settings_reader-vault_resolver 0.2.4 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce73ad9e3b10d933922778fa85c1f2fecc4f33dd0041a83c4b6b034229c7574f
-  data.tar.gz: eef4339b9136147de04ba2e85648fbf2328c3771fed427e600edf544683c1c98
+  metadata.gz: 4e24591d4c66561cb24e3e12d124d2c4f4ca90236112f6324f709883297e692f
+  data.tar.gz: df5df6353fb0169385697bdb2c6b6e6b1ca082a7cc99e99e166cf29ad38354bc
 SHA512:
-  metadata.gz: ddab1303046474d0da7916d9e64803d9c599f1ee80e2d50e2c96e4cc73ff17f5d4e0b45dd0db37447d3553596135883ca088868800c588f9ceffb7113457bfe4
-  data.tar.gz: 6f31f31fccc0281890df52503a9b8c353229fe7cc6f4233eb251e69ed245ea63acdc8bd4cd9e9e5cd1e0f6ef00c448ba30e0afb732105d2322a0ae338180438d
+  metadata.gz: 3b08d59ab15c02f04f0204e071da10b72aefdd1fe5ef0a70e3902c94487993aadf30afb852a68de9af984f76624dc032d2d4a79e71bce27163782725de15ebff
+  data.tar.gz: a56e1ef3320ba333755c27aa31aea29a51c82c8f6cbdb32cc0f5a287e93636286ee2b4a51ef950318a7029e6ff46bc52199e42832aecfe9661803398f4f9fc74

data/CHANGELOG.md

@@ -1,5 +1,39 @@
 ## [Unreleased]
 
+## [0.4.0]
+### Breaking changes
+- Reworked authentication helpers interface
+
+### New features
+- Retry secret retrieval and renewal
+- Capture more vault exceptions including connectivity errors
+- Introduce vault engine adapter concept
+- Separate kv, database, and auth engine logic 
+
+## [0.3.0]
+### Breaking changes
+- Require configuration before use
+
+### New features
+- Gem configurations
+- Require configuration before use
+- Report renew errors via configuration listeners
+
+### Fixes
+- Cleanup logging
+
+## [0.2.4]
+### Fixes
+- Fix refresher task logging
+
+## [0.2.3]
+### Fixes
+- Fix logging setup when gem loaded before rails
+
+## [0.2.2]
+### New features
+- Add logging to gem
+
 ## [0.2.1]
 ### Fixes
 - Use default k8s auth route without namespace 
@@ -21,7 +55,12 @@
 - Secrets caching
 - Automatic secrets lease renewal
 
-[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.2.1...HEAD
+[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.4.0...HEAD
+[0.4.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.4.0
+[0.3.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.3.0
+[0.2.4]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.4
+[0.2.3]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.3
+[0.2.2]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.2
 [0.2.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.1
 [0.2.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.0
 [0.1.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.1

data/README.md

@@ -28,7 +28,13 @@ Vault.token = 'MY_SUPER_SECRET_TOKEN'
 
 #Load Settings Reader and configure resolver
 AppSettings = SettingsReader.load do |config|
-  # ... Other configurations
+  # ... SettingReader configurations
+  
+  # Configure vault resolver
+  SettingsReader::VaultResolver.configure do |vault_resolver_config|
+    vault_resolver_config.logger = Rails.logger
+    # ... VaultResolver configurations
+  end
   
   # Add vault resolver as one of resolvers
   config.resolvers << SettingsReader::VaultResolver.resolver

data/codecov.yml

@@ -0,0 +1,12 @@
+codecov:
+  require_ci_to_pass: yes
+
+coverage:
+  precision: 2
+  round: up
+  range: "90...100"
+
+ignore:
+  - "spec"
+  - "bin"
+  - "local"

data/lib/settings_reader/vault_resolver/cache.rb

@@ -36,6 +36,10 @@ module SettingsReader
         @secrets.each_value(&block)
       end
 
+      def clear_all
+        @secrets = {}
+      end
+
       private
 
       def cache_key(address)

data/lib/settings_reader/vault_resolver/configuration.rb

@@ -0,0 +1,71 @@
+module SettingsReader
+  module VaultResolver
+    # Configurations for vault resolver
+    class Configuration
+      # Logger for gem
+      # Default: Logger.new(STDOUT, level: Logger::ERROR)
+      attr_accessor :logger
+
+      # How many times to retry retrieval of the secret
+      # Default: 2
+      attr_accessor :retrieval_retries
+
+      # How often do we check if secret lease is about to expire
+      # Default: 60seconds
+      attr_accessor :lease_refresh_interval
+
+      # Time before expiration when we try to renew the lease
+      # Default: 300seconds
+      attr_accessor :lease_renew_delay
+
+      # How many times to retry renew of the secret
+      # Default: 4
+      attr_accessor :lease_renew_retries
+
+      # Block to be executed when lease is refreshed
+      # Default: empty proc
+      attr_accessor :lease_renew_success_listener
+
+      # Block to be executed when lease is not refreshed
+      # Default: empty proc
+      attr_accessor :lease_renew_error_listener
+
+      def initialize
+        @logger = Logger.new($stdout, level: Logger::ERROR)
+        @retrieval_retries = 2
+        @lease_refresh_interval = 60
+        @lease_renew_delay = 300
+        @lease_renew_retries = 4
+        @lease_renew_error_listener = proc {}
+        @lease_renew_success_listener = proc {}
+      end
+
+      def setup_lease_refresher(cache, previous_task = nil)
+        previous_task&.shutdown
+
+        timer_task = Concurrent::TimerTask.new(execution_interval: lease_refresh_interval) do
+          SettingsReader::VaultResolver::Refresher.new(cache, self).refresh
+        end
+        timer_task.add_observer(SettingsReader::VaultResolver::RefresherObserver.new(self))
+        timer_task.execute
+        timer_task
+      end
+
+      def vault_engines
+        @vault_engines ||= [
+          SettingsReader::VaultResolver::Engines::KV2.new(self),
+          SettingsReader::VaultResolver::Engines::Database.new(self),
+          SettingsReader::VaultResolver::Engines::Auth.new(self)
+        ]
+      end
+
+      def vault_engine_for(address)
+        unless (engine = vault_engines.detect { |e| e.retrieves?(address) })
+          raise SettingsReader::VaultResolver::Error, "Unknown engine for #{address}"
+        end
+
+        engine
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/engines/abstract.rb

@@ -0,0 +1,64 @@
+module SettingsReader
+  module VaultResolver
+    module Engines
+      # Abstract interface for Vault Backends
+      class Abstract
+        include Logging
+
+        attr_reader :config
+
+        def initialize(config)
+          @config = config
+        end
+
+        def retrieves?(_address)
+          raise NotImplementedError
+        end
+
+        def get(address)
+          return unless (vault_secret = get_secret_with_retries(address))
+
+          wrap_secret(address, vault_secret)
+        rescue Vault::VaultError => e
+          raise SettingsReader::VaultResolver::Error, e.message
+        end
+
+        def renew(entry)
+          return unless entry.leased?
+
+          new_secret = renew_lease_with_retries(entry)
+          entry.update_renewed(new_secret)
+          true
+        rescue Vault::VaultError => e
+          raise SettingsReader::VaultResolver::Error, e.message
+        end
+
+        protected
+
+        def get_secret_with_retries(address)
+          Vault.with_retries(Vault::HTTPConnectionError, attempts: config.retrieval_retries) do
+            get_secret(address)
+          end
+        end
+
+        def renew_lease_with_retries(address)
+          Vault.with_retries(Vault::HTTPConnectionError, attempts: config.lease_renew_retries) do
+            renew_lease(address)
+          end
+        end
+
+        def get_secret(address)
+          raise NotImplementedError
+        end
+
+        def renew_lease(entry)
+          raise NotImplementedError
+        end
+
+        def wrap_secret(address, secret)
+          SettingsReader::VaultResolver::Entry.new(address, secret)
+        end
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/engines/auth.rb

@@ -0,0 +1,36 @@
+module SettingsReader
+  module VaultResolver
+    module Engines
+      # Adapter to retrieve / renew auth tokens
+      class Auth < Abstract
+        MOUNT = 'auth'.freeze
+        K8S_AUTH = 'kubernetes/login'.freeze
+
+        def retrieves?(address)
+          address.mount == MOUNT
+        end
+
+        protected
+
+        def get_secret(address)
+          return k8s_auth(address) if address.path == K8S_AUTH
+
+          raise SettingsReader::VaultResolver::Error, "Unsupported auth backed for #{address}"
+        end
+
+        def renew_lease(_entry)
+          secret = Vault.client.auth_token.renew_self
+          secret&.auth
+        end
+
+        private
+
+        def k8s_auth(address)
+          options = { route: address.options['route'], service_token_path: address.options['service_token_path'] }
+          secret = Vault.auth.kubernetes(address.options['role'], **options)
+          secret&.auth
+        end
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/engines/database.rb

@@ -0,0 +1,29 @@
+module SettingsReader
+  module VaultResolver
+    module Engines
+      # Adapter to retrieve / renew secret from database engine
+      class Database < Abstract
+        MOUNT = 'database'.freeze
+
+        def retrieves?(address)
+          address.mount == MOUNT
+        end
+
+        private
+
+        def get_secret(address)
+          debug { "Fetching new database secret at: #{address}" }
+          Vault.logical.read(address.full_path)
+        rescue Vault::HTTPClientError => e
+          return nil if e.message.include?('* unknown role')
+
+          raise e
+        end
+
+        def renew_lease(entry)
+          Vault.sys.renew(entry.lease_id)
+        end
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/engines/kv2.rb

@@ -0,0 +1,25 @@
+module SettingsReader
+  module VaultResolver
+    module Engines
+      # Adapter to retrieve / renew secret from kv2 engine
+      class KV2 < Abstract
+        MOUNT = 'secret'.freeze
+
+        def retrieves?(address)
+          address.mount == MOUNT
+        end
+
+        def renew(_entry)
+          # KV secrets are static. Nothing to do
+        end
+
+        private
+
+        def get_secret(address)
+          debug { "Fetching new kv secret at: #{address}" }
+          Vault.kv(address.mount).read(address.path)
+        end
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/entry.rb

@@ -13,7 +13,7 @@ module SettingsReader
       end
 
       def leased?
-        @secret.lease_id && lease_duration.positive?
+        @secret.renewable?
       end
 
       def expired?
@@ -28,26 +28,26 @@ module SettingsReader
         @lease_started + lease_duration - Time.now
       end
 
-      def renew
-        return unless leased?
+      def lease_id
+        @secret.lease_id
+      end
 
-        @secret = Vault.sys.renew(@secret.lease_id)
+      def update_renewed(new_secret)
+        @secret = new_secret
         @lease_started = Time.now
-        true
-      rescue Vault::HTTPClientError => e
-        raise SettingsReader::VaultResolver::Error, e.message
       end
 
       def value_for(attribute)
-        secret.data[attribute.to_sym]
+        return secret.data[attribute.to_sym] if secret.respond_to?(:data) && secret.data.key?(attribute.to_sym)
+        return secret.public_send(attribute) if secret.respond_to?(attribute)
+
+        nil
       end
 
       def to_s
         address.to_s
       end
 
-      private
-
       def lease_duration
         @secret.lease_duration.to_i
       end

data/lib/settings_reader/vault_resolver/helpers/vault_authentication.rb

@@ -0,0 +1,23 @@
+require_relative '../patches/authenticate'
+
+module SettingsReader
+  module VaultResolver
+    module Helpers
+      # Helps with authentication using different schemes
+      class VaultAuthentication
+        FAKE_RESOLVER_PATH = 'vault/authentication'.freeze
+
+        def authenticate_via_k8s(role, route: nil, service_token_path: nil)
+          params = URI.encode_www_form({ role: role, route: route, service_token_path: service_token_path }.compact)
+          resolver.resolve("vault://auth/kubernetes/login?#{params}#client_token", FAKE_RESOLVER_PATH)
+        end
+
+        private
+
+        def resolver
+          @resolver = SettingsReader::VaultResolver.resolver
+        end
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/instance.rb

@@ -9,6 +9,13 @@ module SettingsReader
       IDENTIFIER = 'vault://'.freeze
       DATABASE_MOUNT = 'database'.freeze
 
+      attr_reader :config
+
+      def initialize(config)
+        @config = config
+        @engines = config.vault_engines
+      end
+
       def resolvable?(value, _path)
         return unless value.respond_to?(:start_with?)
 
@@ -23,37 +30,16 @@ module SettingsReader
         entry&.value_for(address.attribute)
       end
 
-      # Resolve KV secret
-      def kv_secret(address)
-        debug { "Fetching new kv secret at: #{address}" }
-        Vault.kv(address.mount).read(address.path)
-      rescue Vault::HTTPClientError => e
-        error { "Error retrieving secret at: #{address}: #{e.message}" }
-        raise SettingsReader::VaultResolver::Error, e.message
-      end
-
-      def database_secret(address)
-        debug { "Fetching new database secret at: #{address}" }
-        Vault.logical.read(address.full_path)
-      rescue Vault::HTTPClientError => e
-        error { "Error retrieving database secret: #{address}: #{e.message}" }
-        return nil if e.message.include?('* unknown role')
-
-        raise SettingsReader::VaultResolver::Error, e.message
-      end
-
       private
 
       def fetch_entry(address)
         cache.fetch(address) do
           info { "Retrieving new secret at: #{address}" }
-          if (secret = address.mount == DATABASE_MOUNT ? database_secret(address) : kv_secret(address))
-            debug { "Retrieved secret at: #{address}" }
-            SettingsReader::VaultResolver::Entry.new(address, secret)
-          else
-            debug { "Secret not retrieved: #{address}" }
-          end
+          config.vault_engine_for(address).get(address)
         end
+      rescue StandardError => e
+        error { "Error retrieving secret: #{address}: #{e.message}" }
+        raise e
       end
 
       def cache

data/lib/settings_reader/vault_resolver/logging.rb

@@ -3,37 +3,34 @@ module SettingsReader
     # Methods for centralized logging
     module Logging
       def debug(&block)
-        logger.debug do
-          "[VaultResolver] #{block.call}"
-        end
-        nil
+        log_message(Logger::DEBUG, &block)
       end
 
       def info(&block)
-        logger.info do
-          "[VaultResolver] #{block.call}"
-        end
-        nil
+        log_message(Logger::INFO, &block)
       end
 
       def warn(&block)
-        logger.warn do
-          "[VaultResolver] #{block.call}"
-        end
-        nil
+        log_message(Logger::WARN, &block)
       end
 
       def error(&block)
-        logger.error do
+        log_message(Logger::ERROR, &block)
+      end
+
+      private
+
+      def log_message(severity, &block)
+        logger&.log(severity) do
           "[VaultResolver] #{block.call}"
+        rescue StandardError => _e
+          # Ignoring errors in log message
         end
         nil
       end
 
-      private
-
       def logger
-        SettingsReader::VaultResolver.logger
+        config.logger
       end
     end
   end

data/lib/settings_reader/vault_resolver/patches/authenticate.rb

@@ -1,7 +1,7 @@
 module Vault
   # Monkey patch to support k8s authenticaiton. Taken from https://github.com/hashicorp/vault-ruby/pull/202
   class Authenticate < Request
-    def kubernetes(role, route = nil, service_token_path = nil)
+    def kubernetes(role, route: nil, service_token_path: nil)
       route ||= '/v1/auth/kubernetes/login'
       service_token_path ||= '/var/run/secrets/kubernetes.io/serviceaccount/token'
 

data/lib/settings_reader/vault_resolver/refresher.rb

@@ -1,3 +1,5 @@
+require 'concurrent/promise'
+
 module SettingsReader
   module VaultResolver
     # Vault Lease refresher task
@@ -7,35 +9,34 @@ module SettingsReader
       DEFAULT_RENEW_DELAY = 200
       REFRESH_INTERVAL = 60
 
-      def initialize(cache)
+      attr_reader :cache, :config
+
+      def initialize(cache, config)
         @cache = cache
+        @config = config
       end
 
       def refresh
-        info { 'Starting Vault lease refreshing' }
-        @cache.entries.each do |entry|
+        info { 'Performing Vault leases refresh' }
+        promises = cache.entries.map do |entry|
+          debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
           refresh_entry(entry)
-        end
-        info { 'Finished Vault lease refreshing' }
+        end.compact
+        promises.each(&:wait)
+        promises
       end
 
       def refresh_entry(entry)
-        debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
-        return unless entry.leased?
-        return unless entry.expires_in < DEFAULT_RENEW_DELAY
-
-        info { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
-        entry.renew
-        info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
-      rescue SettingsReader::VaultResolver::Error => e
-        error { "Error refreshing lease for #{entry}: #{e.message}" }
-        # Continue renewal.
-      end
+        return unless entry.expires_in < config.lease_renew_delay
 
-      def self.refresh_task(cache)
-        refresher = self
-        Concurrent::TimerTask.new(execution_interval: refresher::REFRESH_INTERVAL) do
-          refresher.new(cache).refresh
+        Concurrent::Promise.execute do
+          debug { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
+          config.vault_engine_for(entry.address).renew(entry)
+          info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
+          entry
+        rescue StandardError => e
+          error { "Error refreshing lease for #{entry}: #{e.message}" }
+          raise SettingsReader::VaultResolver::Error, e.message
         end
       end
     end

data/lib/settings_reader/vault_resolver/refresher_observer.rb

@@ -0,0 +1,30 @@
+module SettingsReader
+  module VaultResolver
+    # Check lease refresh result and report problems if needed
+    class RefresherObserver
+      attr_reader :config
+
+      def initialize(config)
+        @config = config
+      end
+
+      def update(_time, result, error)
+        if result
+          result.map do |promise|
+            promise.on_success(&method(:notify_success)).on_error(&method(:notify_error))
+          end.each(&:wait)
+        else
+          notify_error(error)
+        end
+      end
+
+      def notify_success(result)
+        config.lease_renew_success_listener.call(result)
+      end
+
+      def notify_error(result)
+        config.lease_renew_error_listener.call(result)
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/version.rb

@@ -1,5 +1,5 @@
 module SettingsReader
   module VaultResolver
-    VERSION = '0.2.4'.freeze
+    VERSION = '0.4.1'.freeze
   end
 end

data/lib/settings_reader/vault_resolver.rb

@@ -2,13 +2,19 @@ require 'logger'
 require 'concurrent/timer_task'
 
 require 'settings_reader'
-require 'settings_reader/vault_resolver/version'
-require 'settings_reader/vault_resolver/logging'
-require 'settings_reader/vault_resolver/address'
-require 'settings_reader/vault_resolver/entry'
-require 'settings_reader/vault_resolver/cache'
-require 'settings_reader/vault_resolver/refresher'
-require 'settings_reader/vault_resolver/instance'
+require_relative 'vault_resolver/version'
+require_relative 'vault_resolver/logging'
+require_relative 'vault_resolver/configuration'
+require_relative 'vault_resolver/address'
+require_relative 'vault_resolver/entry'
+require_relative 'vault_resolver/engines/abstract'
+require_relative 'vault_resolver/engines/auth'
+require_relative 'vault_resolver/engines/kv2'
+require_relative 'vault_resolver/engines/database'
+require_relative 'vault_resolver/cache'
+require_relative 'vault_resolver/refresher'
+require_relative 'vault_resolver/refresher_observer'
+require_relative 'vault_resolver/instance'
 
 module SettingsReader
   # Singleton for lease renewals and secrets cache
@@ -16,36 +22,23 @@ module SettingsReader
     class Error < StandardError; end
 
     class << self
-      attr_accessor :cache, :refresher_timer_task
+      attr_reader :configuration, :refresher_timer_task
     end
 
-    def self.logger
-      return @logger if @logger
-      return @logger = Rails.logger if (defined? Rails) && Rails.logger
-
-      @logger = Logger.new($stdout, level: Logger::INFO)
-    end
-
-    def self.logger=(logger)
-      @logger = logger
+    def self.configure(&block)
+      @configuration = SettingsReader::VaultResolver::Configuration.new
+      block&.call(@configuration)
+      @refresher_timer_task = @configuration.setup_lease_refresher(cache, refresher_timer_task)
     end
 
-    def self.setup_cache
-      logger.debug { '[VaultResolver] Setting up secrets cache' }
-      self.cache ||= SettingsReader::VaultResolver::Cache.new
-    end
-
-    def self.setup_lease_refresher
-      logger.debug { '[VaultResolver] Setting up lease resolver task' }
-      self.refresher_timer_task ||= SettingsReader::VaultResolver::Refresher.refresh_task(self.cache)
-      self.refresher_timer_task.execute
+    def self.cache
+      @cache ||= SettingsReader::VaultResolver::Cache.new
     end
 
     def self.resolver
-      SettingsReader::VaultResolver::Instance.new
-    end
+      raise Error, 'Gem not configured. Call configure before getting resolver' unless configuration
 
-    setup_cache
-    setup_lease_refresher
+      SettingsReader::VaultResolver::Instance.new(configuration)
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: settings_reader-vault_resolver
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.4.1
 platform: ruby
 authors:
 - Volodymyr Mykhailyk
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-28 00:00:00.000000000 Z
+date: 2022-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -77,16 +77,23 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- codecov.yml
 - docker-compose.yml
 - lib/settings_reader/vault_resolver.rb
 - lib/settings_reader/vault_resolver/address.rb
 - lib/settings_reader/vault_resolver/cache.rb
+- lib/settings_reader/vault_resolver/configuration.rb
+- lib/settings_reader/vault_resolver/engines/abstract.rb
+- lib/settings_reader/vault_resolver/engines/auth.rb
+- lib/settings_reader/vault_resolver/engines/database.rb
+- lib/settings_reader/vault_resolver/engines/kv2.rb
 - lib/settings_reader/vault_resolver/entry.rb
-- lib/settings_reader/vault_resolver/helpers/k8s_auth.rb
+- lib/settings_reader/vault_resolver/helpers/vault_authentication.rb
 - lib/settings_reader/vault_resolver/instance.rb
 - lib/settings_reader/vault_resolver/logging.rb
 - lib/settings_reader/vault_resolver/patches/authenticate.rb
 - lib/settings_reader/vault_resolver/refresher.rb
+- lib/settings_reader/vault_resolver/refresher_observer.rb
 - lib/settings_reader/vault_resolver/version.rb
 - settings_reader-vault_resolver.gemspec
 homepage: https://github.com/matic-insurance/settings_reader-vault_resolver

data/lib/settings_reader/vault_resolver/helpers/k8s_auth.rb

@@ -1,43 +0,0 @@
-require_relative '../patches/authenticate'
-
-module SettingsReader
-  module VaultResolver
-    module Helpers
-      # Helps with Vault authentication using kubernetes login
-      class K8sAuth
-        def call(role)
-          secret = Vault.auth.kubernetes(role)
-
-          cache_token_for_renewal(secret)
-          secret
-        end
-
-        private
-
-        def cache_token_for_renewal(secret)
-          address = SettingsReader::VaultResolver::Address.new('vault://v1/auth/token/lookup-self')
-          entry = SettingsReader::VaultResolver::AuthEntry.new(address, secret)
-          SettingsReader::VaultResolver.cache.save(entry)
-          entry
-        end
-      end
-    end
-
-    # Helps with auth token lease renewal
-    class AuthEntry < SettingsReader::VaultResolver::Entry
-      def leased?
-        true
-      end
-
-      def lease_duration
-        @secret.auth.lease_duration
-      end
-
-      def renew
-        Vault.client.auth_token.renew_self
-        @lease_started = Time.now
-        true
-      end
-    end
-  end
-end