certificates/vault: Use new types vaultRole and vaultPath (#2073)

openservicemesh · Nov 17, 2020 · e0be376 · e0be376
1 parent d93b01b
commit e0be376
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 16 deletions.
diff --git a/pkg/certificate/providers/vault/certificate_manager.go b/pkg/certificate/providers/vault/certificate_manager.go
@@ -21,18 +21,20 @@ const (
 	certificateField = "certificate"
 	privateKeyField  = "private_key"
 	issuingCAField   = "issuing_ca"
+	commonNameField  = "common_name"
+	ttlField         = "ttl"
 
 	checkCertificateExpirationInterval = 5 * time.Second
 	tmpCertValidityPeriod              = 1 * time.Second
 )
 
 // NewCertManager implements certificate.Manager and wraps a Hashi Vault with methods to allow easy certificate issuance.
-func NewCertManager(vaultAddr, token string, vaultRole string, cfg configurator.Configurator) (*CertManager, error) {
+func NewCertManager(vaultAddr, token string, role string, cfg configurator.Configurator) (*CertManager, error) {
 	cache := make(map[certificate.CommonName]certificate.Certificater)
 	c := &CertManager{
 		announcements: make(chan announcements.Announcement),
 		cache:         &cache,
-		vaultRole:     vaultRole,
+		role:          vaultRole(role),
 		cfg:           cfg,
 	}
 	config := api.DefaultConfig()
@@ -43,7 +45,7 @@ func NewCertManager(vaultAddr, token string, vaultRole string, cfg configurator.
 		return nil, errors.Errorf("Error creating Vault CertManager without TLS at %s", vaultAddr)
 	}
 
-	log.Info().Msgf("Created Vault CertManager, with vaultRole=%q at %v", vaultRole, vaultAddr)
+	log.Info().Msgf("Created Vault CertManager, with role=%q at %v", role, vaultAddr)
 
 	c.client.SetToken(token)
 
@@ -67,7 +69,7 @@ func NewCertManager(vaultAddr, token string, vaultRole string, cfg configurator.
 }
 
 func (cm *CertManager) issue(cn certificate.CommonName, validityPeriod time.Duration) (certificate.Certificater, error) {
-	secret, err := cm.client.Logical().Write(getIssueURL(cm.vaultRole), getIssuanceData(cn, validityPeriod))
+	secret, err := cm.client.Logical().Write(getIssueURL(cm.role).String(), getIssuanceData(cn, validityPeriod))
 	if err != nil {
 		log.Error().Err(err).Msgf("Error issuing new certificate for CN=%s", cn)
 		return nil, err

diff --git a/pkg/certificate/providers/vault/tools.go b/pkg/certificate/providers/vault/tools.go
@@ -11,17 +11,17 @@ func getDurationInMinutes(validityPeriod time.Duration) string {
 	return fmt.Sprintf("%dh", validityPeriod/time.Hour)
 }
 
-func getIssueURL(vaultRole string) string {
-	return fmt.Sprintf("pki/issue/%+v", vaultRole)
+func getIssueURL(role vaultRole) vaultPath {
+	return vaultPath(fmt.Sprintf("pki/issue/%+v", role))
 }
 
-func getRoleConfigURL(vaultRole string) string {
-	return fmt.Sprintf("pki/roles/%s", vaultRole)
+func getRoleConfigURL(role vaultRole) vaultPath {
+	return vaultPath(fmt.Sprintf("pki/roles/%s", role))
 }
 
 func getIssuanceData(cn certificate.CommonName, validityPeriod time.Duration) map[string]interface{} {
 	return map[string]interface{}{
-		"common_name": cn.String(),
-		"ttl":         getDurationInMinutes(validityPeriod),
+		commonNameField: cn.String(),
+		ttlField:        getDurationInMinutes(validityPeriod),
 	}
 }
diff --git a/pkg/certificate/providers/vault/tools_test.go b/pkg/certificate/providers/vault/tools_test.go
@@ -7,11 +7,13 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
+	"github.com/google/uuid"
+
 	"github.com/openservicemesh/osm/pkg/certificate"
 )
 
 var _ = Describe("Test tools", func() {
-	vaultRole := "openservicemesh"
+	role := vaultRole(uuid.New().String())
 
 	Context("Test converting duration into Vault recognizable string", func() {
 		It("converts 36 hours into correct string representation", func() {
@@ -23,16 +25,16 @@ var _ = Describe("Test tools", func() {
 
 	Context("Test cert issuance URL", func() {
 		It("creates the URL for issuing a new certificate", func() {
-			actual := getIssueURL(vaultRole)
-			expected := fmt.Sprintf("pki/issue/%s", vaultRole)
+			actual := getIssueURL(role)
+			expected := vaultPath(fmt.Sprintf("pki/issue/%s", role))
 			Expect(actual).To(Equal(expected))
 		})
 	})
 
 	Context("Test role config URL", func() {
 		It("creates the URL for role configuration", func() {
-			actual := getRoleConfigURL(vaultRole)
-			expected := fmt.Sprintf("pki/roles/%s", vaultRole)
+			actual := getRoleConfigURL(role)
+			expected := vaultPath(fmt.Sprintf("pki/roles/%s", role))
 			Expect(actual).To(Equal(expected))
 		})
 	})

diff --git a/pkg/certificate/providers/vault/types.go b/pkg/certificate/providers/vault/types.go
@@ -26,7 +26,19 @@ type CertManager struct {
 	client *api.Client
 
 	// The Vault role configured for OSM and passed as a CLI.
-	vaultRole string
+	role vaultRole
 
 	cfg configurator.Configurator
 }
+
+type vaultRole string
+
+func (vr vaultRole) String() string {
+	return string(vr)
+}
+
+type vaultPath string
+
+func (vp vaultPath) String() string {
+	return string(vp)
+}