Commit acb0193a authored by Pierre Smeyers's avatar Pierre Smeyers

feat: support Token auth method

parent 7cf44aab
+6 −2
@@ -12,9 +12,12 @@ in order to decouple the image of your jobs and the way of retrieving secrets.
Before using this service, you'll have to configure your Vault server, with:

* one or several secrets,
* one [AppRole](https://www.vaultproject.io/docs/auth/approle) with required permissions to access those secrets.
* at least one of the following [Auth Mathods](https://www.vaultproject.io/docs/auth) configured with required permissions to access those secrets:
  * [AppRole](https://www.vaultproject.io/docs/auth/approle),
  * [Token](https://www.vaultproject.io/docs/auth/token),
  * or [JWT for GitLab](https://www.vaultproject.io/docs/auth/jwt/oidc_providers#gitlab).

:warning: The [AppRole](https://www.vaultproject.io/docs/auth/approle) used in your CI/CD shall have a **short `token_ttl`**
:warning: If using the [AppRole](https://www.vaultproject.io/docs/auth/approle) method, the AppRole used in your CI/CD shall have a **short `token_ttl`**
(let's say 10 minutes) and a **long `secret_id_ttl`** (could be infinite).

This way:
@@ -77,6 +80,7 @@ The tool requires the following environment variables to be set (as GitLab CI se
| `VAULT_BASE_KV_SECRETS_PATH`  | The base [Key/Value secrets](https://www.vaultproject.io/api-docs/secret/kv/kv-v1) API path | `/secret` |
| `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ (required to use the [AppRole](https://www.vaultproject.io/docs/auth/approle) Auth Method) |
| `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_  (required to use the [AppRole](https://www.vaultproject.io/docs/auth/approle) Auth Method) |
| `VAULT_TOKEN`     | The token to use | _none_  (required to use the [Token](https://www.vaultproject.io/docs/auth/token) Auth Method) |
| `VAULT_JWT_TOKEN` | The signed [JSON Web Token](https://en.wikipedia.org/wiki/JSON_Web_Token) to login | `$CI_JOB_JWT` |
| `VAULT_JWT_ROLE`  | Name of the role against which the login is being attempted | `default_role`  (used with the [JWT/OIDC](https://www.vaultproject.io/docs/auth/jwt) Auth Method) |
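Review bot: the new bullet `* at least one of the following [Auth Mathods](...)` misspells "Methods"; please fix before merge. More importantly, the `:warning:` about a short `token_ttl` is now scoped to the AppRole method only, while the new `VAULT_TOKEN` row introduces a static token handed to CI as a secret; the README should state the equivalent expectation for that token (issued with a bounded TTL and the minimal policy for the secrets in question, renewable rather than unlimited), and the `VAULT_TOKEN` / `VAULT_ROLE_ID` / `VAULT_SECRET_ID` rows should say which method is chosen when more than one set of variables is present, since the table currently marks each as "required" for its method without defining precedence.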

+2 −2
@@ -77,8 +77,8 @@ func DumpVaultCfg() {
	log.Printf("Vault base secrets/KV path: '%s'\n", vaultBaseSecretsKvPath)
}

var clientToken string
var expirationTimeSec int64
var clientToken = os.Getenv("VAULT_TOKEN")        // an unlimited token might passed (dev only)
var expirationTimeSec = time.Now().Unix() + 86400 // 24 hours from start time

func hasValidToken() bool {
	return len(clientToken) > 0 && time.Now().Unix() < (expirationTimeSec-1)
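Review bot: `expirationTimeSec` is set to `time.Now().Unix() + 86400` whenever `VAULT_TOKEN` is read from the environment, independent of the TTL Vault actually attached to that token, so `hasValidToken()` will keep reporting the token as usable for 24 hours after a shorter-lived token has expired or been revoked, and the subsequent Vault calls will fail instead of triggering a fresh login. Suggest resolving the real remaining TTL from Vault's token lookup-self endpoint (`/v1/auth/token/lookup-self`) when `VAULT_TOKEN` is set, or at minimum treating a 403 from Vault as an expired token, rather than assuming a fixed lifetime. Also, the comment `// an unlimited token might passed (dev only)` is missing a word (`might be passed`) and contradicts the README hunk in this same commit, which documents Token as a regular supported auth method; the two should agree on whether `VAULT_TOKEN` is a dev-only convenience or a production path.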