mirror of https://github.com/SAP/jenkins-library.git synced 2024-12-12 10:55:20 +02:00
sap-jenkins-library/pkg/config/vault.go
Kevin Stiehl 116a91ce28
Fetch config parameters from vault (#1782)
* added secret fetching from vault

* added rootPath and vault namespaces

* write tests for vault config loading
	* fix smaller bugs

* rename rootPath to basePath

* fix integration test

* make basePath optional

* write more tests

* remove unnecessary code

* make basePath configurable

* remove mixin for vault

* rewrite tests
* fix tests for searching over multiple paths

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2020-07-22 11:15:48 +02:00


package config
import (
"path"
"github.com/SAP/jenkins-library/pkg/vault"
"github.com/hashicorp/vault/api"
)
// vaultClient is the minimal secret-reading surface this package needs from a
// Vault client. It is declared here, at the consumer, so tests can substitute
// a mock for the real client.
type vaultClient interface {
	// GetKvSecret looks up the secret stored at secretPath and returns its
	// key/value fields. addVaultCredentials treats a nil map as "nothing
	// found at this path".
	GetKvSecret(secretPath string) (map[string]string, error)
}
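// getVaultClientFromConfig builds a Vault client from the step configuration.
//
// It reads "vaultAddress" and "vaultToken" from config.Config. If either is
// missing or is not a string, Vault is treated as unused and (nil, nil) is
// returned, so callers must check the returned client for nil before use.
// "vaultNamespace" is optional; when absent an empty namespace is passed on.
func getVaultClientFromConfig(config StepConfig) (vaultClient, error) {
	address, addressOk := config.Config["vaultAddress"].(string)
	// The token is a credential: keep it out of log lines and error messages.
	token, tokenOk := config.Config["vaultToken"].(string)

	// Not using Vault at all is a valid setup, not an error.
	if !addressOk || !tokenOk {
		return nil, nil
	}

	// Namespaces exist only in Vault Enterprise, so the key is optional. The
	// comma-ok form is required here: a single-value type assertion panics
	// when the key is absent or holds a non-string value.
	namespace, _ := config.Config["vaultNamespace"].(string)

	// NOTE(review): the address is passed through as configured; nothing in
	// this function checks that it uses https. Confirm transport security is
	// enforced by vault.NewClient or by the deployment.
	client, err := vault.NewClient(&api.Config{Address: address}, token, namespace)
	if err != nil {
		return nil, err
	}
	return &client, nil
}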
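// addVaultCredentials resolves step parameters that carry a "vaultSecret"
// reference by reading them from Vault and storing the value in config.Config.
//
// A parameter that already holds a string value in config.Config is never
// overwritten. For every other parameter the reference paths are tried in
// order, each joined onto the optional "vaultBasePath" setting; the first
// secret with a non-empty field named after the parameter wins. The first
// error returned by client.GetKvSecret aborts the whole run and is returned
// unchanged.
//
// A nil client is accepted and makes the call a no-op.
func addVaultCredentials(config *StepConfig, client vaultClient, params []StepParameters) error {
	// getVaultClientFromConfig returns a nil client when Vault is not
	// configured; calling a method on it would panic, so treat it as
	// "nothing to fetch".
	if client == nil {
		return nil
	}

	for _, param := range params {
		// Secrets that have already been set in any way are left alone.
		if _, ok := config.Config[param.Name].(string); ok {
			continue
		}

		ref := param.GetReference("vaultSecret")
		if ref == nil {
			continue
		}

		// The root path under which secrets are stored is configurable. It
		// is read once per parameter: inside the path loop the only write to
		// config.Config is immediately followed by break, so the value cannot
		// change between iterations. A missing or non-string setting yields
		// the empty string.
		basePath, _ := config.Config["vaultBasePath"].(string)

		for _, vaultPath := range ref.Paths {
			// NOTE(review): path.Join cleans ".." segments, so a reference
			// path containing ".." resolves outside basePath. Confirm that
			// ref.Paths only ever comes from trusted step metadata.
			secret, err := client.GetKvSecret(path.Join(basePath, vaultPath))
			if err != nil {
				return err
			}

			// Indexing a nil map yields "", which also covers the case of no
			// secret being stored at this path.
			if field := secret[param.Name]; field != "" {
				// The stored value is secret material; anything that dumps
				// config.Config should mask it.
				config.Config[param.Name] = field
				break
			}
		}
	}
	return nil
}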