cmd

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 29, 2017 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var RootCmd = &cobra.Command{
	Use:   "kubernetes-vault",
	Short: "Kubernetes-vaults is a Kubernetes controller that pushes Vault tokens into pods",
	Long: `Kubernets-vault is a Kubernetes controller that watches new pods for certain annotaions
		and pushes a wrapped secret into an init container in the pod. The init container exchanges
		the secret and the pod's configured AppRole with Vault for a token and writes the token
		to a shared volume for the pod. More information at https://github.com/Boostport/kubernetes-vault`,
	Run: func(cmd *cobra.Command, args []string) {

		logger := logrus.New()
		logger.Level = logrus.DebugLevel

		logLevel := strings.ToLower(cmd.Flags().Lookup("log-level").Value.String())

		if logLevel != "debug" && logLevel != "error" {
			logger.Fatalf(`logLevel should be either "debug" or "error", got "%s"`, logLevel)
		}

		if logLevel == "error" {
			logger.Level = logrus.ErrorLevel
		}

		if c := cmd.Flags().Lookup("config").Value.String(); c != "" {
			viper.SetConfigFile(c)
		} else {
			viper.AddConfigPath(".")
			viper.SetConfigName("kubernetes-vault")
		}

		err := viper.ReadInConfig()

		if err != nil {
			logger.Fatalf("Error reading config file: %s", err)
		}

		conf := newConfigWithDefaults()

		err = viper.Unmarshal(conf)

		if err != nil {
			logger.Fatalf("Error processing config file: %s", err)
		}

		conf = expandEnvironmentVariables(conf)

		err = conf.Validate()

		if err != nil {
			logger.Fatalf("Invalid config file: %s", err)
		}

		err = os.MkdirAll(conf.RaftDir, 0666)

		if err != nil {
			logger.Fatalf("Error while trying to create raft directory (%s): %s", conf.RaftDir, err)
		}

		bindAddr, err := common.ExternalIP()

		if err != nil {
			logger.Fatalf("Could not determine external ip address: %s", err)
		}

		kube, err := client.NewKube(conf.Kubernetes.WatchNamespace)

		if err != nil {
			logger.Fatalf("Could not create the kubernetes client: %s", err)
		}

		time.Sleep(time.Duration(rand.Intn(7)+3) * time.Second)

		nodes, err := kube.Discover(conf.Kubernetes.ServiceNamespace, conf.Kubernetes.Service)

		if err != nil {
			logger.Fatalf("Error while discovering nodes: %s", err)
		}

		logger.Debugf("Discovered %d nodes: %s", len(nodes), nodes)

		var rootCAResolver client.RootCAResolver

		if len(conf.Vault.TLS.VaultCABackends) > 0 {

			rootCAResolver = &client.VaultRootCAsResolver{
				Backends:  conf.Vault.TLS.VaultCABackends,
				VaultAddr: conf.Vault.Addr,
			}

		} else if conf.Vault.TLS.CACert != "" {

			rootCAResolver = &client.ExternalRootCAsResolver{
				CAFile: conf.Vault.TLS.CACert,
			}
		}

		vault, err := client.NewVault(conf.Vault.Addr, conf.Vault.Token, conf.Kubernetes.Service, rootCAResolver, logger)

		if err != nil {
			logger.Fatalf("Could not create the vault client: %s", err)
		}

		var certCh <-chan tls.Certificate

		if conf.Prometheus.TLS.VaultCertBackend != "" && conf.Prometheus.TLS.VaultCertRole != "" {

			certCh, err = vault.GetAndRenewCertificate(bindAddr, conf.Prometheus.TLS.VaultCertBackend, conf.Prometheus.TLS.VaultCertRole)

			if err != nil {
				logger.Fatalf("Could not get Vault certificate for metrics server: %s", err)
			}
		}

		if conf.Prometheus.TLS.CertFile != "" && conf.Prometheus.TLS.CertKey != "" {
			certCh, err = certificateFromFile(conf.Prometheus.TLS.CertFile, conf.Prometheus.TLS.CertKey)

			if err != nil {
				logger.Fatalf("Could not load certificate for metrics server: %s", err)
			}
		}

		var roots *x509.CertPool

		if len(conf.Prometheus.TLS.VaultCABackends) > 0 {

			roots, err = vault.RootCertificates(conf.Prometheus.TLS.VaultCABackends)

			if err != nil {
				logger.Fatalf("Could not get root certificates from Vault: %s", err)
			}
		}

		if conf.Prometheus.TLS.CACert != "" {
			roots = x509.NewCertPool()

			p, err := ioutil.ReadFile(conf.Prometheus.TLS.CACert)

			if err != nil {
				logger.Fatalf("Could not read CA certificates from the file (%s): %s", conf.Prometheus.TLS.CACert, err)
			}

			roots.AppendCertsFromPEM(p)
		}

		metrics.StartServer(certCh, roots)

		gossip, err := cluster.NewGossip(bindAddr.String(), nodes, 0, logger.WriterLevel(logrus.DebugLevel))

		if err != nil {
			logger.Fatalf("Could not create gossip: %s", err)
		}

		storeConfig := cluster.DefaultStoreConfig()
		storeConfig.Logger = logger

		store := cluster.NewStore(gossip, kube, vault, storeConfig)

		err = store.StartRaft(conf.RaftDir, bindAddr.String(), logger.WriterLevel(logrus.DebugLevel))

		if err != nil {
			logger.Fatalf("Could not start raft: %s", err)
		}

		sigs := make(chan os.Signal, 1)
		done := make(chan struct{}, 1)

		signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)

		go func() {
			<-sigs
			store.Shutdown()
			vault.Shutdown()
			done <- struct{}{}
		}()

		<-done
	},
}

Functions

This section is empty.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.