Commit cda58de0 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/custom-tls' into 'master'

feat: load ca certs

Closes #1

See merge request to-be-continuous/tools/vault-secrets-provider!126
parents baba4bf4 e8695efa
+1 −0
Original line number Diff line number Diff line
@@ -189,6 +189,7 @@ The tool requires the following environment variables to be set (as GitLab CI se
| `VAULT_JWT_TOKEN` | The signed [JSON Web Token](https://en.wikipedia.org/wiki/JSON_Web_Token) to login <br/>_Required for the [JWT/OIDC](https://www.vaultproject.io/docs/auth/jwt) Auth Method_ | `$CI_JOB_JWT` |
| `VAULT_JWT_ROLE`  | Name of the role against which the login is being attempted  <br/>_Required for the [JWT/OIDC](https://www.vaultproject.io/docs/auth/jwt) Auth Method_ | `default_role` |
| `VAULT_KV_VERSION`  | [Key/Value (KV) version](https://developer.hashicorp.com/vault/docs/secrets/kv) to use | `0` _(automatic)_ |
| `VAULT_CA_CERTS` | Additional CA certificates to use for the Vault server TLS connection <br/>_Optional but recommended, `SKIP_SSL` will be ignored_ | _none_ |

### Authentication method support

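--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2021 Orange & contributors
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms
+ *
+ * of the GNU Lesser General Public License as published by the Free Software Foundation;
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License along with this
+ * program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
+ * Floor, Boston, MA  02110-1301, USA.
+ */
+
+package internal
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"log"
+	"net/http"
+	"strings"
+
+	_ "golang.org/x/crypto/x509roots/fallback"
+)
+
+func ConfigHttpClientTLS() {
+	if caCertsStr := strings.TrimSpace(EnvStr("VAULT_CA_CERTS").Or("")); caCertsStr != "" {
+		log.Println("Using custom CA certificates from $VAULT_CA_CERTS...")
+		caCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			log.Printf("Failed to load system CA certificates: %v\n", err)
+			caCertPool = x509.NewCertPool()
+		}
+		if !caCertPool.AppendCertsFromPEM([]byte(caCertsStr)) {
+			log.Fatalln("Failed to parse CA certificates from $VAULT_CA_CERTS")
+		}
+		// nolint
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+			RootCAs: caCertPool,
+		}
+	} else if skipSsl := EnvBool("SKIP_SSL").Or(false); skipSsl {
+		log.Println("Disabling SSL verification ($SKIP_SSL is set)...")
+		// nolint
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+}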
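Review bot: Both `http.DefaultTransport.(*http.Transport)` assertions (the RootCAs branch and the SKIP_SSL branch) are single-value, so the function panics instead of reporting a configuration problem if DefaultTransport has been wrapped or replaced, and each branch also throws away whatever TLSClientConfig the transport already carried. A two-value assertion with one explicit failure path, mutating the existing config instead of replacing it, removes both issues; the rewrite below additionally logs when `$SKIP_SSL` is set but ignored because `$VAULT_CA_CERTS` takes precedence, which the README promises but the code currently does silently. `log.Fatalln` terminating the process from package internal is a questionable contract for a library package; returning an error for main to handle would be cleaner but changes the signature, so it is only mentioned here. The exported function and the blank `x509roots/fallback` import both lack a comment; the fence carries a doc comment for the function, and the import deserves one such as `// embeds fallback root CAs so verification still works where the OS provides no root pool`.
```go
// ConfigHttpClientTLS applies the TLS settings taken from the environment to
// http.DefaultTransport: CA certificates in $VAULT_CA_CERTS are added to the
// trusted roots; otherwise $SKIP_SSL=true disables certificate verification.
func ConfigHttpClientTLS() {
	transport, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		log.Fatalf("cannot configure TLS: http.DefaultTransport is %T, not *http.Transport", http.DefaultTransport)
	}
	tlsConfig := transport.TLSClientConfig
	if tlsConfig == nil {
		tlsConfig = &tls.Config{}
	}
	skipSsl := EnvBool("SKIP_SSL").Or(false)
	if caCertsStr := strings.TrimSpace(EnvStr("VAULT_CA_CERTS").Or("")); caCertsStr != "" {
		// … unchanged: build caCertPool from the system pool plus $VAULT_CA_CERTS …
		if skipSsl {
			log.Println("Ignoring $SKIP_SSL because $VAULT_CA_CERTS is set")
		}
		tlsConfig.RootCAs = caCertPool
	} else if skipSsl {
		log.Println("Disabling SSL verification ($SKIP_SSL is set)...")
		// nolint
		tlsConfig.InsecureSkipVerify = true
	}
	transport.TLSClientConfig = tlsConfig
}
```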
+3 −6
Original line number Diff line number Diff line
@@ -189,8 +189,7 @@ func doLogin() (*Authentication, error) {
			request.Header.Set(NamespaceHeader, vaultNamespace)
		}

		client := &http.Client{}
		if resp, err := client.Do(request); err != nil {
		if resp, err := http.DefaultClient.Do(request); err != nil {
			// request error: propagate
			return nil, StatusError{
				Code:    http.StatusInternalServerError,
@@ -269,9 +268,8 @@ func doGetKvEngineVersion(secretPath string) (int, error) {
			request.Header.Set(NamespaceHeader, vaultNamespace)
		}

		client := &http.Client{}
		log.Printf("... retrieve KV engine version (GET %s)\n", url)
		if resp, err := client.Do(request); err != nil {
		if resp, err := http.DefaultClient.Do(request); err != nil {
			// request error: propagate
			return 0, StatusError{
				Code:    http.StatusInternalServerError,
@@ -365,8 +363,7 @@ func doSecretRequest(method string, secretPath string, payload string) (map[stri

		log.Printf("... requesting secret '%s' (%s %s)\n", secretPath, method, url)
		delete(path2secret, secretPath) // remove from cache
		client := &http.Client{}
		if resp, err := client.Do(request); err != nil {
		if resp, err := http.DefaultClient.Do(request); err != nil {
			// request error: propagate
			return nil, StatusError{
				Code:    http.StatusInternalServerError,
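Review bot: The three new `http.DefaultClient.Do(request)` calls (in doLogin, doGetKvEngineVersion and doSecretRequest) issue requests with no timeout, because `http.DefaultClient` has a zero `Timeout`; a Vault server that accepts the connection and then stalls blocks the login or secret fetch indefinitely, and the removed `&http.Client{}` had the same gap. Either set `http.DefaultClient.Timeout` once next to the ConfigHttpClientTLS() call in main, or build `request` (presumably created above each hunk with http.NewRequest) via `http.NewRequestWithContext` with a deadline. The switch also makes these functions depend on ConfigHttpClientTLS() having mutated `http.DefaultTransport` before the first request; a one-line comment such as `// http.DefaultClient is used so the TLS settings applied by ConfigHttpClientTLS() take effect` at the first call site would make that ordering explicit. doLogin, doGetKvEngineVersion and doSecretRequest each start outside their hunk.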
+1 −7
Original line number Diff line number Diff line
@@ -18,7 +18,6 @@
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
@@ -27,12 +26,7 @@ import (
)

func main() {
	skipSsl := EnvBool("SKIP_SSL").Or(false)
	if skipSsl {
		log.Println("Disabling SSL verification ($SKIP_SSL is set)...")
		// nolint
		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	}
	ConfigHttpClientTLS()

	port := EnvInt("PORT").Or(8080)
	log.Printf("Launching service on port %d\n", port)
+1 −3
Original line number Diff line number Diff line
@@ -4,6 +4,4 @@ go 1.23.0

toolchain go1.24.5

require google.golang.org/grpc v1.73.0

require golang.org/x/tools/gopls v0.6.9 // indirect
require golang.org/x/crypto/x509roots/fallback v0.0.0-20250711192710-b903b535d3ef