settings_reader-vault_resolver 0.1.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 684115b87887c0d2774679160f1f0d7d7136035053b3af87a9878fd5ab4b5778
-  data.tar.gz: 9d3747fdd02285d0664569ec73566951637aeb1c145223da5be9239078c4a6cf
+  metadata.gz: 16ca7880831b27b05c24651940a1dab796b792f7d98229f2f01e229ffcee5662
+  data.tar.gz: ff8e434b0512ce66772e8f99b16761ea51597614b195abb91889a5543ba88267
 SHA512:
-  metadata.gz: 3b7b5512574b61c2b7fd96fdf121152938c7c232e12c8da23a864f52db1502501406dec213e28eec118decdfe142f7f90dbcd1748ae551558583691af26de97f
-  data.tar.gz: 81f2e979bee9b9cfca5ec316c4218bc2260042875eab9fc580443e0d4edcd159299c64398b17ddc12fe9a25aac545d6f217cabd5f71e146fe1c4eb6c31033e4d
+  metadata.gz: e1476c785e7369a2a2f3d4ee47a149cfd3c1fc2ebf333a94a1ec158c564584995ced9392fa08e1be9ec16ba166c0f20899414e02622473a4d0058ef5d70abce2
+  data.tar.gz: 8c1a40bd635b8e9de7193114618a0669e3c9d3ffabae250ff5efc416a31636c199584bb7e474373ead29bde9e85e281adbba0e7ba123358e1729d0e599bf17bf

data/.github/workflows/linters.yml

@@ -0,0 +1,52 @@
+name: "linters"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '30 0 * * 1'
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.5
+          bundler-cache: true
+      - name: Run rubocop
+        run: bundle exec rubocop --parallel
+
+  code-ql:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'ruby' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

data/.github/workflows/main.yml

@@ -13,6 +13,7 @@ jobs:
   build:
     env:
       COVERAGE: true
+      CODECOV_TOKEN: a0c859b6-dfb7-4d9f-9933-2dd945cdd960
       VAULT_ADDR: 'http://127.0.0.1:8200'
       VAULT_TOKEN: 'vault_root_token'
 

data/.rubocop.yml

@@ -0,0 +1,16 @@
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 2.5
+
+Gemspec/RequireMFA:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Metrics/BlockLength:
+  IgnoredMethods: ['describe', 'context']
+
+Layout/LineLength:
+  Max: 120

data/.simplecov

@@ -1,4 +1,4 @@
-if ENV["COVERAGE"]
+if ENV['COVERAGE']
   require 'simplecov'
   require 'codecov'
   SimpleCov.start do
@@ -6,4 +6,4 @@ if ENV["COVERAGE"]
     primary_coverage :branch
     formatter SimpleCov::Formatter::Codecov
   end
-end
+end

data/CHANGELOG.md

@@ -1,6 +1,16 @@
 ## [Unreleased]
 
-## [0.1.0]
+## [0.2.1]
+### Fixes
+- Use default k8s auth route without namespace 
+
+## [0.2.0]
+### New features
+- Better integration with parent gem
+- Support of k8s authentication method
+- Additional tests and fixes related to Vault permissions
+
+## [0.1.1]
 ### Fixes
 - Fix CI release
 - Add changelog
@@ -11,7 +21,9 @@
 - Secrets caching
 - Automatic secrets lease renewal
 
-[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.1.1...HEAD
-[0.1.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.1
+[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.2.1...HEAD
+[0.2.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.1
+[0.2.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.0
+[0.1.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.1
 [0.1.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.0
 

data/Gemfile

@@ -1,4 +1,12 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
 # Specify your gem's dependencies in settings_reader-vault_resolver.gemspec
 gemspec
+
+gem 'codecov'
+gem 'rake'
+gem 'rspec'
+gem 'rubocop'
+gem 'rubocop-rspec'
+gem 'simplecov'
+gem 'timecop'

data/Gemfile.lock

@@ -3,6 +3,7 @@ PATH
   specs:
     settings_reader-vault_resolver (0.0.0)
       concurrent-ruby (~> 1.1)
+      settings_reader (~> 0.1)
       vault (~> 0.16)
 
 GEM
@@ -18,11 +19,11 @@ GEM
     diff-lcs (1.5.0)
     docile (1.4.0)
     parallel (1.21.0)
-    parser (3.1.0.0)
+    parser (3.1.1.0)
       ast (~> 2.4.1)
-    rainbow (3.0.0)
+    rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.2.0)
+    regexp_parser (2.2.1)
     rexml (3.2.5)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
@@ -37,20 +38,21 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-support (3.10.3)
-    rubocop (0.93.1)
+    rubocop (1.25.1)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
+      regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 0.6.0)
+      rubocop-ast (>= 1.15.1, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.15.1)
-      parser (>= 3.0.1.1)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.16.0)
+      parser (>= 3.1.1.0)
     rubocop-rspec (1.32.0)
       rubocop (>= 0.60.0)
     ruby-progressbar (1.11.0)
+    settings_reader (0.1.0)
     simplecov (0.21.2)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -58,7 +60,7 @@ GEM
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.3)
     timecop (0.9.4)
-    unicode-display_width (1.8.0)
+    unicode-display_width (2.1.0)
     vault (0.16.0)
       aws-sigv4
 
@@ -66,15 +68,14 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 2.0)
-  codecov (~> 0.4)
-  rake (~> 13.0)
-  rspec (~> 3.0)
-  rubocop (~> 0.66)
-  rubocop-rspec (~> 1.32.0)
+  codecov
+  rake
+  rspec
+  rubocop
+  rubocop-rspec
   settings_reader-vault_resolver!
-  simplecov (~> 0.16)
-  timecop (~> 0.9)
+  simplecov
+  timecop
 
 BUNDLED WITH
    2.1.4

data/README.md

@@ -26,20 +26,13 @@ At the load of application when initializing `settings_reader`:
 Vault.address = 'http://127.0.0.1:8200'
 Vault.token = 'MY_SUPER_SECRET_TOKEN'
 
-#Init Settings Reader
-SettingsReader.configure do |config|
-  config.settings_providers = [
-    SettingsReader::Providers::Yaml,
-  ]
-
-  config.value_resolvers = [
-    SettingsReader::Resolvers::Vault,
-    SettingsReader::Resolvers::Env,
-  ]
+#Load Settings Reader and configure resolver
+AppSettings = SettingsReader.load do |config|
+  # ... Other configurations
+  
+  # Add vault resolver as one of resolvers
+  config.resolvers << SettingsReader::VaultResolver.resolver
 end
-
-#Load Settings
-APP_SETTINGS = SettingsReader.load
 ```
 
 ### Usage
@@ -51,16 +44,22 @@ Assuming your settings has following structure:
 app:
   name: 'MyCoolApp'
   hostname: 'http://localhost:3001'
-  secret: 'vault://secret/apps/my_cool_app#app_secret'
+  static_secret: 'vault://secret/apps/my_cool_app#app_secret'
+  dynamic_secret: 'vault://database/creds/app-db#username'
 ```
 
 When requesting `app/secret` from `SettingsReader` it will resolve in Vault as:
 
 ```ruby
-secret = APP_SETTINGS.get('app/secret') 
+secret = AppSettings.get('app/static_secret') 
 # Gem will read `vault://secret/app#secret` from YAML
 # Gem will resolve value in Vault using Vault.kv('secret').read('apps/my_cool_app')
 # Gem will return `app_secret` attribute from the secret resolved above
+
+db_user = AppSettings.get('app/dynamic_secret')
+# Gem will request dynamic credentials from `vault://database/creds/app-db` and cache them
+# Gem will renew lease on retrieved credentials 3 minutes prior lease expiration from vault
+# Gem will return `username` attribute from dynamic secret
 ```
 
 ## Development

data/Rakefile

@@ -1,6 +1,6 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
-require "bundler/setup"
-require "settings_reader/vault_resolver"
+require 'bundler/setup'
+require 'settings_reader/vault_resolver'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +10,5 @@ require "settings_reader/vault_resolver"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/lib/settings_reader/vault_resolver/address.rb

@@ -1,5 +1,6 @@
 module SettingsReader
   module VaultResolver
+    # Parsing of vault address
     class Address
       def initialize(uri)
         @uri = URI.parse(uri)
@@ -10,11 +11,11 @@ module SettingsReader
       end
 
       def path
-        @uri.path
+        @uri.path.delete_prefix('/')
       end
 
       def full_path
-        "#{mount}#{path}"
+        "#{mount}#{@uri.path}"
       end
 
       def attribute
@@ -22,7 +23,7 @@ module SettingsReader
       end
 
       def options
-        URI::decode_www_form(@uri.query || '').to_h
+        URI.decode_www_form(@uri.query || '').to_h
       end
 
       def to_s

data/lib/settings_reader/vault_resolver/cache.rb

@@ -1,5 +1,6 @@
 module SettingsReader
   module VaultResolver
+    # Secrets cache for seamless dynamic keys and renewal operations
     class Cache
       def initialize
         @secrets = {}
@@ -42,4 +43,4 @@ module SettingsReader
       end
     end
   end
-end
+end

data/lib/settings_reader/vault_resolver/entry.rb

@@ -1,7 +1,9 @@
 module SettingsReader
   module VaultResolver
+    # Wrapper around vault secret object
     class Entry
       attr_reader :address, :secret
+
       MONTH = 30 * 60 * 60
 
       def initialize(address, secret)
@@ -32,12 +34,18 @@ module SettingsReader
         @secret = Vault.sys.renew(@secret.lease_id)
         @lease_started = Time.now
         true
+      rescue Vault::HTTPClientError => e
+        raise SettingsReader::VaultResolver::Error, e.message
       end
 
       def value_for(attribute)
         secret.data[attribute.to_sym]
       end
 
+      def to_s
+        address.to_s
+      end
+
       private
 
       def lease_duration

data/lib/settings_reader/vault_resolver/helpers/k8s_auth.rb

@@ -0,0 +1,43 @@
+require_relative '../patches/authenticate'
+
+module SettingsReader
+  module VaultResolver
+    module Helpers
+      # Helps with Vault authentication using kubernetes login
+      class K8sAuth
+        def call(role)
+          secret = Vault.auth.kubernetes(role)
+
+          cache_token_for_renewal(secret)
+          secret
+        end
+
+        private
+
+        def cache_token_for_renewal(secret)
+          address = SettingsReader::VaultResolver::Address.new('vault://v1/auth/token/lookup-self')
+          entry = SettingsReader::VaultResolver::AuthEntry.new(address, secret)
+          SettingsReader::VaultResolver.cache.save(entry)
+          entry
+        end
+      end
+    end
+
+    # Helps with auth token lease renewal
+    class AuthEntry < SettingsReader::VaultResolver::Entry
+      def leased?
+        true
+      end
+
+      def lease_duration
+        @secret.auth.lease_duration
+      end
+
+      def renew
+        Vault.client.auth_token.renew_self
+        @lease_started = Time.now
+        true
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/instance.rb

@@ -0,0 +1,64 @@
+require 'vault'
+
+module SettingsReader
+  module VaultResolver
+    # Resolver class for Settings Reader
+    class Instance
+      include Logging
+
+      IDENTIFIER = 'vault://'.freeze
+      DATABASE_MOUNT = 'database'.freeze
+
+      def resolvable?(value, _path)
+        return unless value.respond_to?(:start_with?)
+
+        value.start_with?(IDENTIFIER)
+      end
+
+      # Expect value in format `vault://mount/path/to/secret?attribute_name`
+      def resolve(value, _path)
+        debug { "Resolving Vault secret at #{value}" }
+        address = SettingsReader::VaultResolver::Address.new(value)
+        entry = fetch_entry(address)
+        entry&.value_for(address.attribute)
+      end
+
+      # Resolve KV secret
+      def kv_secret(address)
+        debug { "Fetching new kv secret at: #{address}" }
+        Vault.kv(address.mount).read(address.path)
+      rescue Vault::HTTPClientError => e
+        error { "Error retrieving secret at: #{address}: #{e.message}" }
+        raise SettingsReader::VaultResolver::Error, e.message
+      end
+
+      def database_secret(address)
+        debug { "Fetching new database secret at: #{address}" }
+        Vault.logical.read(address.full_path)
+      rescue Vault::HTTPClientError => e
+        error { "Error retrieving database secret: #{address}: #{e.message}" }
+        return nil if e.message.include?('* unknown role')
+
+        raise SettingsReader::VaultResolver::Error, e.message
+      end
+
+      private
+
+      def fetch_entry(address)
+        cache.fetch(address) do
+          info { "Retrieving new secret at: #{address}" }
+          if (secret = address.mount == DATABASE_MOUNT ? database_secret(address) : kv_secret(address))
+            debug { "Retrieved secret at: #{address}" }
+            SettingsReader::VaultResolver::Entry.new(address, secret)
+          else
+            debug { "Secret not retrieved: #{address}" }
+          end
+        end
+      end
+
+      def cache
+        SettingsReader::VaultResolver.cache
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/logging.rb

@@ -0,0 +1,40 @@
+module SettingsReader
+  module VaultResolver
+    # Methods for centralized logging
+    module Logging
+      def debug(&block)
+        logger.debug do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      def info(&block)
+        logger.info do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      def warn(&block)
+        logger.warn do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      def error(&block)
+        logger.error do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      private
+
+      def logger
+        @logger ||= SettingsReader::VaultResolver.logger
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/patches/authenticate.rb

@@ -0,0 +1,21 @@
+module Vault
+  # Monkey patch to support k8s authenticaiton. Taken from https://github.com/hashicorp/vault-ruby/pull/202
+  class Authenticate < Request
+    def kubernetes(role, route = nil, service_token_path = nil)
+      route ||= '/v1/auth/kubernetes/login'
+      service_token_path ||= '/var/run/secrets/kubernetes.io/serviceaccount/token'
+
+      payload = {
+        role: role,
+        jwt: File.read(service_token_path)
+      }
+
+      json = client.post(route, JSON.fast_generate(payload))
+
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+
+      secret
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/refresher.rb

@@ -1,7 +1,10 @@
 module SettingsReader
   module VaultResolver
+    # Vault Lease refresher task
     class Refresher
-      DEFAULT_RENEW_DELAY = 120
+      include Logging
+
+      DEFAULT_RENEW_DELAY = 200
       REFRESH_INTERVAL = 60
 
       def initialize(cache)
@@ -10,19 +13,26 @@ module SettingsReader
 
       def refresh
         @cache.entries.each do |entry|
+          debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
           next unless entry.leased?
           next unless entry.expires_in < DEFAULT_RENEW_DELAY
 
+          info { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
           entry.renew
+          info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
+        rescue SettingsReader::VaultResolver::Error => e
+          error { "Error refreshing lease for #{entry}: #{e.message}" }
+          # Continue renewal.
         end
       end
 
       def self.refresh_task(cache)
         refresher = self
         Concurrent::TimerTask.new(execution_interval: refresher::REFRESH_INTERVAL) do
+          info { 'Refreshing Vault leases' }
           refresher.new(cache).refresh
         end
       end
     end
   end
-end
+end

data/lib/settings_reader/vault_resolver/version.rb

@@ -1,5 +1,5 @@
 module SettingsReader
   module VaultResolver
-    VERSION = "0.1.1"
+    VERSION = '0.2.2'.freeze
   end
 end

data/lib/settings_reader/vault_resolver.rb

@@ -1,12 +1,17 @@
-require 'concurrent/timer_task.rb'
-require "settings_reader/vault_resolver/version"
-require "settings_reader/vault_resolver/address"
-require "settings_reader/vault_resolver/entry"
-require "settings_reader/vault_resolver/cache"
-require "settings_reader/vault_resolver/refresher"
-require "settings_reader/resolvers/vault"
+require 'logger'
+require 'concurrent/timer_task'
+
+require 'settings_reader'
+require 'settings_reader/vault_resolver/version'
+require 'settings_reader/vault_resolver/logging'
+require 'settings_reader/vault_resolver/address'
+require 'settings_reader/vault_resolver/entry'
+require 'settings_reader/vault_resolver/cache'
+require 'settings_reader/vault_resolver/refresher'
+require 'settings_reader/vault_resolver/instance'
 
 module SettingsReader
+  # Singleton for lease renewals and secrets cache
   module VaultResolver
     class Error < StandardError; end
 
@@ -14,6 +19,13 @@ module SettingsReader
       attr_accessor :cache, :refresher_timer_task
     end
 
+    def self.logger
+      return @logger if @logger
+      return @logger = Rails.logger if defined? Rails
+
+      @logger = Logger.new($stdout, level: Logger::INFO)
+    end
+
     def self.setup_cache
       self.cache ||= SettingsReader::VaultResolver::Cache.new
     end
@@ -24,7 +36,7 @@ module SettingsReader
     end
 
     def self.resolver
-      SettingsReader::VaultResolver::Vault
+      SettingsReader::VaultResolver::Instance.new
     end
 
     setup_cache

data/settings_reader-vault_resolver.gemspec

@@ -4,7 +4,7 @@ Gem::Specification.new do |spec|
   spec.name          = 'settings_reader-vault_resolver'
   spec.version       = SettingsReader::VaultResolver::VERSION
   spec.authors       = ['Volodymyr Mykhailyk']
-  spec.email         = ['712680+volodymyr-mykhailyk@users.noreply.github.com']
+  spec.email         = ['volodymyr.mykhailyk@gmail.com']
 
   spec.summary       = 'Settings Reader plugin to resolve values using in Hashicorp Vault'
   spec.description   = 'This gem works as a resolver for `settings_reader` gem. \
@@ -12,15 +12,15 @@ Gem::Specification.new do |spec|
                         with support of dynamic secrets and lease renewal.'
   spec.homepage      = 'https://github.com/matic-insurance/settings_reader-vault_resolver'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
 
   spec.metadata['homepage_uri'] = spec.homepage
   spec.metadata['source_code_uri'] = spec.homepage
-  spec.metadata['changelog_uri'] = spec.homepage + "/blob/master/CHANGELOG.md"
+  spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/master/CHANGELOG.md"
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|local)/}) }
   end
   spec.bindir        = 'exe'
@@ -28,14 +28,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'concurrent-ruby', '~> 1.1'
+  spec.add_dependency 'settings_reader', '~> 0.1'
   spec.add_dependency 'vault', '~> 0.16'
-
-  spec.add_development_dependency 'bundler', '~> 2.0'
-  spec.add_development_dependency 'codecov', '~> 0.4'
-  spec.add_development_dependency 'rake', '~> 13.0'
-  spec.add_development_dependency 'rspec', '~> 3.0'
-  spec.add_development_dependency 'rubocop', '~> 0.66'
-  spec.add_development_dependency 'rubocop-rspec', '~> 1.32.0'
-  spec.add_development_dependency 'simplecov', '~> 0.16'
-  spec.add_development_dependency 'timecop', '~> 0.9'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: settings_reader-vault_resolver
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Volodymyr Mykhailyk
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-01-19 00:00:00.000000000 Z
+date: 2022-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -25,144 +25,48 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.1'
 - !ruby/object:Gem::Dependency
-  name: vault
+  name: settings_reader
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: '0.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.16'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: codecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.1'
 - !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.66'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.66'
-- !ruby/object:Gem::Dependency
-  name: rubocop-rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.32.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.32.0
-- !ruby/object:Gem::Dependency
-  name: simplecov
+  name: vault
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.16'
-  type: :development
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.16'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
 description: |-
   This gem works as a resolver for `settings_reader` gem. \
                           Any value with matching format will be resolved using Vault \
                           with support of dynamic secrets and lease renewal.
 email:
-- 712680+volodymyr-mykhailyk@users.noreply.github.com
+- volodymyr.mykhailyk@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/linters.yml"
 - ".github/workflows/main.yml"
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".simplecov"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
@@ -174,11 +78,14 @@ files:
 - bin/console
 - bin/setup
 - docker-compose.yml
-- lib/settings_reader/resolvers/vault.rb
 - lib/settings_reader/vault_resolver.rb
 - lib/settings_reader/vault_resolver/address.rb
 - lib/settings_reader/vault_resolver/cache.rb
 - lib/settings_reader/vault_resolver/entry.rb
+- lib/settings_reader/vault_resolver/helpers/k8s_auth.rb
+- lib/settings_reader/vault_resolver/instance.rb
+- lib/settings_reader/vault_resolver/logging.rb
+- lib/settings_reader/vault_resolver/patches/authenticate.rb
 - lib/settings_reader/vault_resolver/refresher.rb
 - lib/settings_reader/vault_resolver/version.rb
 - settings_reader-vault_resolver.gemspec
@@ -197,7 +104,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/settings_reader/resolvers/vault.rb

@@ -1,50 +0,0 @@
-require 'vault'
-
-module SettingsReader
-  module Resolver
-    class Vault
-      IDENTIFIER = 'vault://'.freeze
-      DATABASE_MOUNT = 'database'.freeze
-
-      def resolvable?(value, _path)
-        return unless value.respond_to?(:start_with?)
-
-        value.start_with?(IDENTIFIER)
-      end
-
-      # Expect value in format `vault://mount/path/to/secret?attribute_name`
-      def resolve(value, _path)
-        address = SettingsReader::VaultResolver::Address.new(value)
-        entry = fetch_entry(address)
-        entry&.value_for(address.attribute)
-      end
-
-      #Resolve KV secret
-      def kv_secret(address)
-        ::Vault.kv(address.mount).read(address.path)
-      end
-
-      def database_secret(address)
-        ::Vault.logical.read(address.full_path)
-      rescue ::Vault::HTTPClientError => e
-        raise unless e.message.include?('* unknown role')
-
-        nil
-      end
-
-      private
-
-      def fetch_entry(address)
-        cache.fetch(address) do
-          if (secret = address.mount == DATABASE_MOUNT ? database_secret(address) : kv_secret(address))
-            SettingsReader::VaultResolver::Entry.new(address, secret)
-          end
-        end
-      end
-
-      def cache
-        SettingsReader::VaultResolver.cache
-      end
-    end
-  end
-end