gatekeeper

package module

v1.1.3 Latest Latest Go to latest Published: Nov 13, 2019 License: MIT Imports: 33 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ChannelMeter/vault-gatekeeper-mesos

Links

Open Source Insights

README ¶

vault-gatekeeper

Vault-Gatekeeper is a small service for delivering Vault token to other services who's lifecycles are managed by a container scheduler such as Mesos or ECS.

Vault-Gatekeeper takes the Cubbyhole Authenication approach outlined by Jeff Mitchell on Vault Blog. Specifically Vault response wrapping is used as outlined in the Vault documentation.

In short, a service will request a vault token from VG supplying its Mesos task id or ECS task arn. VG will then check with Mesos/ECS to ensure that the task has been recently started and that VG has not already issued a token for that task id. Then VG will check its configuration to understand what role that task is assigned and request a response wrapped token from Vault. VG will then pass the token to the service which can then unwrap the response with /sys/wrapping/unwrap to retrieve the token.

Requirements

Vault 0.6.2+
Mesos 1.0.0+ (if using Mesos)

Documentation

Visit http://nemosupremo.github.io/vault-gatekeeper

Quickstart

This guide assumes that you 1.) have a Vault instance running, 2.) have a Mesos instance running and 3.) have an approle policy in Vault named test.

Install a sample policy in Vault

$ echo '{"mesos:*":{"roles":["test"],"num_uses":1}}' | ./gatekeeper policy update --vault-token 'MY_TOKEN' '-'

Start a Gatekeeper instance

$ ./gatekeeper server --mesos-master 'http://leader.mesos:5050' --vault-addr http://localhost:8200

Unseal the Gatekeeper instance with a token. (The token must have at least the policy defined in gatekeeper-policy.hcl).

$ ./gatekeeper unseal token --vault-token 'GK_TOKEN'

Launch a task on mesos and retrieve a token:

$ curl -X POST -d"{\"task_id\":\"${MESOS_TASK_ID}\"}" 'http://gatekeeper-host/token'

Downloading

You can grab a binary from the releases or deploy the docker image nemosupremo/vault-gatekeeper.

License

MIT

Documentation ¶

Index ¶

Variables
func GetLog(r *http.Request) logrus.FieldLogger
func ListenAndServeTLS(addr, certFile, keyFile string, handler http.Handler) error
func LogEntrySetField(r *http.Request, key string, value interface{})
func LogEntrySetFields(r *http.Request, fields map[string]interface{})
func NewKeypairReloader(certFile, keyFile string) (*keypairReloader, error)
func NewLogger(logger *logrus.Logger) func(next http.Handler) http.Handler
type Config
type Gatekeeper
- func NewGatekeeper(conf Config) (*Gatekeeper, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrHostMismatch = errors.New("The service's remote address requesting this token does not match the host of the service running this task.")

View Source

var ErrMaxTokensGiven = errors.New("Maximum number of tokens given to this task.")

View Source

var ErrNoPolicy = errors.New("Your task doesn't match any configured policy.")

View Source

var ErrNoPolicyConfigured = errors.New("No policies have been configured.")

View Source

var ErrNoSuchRole = errors.New("The role requested does not exist.")

View Source

var ErrRoleMismatch = errors.New("Your task does not have permission to use this role.")

View Source

var ErrSealed = errors.New("Gatekeeper is sealed.")

View Source

var ErrTaskNotFresh = errors.New("This task has been running too long to request a token.")

Functions ¶

func GetLog ¶

func GetLog(r *http.Request) logrus.FieldLogger

func ListenAndServeTLS ¶

func ListenAndServeTLS(addr, certFile, keyFile string, handler http.Handler) error

This works just like http.ListenAndServeTLS but certificates are loaded into a wrapper struct that reloads certificates from disk when a SIGHUP is received.

func LogEntrySetField ¶

func LogEntrySetField(r *http.Request, key string, value interface{})

func LogEntrySetFields ¶

func LogEntrySetFields(r *http.Request, fields map[string]interface{})

func NewKeypairReloader ¶

func NewKeypairReloader(certFile, keyFile string) (*keypairReloader, error)

func NewLogger ¶

func NewLogger(logger *logrus.Logger) func(next http.Handler) http.Handler

Types ¶

type Config ¶

type Config struct {
	ListenAddress    string
	TlsCert          string
	TlsKey           string
	DefaultScheduler string
	Schedulers       []string
	Store            string
	StoreVaultPath   string
	Peers            string
	HostCheck        bool
	UseImageNames    bool

	Vault struct {
		Address      string
		CaCert       string
		CaPath       string
		ClientCert   string
		ClientKey    string
		Insecure     bool
		KvVersion    string
		AppRoleMount string
	}

	Metrics struct {
		Ticker time.Duration
		Statsd struct {
			Host    string
			Prefix  string
			Influx  bool
			Datadog bool
		}
	}

	PolicyPath  string
	MaxTaskLife time.Duration

	Unsealer unsealer.Unsealer

	Version string

	SkipPolicyLoading bool

	Backoff *backoff.ExponentialBackOff
}

type Gatekeeper ¶

type Gatekeeper struct {
	Store      usagestore.UsageStore
	Schedulers map[string]scheduler.Scheduler
	Policies   *policy.Policies `json:"-"`
	Stats      struct {
		Requests   int32 `json:"requests"`
		Successful int32 `json:"successful"`
		Denied     int32 `json:"denied"`
		Failed     int32 `json:"failed"`
	} `json:"stats"`
	Started time.Time `json:"started"`
	Token   string    `json:"-"`

	PeerId string `json:"peer_id"`

	sync.RWMutex
	// contains filtered or unexported fields
}

func NewGatekeeper ¶

func NewGatekeeper(conf Config) (*Gatekeeper, error)

func (*Gatekeeper) ErrorResponse ¶

func (g *Gatekeeper) ErrorResponse(w http.ResponseWriter, code int, err string)

func (*Gatekeeper) GetPolicyConfig ¶

func (g *Gatekeeper) GetPolicyConfig() ([]byte, error)

func (*Gatekeeper) GetRoleId ¶

func (g *Gatekeeper) GetRoleId(roleName string, authToken string) (string, error)

func (*Gatekeeper) GetSecretId ¶

func (g *Gatekeeper) GetSecretId(roleName string, authToken string) (string, error)

func (*Gatekeeper) IsUnsealed ¶

func (g *Gatekeeper) IsUnsealed() bool

func (*Gatekeeper) LoadPeers ¶

func (g *Gatekeeper) LoadPeers(myId string, startup bool) ([]peer, error)

func (*Gatekeeper) NewMetrics ¶

func (g *Gatekeeper) NewMetrics(conf Config) (*metrics, error)

func (*Gatekeeper) OkResponse ¶

func (g *Gatekeeper) OkResponse(w http.ResponseWriter, message string)

func (*Gatekeeper) Peers ¶

func (g *Gatekeeper) Peers() []peer

func (*Gatekeeper) RenewToken ¶

func (g *Gatekeeper) RenewToken() error

func (*Gatekeeper) RenewalWorker ¶

func (g *Gatekeeper) RenewalWorker(controlChan chan struct{})

func (*Gatekeeper) RequestToken ¶

func (g *Gatekeeper) RequestToken(providerKey string, taskId string, requestedRole string, remoteAddr string) (string, time.Duration, error)

func (*Gatekeeper) Routes ¶

func (g *Gatekeeper) Routes() http.Handler

func (*Gatekeeper) Seal ¶

func (g *Gatekeeper) Seal() error

func (*Gatekeeper) Serve ¶

func (g *Gatekeeper) Serve() error

func (*Gatekeeper) TokenTtl ¶

func (g *Gatekeeper) TokenTtl() (time.Duration, error)

func (*Gatekeeper) Unseal ¶

func (g *Gatekeeper) Unseal(u unsealer.Unsealer) error

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
gatekeeper
dist
gatekeeper
policy
scheduler
dcosee_mesos
ecs
mesos
mock
usagestore
vault
unsealer

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL