Commit f50f05a7 authored by Cédric OLIVIER's avatar Cédric OLIVIER

Merge branch 'feat/acceptance-test' into 'master'

Feat/acceptance test

Closes #7

See merge request to-be-continuous/tools/vault-secrets-provider!14
parents 7cf44aab 981a46cf
+1 −0
@@ -34,3 +34,4 @@
/.vscode/
reports/coverage.out
reports/coverage.out
start_vault.sh
+47 −1
@@ -27,7 +27,8 @@ variables:
  GO_BUILD_FLAGS: -tags netgo
  DOCKER_BUILD_ARGS: "--build-arg CI_PROJECT_URL --build-arg DEFAULT_VAULT_URL"

test-service:
# this job tests the Docker image on a remote Vault server (configurable)
test-on-remote:
  image: "curlimages/curl"
  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
@@ -36,6 +37,7 @@ test-service:
    # variables have to be explicitly declared in the YAML to be exported to the service
    VAULT_BASE_URL: "$TEST_VAULT_BASE_URL"
    VAULT_ROLE_ID: "$TEST_VAULT_ROLE_ID"
    VAULT_TOKEN: "$TEST_VAULT_TOKEN"
    VAULT_SECRET_ID: "$TEST_VAULT_SECRET_ID"
  stage: acceptance
  script:
@@ -53,3 +55,47 @@ test-service:
      - branches
    variables:
      - "$TEST_VAULT_BASE_URL"

# this job tests the Docker image on a local Vault server using the Vault server image
# See: https://hub.docker.com/_/vault
test-on-local:
  image: "dwdraju/alpine-curl-jq"
  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
      alias: "vault-secrets-provider"
    - name: "vault"
      alias: "vault-server"
  variables:
    # variables have to be explicitly declared in the YAML to be exported to the service
    # config for Vault dev mode - see: https://www.vaultproject.io/docs/commands/server#dev-options
    VAULT_DEV_ROOT_TOKEN_ID: "dev-root-token"
    # defines the Vault server base URL for Vault Secrets Provider
    VAULT_BASE_URL: "http://vault-server:8200/v1" # config for 
    # defines the Vault (root) Token for Vault Secrets Provider
    VAULT_TOKEN: "dev-root-token"
    # This allows the main container to connect to the services containers
    FF_NETWORK_PER_BUILD: "1"
  stage: acceptance
  script:
    # wait for a while that all services are UP and running
    - sleep 5
    # check Vault Secrets Provider is UP and healthy
    - curl -sSf "http://vault-secrets-provider/health"
    # check Vault is UP and healthy
    - curl -sSf "$VAULT_BASE_URL/sys/health"
    # create a secret in Vault
    - |
      curl --silent --header "X-Vault-Token: ${VAULT_DEV_ROOT_TOKEN_ID}" --request PUT --data '{"options": {"cas": 0}, "data": {"foo": "bar", "zip": "zap"}}' "${VAULT_BASE_URL}/secret/data/my-secret"
    # now check we can retrieve the secret through Vault Secrets Provider
    - |
      if foo_secret=$(curl -sSf "http://vault-secrets-provider/api/secrets/my-secret?field=foo")
      then
        echo "secret retrieved - $foo_secret"
      else
        echo "FAILED retrieving secret"
        curl --silent "http://vault-secrets-provider/api/secrets/my-secret?field=foo"
        exit 1
      fi
  only:
    refs:
      - branches
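Review bot: The success branch at the end of the test-on-local script echoes the retrieved value into the job log and never checks that it equals the `bar` written a few steps earlier, so the job passes on any 200 response from the provider; compare instead, `[ "$foo_secret" = "bar" ] || { echo "FAILED: unexpected secret value"; exit 1; }`, and drop the value from the echo so the pattern does not carry over to jobs that read real secrets. The PUT that seeds the secret uses `--silent` without `-f`, so a failed write is only noticed when the later read fails with a less direct message; `curl -sSf` there would match the two health checks above it. The trailing `# config for` after `VAULT_BASE_URL` is an unfinished comment and should be completed or removed.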
+6 −2
@@ -12,9 +12,12 @@ in order to decouple the image of your jobs and the way of retrieving secrets.
Before using this service, you'll have to configure your Vault server, with:

* one or several secrets,
* one [AppRole](https://www.vaultproject.io/docs/auth/approle) with required permissions to access those secrets.
* at least one of the following [Auth Methods](https://www.vaultproject.io/docs/auth) configured with required permissions to access those secrets:
  * [AppRole](https://www.vaultproject.io/docs/auth/approle),
  * [Token](https://www.vaultproject.io/docs/auth/token),
  * or [JWT for GitLab](https://www.vaultproject.io/docs/auth/jwt/oidc_providers#gitlab).

:warning: The [AppRole](https://www.vaultproject.io/docs/auth/approle) used in your CI/CD shall have a **short `token_ttl`**
:warning: If using the [AppRole](https://www.vaultproject.io/docs/auth/approle) method, the AppRole used in your CI/CD shall have a **short `token_ttl`**
(let's say 10 minutes) and a **long `secret_id_ttl`** (could be infinite).

This way:
@@ -77,6 +80,7 @@ The tool requires the following environment variables to be set (as GitLab CI se
| `VAULT_BASE_KV_SECRETS_PATH`  | The base [Key/Value secrets](https://www.vaultproject.io/api-docs/secret/kv/kv-v1) API path | `/secret` |
| `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ (required to use the [AppRole](https://www.vaultproject.io/docs/auth/approle) Auth Method) |
| `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_  (required to use the [AppRole](https://www.vaultproject.io/docs/auth/approle) Auth Method) |
| `VAULT_TOKEN`     | The token to use | _none_  (required to use the [Token](https://www.vaultproject.io/docs/auth/token) Auth Method) |
| `VAULT_JWT_TOKEN` | The signed [JSON Web Token](https://en.wikipedia.org/wiki/JSON_Web_Token) to login | `$CI_JOB_JWT` |
| `VAULT_JWT_ROLE`  | Name of the role against which the login is being attempted | `default_role`  (used with the [JWT/OIDC](https://www.vaultproject.io/docs/auth/jwt) Auth Method) |

+2 −2
@@ -77,8 +77,8 @@ func DumpVaultCfg() {
	log.Printf("Vault base secrets/KV path: '%s'\n", vaultBaseSecretsKvPath)
}

var clientToken string
var expirationTimeSec int64
var clientToken = os.Getenv("VAULT_TOKEN")        // an unlimited token might passed (dev only)
var expirationTimeSec = time.Now().Unix() + 86400 // 24 hours from start time

func hasValidToken() bool {
	return len(clientToken) > 0 && time.Now().Unix() < (expirationTimeSec-1)
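Review bot: The new initializer `var expirationTimeSec = time.Now().Unix() + 86400` treats any token taken from `VAULT_TOKEN` as valid for 24 hours, so hasValidToken() keeps returning true for an env-supplied token whose real TTL is shorter or that has been revoked; the login code that consults it is outside the hunk, but if it only re-authenticates when hasValidToken() is false, a stale token would be reused until the process restarts. Consider deriving the expiry from the token itself (its TTL as reported by Vault's token lookup-self) when it comes from the environment, and documenting that the fixed window is only a fallback. The comment on the other added line has a typo; suggest `// an unlimited token may be passed (dev only)`.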