package agent
import (
"encoding/json"
"fmt"
"time"
)
const (
	// DefaultTemplate is a fmt format string, not a finished template:
	// newTemplateConfigs substitutes the secret path for %s inside the quoted
	// secret "…" argument. The path is inserted verbatim (no escaping happens
	// in this file), so a path containing a double quote would yield an
	// unparsable template.
	DefaultTemplate = "{{ with secret \"%s\" }}{{ range $k, $v := .Data }}{{ $k }}: {{ $v }}\n{{ end }}{{ end }}"
	// TokenTemplate renders only the id of the agent's own token, read via the
	// lookup-self endpoint. Unused within this file.
	TokenTemplate = "{{ with secret \"auth/token/lookup-self\" }}{{ .Data.id }}\n{{ end }}"
	// TokenSecret is the lookup-self path embedded in TokenTemplate. Unused
	// within this file.
	TokenSecret = "auth/token/lookup-self"
	// PidFile is the in-container path newConfig sets as pid_file.
	PidFile = "/home/vault/.pid"
	// TokenFile is the in-container path the "file" sink built in newConfig
	// writes the Vault token to; anything sharing the container filesystem
	// can read it.
	TokenFile = "/home/vault/.vault-token"
)
// Config is the top level struct that composes a Vault Agent
// configuration file.
type Config struct {
	// AutoAuth carries the auth method and token sinks ("auto_auth").
	AutoAuth *AutoAuth `json:"auto_auth"`
	// ExitAfterAuth is set from newConfig's init argument; it maps to Vault
	// Agent's exit_after_auth option.
	ExitAfterAuth bool `json:"exit_after_auth"`
	// PidFile is the pid_file path; newConfig always uses the PidFile constant.
	PidFile string `json:"pid_file"`
	// Vault holds server address and TLS settings.
	Vault *VaultConfig `json:"vault"`
	// Templates lists the template stanzas. The tag has no omitempty, so a nil
	// slice marshals as JSON null and an empty non-nil slice as [].
	Templates []*Template `json:"template"`
}
// VaultConfig contains configuration for connecting to Vault servers
// (the "vault" stanza). All fields except Address are omitted from JSON
// when empty.
type VaultConfig struct {
	// Address is the Vault server URL.
	Address string `json:"address"`
	// CACert is a CA certificate file used to verify the server.
	CACert string `json:"ca_cert,omitempty"`
	// CAPath is a directory of CA certificates. newConfig fills it from
	// a.Vault.CAKey (NOTE(review): confirm that field holds a CA path, not
	// key material, as its name suggests).
	CAPath string `json:"ca_path,omitempty"`
	// TLSSkipVerify disables server certificate verification when true; it is
	// copied straight from a.Vault.TLSSkipVerify with no override here.
	TLSSkipVerify bool `json:"tls_skip_verify,omitempty"`
	// ClientCert and ClientKey configure mutual TLS to the server.
	ClientCert string `json:"client_cert,omitempty"`
	ClientKey string `json:"client_key,omitempty"`
	// TLSServerName is the SNI / verification name to use instead of the host
	// part of Address.
	TLSServerName string `json:"tls_server_name,omitempty"`
}
// AutoAuth is the configured authentication method and sinks
// (the "auto_auth" stanza).
type AutoAuth struct {
	// Method is the single auth method; newConfig always builds a "kubernetes" one.
	Method *Method `json:"method,omitempty"`
	// Sinks are the locations the obtained token is written to; newConfig
	// builds exactly one "file" sink.
	Sinks []*Sink `json:"sink,omitempty"`
}
// Method represents the configuration for the authentication backend.
type Method struct {
	// Type is the auth method name ("kubernetes" in newConfig).
	Type string `json:"type"`
	// MountPath is where the auth method is mounted; set from a.Vault.AuthPath.
	MountPath string `json:"mount_path,omitempty"`
	// WrapTTLRaw is the wrap_ttl value as it appears in the JSON; WrapTTL is
	// presumably its parsed form (no parsing occurs in this file) and is never
	// marshaled because of the "-" tag.
	WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"`
	WrapTTL time.Duration `json:"-"`
	// Namespace is the Vault namespace for the login; set from a.Vault.Namespace.
	Namespace string `json:"namespace,omitempty"`
	// Config is method-specific; newConfig only sets "role".
	Config map[string]interface{} `json:"config,omitempty"`
}
// Sink defines a location to write the authenticated token.
type Sink struct {
	// Type is the sink kind; only "file" is produced in this file.
	Type string `json:"type"`
	// WrapTTLRaw is the wrap_ttl value as it appears in the JSON; WrapTTL is
	// presumably its parsed form (no parsing occurs in this file) and is never
	// marshaled because of the "-" tag.
	WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"`
	WrapTTL time.Duration `json:"-"`
	// DHType, DHPath, AAD and AADEnvVar are passed through verbatim when set;
	// presumably the Diffie-Hellman token-encryption options of a Vault Agent
	// sink — verify against the agent docs. None of them is set in this file.
	DHType string `json:"dh_type,omitempty"`
	DHPath string `json:"dh_path,omitempty"`
	AAD string `json:"aad,omitempty"`
	AADEnvVar string `json:"aad_env_var,omitempty"`
	// Config is sink-specific; for the "file" sink newConfig sets "path".
	Config map[string]interface{} `json:"config,omitempty"`
}
// Template defines the Consul Template parameters for one rendered secret.
type Template struct {
	// CreateDestDirs is never set in this file and so is always omitted.
	CreateDestDirs bool `json:"create_dest_dirs,omitempty"`
	// Destination is the output file path; newTemplateConfigs derives it
	// from the secret name.
	Destination string `json:"destination"`
	// Contents is the template source text itself.
	Contents string `json:"contents"`
	// LeftDelim and RightDelim are the template delimiters; newTemplateConfigs
	// fixes them to "{{" and "}}".
	LeftDelim string `json:"left_delimiter,omitempty"`
	RightDelim string `json:"right_delimiter,omitempty"`
	// Command is set from secret.Command; presumably the command the template
	// runtime executes after rendering — confirm against the consul-template
	// semantics.
	Command string `json:"command,omitempty"`
}
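// newTemplateConfigs builds one Template stanza per entry in a.Secrets.
//
// For each secret the contents are secret.Template when set, otherwise
// DefaultTemplate with secret.Path substituted verbatim for %s. The
// destination is always "/vault/secrets/<secret.Name>". Both Name and Path
// are interpolated as-is; NOTE(review): confirm they are validated where
// Secrets is populated, since no sanitising happens here.
//
// Returns nil rather than an empty slice when there are no secrets, so
// Config.Templates keeps marshaling as JSON null in that case.
func (a *Agent) newTemplateConfigs() []*Template {
	if len(a.Secrets) == 0 {
		return nil
	}
	// Exactly one template per secret, so the slice can be sized up front.
	templates := make([]*Template, 0, len(a.Secrets))
	for _, secret := range a.Secrets {
		contents := secret.Template
		if contents == "" {
			contents = fmt.Sprintf(DefaultTemplate, secret.Path)
		}
		templates = append(templates, &Template{
			Contents:    contents,
			Destination: fmt.Sprintf("/vault/secrets/%s", secret.Name),
			LeftDelim:   "{{",
			RightDelim:  "}}",
			Command:     secret.Command,
		})
	}
	return templates
}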
// newConfig renders the Vault Agent configuration for this Agent as JSON.
//
// init is written to exit_after_auth unchanged. The auth method is always
// "kubernetes" (mount path a.Vault.AuthPath, role a.Vault.Role) with a
// single "file" sink writing the token to TokenFile. The TLS settings,
// including TLSSkipVerify, are copied from a.Vault without modification.
//
// NOTE(review): ca_path is populated from a.Vault.CAKey — confirm that field
// really holds a CA directory path, as its name suggests key material.
func (a *Agent) newConfig(init bool) ([]byte, error) {
	vaultCfg := &VaultConfig{
		Address:       a.Vault.Address,
		CACert:        a.Vault.CACert,
		CAPath:        a.Vault.CAKey,
		ClientCert:    a.Vault.ClientCert,
		ClientKey:     a.Vault.ClientKey,
		TLSSkipVerify: a.Vault.TLSSkipVerify,
		TLSServerName: a.Vault.TLSServerName,
	}

	authMethod := &Method{
		Type:      "kubernetes",
		Namespace: a.Vault.Namespace,
		MountPath: a.Vault.AuthPath,
		Config:    map[string]interface{}{"role": a.Vault.Role},
	}

	tokenSink := &Sink{
		Type:   "file",
		Config: map[string]interface{}{"path": TokenFile},
	}

	cfg := &Config{
		PidFile:       PidFile,
		ExitAfterAuth: init,
		Vault:         vaultCfg,
		AutoAuth:      &AutoAuth{Method: authMethod, Sinks: []*Sink{tokenSink}},
		Templates:     a.newTemplateConfigs(),
	}
	return cfg.render()
}
// render serializes the Config with encoding/json, honouring the struct
// tags: omitempty fields are dropped when zero and fields tagged "-" are
// never emitted. Any marshaling error is returned as-is with nil bytes.
func (c *Config) render() ([]byte, error) {
	out, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return out, nil
}