open-nomad/nomad/structs/config/vault.go

package config

import (
	"time"

	vault "github.com/hashicorp/vault/api"
)

const (
	// DefaultVaultConnectRetryIntv is the retry interval between trying to
	// connect to Vault
	DefaultVaultConnectRetryIntv = 30 * time.Second
)

// VaultConfig contains the configuration information necessary to
// communicate with Vault in order to:
//
// - Renew Vault tokens/leases.
//
// - Pass a token for the Nomad Server to derive sub-tokens.
//
// - Create child tokens with policy subsets of the Server's token.
type VaultConfig struct {

	// Enabled enables or disables Vault support.
	Enabled bool `mapstructure:"enabled"`

	// Token is the Vault token given to Nomad such that it can
	// derive child tokens. Nomad will renew this token at half its lease
	// lifetime.
	Token string `mapstructure:"token"`

	// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
	// without providing a Vault token proving they have access to these
	// policies.
	AllowUnauthenticated bool `mapstructure:"allow_unauthenticated"`

	// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
	// by the client.  There should be a minimum time value such that the client
	// does not have to renew with Vault at a very high frequency
	TaskTokenTTL string `mapstructure:"task_token_ttl"`

	// Addr is the address of the local Vault agent. This should be a complete
	// URL such as "http://vault.example.com"
	Addr string `mapstructure:"address"`

	// ConnectionRetryIntv is the interval to wait before re-attempting to
	// connect to Vault.
	ConnectionRetryIntv time.Duration

	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate.
	TLSCaFile string `mapstructure:"tls_ca_file"`

	// TLSCaFile is the path to a directory of PEM-encoded CA cert files to
	// verify the Vault server SSL certificate.
	TLSCaPath string `mapstructure:"tls_ca_path"`

	// TLSCertFile is the path to the certificate for Vault communication
	TLSCertFile string `mapstructure:"tls_cert_file"`

	// TLSKeyFile is the path to the private key for Vault communication
	TLSKeyFile string `mapstructure:"tls_key_file"`

	// TLSSkipVerify enables or disables SSL verification
	TLSSkipVerify bool `mapstructure:"tls_skip_verify"`

	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
	TLSServerName string `mapstructure:"tls_server_name"`
}

// DefaultVaultConfig() returns the canonical defaults for the Nomad
// `vault` configuration.
func DefaultVaultConfig() *VaultConfig {
	return &VaultConfig{
		AllowUnauthenticated: false,
		Addr:                 "https://vault.service.consul:8200",
		ConnectionRetryIntv:  DefaultVaultConnectRetryIntv,
	}
}

// Merge merges two Vault configurations together.
func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
	result := *a

	if b.Token != "" {
		result.Token = b.Token
	}
	if b.TaskTokenTTL != "" {
		result.TaskTokenTTL = b.TaskTokenTTL
	}
	if b.Addr != "" {
		result.Addr = b.Addr
	}
	if b.ConnectionRetryIntv.Nanoseconds() != 0 {
		result.ConnectionRetryIntv = b.ConnectionRetryIntv
	}
	if b.TLSCaFile != "" {
		result.TLSCaFile = b.TLSCaFile
	}
	if b.TLSCaPath != "" {
		result.TLSCaPath = b.TLSCaPath
	}
	if b.TLSCertFile != "" {
		result.TLSCertFile = b.TLSCertFile
	}
	if b.TLSKeyFile != "" {
		result.TLSKeyFile = b.TLSKeyFile
	}
	if b.TLSServerName != "" {
		result.TLSServerName = b.TLSServerName
	}

	result.AllowUnauthenticated = b.AllowUnauthenticated
	result.TLSSkipVerify = b.TLSSkipVerify
	result.Enabled = b.Enabled
	return &result
}

// ApiConfig() returns a usable Vault config that can be passed directly to
// hashicorp/vault/api.
func (c *VaultConfig) ApiConfig() (*vault.Config, error) {
	conf := vault.DefaultConfig()
	tlsConf := &vault.TLSConfig{
		CACert:        c.TLSCaFile,
		CAPath:        c.TLSCaPath,
		ClientCert:    c.TLSCertFile,
		ClientKey:     c.TLSKeyFile,
		TLSServerName: c.TLSServerName,
		Insecure:      c.TLSSkipVerify,
	}
	if err := conf.ConfigureTLS(tlsConf); err != nil {
		return nil, err
	}

	conf.Address = c.Addr
	return conf, nil
}

// Copy returns a copy of this Vault config.
func (c *VaultConfig) Copy() *VaultConfig {
	if c == nil {
		return nil
	}

	nc := new(VaultConfig)
	*nc = *c
	return nc
}
Initial config block 2016-08-02 17:32:54 +00:00			`package config`

Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`import (`
			`"time"`

			`vault "github.com/hashicorp/vault/api"`
			`)`

			`const (`
			`// DefaultVaultConnectRetryIntv is the retry interval between trying to`
			`// connect to Vault`
			`DefaultVaultConnectRetryIntv = 30 * time.Second`
			`)`
Initial config block 2016-08-02 17:32:54 +00:00
			`// VaultConfig contains the configuration information necessary to`
			`// communicate with Vault in order to:`
			`//`
			`// - Renew Vault tokens/leases.`
			`//`
			`// - Pass a token for the Nomad Server to derive sub-tokens.`
			`//`
			`// - Create child tokens with policy subsets of the Server's token.`
			`type VaultConfig struct {`

Add enabled field 2016-08-09 21:52:20 +00:00			`// Enabled enables or disables Vault support.`
			Enabled bool `mapstructure:"enabled"`

Address field name feedback 2016-08-13 04:59:31 +00:00			`// Token is the Vault token given to Nomad such that it can`
			`// derive child tokens. Nomad will renew this token at half its lease`
			`// lifetime.`
			Token string `mapstructure:"token"`
Initial config block 2016-08-02 17:32:54 +00:00
			`// AllowUnauthenticated allows users to submit jobs requiring Vault tokens`
			`// without providing a Vault token proving they have access to these`
			`// policies.`
			AllowUnauthenticated bool `mapstructure:"allow_unauthenticated"`

Address field name feedback 2016-08-13 04:59:31 +00:00			`// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used`
Initial config block 2016-08-02 17:32:54 +00:00			`// by the client. There should be a minimum time value such that the client`
			`// does not have to renew with Vault at a very high frequency`
Address field name feedback 2016-08-13 04:59:31 +00:00			TaskTokenTTL string `mapstructure:"task_token_ttl"`
Initial config block 2016-08-02 17:32:54 +00:00
Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`// Addr is the address of the local Vault agent. This should be a complete`
			`// URL such as "http://vault.example.com"`
Initial config block 2016-08-02 17:32:54 +00:00			Addr string `mapstructure:"address"`

Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`// ConnectionRetryIntv is the interval to wait before re-attempting to`
			`// connect to Vault.`
			`ConnectionRetryIntv time.Duration`

change config variable names to match vault 2016-08-08 22:16:40 +00:00			`// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the`
Initial config block 2016-08-02 17:32:54 +00:00			`// Vault server SSL certificate.`
change config variable names to match vault 2016-08-08 22:16:40 +00:00			TLSCaFile string `mapstructure:"tls_ca_file"`
Initial config block 2016-08-02 17:32:54 +00:00
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`// TLSCaFile is the path to a directory of PEM-encoded CA cert files to`
			`// verify the Vault server SSL certificate.`
			TLSCaPath string `mapstructure:"tls_ca_path"`
Initial config block 2016-08-02 17:32:54 +00:00
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`// TLSCertFile is the path to the certificate for Vault communication`
			TLSCertFile string `mapstructure:"tls_cert_file"`
Initial config block 2016-08-02 17:32:54 +00:00
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`// TLSKeyFile is the path to the private key for Vault communication`
			TLSKeyFile string `mapstructure:"tls_key_file"`
Initial config block 2016-08-02 17:32:54 +00:00
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`// TLSSkipVerify enables or disables SSL verification`
			TLSSkipVerify bool `mapstructure:"tls_skip_verify"`
Initial config block 2016-08-02 17:32:54 +00:00
			`// TLSServerName, if set, is used to set the SNI host when connecting via TLS.`
			TLSServerName string `mapstructure:"tls_server_name"`
			`}`

			`// DefaultVaultConfig() returns the canonical defaults for the Nomad`
			// `vault` configuration.
			`func DefaultVaultConfig() *VaultConfig {`
			`return &VaultConfig{`
			`AllowUnauthenticated: false,`
Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`Addr: "https://vault.service.consul:8200",`
			`ConnectionRetryIntv: DefaultVaultConnectRetryIntv,`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
			`}`

			`// Merge merges two Vault configurations together.`
			`func (a VaultConfig) Merge(b VaultConfig) *VaultConfig {`
			`result := *a`

Address field name feedback 2016-08-13 04:59:31 +00:00			`if b.Token != "" {`
			`result.Token = b.Token`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
Address field name feedback 2016-08-13 04:59:31 +00:00			`if b.TaskTokenTTL != "" {`
			`result.TaskTokenTTL = b.TaskTokenTTL`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
			`if b.Addr != "" {`
			`result.Addr = b.Addr`
			`}`
Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`if b.ConnectionRetryIntv.Nanoseconds() != 0 {`
			`result.ConnectionRetryIntv = b.ConnectionRetryIntv`
			`}`
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`if b.TLSCaFile != "" {`
			`result.TLSCaFile = b.TLSCaFile`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`if b.TLSCaPath != "" {`
			`result.TLSCaPath = b.TLSCaPath`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`if b.TLSCertFile != "" {`
			`result.TLSCertFile = b.TLSCertFile`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`if b.TLSKeyFile != "" {`
			`result.TLSKeyFile = b.TLSKeyFile`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
			`if b.TLSServerName != "" {`
			`result.TLSServerName = b.TLSServerName`
			`}`
small fixes 2016-08-08 22:35:22 +00:00
			`result.AllowUnauthenticated = b.AllowUnauthenticated`
			`result.TLSSkipVerify = b.TLSSkipVerify`
Add enabled field 2016-08-09 21:52:20 +00:00			`result.Enabled = b.Enabled`
Initial config block 2016-08-02 17:32:54 +00:00			`return &result`
			`}`

			`// ApiConfig() returns a usable Vault config that can be passed directly to`
Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`// hashicorp/vault/api.`
			`func (c VaultConfig) ApiConfig() (vault.Config, error) {`
vendor + api 2016-08-02 21:28:39 +00:00			`conf := vault.DefaultConfig()`
			`tlsConf := &vault.TLSConfig{`
change config variable names to match vault 2016-08-08 22:16:40 +00:00			`CACert: c.TLSCaFile,`
			`CAPath: c.TLSCaPath,`
			`ClientCert: c.TLSCertFile,`
			`ClientKey: c.TLSKeyFile,`
vendor + api 2016-08-02 21:28:39 +00:00			`TLSServerName: c.TLSServerName,`
small fixes 2016-08-08 22:35:22 +00:00			`Insecure: c.TLSSkipVerify,`
vendor + api 2016-08-02 21:28:39 +00:00			`}`
			`if err := conf.ConfigureTLS(tlsConf); err != nil {`
			`return nil, err`
			`}`

Token renewal and beginning of tests 2016-08-14 01:33:48 +00:00			`conf.Address = c.Addr`
vendor + api 2016-08-02 21:28:39 +00:00			`return conf, nil`
Initial config block 2016-08-02 17:32:54 +00:00			`}`
Pass Vault config to client 2016-08-09 22:00:50 +00:00
			`// Copy returns a copy of this Vault config.`
			`func (c VaultConfig) Copy() VaultConfig {`
			`if c == nil {`
			`return nil`
			`}`

			`nc := new(VaultConfig)`
			`nc = c`
			`return nc`
			`}`