settings_reader-vault_resolver 0.4.2 → 0.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.circleci/config.yml +114 -0
- data/.github/workflows/linters.yml +0 -13
- data/.github/workflows/main.yml +0 -58
- data/README.md +2 -1
- data/docker-compose.yml +2 -2
- data/lib/settings_reader/vault_resolver/address.rb +4 -0
- data/lib/settings_reader/vault_resolver/cache.rb +1 -1
- data/lib/settings_reader/vault_resolver/configuration.rb +7 -2
- data/lib/settings_reader/vault_resolver/engines/abstract.rb +26 -4
- data/lib/settings_reader/vault_resolver/engines/auth.rb +10 -0
- data/lib/settings_reader/vault_resolver/helpers/vault_authentication.rb +3 -2
- data/lib/settings_reader/vault_resolver/version.rb +1 -1
- data/lib/settings_reader/vault_resolver.rb +1 -0
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5135f50633e103f09f6f30bf956295fc9290a6b75dfd7864e0296ecc9f467f35
|
|
4
|
+
data.tar.gz: d80b42374412c4053538af7e2ba9a984f0f53219fed76aa440a1a35494167b33
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 57f47f6d9d9cbea621fa523560129021ceb70c5c9b4175f34f367387bfc76992cae6f5761fb11d36a04bf3111ff156b2ea7c4d7c69703b0256be14e51c973849
|
|
7
|
+
data.tar.gz: 9789a9fe5ac8bfebb040eae0998d977806daaed20b05a35655d77cf8615aeab6f1023e933ff59c71dd3ce79061f8675f09e8da97d079c02b1b1d95377905e536
|
|
@@ -0,0 +1,114 @@
|
|
|
1
|
+
|
|
2
|
+
version: 2.1
|
|
3
|
+
|
|
4
|
+
orbs:
|
|
5
|
+
ci: matic/orb-common@0.2
|
|
6
|
+
ruby: circleci/ruby@1.8.0
|
|
7
|
+
|
|
8
|
+
jobs:
|
|
9
|
+
|
|
10
|
+
rspec-test:
|
|
11
|
+
resource_class: small
|
|
12
|
+
parameters:
|
|
13
|
+
ruby-version:
|
|
14
|
+
type: string
|
|
15
|
+
docker:
|
|
16
|
+
- image: cimg/ruby:<< parameters.ruby-version >>
|
|
17
|
+
environment:
|
|
18
|
+
COVERAGE: true
|
|
19
|
+
CODECOV_TOKEN: a0c859b6-dfb7-4d9f-9933-2dd945cdd960
|
|
20
|
+
VAULT_ADDR: 'http://127.0.0.1:8200'
|
|
21
|
+
VAULT_TOKEN: 'vault_root_token'
|
|
22
|
+
- image: vault
|
|
23
|
+
environment:
|
|
24
|
+
VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
|
|
25
|
+
SKIP_SETCAP: true
|
|
26
|
+
- image: postgres:14.1-alpine
|
|
27
|
+
environment:
|
|
28
|
+
POSTGRES_DB: 'app_db'
|
|
29
|
+
POSTGRES_USER: 'vault_root'
|
|
30
|
+
POSTGRES_PASSWORD: 'root_password'
|
|
31
|
+
steps:
|
|
32
|
+
- checkout
|
|
33
|
+
- ruby/install-deps
|
|
34
|
+
- run:
|
|
35
|
+
name: Set up vault
|
|
36
|
+
command: sh local/vault/setup.sh
|
|
37
|
+
- run:
|
|
38
|
+
name: Run RSpec Tests
|
|
39
|
+
command: bundle exec rspec
|
|
40
|
+
- store_test_results:
|
|
41
|
+
path: reports/rspec
|
|
42
|
+
- store_artifacts:
|
|
43
|
+
path: reports/rspec
|
|
44
|
+
- ci/slack-stage-message
|
|
45
|
+
|
|
46
|
+
rubocop:
|
|
47
|
+
resource_class: small
|
|
48
|
+
docker:
|
|
49
|
+
- image: cimg/ruby:2.5
|
|
50
|
+
steps:
|
|
51
|
+
- checkout
|
|
52
|
+
- ruby/install-deps
|
|
53
|
+
- run:
|
|
54
|
+
name: Run rubocop
|
|
55
|
+
command: bundle exec rubocop --parallel
|
|
56
|
+
|
|
57
|
+
release:
|
|
58
|
+
parameters:
|
|
59
|
+
tag:
|
|
60
|
+
type: string
|
|
61
|
+
default: "default-tag"
|
|
62
|
+
docker:
|
|
63
|
+
- image: cimg/ruby:2.7.5
|
|
64
|
+
environment:
|
|
65
|
+
RELEASE_TAG: << parameters.tag >>
|
|
66
|
+
steps:
|
|
67
|
+
- checkout
|
|
68
|
+
- ruby/install-deps
|
|
69
|
+
- run:
|
|
70
|
+
name: Set up credentials
|
|
71
|
+
command: |
|
|
72
|
+
mkdir -p $HOME/.gem
|
|
73
|
+
touch $HOME/.gem/credentials
|
|
74
|
+
chmod 0600 $HOME/.gem/credentials
|
|
75
|
+
printf -- "---\n:rubygems_api_key: $RUBYGEMS_API_KEY\n" > $HOME/.gem/credentials
|
|
76
|
+
- run:
|
|
77
|
+
name: Set version
|
|
78
|
+
command: sed -i "s/[[:digit:]].[[:digit:]].[[:digit:]]/${RELEASE_TAG}/g" $(find . -name "version.rb")
|
|
79
|
+
- run:
|
|
80
|
+
name: Build gem
|
|
81
|
+
command: gem build *.gemspec
|
|
82
|
+
- run:
|
|
83
|
+
name: Push gem
|
|
84
|
+
command: gem push *.gem
|
|
85
|
+
|
|
86
|
+
workflows:
|
|
87
|
+
|
|
88
|
+
settings_reader-vault_resolver.build-pull-request:
|
|
89
|
+
when:
|
|
90
|
+
not:
|
|
91
|
+
equal: [ main, << pipeline.git.branch >> ]
|
|
92
|
+
jobs:
|
|
93
|
+
|
|
94
|
+
- rspec-test:
|
|
95
|
+
context: global
|
|
96
|
+
matrix:
|
|
97
|
+
parameters:
|
|
98
|
+
ruby-version: [ '2.5', '2.6', '2.7', '3.0' ]
|
|
99
|
+
|
|
100
|
+
- rubocop:
|
|
101
|
+
name: Rubocop
|
|
102
|
+
context: global
|
|
103
|
+
|
|
104
|
+
settings_reader-vault_resolver.release:
|
|
105
|
+
jobs:
|
|
106
|
+
|
|
107
|
+
- release:
|
|
108
|
+
tag: << pipeline.git.tag >>
|
|
109
|
+
context: gem-publishing
|
|
110
|
+
filters:
|
|
111
|
+
branches:
|
|
112
|
+
ignore: /.*/
|
|
113
|
+
tags:
|
|
114
|
+
only: /\d\.\d\.\d/ # It should be [digin dot digit dot digit] format
|
|
@@ -9,19 +9,6 @@ on:
|
|
|
9
9
|
- cron: '30 0 * * 1'
|
|
10
10
|
|
|
11
11
|
jobs:
|
|
12
|
-
rubocop:
|
|
13
|
-
runs-on: ubuntu-latest
|
|
14
|
-
|
|
15
|
-
steps:
|
|
16
|
-
- name: Checkout
|
|
17
|
-
uses: actions/checkout@v2
|
|
18
|
-
- name: Set up Ruby
|
|
19
|
-
uses: ruby/setup-ruby@v1
|
|
20
|
-
with:
|
|
21
|
-
ruby-version: 2.5
|
|
22
|
-
bundler-cache: true
|
|
23
|
-
- name: Run rubocop
|
|
24
|
-
run: bundle exec rubocop --parallel
|
|
25
12
|
|
|
26
13
|
code-ql:
|
|
27
14
|
name: Analyze
|
data/.github/workflows/main.yml
CHANGED
|
@@ -10,64 +10,6 @@ on:
|
|
|
10
10
|
types: [published]
|
|
11
11
|
|
|
12
12
|
jobs:
|
|
13
|
-
build:
|
|
14
|
-
env:
|
|
15
|
-
COVERAGE: true
|
|
16
|
-
CODECOV_TOKEN: a0c859b6-dfb7-4d9f-9933-2dd945cdd960
|
|
17
|
-
VAULT_ADDR: 'http://127.0.0.1:8200'
|
|
18
|
-
VAULT_TOKEN: 'vault_root_token'
|
|
19
|
-
|
|
20
|
-
runs-on: ubuntu-latest
|
|
21
|
-
strategy:
|
|
22
|
-
matrix:
|
|
23
|
-
ruby: [ '2.5.x', '2.6.x', '2.7.x', '3.0.x' ]
|
|
24
|
-
services:
|
|
25
|
-
vault:
|
|
26
|
-
image: vault
|
|
27
|
-
ports:
|
|
28
|
-
- "8200:8200"
|
|
29
|
-
env:
|
|
30
|
-
VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
|
|
31
|
-
SKIP_SETCAP: true
|
|
32
|
-
db:
|
|
33
|
-
image: postgres:14.1-alpine
|
|
34
|
-
ports:
|
|
35
|
-
- "5432:5432"
|
|
36
|
-
env:
|
|
37
|
-
POSTGRES_USER: 'vault_root'
|
|
38
|
-
POSTGRES_PASSWORD: 'root_password'
|
|
39
|
-
POSTGRES_DB: 'app_db'
|
|
40
|
-
|
|
41
|
-
steps:
|
|
42
|
-
- name: Checkout
|
|
43
|
-
uses: actions/checkout@v1
|
|
44
|
-
- name: Cache dependencies
|
|
45
|
-
uses: actions/cache@v1
|
|
46
|
-
with:
|
|
47
|
-
path: vendor/bundle
|
|
48
|
-
key: ${{ runner.OS }}-ruby-${{ matrix.ruby }}
|
|
49
|
-
restore-keys: ${{ runner.OS }}-
|
|
50
|
-
|
|
51
|
-
- name: Set up Ruby
|
|
52
|
-
uses: actions/setup-ruby@v1
|
|
53
|
-
with:
|
|
54
|
-
ruby-version: ${{ matrix.ruby }}
|
|
55
|
-
- name: Set up Bundler
|
|
56
|
-
run: gem install bundler:2.1.4
|
|
57
|
-
- name: Set up Dependencies
|
|
58
|
-
run: bundle install --path vendor/bundle
|
|
59
|
-
- name: Set up Vault
|
|
60
|
-
run: sh local/vault/setup.sh
|
|
61
|
-
|
|
62
|
-
- name: Run specs
|
|
63
|
-
env:
|
|
64
|
-
COVERAGE: true
|
|
65
|
-
run: bundle exec rspec
|
|
66
|
-
|
|
67
|
-
- name: Upload coverage
|
|
68
|
-
env:
|
|
69
|
-
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
|
|
70
|
-
run: bash <(curl -s https://codecov.io/bash)
|
|
71
13
|
|
|
72
14
|
release:
|
|
73
15
|
runs-on: ubuntu-latest
|
data/README.md
CHANGED
|
@@ -33,7 +33,8 @@ AppSettings = SettingsReader.load do |config|
|
|
|
33
33
|
# Configure vault resolver
|
|
34
34
|
SettingsReader::VaultResolver.configure do |vault_resolver_config|
|
|
35
35
|
vault_resolver_config.logger = Rails.logger
|
|
36
|
-
|
|
36
|
+
vault_resolver_config.vault_initializer = -> { authenticate_vault }
|
|
37
|
+
# ... other VaultResolver configurations
|
|
37
38
|
end
|
|
38
39
|
|
|
39
40
|
# Add vault resolver as one of resolvers
|
data/docker-compose.yml
CHANGED
|
@@ -7,7 +7,7 @@ services:
|
|
|
7
7
|
- "8200:8200"
|
|
8
8
|
environment:
|
|
9
9
|
VAULT_DEV_ROOT_TOKEN_ID: 'vault_root_token'
|
|
10
|
-
SKIP_SETCAP: true
|
|
10
|
+
SKIP_SETCAP: 'true'
|
|
11
11
|
db:
|
|
12
12
|
image: postgres:14.1-alpine
|
|
13
13
|
ports:
|
|
@@ -26,5 +26,5 @@ services:
|
|
|
26
26
|
environment:
|
|
27
27
|
VAULT_ADDR: 'http://vault:8200'
|
|
28
28
|
VAULT_TOKEN: 'vault_root_token'
|
|
29
|
-
SKIP_SETCAP: true
|
|
29
|
+
SKIP_SETCAP: 'true'
|
|
30
30
|
command: sh /etc/vault/setup.sh
|
|
@@ -30,14 +30,19 @@ module SettingsReader
|
|
|
30
30
|
# Default: empty proc
|
|
31
31
|
attr_accessor :lease_renew_error_listener
|
|
32
32
|
|
|
33
|
+
# Block to be executed for initialization and authorization
|
|
34
|
+
# Default: empty proc
|
|
35
|
+
attr_accessor :vault_initializer
|
|
36
|
+
|
|
33
37
|
def initialize
|
|
34
38
|
@logger = Logger.new($stdout, level: Logger::ERROR)
|
|
35
39
|
@retrieval_retries = 2
|
|
36
40
|
@lease_refresh_interval = 60
|
|
37
41
|
@lease_renew_delay = 300
|
|
38
42
|
@lease_renew_retries = 4
|
|
39
|
-
@lease_renew_error_listener =
|
|
40
|
-
@lease_renew_success_listener =
|
|
43
|
+
@lease_renew_error_listener = -> {}
|
|
44
|
+
@lease_renew_success_listener = -> {}
|
|
45
|
+
@vault_initializer = -> {}
|
|
41
46
|
end
|
|
42
47
|
|
|
43
48
|
def setup_lease_refresher(cache, previous_task = nil)
|
|
@@ -16,7 +16,7 @@ module SettingsReader
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def get(address)
|
|
19
|
-
return unless (vault_secret =
|
|
19
|
+
return unless (vault_secret = get_and_retry_auth(address))
|
|
20
20
|
|
|
21
21
|
wrap_secret(address, vault_secret)
|
|
22
22
|
rescue Vault::VaultError => e
|
|
@@ -26,7 +26,7 @@ module SettingsReader
|
|
|
26
26
|
def renew(entry)
|
|
27
27
|
return unless entry.leased?
|
|
28
28
|
|
|
29
|
-
new_secret =
|
|
29
|
+
new_secret = renew_and_retry_auth(entry)
|
|
30
30
|
entry.update_renewed(new_secret)
|
|
31
31
|
true
|
|
32
32
|
rescue Vault::VaultError => e
|
|
@@ -35,13 +35,31 @@ module SettingsReader
|
|
|
35
35
|
|
|
36
36
|
protected
|
|
37
37
|
|
|
38
|
-
def
|
|
38
|
+
def get_and_retry_auth(address)
|
|
39
|
+
get_and_retry_connection(address)
|
|
40
|
+
rescue Vault::HTTPError => e # if not authenticated, let's reauthenticate and try once more
|
|
41
|
+
raise unless auth_error?(e)
|
|
42
|
+
|
|
43
|
+
config.vault_initializer.call
|
|
44
|
+
get_and_retry_connection(address)
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def get_and_retry_connection(address)
|
|
39
48
|
Vault.with_retries(Vault::HTTPConnectionError, attempts: config.retrieval_retries) do
|
|
40
49
|
get_secret(address)
|
|
41
50
|
end
|
|
42
51
|
end
|
|
43
52
|
|
|
44
|
-
def
|
|
53
|
+
def renew_and_retry_auth(address)
|
|
54
|
+
renew_and_retry_connection(address)
|
|
55
|
+
rescue Vault::HTTPError => e # if not authenticated, let's reauthenticate and try once more
|
|
56
|
+
raise unless auth_error?(e)
|
|
57
|
+
|
|
58
|
+
config.vault_initializer.call
|
|
59
|
+
renew_and_retry_connection(address)
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def renew_and_retry_connection(address)
|
|
45
63
|
Vault.with_retries(Vault::HTTPConnectionError, attempts: config.lease_renew_retries) do
|
|
46
64
|
renew_lease(address)
|
|
47
65
|
end
|
|
@@ -58,6 +76,10 @@ module SettingsReader
|
|
|
58
76
|
def wrap_secret(address, secret)
|
|
59
77
|
SettingsReader::VaultResolver::Entry.new(address, secret)
|
|
60
78
|
end
|
|
79
|
+
|
|
80
|
+
def auth_error?(error)
|
|
81
|
+
error.code == 403 || error.message =~ /token mac for token_version.*is incorrect/
|
|
82
|
+
end
|
|
61
83
|
end
|
|
62
84
|
end
|
|
63
85
|
end
|
|
@@ -12,6 +12,16 @@ module SettingsReader
|
|
|
12
12
|
|
|
13
13
|
protected
|
|
14
14
|
|
|
15
|
+
# Auth backend should not retry auth errors as it causing infinite recursion
|
|
16
|
+
def get_and_retry_auth(address)
|
|
17
|
+
get_and_retry_connection(address)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
# Auth backend should not retry auth errors as it causing infinite recursion
|
|
21
|
+
def renew_and_retry_auth(address)
|
|
22
|
+
renew_and_retry_connection(address)
|
|
23
|
+
end
|
|
24
|
+
|
|
15
25
|
def get_secret(address)
|
|
16
26
|
return k8s_auth(address) if address.path == K8S_AUTH
|
|
17
27
|
|
|
@@ -8,8 +8,9 @@ module SettingsReader
|
|
|
8
8
|
FAKE_RESOLVER_PATH = 'vault/authentication'.freeze
|
|
9
9
|
|
|
10
10
|
def authenticate_via_k8s(role, route: nil, service_token_path: nil)
|
|
11
|
-
params =
|
|
12
|
-
|
|
11
|
+
params = { role: role, route: route, service_token_path: service_token_path, no_cache: true }
|
|
12
|
+
url_params = URI.encode_www_form(params.compact)
|
|
13
|
+
resolver.resolve("vault://auth/kubernetes/login?#{url_params}#client_token", FAKE_RESOLVER_PATH)
|
|
13
14
|
end
|
|
14
15
|
|
|
15
16
|
private
|
|
@@ -28,6 +28,7 @@ module SettingsReader
|
|
|
28
28
|
def self.configure(&block)
|
|
29
29
|
@configuration = SettingsReader::VaultResolver::Configuration.new
|
|
30
30
|
block&.call(@configuration)
|
|
31
|
+
@configuration.vault_initializer.call
|
|
31
32
|
@refresher_timer_task = @configuration.setup_lease_refresher(cache, refresher_timer_task)
|
|
32
33
|
end
|
|
33
34
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: settings_reader-vault_resolver
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Volodymyr Mykhailyk
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-09-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: concurrent-ruby
|
|
@@ -62,6 +62,7 @@ executables: []
|
|
|
62
62
|
extensions: []
|
|
63
63
|
extra_rdoc_files: []
|
|
64
64
|
files:
|
|
65
|
+
- ".circleci/config.yml"
|
|
65
66
|
- ".github/workflows/linters.yml"
|
|
66
67
|
- ".github/workflows/main.yml"
|
|
67
68
|
- ".gitignore"
|
|
@@ -118,7 +119,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
118
119
|
- !ruby/object:Gem::Version
|
|
119
120
|
version: '0'
|
|
120
121
|
requirements: []
|
|
121
|
-
rubygems_version: 3.
|
|
122
|
+
rubygems_version: 3.2.32
|
|
122
123
|
signing_key:
|
|
123
124
|
specification_version: 4
|
|
124
125
|
summary: Settings Reader plugin to resolve values using in Hashicorp Vault
|