2023-01-10 07:02:10 +00:00
|
|
|
// Copyright © 2022 Roberto Hidalgo <joao@un.rob.mx>
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
package cmd
|
|
|
|
|
|
|
|
|
|
import (
|
2023-01-14 21:56:32 +00:00
|
|
|
"os"
|
|
|
|
|
|
2023-01-10 07:02:10 +00:00
|
|
|
"git.rob.mx/nidito/chinampa/pkg/command"
|
|
|
|
|
"git.rob.mx/nidito/joao/internal/vault"
|
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
|
"github.com/hashicorp/vault/sdk/plugin"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var Plugin = &command.Command{
|
2023-01-14 21:56:32 +00:00
|
|
|
Path: []string{"vault-plugin"},
|
2023-01-10 07:02:10 +00:00
|
|
|
Summary: "Starts a vault-joao-plugin server",
|
2023-01-14 21:56:32 +00:00
|
|
|
Description: `﹅joao﹅ can run as a plugin to Hashicorp Vault, and make whole configuration entries available—secrets and all—through the Vault API.
|
2023-01-10 07:02:10 +00:00
|
|
|
|
2023-01-14 21:56:32 +00:00
|
|
|
To install, download ﹅joao﹅ to the machine running ﹅vault﹅ at the ﹅plugin_directory﹅, as specified by vault's config. The installed ﹅joao﹅ executable needs to be executable for the user running vault only.
|
2023-01-10 07:02:10 +00:00
|
|
|
|
|
|
|
|
### Configuration
|
|
|
|
|
﹅﹅﹅sh
|
|
|
|
|
export VAULT_PLUGIN_DIR=/var/lib/vault/plugins
|
|
|
|
|
chmod 700 "$VAULT_PLUGIN_DIR/joao"
|
|
|
|
|
export PLUGIN_SHA="$(openssl dgst -sha256 -hex "$VAULT_PLUGIN_DIR/joao" | awk '{print $2}')"
|
|
|
|
|
export VERSION="$($VAULT_PLUGIN_DIR/joao --version)"
|
|
|
|
|
|
|
|
|
|
# register
|
2023-01-14 21:56:32 +00:00
|
|
|
vault plugin register -sha256="$PLUGIN_SHA" -command=joao -args="vault-plugin" -version="$VERSION" secret joao
|
2023-01-10 07:02:10 +00:00
|
|
|
|
|
|
|
|
# configure, add ﹅vault﹅ to set a default vault for querying
|
|
|
|
|
vault write config/1password "host=$OP_CONNECT_HOST" "token=$OP_CONNECT_TOKEN" # vault=my-default-vault
|
|
|
|
|
|
2023-01-14 21:56:32 +00:00
|
|
|
if !(vault plugin list secret | grep -c -m1 '^joao ' >/dev/null); then
|
2023-01-10 07:02:10 +00:00
|
|
|
# first time, let's enable the secrets backend
|
2023-01-14 21:56:32 +00:00
|
|
|
vault secrets enable -path=config joao
|
2023-01-10 07:02:10 +00:00
|
|
|
else
|
|
|
|
|
# updating from a previous version
|
|
|
|
|
vault secrets tune -plugin-version="$VERSION" config/
|
|
|
|
|
vault plugin reload -plugin joao
|
|
|
|
|
fi
|
|
|
|
|
﹅﹅﹅
|
|
|
|
|
|
|
|
|
|
### Vault API
|
|
|
|
|
|
|
|
|
|
﹅﹅﹅sh
|
|
|
|
|
# VAULT is optional if configured with a default ﹅vault﹅. See above
|
|
|
|
|
|
|
|
|
|
# vault read config/tree/[VAULT/]ITEM
|
|
|
|
|
vault read config/tree/service:api
|
|
|
|
|
vault read config/tree/prod/service:api
|
|
|
|
|
|
|
|
|
|
# vault list config/trees/[VAULT/]
|
|
|
|
|
vault list config/trees
|
|
|
|
|
vault list config/trees/prod
|
|
|
|
|
﹅﹅﹅
|
2023-01-11 06:57:58 +00:00
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
- https://developer.hashicorp.com/vault/docs/plugins
|
2023-01-10 07:02:10 +00:00
|
|
|
`,
|
|
|
|
|
Options: command.Options{
|
2023-01-14 21:56:32 +00:00
|
|
|
"sigh0": {
|
|
|
|
|
ShortName: "c",
|
|
|
|
|
Default: "",
|
2023-01-10 07:02:10 +00:00
|
|
|
},
|
2023-01-14 21:56:32 +00:00
|
|
|
"sigh1": {
|
|
|
|
|
ShortName: "t",
|
|
|
|
|
Default: "",
|
2023-01-10 07:02:10 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
Action: func(cmd *command.Command) error {
|
2023-01-14 21:56:32 +00:00
|
|
|
apiClientMeta := &api.PluginAPIClientMeta{}
|
|
|
|
|
flags := apiClientMeta.FlagSet()
|
|
|
|
|
flags.Parse(os.Args[2:])
|
|
|
|
|
|
|
|
|
|
tlsConfig := apiClientMeta.GetTLSConfig()
|
|
|
|
|
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
|
2023-01-10 07:02:10 +00:00
|
|
|
return plugin.ServeMultiplex(&plugin.ServeOpts{
|
|
|
|
|
BackendFactoryFunc: vault.Factory,
|
2023-01-14 21:56:32 +00:00
|
|
|
TLSProviderFunc: tlsProviderFunc,
|
2023-01-10 07:02:10 +00:00
|
|
|
})
|
|
|
|
|
},
|
|
|
|
|
}
|
