settings_reader-vault_resolver 0.2.0 → 0.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -1
- data/lib/settings_reader/vault_resolver/entry.rb +4 -0
- data/lib/settings_reader/vault_resolver/instance.rb +11 -0
- data/lib/settings_reader/vault_resolver/logging.rb +40 -0
- data/lib/settings_reader/vault_resolver/patches/authenticate.rb +1 -1
- data/lib/settings_reader/vault_resolver/refresher.rb +8 -2
- data/lib/settings_reader/vault_resolver/version.rb +1 -1
- data/lib/settings_reader/vault_resolver.rb +14 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 62d9b04d2c1d077efc9fd04b8de77c13e1d30fea6bbed0a942f3411c32130216
|
|
4
|
+
data.tar.gz: 4ee9710b9173260acabf445a658b6987d516034a03eee86f2c5ae2d22b013c23
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b4b55065d8d4349457e791383c4265957e80fec4b8997676b75a4b8b11523efbf4584b18298eecbbc3be244d40a718be3d45b5ff6fca04fe8f9edb64e2d69e6e
|
|
7
|
+
data.tar.gz: 91ba8dacc8becf367766cddadabcd22a06f69ab0068e6604ffbb3424d7a363bac8def6a334f972cd46b649d9c75dccd78bf5da2cf684421752da9b235fe30e91
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,9 @@
|
|
|
1
1
|
## [Unreleased]
|
|
2
2
|
|
|
3
|
+
## [0.2.1]
|
|
4
|
+
### Fixes
|
|
5
|
+
- Use default k8s auth route without namespace
|
|
6
|
+
|
|
3
7
|
## [0.2.0]
|
|
4
8
|
### New features
|
|
5
9
|
- Better integration with parent gem
|
|
@@ -17,7 +21,8 @@
|
|
|
17
21
|
- Secrets caching
|
|
18
22
|
- Automatic secrets lease renewal
|
|
19
23
|
|
|
20
|
-
[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.2.
|
|
24
|
+
[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.2.1...HEAD
|
|
25
|
+
[0.2.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.1
|
|
21
26
|
[0.2.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.0
|
|
22
27
|
[0.1.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.1
|
|
23
28
|
[0.1.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.0
|
|
@@ -4,6 +4,8 @@ module SettingsReader
|
|
|
4
4
|
module VaultResolver
|
|
5
5
|
# Resolver class for Settings Reader
|
|
6
6
|
class Instance
|
|
7
|
+
include Logging
|
|
8
|
+
|
|
7
9
|
IDENTIFIER = 'vault://'.freeze
|
|
8
10
|
DATABASE_MOUNT = 'database'.freeze
|
|
9
11
|
|
|
@@ -15,6 +17,7 @@ module SettingsReader
|
|
|
15
17
|
|
|
16
18
|
# Expect value in format `vault://mount/path/to/secret?attribute_name`
|
|
17
19
|
def resolve(value, _path)
|
|
20
|
+
debug { "Resolving Vault secret at #{value}" }
|
|
18
21
|
address = SettingsReader::VaultResolver::Address.new(value)
|
|
19
22
|
entry = fetch_entry(address)
|
|
20
23
|
entry&.value_for(address.attribute)
|
|
@@ -22,14 +25,18 @@ module SettingsReader
|
|
|
22
25
|
|
|
23
26
|
# Resolve KV secret
|
|
24
27
|
def kv_secret(address)
|
|
28
|
+
debug { "Fetching new kv secret at: #{address}" }
|
|
25
29
|
Vault.kv(address.mount).read(address.path)
|
|
26
30
|
rescue Vault::HTTPClientError => e
|
|
31
|
+
error { "Error retrieving secret at: #{address}: #{e.message}" }
|
|
27
32
|
raise SettingsReader::VaultResolver::Error, e.message
|
|
28
33
|
end
|
|
29
34
|
|
|
30
35
|
def database_secret(address)
|
|
36
|
+
debug { "Fetching new database secret at: #{address}" }
|
|
31
37
|
Vault.logical.read(address.full_path)
|
|
32
38
|
rescue Vault::HTTPClientError => e
|
|
39
|
+
error { "Error retrieving database secret: #{address}: #{e.message}" }
|
|
33
40
|
return nil if e.message.include?('* unknown role')
|
|
34
41
|
|
|
35
42
|
raise SettingsReader::VaultResolver::Error, e.message
|
|
@@ -39,8 +46,12 @@ module SettingsReader
|
|
|
39
46
|
|
|
40
47
|
def fetch_entry(address)
|
|
41
48
|
cache.fetch(address) do
|
|
49
|
+
info { "Retrieving new secret at: #{address}" }
|
|
42
50
|
if (secret = address.mount == DATABASE_MOUNT ? database_secret(address) : kv_secret(address))
|
|
51
|
+
debug { "Retrieved secret at: #{address}" }
|
|
43
52
|
SettingsReader::VaultResolver::Entry.new(address, secret)
|
|
53
|
+
else
|
|
54
|
+
debug { "Secret not retrieved: #{address}" }
|
|
44
55
|
end
|
|
45
56
|
end
|
|
46
57
|
end
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module SettingsReader
|
|
2
|
+
module VaultResolver
|
|
3
|
+
# Methods for centralized logging
|
|
4
|
+
module Logging
|
|
5
|
+
def debug(&block)
|
|
6
|
+
logger.debug do
|
|
7
|
+
"[VaultResolver] #{block.call}"
|
|
8
|
+
end
|
|
9
|
+
nil
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def info(&block)
|
|
13
|
+
logger.info do
|
|
14
|
+
"[VaultResolver] #{block.call}"
|
|
15
|
+
end
|
|
16
|
+
nil
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def warn(&block)
|
|
20
|
+
logger.warn do
|
|
21
|
+
"[VaultResolver] #{block.call}"
|
|
22
|
+
end
|
|
23
|
+
nil
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def error(&block)
|
|
27
|
+
logger.error do
|
|
28
|
+
"[VaultResolver] #{block.call}"
|
|
29
|
+
end
|
|
30
|
+
nil
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
private
|
|
34
|
+
|
|
35
|
+
def logger
|
|
36
|
+
SettingsReader::VaultResolver.logger
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -2,7 +2,7 @@ module Vault
|
|
|
2
2
|
# Monkey patch to support k8s authenticaiton. Taken from https://github.com/hashicorp/vault-ruby/pull/202
|
|
3
3
|
class Authenticate < Request
|
|
4
4
|
def kubernetes(role, route = nil, service_token_path = nil)
|
|
5
|
-
route ||= '/v1/
|
|
5
|
+
route ||= '/v1/auth/kubernetes/login'
|
|
6
6
|
service_token_path ||= '/var/run/secrets/kubernetes.io/serviceaccount/token'
|
|
7
7
|
|
|
8
8
|
payload = {
|
|
@@ -2,6 +2,8 @@ module SettingsReader
|
|
|
2
2
|
module VaultResolver
|
|
3
3
|
# Vault Lease refresher task
|
|
4
4
|
class Refresher
|
|
5
|
+
include Logging
|
|
6
|
+
|
|
5
7
|
DEFAULT_RENEW_DELAY = 200
|
|
6
8
|
REFRESH_INTERVAL = 60
|
|
7
9
|
|
|
@@ -11,12 +13,15 @@ module SettingsReader
|
|
|
11
13
|
|
|
12
14
|
def refresh
|
|
13
15
|
@cache.entries.each do |entry|
|
|
16
|
+
debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
|
|
14
17
|
next unless entry.leased?
|
|
15
18
|
next unless entry.expires_in < DEFAULT_RENEW_DELAY
|
|
16
19
|
|
|
20
|
+
info { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
|
|
17
21
|
entry.renew
|
|
18
|
-
|
|
19
|
-
|
|
22
|
+
info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
|
|
23
|
+
rescue SettingsReader::VaultResolver::Error => e
|
|
24
|
+
error { "Error refreshing lease for #{entry}: #{e.message}" }
|
|
20
25
|
# Continue renewal.
|
|
21
26
|
end
|
|
22
27
|
end
|
|
@@ -24,6 +29,7 @@ module SettingsReader
|
|
|
24
29
|
def self.refresh_task(cache)
|
|
25
30
|
refresher = self
|
|
26
31
|
Concurrent::TimerTask.new(execution_interval: refresher::REFRESH_INTERVAL) do
|
|
32
|
+
info { 'Refreshing Vault leases' }
|
|
27
33
|
refresher.new(cache).refresh
|
|
28
34
|
end
|
|
29
35
|
end
|
|
@@ -1,6 +1,9 @@
|
|
|
1
|
+
require 'logger'
|
|
1
2
|
require 'concurrent/timer_task'
|
|
3
|
+
|
|
2
4
|
require 'settings_reader'
|
|
3
5
|
require 'settings_reader/vault_resolver/version'
|
|
6
|
+
require 'settings_reader/vault_resolver/logging'
|
|
4
7
|
require 'settings_reader/vault_resolver/address'
|
|
5
8
|
require 'settings_reader/vault_resolver/entry'
|
|
6
9
|
require 'settings_reader/vault_resolver/cache'
|
|
@@ -16,6 +19,17 @@ module SettingsReader
|
|
|
16
19
|
attr_accessor :cache, :refresher_timer_task
|
|
17
20
|
end
|
|
18
21
|
|
|
22
|
+
def self.logger
|
|
23
|
+
return @logger if @logger
|
|
24
|
+
return @logger = Rails.logger if (defined? Rails) && Rails.logger
|
|
25
|
+
|
|
26
|
+
@logger = Logger.new($stdout, level: Logger::INFO)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def self.logger=(logger)
|
|
30
|
+
@logger = logger
|
|
31
|
+
end
|
|
32
|
+
|
|
19
33
|
def self.setup_cache
|
|
20
34
|
self.cache ||= SettingsReader::VaultResolver::Cache.new
|
|
21
35
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: settings_reader-vault_resolver
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Volodymyr Mykhailyk
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-03-
|
|
11
|
+
date: 2022-03-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: concurrent-ruby
|
|
@@ -84,6 +84,7 @@ files:
|
|
|
84
84
|
- lib/settings_reader/vault_resolver/entry.rb
|
|
85
85
|
- lib/settings_reader/vault_resolver/helpers/k8s_auth.rb
|
|
86
86
|
- lib/settings_reader/vault_resolver/instance.rb
|
|
87
|
+
- lib/settings_reader/vault_resolver/logging.rb
|
|
87
88
|
- lib/settings_reader/vault_resolver/patches/authenticate.rb
|
|
88
89
|
- lib/settings_reader/vault_resolver/refresher.rb
|
|
89
90
|
- lib/settings_reader/vault_resolver/version.rb
|