mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-12 10:55:20 +02:00
116a91ce28
* added secret fetching from vault * added rootPath and vault namespaces * write tests for vault config loading * fix smaller bugs * rename rootPath to basePath * fix integration test * make basePath optional * write more tests * remove unnecessary code * make basePath configurable * remove mixin for vault * rewrite tests * fix tests for searching over multiple paths Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
72 lines
1.6 KiB
Go
72 lines
1.6 KiB
Go
package config
|
|
|
|
import (
|
|
"path"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/vault"
|
|
"github.com/hashicorp/vault/api"
|
|
)
|
|
|
|
// vaultClient interface for mocking
|
|
type vaultClient interface {
|
|
GetKvSecret(string) (map[string]string, error)
|
|
}
|
|
|
|
func getVaultClientFromConfig(config StepConfig) (vaultClient, error) {
|
|
address, addressOk := config.Config["vaultAddress"].(string)
|
|
token, tokenOk := config.Config["vaultToken"].(string)
|
|
|
|
// if vault isn't used it's not an error
|
|
if !addressOk || !tokenOk {
|
|
return nil, nil
|
|
}
|
|
|
|
// namespaces are only available in vault enterprise so using them should be optional
|
|
namespace := config.Config["vaultNamespace"].(string)
|
|
|
|
client, err := vault.NewClient(&api.Config{Address: address}, token, namespace)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &client, nil
|
|
}
|
|
|
|
func addVaultCredentials(config *StepConfig, client vaultClient, params []StepParameters) error {
|
|
for _, param := range params {
|
|
|
|
// we don't overwrite secrets that have already been set in any way
|
|
if _, ok := config.Config[param.Name].(string); ok {
|
|
continue
|
|
}
|
|
ref := param.GetReference("vaultSecret")
|
|
if ref == nil {
|
|
continue
|
|
}
|
|
for _, vaultPath := range ref.Paths {
|
|
// it should be possible to configure the root path were the secret is stored
|
|
basePath := ""
|
|
var ok bool
|
|
p, ok := config.Config["vaultBasePath"].(string)
|
|
if ok {
|
|
basePath = p
|
|
}
|
|
|
|
secret, err := client.GetKvSecret(path.Join(basePath, vaultPath))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if secret == nil {
|
|
continue
|
|
}
|
|
|
|
field := secret[param.Name]
|
|
if field != "" {
|
|
config.Config[param.Name] = field
|
|
break
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|