nil { - t.Fatalf("expected 0 errors but got: %s", err) - } - - if len(tlsClientConfig.RootCAs.Subjects()) != 1 { - t.Errorf("expected cert count to be 1, got %v", len(tlsClientConfig.RootCAs.Subjects())) - } - - if tlsClientConfig.InsecureSkipVerify != true { - t.Errorf("expected insecure skip verify to be true, got %v", tlsClientConfig.InsecureSkipVerify) - } - - for k := range env { - os.Unsetenv(k) - } -} - func TestNewConfigNoType(t *testing.T) { - viper := viper.New() - _, err := config.New(viper, utils.DefaultHttpClient()) + _, err := config.New(&config.Options{}) expectedError := "Must provide a supported Vault Type" if err.Error() != expectedError { @@ -202,8 +96,7 @@ func TestNewConfigNoType(t *testing.T) { func TestNewConfigNoAuthType(t *testing.T) { os.Setenv("AVP_TYPE", "vault") - viper := viper.New() - _, err := config.New(viper, utils.DefaultHttpClient()) + _, err := config.New(&config.Options{}) expectedError := "Must provide a supported Authentication Type" if err.Error() != expectedError { @@ -254,8 +147,7 @@ func TestNewConfigMissingParameter(t *testing.T) { for k, v := range tc.environment { os.Setenv(k, v.(string)) } - viper := viper.New() - _, err := config.New(viper, utils.DefaultHttpClient()) + _, err := config.New(&config.Options{}) if err == nil { t.Fatalf("%s should not instantiate", tc.expectedType) } diff --git a/version/version.go b/version/version.go index 60a74507..cc25db7e 100644 --- a/version/version.go +++ b/version/version.go @@ -2,5 +2,5 @@ package version var ( // Version is the argocd-vault-plugin version. - Version = "v0.6.0" + Version = "v1.0.0" )