Merge pull request #46 from intelops/genericcreds

Added generic credential

charts/vault-cred/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/vault-cred/values.yaml

@@ -95,6 +95,26 @@ vaultPolicies:
  path "auth/kubernetes/login" {
  capabilities = ["create","read","update"]
  }
+ - name: vault-policy-cluster-admin
+ data:
+ policyName: vault-policy-cluster-admin
+ policyData: |
+ path "secret/data/cluster/*" {
+ capabilities = ["create","read","update","delete","list"]
+ }
+ path "auth/kubernetes/login" {
+ capabilities = ["create","read","update"]
+ }
+ - name: vault-policy-cluster-read
+ data:
+ policyName: vault-policy-cluster-read
+ policyData: |
+ path "secret/data/cluster/*" {
+ capabilities = ["read"]
+ }
+ path "auth/kubernetes/login" {
+ capabilities = ["create","read","update"]
+ }
 
 vaultRoles:
 # - name: vault-role-read-all-creds

examples/cred-sync-secert.yaml

@@ -4,8 +4,13 @@ data:
  SERVICE-CRED-1: e2VudGl0eU5hbWU6ZGIsIHVzZXJOYW1lOnRlc3R1c2VyLHBhc3N3b3JkOnRlc3Rwd2R9Cg==
  # CERTS-<uniquevalue>: `echo '{"entityName":"customer-client", "certIndetifier":"capten1","caCert":"LS0tLS1CRUdJTiB", "cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS", "key":"LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL"}' | base64 -w 0`
  CERTS-1: eyJlbnRpdHlOYW1lIjoiY3VzdG9tZXItY2xpZW50IiwgImNlcnRJbmRldGlmaWVyIjoiY2FwdGVuMSIsImNhQ2VydCI6IkxTMHRMUzFDUlVkSlRpQiIsICJjZXJ0IjogIkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTIiwgImtleSI6IkxTMHRMUzFDUlVkSlRpQlNVMEVnVUZKSlZrRlVSU0JMIn0K
+
+ #GENERIC-1: `echo '{"credentialType":"cluster","entityName":"astra", "credIndetifier":"authToken", "credential":{"clusterId": "b7f1640e-5488-4fc4-9230-10f58e195e1a","token":"AstraCS:dQOUGyLDrxBsLJUPbdRqzwDs:ce353d87f144c46d740b4889caa840c0325aa0f8bb20eef891c9eefba055132b"}}' | base64 -w 0`
+ GENERIC-1: eyJjcmVkZW50aWFsVHlwZSI6ImNsdXN0ZXIiLCJlbnRpdHlOYW1lIjoiYXN0cmEiLCAiY3JlZEluZGV0aWZpZXIiOiJhdXRoVG9rZW4iLCAiY3JlZGVudGlhbCI6eyJjbHVzdGVySWQiOiAiYjdmMTY0MGUtNTQ4OC00ZmM0LTkyMzAtMTBmNThlMTk1ZTFhIiwidG9rZW4iOiJBc3RyYUNTOmRRT1VHeUxEcnhCc0xKVVBiZFJxendEczpjZTM1M2Q4N2YxNDRjNDZkNzQwYjQ4ODljYWE4NDBjMDMyNWFhMGY4YmIyMGVlZjg5MWM5ZWVmYmEwNTUxMzJiIn19Cg==
+
 kind: Secret
 metadata:
  name: vault-cred-sync-data
- namespace: "<vault-cred-namespace>"
+ namespace: "ml-server"
 type: Opaque
+# 

internal/job/vault-cred-sync.go

@@ -13,15 +13,16 @@ import (
 )
 
 const (
- serviceCredSecretKeyPrefix = "SERVICE-CRED"
- certSecretKeyPrefix = "CERTS"
-
- caDataKey = "ca.pem"
- certDataKey = "cert.crt"
- keyDataKey = "key.key"
-
- serviceCredentialUserNameKey = "userName"
- serviceCredentialPasswordKey = "password"
+ serviceCredSecretKeyPrefix = "SERVICE-CRED"
+ certSecretKeyPrefix = "CERTS"
+ genericSecretKeyPrefix = "GENERIC"
+ caDataKey = "ca.pem"
+ certDataKey = "cert.crt"
+ keyDataKey = "key.key"
+ genericCredentialClusterIdKey = "clusterId"
+ genericCredentialTokenKey = "token"
+ serviceCredentialUserNameKey = "userName"
+ serviceCredentialPasswordKey = "password"
 )
 
 type CertificateData struct {
@@ -38,7 +39,12 @@ type ServiceCredentail struct {
  Password string `json:"password"`
  AdditionalData map[string]string `json:"additionalData"`
 }
-
+type GenericCredential struct {
+ CredentialType string `json:"credentialType"`
+ EntityName string `json:"entityName"`
+ CredIndentifier string `json:"credIndetifier"`
+ Credential map[string]string `json:"credential"`
+}
 type VaultCredSync struct {
  log logging.Logger
  conf config.VaultEnv
@@ -76,7 +82,7 @@ func (v *VaultCredSync) Run() {
  v.log.Debugf("failed to read sync secret, %s", err)
  return
  }
- v.log.Debugf("found %d secret values to synch", len(secretValues))
+ v.log.Debugf("found %d secret values to sync", len(secretValues))
 
  vc, err := client.NewVaultClientForVaultToken(v.log, v.conf)
  if err != nil {
@@ -97,7 +103,16 @@ func (v *VaultCredSync) Run() {
  v.log.Errorf("%s", err)
  continue
  }
+ } else if strings.HasPrefix(key, genericSecretKeyPrefix) {
+ err = v.storeGenericCredential(ctx, vc, key, secretValue)
+ if err != nil {
+ v.log.Errorf("%s", err)
+ continue
+ }
+ } else {
+ v.log.Infof("credentail type %s not supported", key)
  }
+
  }
  v.log.Debug("vault credential sync job completed")
 }
@@ -124,7 +139,7 @@ func (v *VaultCredSync) storeServiceCredential(ctx context.Context, vc *client.V
  if err != nil {
  return errors.WithMessagef(err, "failed to write %s secret data to vault", secretIdentifier)
  }
- v.log.Infof("stored sync credential for %s:%s", serviceCredData.EntityName, serviceCredData.UserName)
+ v.log.Infof("stored sync service credential for %s/%s", serviceCredData.EntityName, serviceCredData.UserName)
  return nil
 }
 
@@ -149,6 +164,32 @@ func (v *VaultCredSync) storeCertData(ctx context.Context, vc *client.VaultClien
  if err != nil {
  return errors.WithMessagef(err, "failed to write %s secret data to vault", secretIdentifier)
  }
- v.log.Infof("stored sync cert for %s:%s", certData.EntityName, certData.CertIndentifier)
+ v.log.Infof("stored sync cert for %s/%s", certData.EntityName, certData.CertIndentifier)
  return nil
 }
+
+func (v *VaultCredSync) storeGenericCredential(ctx context.Context, vc *client.VaultClient, secretIdentifier, secretData string) error {
+ var genericCredData GenericCredential
+ err := json.Unmarshal([]byte(secretData), &genericCredData)
+ if err != nil {
+ return errors.WithMessagef(err, "failed to parse %s secret data", secretIdentifier)
+ }
+
+ if len(genericCredData.EntityName) == 0 || len(genericCredData.CredIndentifier) == 0 || len(genericCredData.CredentialType) == 0 {
+ return errors.WithMessagef(err, "credential attributes are emty for %s secret data", secretIdentifier)
+ }
+
+ cred := map[string]string{}
+ for key, val := range genericCredData.Credential {
+ cred[key] = val
+ }
+
+ secretPath := api.PrepareCredentialSecretPath(strings.ToLower(genericSecretKeyPrefix), genericCredData.EntityName, genericCredData.CredIndentifier)
+ err = vc.PutCredential(ctx, api.CredentialMountPath(), secretPath, cred)
+ if err != nil {
+ return errors.WithMessagef(err, "failed to write %s secret data to vault", secretIdentifier)
+ }
+ v.log.Infof("stored sync credential for %s/%s/%s", strings.ToLower(genericSecretKeyPrefix), genericCredData.EntityName, genericCredData.CredIndentifier)
+ return nil
+
+}