open-nomad/nomad/structs/config/vault.go

242 lines
6.3 KiB
Go
Raw Normal View History

2016-08-02 17:32:54 +00:00
package config
2016-08-14 01:33:48 +00:00
import (
"time"
"github.com/hashicorp/nomad/helper"
2016-08-14 01:33:48 +00:00
vault "github.com/hashicorp/vault/api"
)
const (
// DefaultVaultConnectRetryIntv is the retry interval between trying to
// connect to Vault
DefaultVaultConnectRetryIntv = 30 * time.Second
)
2016-08-02 17:32:54 +00:00
// VaultConfig contains the configuration information necessary to
// communicate with Vault in order to:
//
// - Renew Vault tokens/leases.
//
// - Pass a token for the Nomad Server to derive sub-tokens.
//
// - Create child tokens with policy subsets of the Server's token.
type VaultConfig struct {
2016-08-09 21:52:20 +00:00
// Enabled enables or disables Vault support.
Enabled *bool `hcl:"enabled"`
2016-08-09 21:52:20 +00:00
2016-08-13 04:59:31 +00:00
// Token is the Vault token given to Nomad such that it can
// derive child tokens. Nomad will renew this token at half its lease
// lifetime.
Token string `hcl:"token"`
2016-08-02 17:32:54 +00:00
// Role sets the role in which to create tokens from. The Token given to
// Nomad does not have to be created from this role but must have "update"
// capability on "auth/token/create/<create_from_role>". If this value is
// unset and the token is created from a role, the value is defaulted to the
// role the token is from.
Role string `hcl:"create_from_role"`
// Namespace sets the Vault namespace used for all calls against the
// Vault API. If this is unset, then Nomad does not use Vault namespaces.
Namespace string `mapstructure:"namespace"`
2016-08-02 17:32:54 +00:00
// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
// without providing a Vault token proving they have access to these
// policies.
AllowUnauthenticated *bool `hcl:"allow_unauthenticated"`
2016-08-02 17:32:54 +00:00
2016-08-13 04:59:31 +00:00
// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
2016-08-02 17:32:54 +00:00
// by the client. There should be a minimum time value such that the client
// does not have to renew with Vault at a very high frequency
TaskTokenTTL string `hcl:"task_token_ttl"`
2016-08-02 17:32:54 +00:00
2016-08-14 01:33:48 +00:00
// Addr is the address of the local Vault agent. This should be a complete
// URL such as "http://vault.example.com"
Addr string `hcl:"address"`
2016-08-02 17:32:54 +00:00
2016-08-14 01:33:48 +00:00
// ConnectionRetryIntv is the interval to wait before re-attempting to
// connect to Vault.
ConnectionRetryIntv time.Duration
// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
2016-08-02 17:32:54 +00:00
// Vault server SSL certificate.
TLSCaFile string `hcl:"ca_file"`
2016-08-02 17:32:54 +00:00
// TLSCaFile is the path to a directory of PEM-encoded CA cert files to
// verify the Vault server SSL certificate.
TLSCaPath string `hcl:"ca_path"`
2016-08-02 17:32:54 +00:00
// TLSCertFile is the path to the certificate for Vault communication
TLSCertFile string `hcl:"cert_file"`
2016-08-02 17:32:54 +00:00
// TLSKeyFile is the path to the private key for Vault communication
TLSKeyFile string `hcl:"key_file"`
2016-08-02 17:32:54 +00:00
// TLSSkipVerify enables or disables SSL verification
TLSSkipVerify *bool `hcl:"tls_skip_verify"`
2016-08-02 17:32:54 +00:00
// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
TLSServerName string `hcl:"tls_server_name"`
2016-08-02 17:32:54 +00:00
}
// DefaultVaultConfig returns the canonical defaults for the Nomad
2016-08-02 17:32:54 +00:00
// `vault` configuration.
func DefaultVaultConfig() *VaultConfig {
return &VaultConfig{
Addr: "https://vault.service.consul:8200",
ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
AllowUnauthenticated: helper.BoolToPtr(true),
2016-08-02 17:32:54 +00:00
}
}
2016-10-11 01:04:39 +00:00
// IsEnabled returns whether the config enables Vault integration
func (c *VaultConfig) IsEnabled() bool {
return c.Enabled != nil && *c.Enabled
2016-10-11 01:04:39 +00:00
}
// AllowsUnauthenticated returns whether the config allows unauthenticated
// access to Vault
func (c *VaultConfig) AllowsUnauthenticated() bool {
return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated
2016-10-11 01:04:39 +00:00
}
2016-08-02 17:32:54 +00:00
// Merge merges two Vault configurations together.
func (c *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
result := *c
2016-08-02 17:32:54 +00:00
2016-08-13 04:59:31 +00:00
if b.Token != "" {
result.Token = b.Token
2016-08-02 17:32:54 +00:00
}
if b.Namespace != "" {
result.Namespace = b.Namespace
}
if b.Role != "" {
result.Role = b.Role
}
2016-08-13 04:59:31 +00:00
if b.TaskTokenTTL != "" {
result.TaskTokenTTL = b.TaskTokenTTL
2016-08-02 17:32:54 +00:00
}
if b.Addr != "" {
result.Addr = b.Addr
}
2016-08-14 01:33:48 +00:00
if b.ConnectionRetryIntv.Nanoseconds() != 0 {
result.ConnectionRetryIntv = b.ConnectionRetryIntv
}
if b.TLSCaFile != "" {
result.TLSCaFile = b.TLSCaFile
2016-08-02 17:32:54 +00:00
}
if b.TLSCaPath != "" {
result.TLSCaPath = b.TLSCaPath
2016-08-02 17:32:54 +00:00
}
if b.TLSCertFile != "" {
result.TLSCertFile = b.TLSCertFile
2016-08-02 17:32:54 +00:00
}
if b.TLSKeyFile != "" {
result.TLSKeyFile = b.TLSKeyFile
2016-08-02 17:32:54 +00:00
}
if b.TLSServerName != "" {
result.TLSServerName = b.TLSServerName
}
2016-10-11 01:04:39 +00:00
if b.AllowUnauthenticated != nil {
result.AllowUnauthenticated = b.AllowUnauthenticated
}
if b.TLSSkipVerify != nil {
result.TLSSkipVerify = b.TLSSkipVerify
}
if b.Enabled != nil {
result.Enabled = b.Enabled
}
2016-08-08 22:35:22 +00:00
2016-08-02 17:32:54 +00:00
return &result
}
// ApiConfig returns a usable Vault config that can be passed directly to
2016-08-14 01:33:48 +00:00
// hashicorp/vault/api.
func (c *VaultConfig) ApiConfig() (*vault.Config, error) {
2016-08-02 21:28:39 +00:00
conf := vault.DefaultConfig()
tlsConf := &vault.TLSConfig{
CACert: c.TLSCaFile,
CAPath: c.TLSCaPath,
ClientCert: c.TLSCertFile,
ClientKey: c.TLSKeyFile,
2016-08-02 21:28:39 +00:00
TLSServerName: c.TLSServerName,
}
2016-10-11 01:04:39 +00:00
if c.TLSSkipVerify != nil {
tlsConf.Insecure = *c.TLSSkipVerify
} else {
tlsConf.Insecure = false
}
2016-08-02 21:28:39 +00:00
if err := conf.ConfigureTLS(tlsConf); err != nil {
return nil, err
}
2016-08-14 01:33:48 +00:00
conf.Address = c.Addr
2016-08-02 21:28:39 +00:00
return conf, nil
2016-08-02 17:32:54 +00:00
}
2016-08-09 22:00:50 +00:00
// Copy returns a copy of this Vault config.
func (c *VaultConfig) Copy() *VaultConfig {
if c == nil {
return nil
}
nc := new(VaultConfig)
*nc = *c
return nc
}
2018-06-07 19:34:18 +00:00
// IsEqual compares two Vault configurations and returns a boolean indicating
// if they are equal.
func (c *VaultConfig) IsEqual(b *VaultConfig) bool {
if c == nil && b != nil {
2018-06-07 19:34:18 +00:00
return false
}
if c != nil && b == nil {
2018-06-07 19:34:18 +00:00
return false
}
if c.Token != b.Token {
2018-06-07 19:34:18 +00:00
return false
}
if c.Role != b.Role {
2018-06-07 19:34:18 +00:00
return false
}
if c.TaskTokenTTL != b.TaskTokenTTL {
2018-06-07 19:34:18 +00:00
return false
}
if c.Addr != b.Addr {
2018-06-07 19:34:18 +00:00
return false
}
if c.ConnectionRetryIntv.Nanoseconds() != b.ConnectionRetryIntv.Nanoseconds() {
2018-06-07 19:34:18 +00:00
return false
}
if c.TLSCaFile != b.TLSCaFile {
2018-06-07 19:34:18 +00:00
return false
}
if c.TLSCaPath != b.TLSCaPath {
2018-06-07 19:34:18 +00:00
return false
}
if c.TLSCertFile != b.TLSCertFile {
2018-06-07 19:34:18 +00:00
return false
}
if c.TLSKeyFile != b.TLSKeyFile {
2018-06-07 19:34:18 +00:00
return false
}
if c.TLSServerName != b.TLSServerName {
2018-06-07 19:34:18 +00:00
return false
}
if c.AllowUnauthenticated != b.AllowUnauthenticated {
2018-06-07 19:34:18 +00:00
return false
}
if c.TLSSkipVerify != b.TLSSkipVerify {
2018-06-07 19:34:18 +00:00
return false
}
if c.Enabled != b.Enabled {
2018-06-07 19:34:18 +00:00
return false
}
return true
}