93 lines
3.1 KiB
Go
93 lines
3.1 KiB
Go
|
// Copyright © 2022 Roberto Hidalgo <joao@un.rob.mx>
|
||
|
|
// SPDX-License-Identifier: Apache-2.0
|
||
|
|
package cmd
|
||
|
|
|
||
|
|
import (
|
||
|
|
"git.rob.mx/nidito/chinampa/pkg/command"
|
||
|
|
"git.rob.mx/nidito/joao/internal/vault"
|
||
|
|
"github.com/hashicorp/vault/api"
|
||
|
|
"github.com/hashicorp/vault/sdk/plugin"
|
||
|
|
)
|
||
|
|
|
||
|
|
var Plugin = &command.Command{
|
||
|
|
Path: []string{"vault", "server"},
|
||
|
|
Summary: "Starts a vault-joao-plugin server",
|
||
|
|
Description: `Runs ﹅joao﹅ as a vault plugin.
|
||
|
|
|
||
|
|
You'll need to install ﹅joao﹅ in the machine running ﹅vault﹅ to ﹅plugin_directory﹅ as specified by vault's config. The installed ﹅joao﹅ executable needs to be executable for the user running vault only.
|
||
|
|
|
||
|
|
### Configuration
|
||
|
|
﹅﹅﹅sh
|
||
|
|
export VAULT_PLUGIN_DIR=/var/lib/vault/plugins
|
||
|
|
chmod 700 "$VAULT_PLUGIN_DIR/joao"
|
||
|
|
export PLUGIN_SHA="$(openssl dgst -sha256 -hex "$VAULT_PLUGIN_DIR/joao" | awk '{print $2}')"
|
||
|
|
export VERSION="$($VAULT_PLUGIN_DIR/joao --version)"
|
||
|
|
|
||
|
|
# register
|
||
|
|
vault plugin register -sha256="$PLUGIN_SHA" -command=joao -args="vault,server" -version="$VERSION" secret joao
|
||
|
|
|
||
|
|
# configure, add ﹅vault﹅ to set a default vault for querying
|
||
|
|
vault write config/1password "host=$OP_CONNECT_HOST" "token=$OP_CONNECT_TOKEN" # vault=my-default-vault
|
||
|
|
|
||
|
|
if !vault plugin list secret | grep -c -m1 '^joao ' >/dev/null; then
|
||
|
|
# first time, let's enable the secrets backend
|
||
|
|
vault secrets enable --path=config joao
|
||
|
|
else
|
||
|
|
# updating from a previous version
|
||
|
|
vault secrets tune -plugin-version="$VERSION" config/
|
||
|
|
vault plugin reload -plugin joao
|
||
|
|
fi
|
||
|
|
﹅﹅﹅
|
||
|
|
|
||
|
|
### Vault API
|
||
|
|
|
||
|
|
﹅﹅﹅sh
|
||
|
|
# VAULT is optional if configured with a default ﹅vault﹅. See above
|
||
|
|
|
||
|
|
# vault read config/tree/[VAULT/]ITEM
|
||
|
|
vault read config/tree/service:api
|
||
|
|
vault read config/tree/prod/service:api
|
||
|
|
|
||
|
|
# vault list config/trees/[VAULT/]
|
||
|
|
vault list config/trees
|
||
|
|
vault list config/trees/prod
|
||
|
|
﹅﹅﹅
|
||
|
|
`,
|
||
|
|
Options: command.Options{
|
||
|
|
"ca-cert": {
|
||
|
|
Type: command.ValueTypeString,
|
||
|
|
Description: "See https://pkg.go.dev/github.com/hashicorp/vault/api#TLSConfig",
|
||
|
|
},
|
||
|
|
"ca-path": {
|
||
|
|
Type: command.ValueTypeString,
|
||
|
|
Description: "See https://pkg.go.dev/github.com/hashicorp/vault/api#TLSConfig",
|
||
|
|
},
|
||
|
|
"client-cert": {
|
||
|
|
Type: command.ValueTypeString,
|
||
|
|
Description: "See https://pkg.go.dev/github.com/hashicorp/vault/api#TLSConfig",
|
||
|
|
},
|
||
|
|
"client-key": {
|
||
|
|
Type: command.ValueTypeString,
|
||
|
|
Description: "See https://pkg.go.dev/github.com/hashicorp/vault/api#TLSConfig",
|
||
|
|
},
|
||
|
|
"tls-skip-verify": {
|
||
|
|
Type: command.ValueTypeBoolean,
|
||
|
|
Description: "See https://pkg.go.dev/github.com/hashicorp/vault/api#TLSConfig",
|
||
|
|
Default: false,
|
||
|
|
},
|
||
|
|
},
|
||
|
|
Action: func(cmd *command.Command) error {
|
||
|
|
return plugin.ServeMultiplex(&plugin.ServeOpts{
|
||
|
|
BackendFactoryFunc: vault.Factory,
|
||
|
|
TLSProviderFunc: api.VaultPluginTLSProvider(&api.TLSConfig{
|
||
|
|
CACert: cmd.Options["ca-cert"].ToString(),
|
||
|
|
CAPath: cmd.Options["ca-path"].ToString(),
|
||
|
|
ClientCert: cmd.Options["client-cert"].ToString(),
|
||
|
|
ClientKey: cmd.Options["client-key"].ToString(),
|
||
|
|
TLSServerName: "",
|
||
|
|
Insecure: cmd.Options["tls-skip-verify"].ToValue().(bool),
|
||
|
|
}),
|
||
|
|
})
|
||
|
|
},
|
||
|
|
}
|