package main
import (
"fmt"
corev1 "k8s.io/api/core/v1"
)
// vault holds the webhook-side configuration used to rewrite a container so
// that it runs the "vault" wrapper (see mutateContainer / setArgs). Only the
// fields referenced by the methods in this file are described below; the
// others are presumably consumed elsewhere.
type vault struct {
	config struct {
		enabled bool   // not read in this file
		addr    string // exported to the container as VAULT_ADDR
		// Name of the secret holding the Vault TLS material. When empty,
		// mutateContainer sets VAULT_SKIP_VERIFY=true instead of mounting a CA.
		tlsSecretName string
		// File name of the CA bundle inside the TLS secret; appended to
		// VaultTLSMountPath to form VAULT_CACERT.
		vaultCACert string
		path        string // passed as --path when non-empty
		role        string // passed as --role (always, even when empty)
		tokenPath   string // passed as --token-path when non-empty
		authPath    string // not read in this file
		// Auth backend selector; only the literal "gcp" is special-cased here.
		backend           string
		kubernetesBackend string // passed as --kubernetes-backend when non-empty
		useSecretNamesAsKeys bool // emits --names-as-keys when true
		// Secret holding a Google service-account key. When non-empty the key
		// volume is mounted and --google-application-credentials is set.
		gcpServiceAccountKeySecretName string
		version       string   // passed as --version when non-empty
		secretConfigs []string // each entry becomes a --secret-config flag
	}
}
// mutateContainer returns a copy of container prepared to run the vault
// wrapper: VAULT_ADDR is injected, the optional Google service-account key
// and Vault TLS CA volumes are mounted, and the container's own arguments
// are moved behind the wrapper's flags (see setArgs).
//
// Security note: when tlsSecretName is empty the container is given
// VAULT_SKIP_VERIFY=true, i.e. the Vault connection that fetches the secrets
// is not authenticated against any CA and can be intercepted on the network
// path. That fallback is deliberate in this code, but any deployment that
// reaches Vault over TLS should supply tlsSecretName and vaultCACert rather
// than rely on it.
func (v *vault) mutateContainer(container corev1.Container) corev1.Container {
	container.Env = append(container.Env, v.setEnvVars()...)

	// Mount the Google service-account key only when one was configured.
	if v.config.gcpServiceAccountKeySecretName != "" {
		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
			Name:      VolumeMountGoogleCloudKeyName,
			MountPath: VolumeMountGoogleCloudKeyPath,
		})
	}

	switch {
	case v.config.tlsSecretName != "":
		// Point the vault CLI at the CA bundle mounted from the TLS secret.
		// NOTE(review): the path is built by plain concatenation, so it relies
		// on VaultTLSMountPath ending in "/" (setArgs uses "%s/%s" for the GCP
		// key path) — confirm against the constant's definition.
		container.Env = append(container.Env, corev1.EnvVar{
			Name:  "VAULT_CACERT",
			Value: fmt.Sprintf("%s%s", VaultTLSMountPath, v.config.vaultCACert),
		})
		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
			Name:      VaultTLSVolumeName,
			MountPath: VaultTLSMountPath,
		})
	default:
		// No CA available: TLS verification of the Vault server is disabled.
		container.Env = append(container.Env, corev1.EnvVar{
			Name:  "VAULT_SKIP_VERIFY",
			Value: "true",
		})
	}

	return v.setArgs(container)
}
// setArgs rewrites c.Args so the container starts the "vault" wrapper first:
// the wrapper's flags are derived from the configuration, a "--" separator
// follows, and the container's original arguments come last as the command
// the wrapper is expected to hand over to.
//
// Flags are emitted as discrete argv entries and never pass through a shell,
// so configuration values need no shell quoting. The wrapper's own parser
// still sees them verbatim, so values starting with "-" would be read as
// extra flags; configuration validation (outside this file) should reject
// those. NOTE(review): c.Command is not touched here — confirm the caller
// replaces it, otherwise "vault" ends up as an argument to the image's
// original entrypoint.
func (v *vault) setArgs(c corev1.Container) corev1.Container {
	cfg := v.config

	// --role is always present, even when the configured role is empty.
	flags := []string{"vault", fmt.Sprintf("--role=%s", cfg.role)}

	if cfg.backend == "gcp" {
		flags = append(flags, "--backend=gcp")
		if cfg.gcpServiceAccountKeySecretName != "" {
			// Matches the mount added by mutateContainer.
			flags = append(flags, fmt.Sprintf("--google-application-credentials=%s/%s",
				VolumeMountGoogleCloudKeyPath, GCPServiceAccountCredentialsFileName))
		}
	}

	// Optional single-valued flags, emitted only when set.
	optional := []struct{ flag, value string }{
		{"--kubernetes-backend", cfg.kubernetesBackend},
		{"--token-path", cfg.tokenPath},
	}
	for _, o := range optional {
		if o.value != "" {
			flags = append(flags, o.flag+"="+o.value)
		}
	}

	for _, sc := range cfg.secretConfigs {
		flags = append(flags, "--secret-config="+sc)
	}

	if cfg.path != "" {
		flags = append(flags, "--path="+cfg.path)
	}
	if cfg.useSecretNamesAsKeys {
		flags = append(flags, "--names-as-keys")
	}
	if cfg.version != "" {
		flags = append(flags, "--version="+cfg.version)
	}

	// Everything after "--" is the container's original command line.
	c.Args = append(append(flags, "--"), c.Args...)
	return c
}
// setEnvVars builds the environment the vault wrapper needs to locate the
// Vault server. Currently that is only VAULT_ADDR, taken from config.addr;
// TLS-related variables are added separately by mutateContainer.
func (v *vault) setEnvVars() []corev1.EnvVar {
	return []corev1.EnvVar{
		{Name: "VAULT_ADDR", Value: v.config.addr},
	}
}