settings_reader-vault_resolver 0.4.10 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/main.yml +38 -24
- data/Gemfile.lock +2 -2
- data/docker-compose.yml +22 -1
- data/lib/settings_reader/vault_resolver/cache.rb +2 -2
- data/lib/settings_reader/vault_resolver/configuration.rb +1 -0
- data/lib/settings_reader/vault_resolver/engines/abstract.rb +1 -1
- data/lib/settings_reader/vault_resolver/engines/aws.rb +29 -0
- data/lib/settings_reader/vault_resolver/entry.rb +5 -1
- data/lib/settings_reader/vault_resolver/refresher.rb +1 -1
- data/lib/settings_reader/vault_resolver/version.rb +1 -1
- data/lib/settings_reader/vault_resolver.rb +1 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f3e683be3539c3e3fd46bf0de60c78f11c7aeda4bbc321246298ec19b068fa84
|
|
4
|
+
data.tar.gz: 80a0bae40ee7bef3f22ac77761685fa89a53eeb21311295590dea2378c2b0a9b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c957e71f2730a18abe2b8a21e10d4fd93f1f0efcf779d7ca1f4cca791363a5bc5a2daeee83510b9a03b71045c7b8700957ce571ca5462355976e2fd203bd71a
|
|
7
|
+
data.tar.gz: ce4d399a56ec38e4bf39f87ecb759a0f5a77b7269f84de42a8d32b0ef477e25b38522513c03bcd92f60a47eeb43867a69af797a751f1e108ab071fb0f0a6cebf
|
data/.github/workflows/main.yml
CHANGED
|
@@ -18,28 +18,39 @@ jobs:
|
|
|
18
18
|
runs-on: ubuntu-latest
|
|
19
19
|
strategy:
|
|
20
20
|
matrix:
|
|
21
|
-
ruby: [ '2.
|
|
22
|
-
services:
|
|
23
|
-
vault:
|
|
24
|
-
image: hashicorp/vault
|
|
25
|
-
ports:
|
|
26
|
-
- "8200:8200"
|
|
27
|
-
env:
|
|
28
|
-
VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
|
|
29
|
-
SKIP_SETCAP: true
|
|
30
|
-
database:
|
|
31
|
-
image: postgres:14.1-alpine
|
|
32
|
-
ports:
|
|
33
|
-
- "5432:5432"
|
|
34
|
-
env:
|
|
35
|
-
POSTGRES_USER: 'vault_root'
|
|
36
|
-
POSTGRES_PASSWORD: 'root_password'
|
|
37
|
-
POSTGRES_DB: 'app_db'
|
|
38
|
-
options: >-
|
|
39
|
-
--health-cmd pg_isready
|
|
40
|
-
--health-interval 10s
|
|
41
|
-
--health-timeout 5s
|
|
42
|
-
--health-retries 5
|
|
21
|
+
ruby: [ '2.7', '3.0', '3.3' ]
|
|
22
|
+
# services:
|
|
23
|
+
# vault:
|
|
24
|
+
# image: hashicorp/vault
|
|
25
|
+
# ports:
|
|
26
|
+
# - "8200:8200"
|
|
27
|
+
# env:
|
|
28
|
+
# VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
|
|
29
|
+
# SKIP_SETCAP: true
|
|
30
|
+
# database:
|
|
31
|
+
# image: postgres:14.1-alpine
|
|
32
|
+
# ports:
|
|
33
|
+
# - "5432:5432"
|
|
34
|
+
# env:
|
|
35
|
+
# POSTGRES_USER: 'vault_root'
|
|
36
|
+
# POSTGRES_PASSWORD: 'root_password'
|
|
37
|
+
# POSTGRES_DB: 'app_db'
|
|
38
|
+
# options: >-
|
|
39
|
+
# --health-cmd pg_isready
|
|
40
|
+
# --health-interval 10s
|
|
41
|
+
# --health-timeout 5s
|
|
42
|
+
# --health-retries 5
|
|
43
|
+
# aws:
|
|
44
|
+
# image: localstack/localstack
|
|
45
|
+
# ports:
|
|
46
|
+
# - "127.0.0.1:4566:4566" # LocalStack Gateway
|
|
47
|
+
# - "127.0.0.1:4510-4559:4510-4559" # external services port range
|
|
48
|
+
# env:
|
|
49
|
+
# DEBUG: 0
|
|
50
|
+
# volumes:
|
|
51
|
+
# - '/home/runner/work/settings_reader-vault_resolver/local/localstack/app-access-policy.json:/etc/localstack/init/ready.d/app-access-policy.json'
|
|
52
|
+
# - '/home/runner/work/settings_reader-vault_resolver/local/localstack/app-assume-policy.json:/etc/localstack/init/ready.d/app-assume-policy.json'
|
|
53
|
+
# - '/home/runner/work/settings_reader-vault_resolver/local/localstack/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh'
|
|
43
54
|
steps:
|
|
44
55
|
- name: Checkout
|
|
45
56
|
uses: actions/checkout@v1
|
|
@@ -50,8 +61,11 @@ jobs:
|
|
|
50
61
|
ruby-version: ${{ matrix.ruby }}
|
|
51
62
|
bundler-cache: true
|
|
52
63
|
|
|
53
|
-
- name:
|
|
54
|
-
run:
|
|
64
|
+
- name: Start Dependencies
|
|
65
|
+
run: |
|
|
66
|
+
docker-compose up -d
|
|
67
|
+
echo "Waiting 15 seconds for initial configuraiton"
|
|
68
|
+
sleep 15
|
|
55
69
|
|
|
56
70
|
- name: Run specs
|
|
57
71
|
env:
|
data/Gemfile.lock
CHANGED
|
@@ -58,7 +58,7 @@ GEM
|
|
|
58
58
|
simplecov-html (~> 0.11)
|
|
59
59
|
simplecov_json_formatter (~> 0.1)
|
|
60
60
|
simplecov-html (0.12.3)
|
|
61
|
-
simplecov_json_formatter (0.1.
|
|
61
|
+
simplecov_json_formatter (0.1.4)
|
|
62
62
|
timecop (0.9.4)
|
|
63
63
|
unicode-display_width (2.1.0)
|
|
64
64
|
vault (0.16.0)
|
|
@@ -78,4 +78,4 @@ DEPENDENCIES
|
|
|
78
78
|
timecop
|
|
79
79
|
|
|
80
80
|
BUNDLED WITH
|
|
81
|
-
2.
|
|
81
|
+
2.2.32
|
data/docker-compose.yml
CHANGED
|
@@ -2,12 +2,20 @@
|
|
|
2
2
|
version: '3'
|
|
3
3
|
services:
|
|
4
4
|
vault:
|
|
5
|
-
image: vault
|
|
5
|
+
image: hashicorp/vault
|
|
6
6
|
ports:
|
|
7
7
|
- "8200:8200"
|
|
8
8
|
environment:
|
|
9
9
|
VAULT_DEV_ROOT_TOKEN_ID: 'vault_root_token'
|
|
10
10
|
SKIP_SETCAP: 'true'
|
|
11
|
+
# playground:
|
|
12
|
+
# image: hashicorp/vault
|
|
13
|
+
# command:
|
|
14
|
+
# - sleep
|
|
15
|
+
# - '10000000000'
|
|
16
|
+
# environment:
|
|
17
|
+
# VAULT_ADDR: 'http://aws:8200'
|
|
18
|
+
# VAULT_TOKEN: 'vault_root_token'
|
|
11
19
|
db:
|
|
12
20
|
image: postgres:14.1-alpine
|
|
13
21
|
ports:
|
|
@@ -16,11 +24,24 @@ services:
|
|
|
16
24
|
POSTGRES_USER: 'vault_root'
|
|
17
25
|
POSTGRES_PASSWORD: 'root_password'
|
|
18
26
|
POSTGRES_DB: 'app_db'
|
|
27
|
+
aws:
|
|
28
|
+
image: localstack/localstack
|
|
29
|
+
ports:
|
|
30
|
+
- "127.0.0.1:4566:4566" # LocalStack Gateway
|
|
31
|
+
- "127.0.0.1:4510-4559:4510-4559" # external services port range
|
|
32
|
+
environment:
|
|
33
|
+
# LocalStack configuration: https://docs.localstack.cloud/references/configuration/
|
|
34
|
+
- DEBUG=${DEBUG:-0}
|
|
35
|
+
volumes:
|
|
36
|
+
- './local/localstack/app-access-policy.json:/etc/localstack/init/ready.d/app-access-policy.json'
|
|
37
|
+
- './local/localstack/app-assume-policy.json:/etc/localstack/init/ready.d/app-assume-policy.json'
|
|
38
|
+
- './local/localstack/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh'
|
|
19
39
|
init:
|
|
20
40
|
image: curlimages/curl
|
|
21
41
|
depends_on:
|
|
22
42
|
- vault
|
|
23
43
|
- db
|
|
44
|
+
- aws
|
|
24
45
|
volumes:
|
|
25
46
|
- './local/vault/setup.sh:/etc/vault/setup.sh'
|
|
26
47
|
environment:
|
|
@@ -23,8 +23,8 @@ module SettingsReader
|
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
def fetch(address, &block)
|
|
26
|
-
if !address.no_cache? && (
|
|
27
|
-
|
|
26
|
+
if !address.no_cache? && (existing_entry = retrieve(address))
|
|
27
|
+
existing_entry
|
|
28
28
|
else
|
|
29
29
|
new_entry = block.call(address)
|
|
30
30
|
save(new_entry) if new_entry
|
|
@@ -70,6 +70,7 @@ module SettingsReader
|
|
|
70
70
|
@vault_engines ||= [
|
|
71
71
|
SettingsReader::VaultResolver::Engines::KV2.new(self),
|
|
72
72
|
SettingsReader::VaultResolver::Engines::Database.new(self),
|
|
73
|
+
SettingsReader::VaultResolver::Engines::Aws.new(self),
|
|
73
74
|
SettingsReader::VaultResolver::Engines::Auth.new(self)
|
|
74
75
|
]
|
|
75
76
|
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module SettingsReader
|
|
2
|
+
module VaultResolver
|
|
3
|
+
module Engines
|
|
4
|
+
# Adapter to retrieve / renew secret from database engine
|
|
5
|
+
class Aws < Abstract
|
|
6
|
+
MOUNT = 'aws'.freeze
|
|
7
|
+
|
|
8
|
+
def retrieves?(address)
|
|
9
|
+
address.mount == MOUNT
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
|
|
14
|
+
def get_secret(address)
|
|
15
|
+
debug { "Fetching new aws secret at: #{address}" }
|
|
16
|
+
Vault.logical.read(address.full_path)
|
|
17
|
+
rescue Vault::HTTPClientError => e
|
|
18
|
+
return nil if e.message.match?('Role ".*" not found')
|
|
19
|
+
|
|
20
|
+
raise e
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def renew_lease(entry)
|
|
24
|
+
Vault.sys.renew(entry.lease_id)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -13,10 +13,14 @@ module SettingsReader
|
|
|
13
13
|
@lease_started = Time.now
|
|
14
14
|
end
|
|
15
15
|
|
|
16
|
-
def
|
|
16
|
+
def renewable?
|
|
17
17
|
@secret.renewable?
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
+
def leased?
|
|
21
|
+
renewable? || @secret.lease_duration&.positive?
|
|
22
|
+
end
|
|
23
|
+
|
|
20
24
|
def expired?
|
|
21
25
|
return false unless leased?
|
|
22
26
|
|
|
@@ -19,7 +19,7 @@ module SettingsReader
|
|
|
19
19
|
def refresh
|
|
20
20
|
info { 'Performing Vault leases refresh' }
|
|
21
21
|
promises = cache.active_entries.map do |entry|
|
|
22
|
-
debug { "Checking lease for #{entry}.
|
|
22
|
+
debug { "Checking lease for #{entry}. Renewable?: #{entry.renewable?}. Expires in: #{entry.expires_in}s" }
|
|
23
23
|
refresh_entry(entry)
|
|
24
24
|
end.compact
|
|
25
25
|
promises.each(&:wait)
|
|
@@ -11,6 +11,7 @@ require_relative 'vault_resolver/engines/abstract'
|
|
|
11
11
|
require_relative 'vault_resolver/engines/auth'
|
|
12
12
|
require_relative 'vault_resolver/engines/kv2'
|
|
13
13
|
require_relative 'vault_resolver/engines/database'
|
|
14
|
+
require_relative 'vault_resolver/engines/aws'
|
|
14
15
|
require_relative 'vault_resolver/cache'
|
|
15
16
|
require_relative 'vault_resolver/refresher'
|
|
16
17
|
require_relative 'vault_resolver/refresher_observer'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: settings_reader-vault_resolver
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Volodymyr Mykhailyk
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-01-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: concurrent-ruby
|
|
@@ -85,6 +85,7 @@ files:
|
|
|
85
85
|
- lib/settings_reader/vault_resolver/configuration.rb
|
|
86
86
|
- lib/settings_reader/vault_resolver/engines/abstract.rb
|
|
87
87
|
- lib/settings_reader/vault_resolver/engines/auth.rb
|
|
88
|
+
- lib/settings_reader/vault_resolver/engines/aws.rb
|
|
88
89
|
- lib/settings_reader/vault_resolver/engines/database.rb
|
|
89
90
|
- lib/settings_reader/vault_resolver/engines/kv2.rb
|
|
90
91
|
- lib/settings_reader/vault_resolver/entry.rb
|