Commit 1467866a authored by Finn's avatar Finn

Create auth directory before writing files there

Also make more of the Vault settings configurable
parent 5f64f979
......@@ -27,13 +27,18 @@ type Config struct {
}
type VaultConfig struct {
TLSConfig api.TLSConfig // TLSConfig is the TLS configuration to use, if any
Address string
InjectionCommand string
CommandPollMS int
CommandTimeoutSeconds libvirt.DomainQemuAgentCommandTimeout
RoleIDFilePath string
SecretIDFilePath string
TLSConfig api.TLSConfig // TLSConfig is the TLS configuration to use, if any
Address string
InjectionCommand string
CommandPollMS int
GuestCommandTimeoutSeconds libvirt.DomainQemuAgentCommandTimeout
GuestAuthFolder string
RoleIDFilePath string
SecretIDFilePath string
SecretIDTTL string
TokenPolicies []string
SecretIDNumUses string
TokenMaxTTL string
}
var (
......@@ -51,10 +56,14 @@ var (
ImageOwner: "64055",
MetadataBind: "127.0.0.1:8081",
Vault: VaultConfig{
TLSConfig: api.TLSConfig{},
InjectionCommand: "/opt/entanglement/vault-inject.sh",
CommandPollMS: 250,
CommandTimeoutSeconds: 5,
TLSConfig: api.TLSConfig{},
InjectionCommand: "/opt/entanglement/vault-inject.sh",
GuestAuthFolder: "/etc/entanglement/auth",
CommandPollMS: 250,
GuestCommandTimeoutSeconds: 5,
SecretIDTTL: "1h",
SecretIDNumUses: "1",
TokenMaxTTL: "24h",
},
}
)
......
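Review bot: `TokenPolicies` is the only new field that gets no value in the `Vault:` defaults block (the other three new fields do), so a deployment that leaves it unset will create the approle with an empty `token_policies` where the removed code hard-coded `hypervisors,pki-and-read-own-cert`; the resulting tokens would carry only Vault's default policy, a silent regression rather than an error. Either add `TokenPolicies: []string{"hypervisors", "pki-and-read-own-cert"},` to the defaults or have config loading reject an empty list. `SecretIDNumUses` is declared as `string` although it carries a count; an `int` field would let the config loader reject non-numeric input instead of forwarding it to Vault. The new fields have no doc comments; something like `GuestAuthFolder string // directory on the guest that receives the role-id and secret-id files` would help. The `var (` block continues outside the hunk.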
......@@ -6,6 +6,7 @@ import (
"fmt"
"log"
"net/http"
"strings"
"time"
libvirt "github.com/libvirt/libvirt-go"
......@@ -27,13 +28,20 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
return
}
_, err = GuestExec(domain, "mkdir", "-p", config.C.Vault.GuestAuthFolder)
if err != nil {
log.Println("Error creating", config.C.Vault.GuestAuthFolder, "on guest:", err)
http.Error(w, err.Error(), 500)
return
}
// Create the approle
appRolePath := fmt.Sprintf("auth/approle/role/%s.%s", domainName, config.C.Hostname)
_, err = vaultClient.Logical().Write(appRolePath, map[string]interface{}{
"secret_id_ttl": "1h",
"token_policies": "hypervisors,pki-and-read-own-cert",
"secret_id_num_uses": "1",
"token_max_ttl": "24h",
"secret_id_ttl": config.C.Vault.SecretIDTTL,
"token_policies": strings.Join(config.C.Vault.TokenPolicies, ","),
"secret_id_num_uses": config.C.Vault.SecretIDNumUses,
"token_max_ttl": config.C.Vault.TokenMaxTTL,
})
if err != nil {
log.Println("Error creating vault role", appRolePath, err)
......@@ -56,7 +64,7 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
return
}
err = WriteSecret(domain, "/etc/entanglement/auth/role-id", roleIDstring)
err = WriteSecret(domain, fmt.Sprintf("%s/role-id", config.C.Vault.GuestAuthFolder), roleIDstring)
if err != nil {
log.Println("Error writing role-id file to guest", err)
http.Error(w, err.Error(), 500)
......@@ -86,7 +94,7 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
return
}
err = WriteSecret(domain, "/etc/entanglement/auth/secret-id", secretIDstring)
err = WriteSecret(domain, fmt.Sprintf("%s/secret-id", config.C.Vault.GuestAuthFolder), secretIDstring)
if err != nil {
log.Println("Error writing secret-id file to guest", err)
http.Error(w, err.Error(), 500)
......
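Review bot: The new `mkdir -p` creates the guest auth directory with whatever mode the guest agent's umask yields, and the role-id and secret-id files are then written beneath it; unless `WriteSecret` (outside the hunk) tightens the directory itself, those secrets may end up in a directory other guest users can traverse. Passing an explicit mode, `_, err = GuestExec(domain, "mkdir", "-p", "-m", "0700", config.C.Vault.GuestAuthFolder)`, makes that independent of the umask. The `fmt.Sprintf("%s/role-id", …)` and `"%s/secret-id"` calls in the two later hunks would read better as `path.Join(config.C.Vault.GuestAuthFolder, "role-id")`, which also tolerates a trailing slash in the configured folder. `InjectAppRole` begins and ends outside these hunks.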