README
¶
Vault Secret Plugin
This vault plugin is used to load secrets from the vault server into memory at the start of the service. The secrets then can be accessed from memeory at runtime. This library has been inspired from the Spring Vault Cloud by which a microservice or an application loads its secrets from the vault server at the startup. So the secrets are loaded once into the memory and are accessible throughout the application lifecycle.
Usage
This library supports two types of vault authentication methods: Kubernetes and App role - see below more details on how to instantiate an instance of the vault client
Here is an example of the client can be used in app
The service or the app vault config should look like the following
auth_method: KUBERNETES
token: data/token
role: example_role
secret_path: secret/data/app/config
address: http://localhost:8080
role_id: 62022d0a-b316-30cb-8265-b37da6763012 \
secret_id: f4a9312b-118c-8d28-fbff-5661760e8a58
tls_config:
ca_cert: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU
ca_path: /var/ca
client_cert: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU
client_key: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU
tls_server_name: name
insecure: false
Kubernetes auth method
With config file
package main
import (
"fmt"
"github.com/akhettar/vault-secrets-plugin"
)
func main() {
// Create a client by login into vault and read all the secrets into memory
client, err := vault.NewClient("config/config.yml")
if err != nil {
vault.Error.Fatalf("Failed %v", err)
}
// read secret - this read from memory
pwd := client.ReadSecret("password")
vault.Info.Printf("Password is %s", pwd)
}
With Config
package main
import (
"fmt"
"github.com/akhettar/vault-secrets-plugin"
)
func main() {
// TLS config - if tls is not enabled, this config can be ignored
tlsConfig := vault.TLSConfig{CAPath:"<root-ca>", ClientCert:"<public-key>", ClientKey:"<private-key>"}
// create config
config := vault.Config{
Address: vault_addr,
Role: "example",
SecretPath: "secret/data/myapp/config",
AuthMethod: vault.KubernetesAuth,
Token: "<kube-token>", // this can be sourced from /var/run/secrets/kubernetes.io/serviceaccount/token
TLSConfig:tlsConfig}
// Create a client by login into vault and read all the secrets into memory
client, err := vault.NewClientWithConfig(config)
if err != nil {
vault.Error.Fatalf("Failed %v", err)
}
// read secret - this read from memory
pwd := client.ReadSecret("password")
vault.Info.Printf("Password is %s", pwd)
}
App role auth method
package main
import (
"fmt"
"github.com/akhettar/vault-secrets-plugin"
)
func main() {
// TLS config - if tls is not enabled, this config can be ignored
tlsConfig := vault.TLSConfig{CAPath:"<root-ca>", ClientCert:"<public-key>", ClientKey:"<private-key>"}
// create config
config := vault.Config{
Address: vault_addr,
SecretPath: "secret/data/myapp/config",
AuthMethod: vault.AppRoleAuth,
SecretId:"056a8b44-8473-e7d1-f76b-af86144fcabe",
RoleId:"62022d0a-b316-30cb-8265-b37da6763012",
TLSConfig: tlsConfig}}
// Create a client by login into vault and read all the secrets into memory
client, err := vault.NewClientWithConfig(config)
if err != nil {
vault.Error.Fatalf("Failed %v", err)
}
// read secret - this read from memory
pwd := client.ReadSecret("password")
vault.Info.Printf("Password is %s", pwd)
}
Configuration parameters for the plugin
These are the environment variables required for this tool.
| Configuration parameter | Description | Required |
|---|---|---|
Address |
The vault address, exp: https://192.168.1.35:1234 | Yes |
Role |
The role name chosen for the service account | Yes, only for kube auth method |
SecretPath |
The secret path where to source all the secret from for a given service | Yes |
SecretPath |
The secret path where to source all the secret from for a given service | Yes |
Token |
The kube token path, normally present here: /var/run/secrets/kubernetes.io/serviceaccount/token | Yes |
SecretId |
The secretId for the role app auth | Yes, only for role app auth method |
RoleId |
The role Id for the role app auth | Yes, only for the role app auth method |
CAPath |
the Vault server SSL certificate | Yes, if tls connection is enabled |
ClientCert |
ClientCert is the path to the certificate for Vault communication | Yes, if tls connection is enabled |
ClientKey |
ClientKey is the path to the private key for Vault communication | Optional, if tls connection is enabled |
TLSServerName |
TLSServerName, if set, is used to set the SNI host when connecting via | Optional, if tls connection is enabled |
Insecure |
Insecure enables or disables SSL verification | Optional, if tls connection is enabled |
Authentication Method
This library supports two type of authentication methods:
1. Kubernetes auth method
This is the case where a REST service is deployed to kubernetes cluster, a service account is configured for the pod, which provides an identity for processes that run in a Pod so that the processes can contact the API server.
When the pod is created a temporary token is created in the following file system of the docker container on which the pod is running on: /var/run/secrets/kubernetes.io/serviceaccount/token. A learning harshicrop blog on how to enable kubernetes auth and test the authentication locally can be found here: Vault Agent with kubernetes
See also Kubernetes auth method
1. App role auth method
The approle auth method allows machines or apps to authenticate with vault-defined roles. Details on how to enable app role auth and how to set it up can be found Vault project documentation
License
Documentation
¶
Overview ¶
Copyright 2020 Ayache Khettar. All rights reserved. Use of this source file is governed by MIT license license that can be found in LICENSE file.
Package vault provides a way of loading all the secrets for a given Go application or a service into memory. These secrets are then available for the application to use at run time.
Two methods of authentication are supported by this library namely, Kubernetes and App role authentication.
Here is an example on how the library is used ¶
Kubernetes authentication
import (
"fmt"
"github.com/akhettar/vault-secrets-plugin"
)
func main() {
// Create a client by login into vault and read all the secrets into memory
client, err := vault.NewClient("config/config.yml")
if err != nil {
vault.Error.Fatalf("Failed %v", err)
}
// read secret - this read from memory
pwd := client.ReadSecret("password")
vault.Info.Printf("Password is %s", pwd)
}
The config yml should look like this
auth_method: KUBERNETES token: data/token role: example_role secret_path: secret/data/app/config address: http://localhost:8080 role_id: 62022d0a-b316-30cb-8265-b37da6763012 \ secret_id: f4a9312b-118c-8d28-fbff-5661760e8a58 tls_config: ca_cert: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU ca_path: /var/ca client_cert: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU client_key: eyJhbGciOiJSUzI1NiIsImtpZCI6IjZMNUxjVG1tU tls_server_name: name insecure: false
Creating a client with a config
import (
"fmt"
"github.com/akhettar/vault-secrets-plugin"
)
func main() {
// TLS config - if tls is not enabled, this config can be ignored
tlsConfig := vault.TLSConfig{CAPath:"<root-ca>", ClientCert:"<public-key>", ClientKey:"<private-key>"}
// create config
config := vault.Config{
Address: vault_addr,
Role: "example",
SecretPath: "secret/data/myapp/config",
AuthMethod: vault.KubernetesAuth,
Token: "<kube-token>", // this can be sourced from /var/run/secrets/kubernetes.io/serviceaccount/token
TLSConfig:tlsConfig}
// Create a client by login into vault and read all the secrets into memory
client, err := vault.NewClientWithConfig(config)
if err != nil {
vault.Error.Fatalf("Failed %v", err)
}
// read secret - this read from memory
pwd := client.ReadSecret("password")
vault.Info.Printf("Password is %s", pwd)
}
App role authentication
import (
"fmt"
"github.com/akhettar/vault-secrets-plugin"
)
func main() {
// TLS config - if tls is not enabled, this config can be ignored
tlsConfig := vault.TLSConfig{CAPath:"<root-ca>", ClientCert:"<public-key>", ClientKey:"<private-key>"}
// create config
config := vault.Config{
Address: vault_addr,
SecretPath: "secret/data/myapp/config",
AuthMethod: vault.AppRoleAuth,
SecretId:"056a8b44-8473-e7d1-f76b-af86144fcabe",
RoleId:"62022d0a-b316-30cb-8265-b37da6763012",
TLSConfig: tlsConfig}}
// Create a client by login into vault and read all the secrets into memory
client, err := vault.NewClientWithConfig(config)
if err != nil {
vault.Error.Fatalf("Failed %v", err)
}
// read secret - this read from memory
pwd := client.ReadSecret("password")
vault.Info.Printf("Password is %s", pwd)
}
Index ¶
Constants ¶
const ( // AUTH used in the vault REST path for login endpoint AUTH = "auth" // ClientToken the json name field of the client token we get in the login response ClientToken = "client_token" // JWT vault token header for querying the secrets JWT = "X-Vault-Token" // DATA the json field object name representing the secrets DATA = "data" // Kubernetes auth KubernetesAuth = "KUBERNETES" // App Role AppRoleAuth = "APP_ROLE" )
Variables ¶
var ( // Info logger Info *log.Logger // Error logger Error *log.Logger )
Functions ¶
Types ¶
type AppRoleAuthBody ¶
type AppRoleAuthBody struct {
RoleID string `json:"role_id"`
SecretID string `json:"secret_id, string"`
}
AppRoleAuthBody is the body request for the vault login request
type Config ¶
type Config struct {
// AuthMethod the authentication method
AuthMethod AuthMethod `yaml:"auth_method"`
// Token the vault kube token path only required fro kube auth method
Token string `yaml:"token"`
// Role The role attached to the JWT vault token
Role string `yaml:"role"`
// SecretPath a string the secret path
SecretPath string `yaml:"secret_path"`
// Address the vault url
Address string `yaml:"address"`
// TLSConfig the tls config
TLSConfig TLSConfig `yaml:"tls_config"`
// RoleId only required for App role auth method
RoleId string `yaml:"role_id"`
//SecretId only required for app role auth method
SecretId string `yaml:"secret_id"`
}
Config for vault
type KubeAuthBody ¶
KubeAuthBody is the body request for the vault login request
type SecretLoader ¶
type SecretLoader struct {
// contains filtered or unexported fields
}
SecretLoader used for Vault HTTP client
func NewClient ¶
func NewClient(file string) (SecretLoader, error)
NewClient returns an instance of the Secret Loader with the given configuration file
func NewClientWithConfig ¶
func NewClientWithConfig(cf Config) (SecretLoader, error)
NewClientWithConfig returns an instance of the SecretLoader
func (*SecretLoader) ReadSecret ¶
func (client *SecretLoader) ReadSecret(key string) string
ReadSecret form the vault repository for given key. If the secret is not present this functions returns an empty string
type TLSConfig ¶
type TLSConfig struct {
// CACert is the path to a PEM-encoded CA cert file to use to verify the
// Vault server SSL certificate.
CACert string `yaml:"ca_cert"`
// CAPath is the path to a directory of PEM-encoded CA cert files to verify
// the Vault server SSL certificate.
CAPath string `yaml:"ca_path"`
// ClientCert is the path to the certificate for Vault communication
ClientCert string `yaml:"client_cert"`
// ClientKey is the path to the private key for Vault communication
ClientKey string `yaml:"client_key"`
// TLSServerName, if set, is used to set the SNI host when connecting via
// TLS.
TLSServerName string `yaml:"tls_server_name"`
// Insecure enables or disables SSL verification
Insecure bool `yaml:"insecure"`
}
TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.
Source Files