settings_reader-vault_resolver 0.4.10 → 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/main.yml +38 -24
- data/Gemfile.lock +2 -2
- data/docker-compose.yml +22 -1
- data/lib/settings_reader/vault_resolver/cache.rb +2 -2
- data/lib/settings_reader/vault_resolver/configuration.rb +1 -0
- data/lib/settings_reader/vault_resolver/engines/abstract.rb +1 -1
- data/lib/settings_reader/vault_resolver/engines/aws.rb +29 -0
- data/lib/settings_reader/vault_resolver/entry.rb +5 -1
- data/lib/settings_reader/vault_resolver/refresher.rb +1 -1
- data/lib/settings_reader/vault_resolver/version.rb +1 -1
- data/lib/settings_reader/vault_resolver.rb +1 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f3e683be3539c3e3fd46bf0de60c78f11c7aeda4bbc321246298ec19b068fa84
|
|
4
|
+
data.tar.gz: 80a0bae40ee7bef3f22ac77761685fa89a53eeb21311295590dea2378c2b0a9b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c957e71f2730a18abe2b8a21e10d4fd93f1f0efcf779d7ca1f4cca791363a5bc5a2daeee83510b9a03b71045c7b8700957ce571ca5462355976e2fd203bd71a
|
|
7
|
+
data.tar.gz: ce4d399a56ec38e4bf39f87ecb759a0f5a77b7269f84de42a8d32b0ef477e25b38522513c03bcd92f60a47eeb43867a69af797a751f1e108ab071fb0f0a6cebf
|
data/.github/workflows/main.yml
CHANGED
|
@@ -18,28 +18,39 @@ jobs:
|
|
|
18
18
|
runs-on: ubuntu-latest
|
|
19
19
|
strategy:
|
|
20
20
|
matrix:
|
|
21
|
-
ruby: [ '2.
|
|
22
|
-
services:
|
|
23
|
-
vault:
|
|
24
|
-
image: hashicorp/vault
|
|
25
|
-
ports:
|
|
26
|
-
- "8200:8200"
|
|
27
|
-
env:
|
|
28
|
-
VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
|
|
29
|
-
SKIP_SETCAP: true
|
|
30
|
-
database:
|
|
31
|
-
image: postgres:14.1-alpine
|
|
32
|
-
ports:
|
|
33
|
-
- "5432:5432"
|
|
34
|
-
env:
|
|
35
|
-
POSTGRES_USER: 'vault_root'
|
|
36
|
-
POSTGRES_PASSWORD: 'root_password'
|
|
37
|
-
POSTGRES_DB: 'app_db'
|
|
38
|
-
options: >-
|
|
39
|
-
--health-cmd pg_isready
|
|
40
|
-
--health-interval 10s
|
|
41
|
-
--health-timeout 5s
|
|
42
|
-
--health-retries 5
|
|
21
|
+
ruby: [ '2.7', '3.0', '3.3' ]
|
|
22
|
+
# services:
|
|
23
|
+
# vault:
|
|
24
|
+
# image: hashicorp/vault
|
|
25
|
+
# ports:
|
|
26
|
+
# - "8200:8200"
|
|
27
|
+
# env:
|
|
28
|
+
# VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
|
|
29
|
+
# SKIP_SETCAP: true
|
|
30
|
+
# database:
|
|
31
|
+
# image: postgres:14.1-alpine
|
|
32
|
+
# ports:
|
|
33
|
+
# - "5432:5432"
|
|
34
|
+
# env:
|
|
35
|
+
# POSTGRES_USER: 'vault_root'
|
|
36
|
+
# POSTGRES_PASSWORD: 'root_password'
|
|
37
|
+
# POSTGRES_DB: 'app_db'
|
|
38
|
+
# options: >-
|
|
39
|
+
# --health-cmd pg_isready
|
|
40
|
+
# --health-interval 10s
|
|
41
|
+
# --health-timeout 5s
|
|
42
|
+
# --health-retries 5
|
|
43
|
+
# aws:
|
|
44
|
+
# image: localstack/localstack
|
|
45
|
+
# ports:
|
|
46
|
+
# - "127.0.0.1:4566:4566" # LocalStack Gateway
|
|
47
|
+
# - "127.0.0.1:4510-4559:4510-4559" # external services port range
|
|
48
|
+
# env:
|
|
49
|
+
# DEBUG: 0
|
|
50
|
+
# volumes:
|
|
51
|
+
# - '/home/runner/work/settings_reader-vault_resolver/local/localstack/app-access-policy.json:/etc/localstack/init/ready.d/app-access-policy.json'
|
|
52
|
+
# - '/home/runner/work/settings_reader-vault_resolver/local/localstack/app-assume-policy.json:/etc/localstack/init/ready.d/app-assume-policy.json'
|
|
53
|
+
# - '/home/runner/work/settings_reader-vault_resolver/local/localstack/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh'
|
|
43
54
|
steps:
|
|
44
55
|
- name: Checkout
|
|
45
56
|
uses: actions/checkout@v1
|
|
@@ -50,8 +61,11 @@ jobs:
|
|
|
50
61
|
ruby-version: ${{ matrix.ruby }}
|
|
51
62
|
bundler-cache: true
|
|
52
63
|
|
|
53
|
-
- name:
|
|
54
|
-
run:
|
|
64
|
+
- name: Start Dependencies
|
|
65
|
+
run: |
|
|
66
|
+
docker-compose up -d
|
|
67
|
+
echo "Waiting 15 seconds for initial configuraiton"
|
|
68
|
+
sleep 15
|
|
55
69
|
|
|
56
70
|
- name: Run specs
|
|
57
71
|
env:
|
data/Gemfile.lock
CHANGED
|
@@ -58,7 +58,7 @@ GEM
|
|
|
58
58
|
simplecov-html (~> 0.11)
|
|
59
59
|
simplecov_json_formatter (~> 0.1)
|
|
60
60
|
simplecov-html (0.12.3)
|
|
61
|
-
simplecov_json_formatter (0.1.
|
|
61
|
+
simplecov_json_formatter (0.1.4)
|
|
62
62
|
timecop (0.9.4)
|
|
63
63
|
unicode-display_width (2.1.0)
|
|
64
64
|
vault (0.16.0)
|
|
@@ -78,4 +78,4 @@ DEPENDENCIES
|
|
|
78
78
|
timecop
|
|
79
79
|
|
|
80
80
|
BUNDLED WITH
|
|
81
|
-
2.
|
|
81
|
+
2.2.32
|
data/docker-compose.yml
CHANGED
|
@@ -2,12 +2,20 @@
|
|
|
2
2
|
version: '3'
|
|
3
3
|
services:
|
|
4
4
|
vault:
|
|
5
|
-
image: vault
|
|
5
|
+
image: hashicorp/vault
|
|
6
6
|
ports:
|
|
7
7
|
- "8200:8200"
|
|
8
8
|
environment:
|
|
9
9
|
VAULT_DEV_ROOT_TOKEN_ID: 'vault_root_token'
|
|
10
10
|
SKIP_SETCAP: 'true'
|
|
11
|
+
# playground:
|
|
12
|
+
# image: hashicorp/vault
|
|
13
|
+
# command:
|
|
14
|
+
# - sleep
|
|
15
|
+
# - '10000000000'
|
|
16
|
+
# environment:
|
|
17
|
+
# VAULT_ADDR: 'http://aws:8200'
|
|
18
|
+
# VAULT_TOKEN: 'vault_root_token'
|
|
11
19
|
db:
|
|
12
20
|
image: postgres:14.1-alpine
|
|
13
21
|
ports:
|
|
@@ -16,11 +24,24 @@ services:
|
|
|
16
24
|
POSTGRES_USER: 'vault_root'
|
|
17
25
|
POSTGRES_PASSWORD: 'root_password'
|
|
18
26
|
POSTGRES_DB: 'app_db'
|
|
27
|
+
aws:
|
|
28
|
+
image: localstack/localstack
|
|
29
|
+
ports:
|
|
30
|
+
- "127.0.0.1:4566:4566" # LocalStack Gateway
|
|
31
|
+
- "127.0.0.1:4510-4559:4510-4559" # external services port range
|
|
32
|
+
environment:
|
|
33
|
+
# LocalStack configuration: https://docs.localstack.cloud/references/configuration/
|
|
34
|
+
- DEBUG=${DEBUG:-0}
|
|
35
|
+
volumes:
|
|
36
|
+
- './local/localstack/app-access-policy.json:/etc/localstack/init/ready.d/app-access-policy.json'
|
|
37
|
+
- './local/localstack/app-assume-policy.json:/etc/localstack/init/ready.d/app-assume-policy.json'
|
|
38
|
+
- './local/localstack/init-aws.sh:/etc/localstack/init/ready.d/init-aws.sh'
|
|
19
39
|
init:
|
|
20
40
|
image: curlimages/curl
|
|
21
41
|
depends_on:
|
|
22
42
|
- vault
|
|
23
43
|
- db
|
|
44
|
+
- aws
|
|
24
45
|
volumes:
|
|
25
46
|
- './local/vault/setup.sh:/etc/vault/setup.sh'
|
|
26
47
|
environment:
|
|
@@ -23,8 +23,8 @@ module SettingsReader
|
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
def fetch(address, &block)
|
|
26
|
-
if !address.no_cache? && (
|
|
27
|
-
|
|
26
|
+
if !address.no_cache? && (existing_entry = retrieve(address))
|
|
27
|
+
existing_entry
|
|
28
28
|
else
|
|
29
29
|
new_entry = block.call(address)
|
|
30
30
|
save(new_entry) if new_entry
|
|
@@ -70,6 +70,7 @@ module SettingsReader
|
|
|
70
70
|
@vault_engines ||= [
|
|
71
71
|
SettingsReader::VaultResolver::Engines::KV2.new(self),
|
|
72
72
|
SettingsReader::VaultResolver::Engines::Database.new(self),
|
|
73
|
+
SettingsReader::VaultResolver::Engines::Aws.new(self),
|
|
73
74
|
SettingsReader::VaultResolver::Engines::Auth.new(self)
|
|
74
75
|
]
|
|
75
76
|
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module SettingsReader
|
|
2
|
+
module VaultResolver
|
|
3
|
+
module Engines
|
|
4
|
+
# Adapter to retrieve / renew secret from database engine
|
|
5
|
+
class Aws < Abstract
|
|
6
|
+
MOUNT = 'aws'.freeze
|
|
7
|
+
|
|
8
|
+
def retrieves?(address)
|
|
9
|
+
address.mount == MOUNT
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
|
|
14
|
+
def get_secret(address)
|
|
15
|
+
debug { "Fetching new aws secret at: #{address}" }
|
|
16
|
+
Vault.logical.read(address.full_path)
|
|
17
|
+
rescue Vault::HTTPClientError => e
|
|
18
|
+
return nil if e.message.match?('Role ".*" not found')
|
|
19
|
+
|
|
20
|
+
raise e
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def renew_lease(entry)
|
|
24
|
+
Vault.sys.renew(entry.lease_id)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -13,10 +13,14 @@ module SettingsReader
|
|
|
13
13
|
@lease_started = Time.now
|
|
14
14
|
end
|
|
15
15
|
|
|
16
|
-
def
|
|
16
|
+
def renewable?
|
|
17
17
|
@secret.renewable?
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
+
def leased?
|
|
21
|
+
renewable? || @secret.lease_duration&.positive?
|
|
22
|
+
end
|
|
23
|
+
|
|
20
24
|
def expired?
|
|
21
25
|
return false unless leased?
|
|
22
26
|
|
|
@@ -19,7 +19,7 @@ module SettingsReader
|
|
|
19
19
|
def refresh
|
|
20
20
|
info { 'Performing Vault leases refresh' }
|
|
21
21
|
promises = cache.active_entries.map do |entry|
|
|
22
|
-
debug { "Checking lease for #{entry}.
|
|
22
|
+
debug { "Checking lease for #{entry}. Renewable?: #{entry.renewable?}. Expires in: #{entry.expires_in}s" }
|
|
23
23
|
refresh_entry(entry)
|
|
24
24
|
end.compact
|
|
25
25
|
promises.each(&:wait)
|
|
@@ -11,6 +11,7 @@ require_relative 'vault_resolver/engines/abstract'
|
|
|
11
11
|
require_relative 'vault_resolver/engines/auth'
|
|
12
12
|
require_relative 'vault_resolver/engines/kv2'
|
|
13
13
|
require_relative 'vault_resolver/engines/database'
|
|
14
|
+
require_relative 'vault_resolver/engines/aws'
|
|
14
15
|
require_relative 'vault_resolver/cache'
|
|
15
16
|
require_relative 'vault_resolver/refresher'
|
|
16
17
|
require_relative 'vault_resolver/refresher_observer'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: settings_reader-vault_resolver
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Volodymyr Mykhailyk
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-01-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: concurrent-ruby
|
|
@@ -85,6 +85,7 @@ files:
|
|
|
85
85
|
- lib/settings_reader/vault_resolver/configuration.rb
|
|
86
86
|
- lib/settings_reader/vault_resolver/engines/abstract.rb
|
|
87
87
|
- lib/settings_reader/vault_resolver/engines/auth.rb
|
|
88
|
+
- lib/settings_reader/vault_resolver/engines/aws.rb
|
|
88
89
|
- lib/settings_reader/vault_resolver/engines/database.rb
|
|
89
90
|
- lib/settings_reader/vault_resolver/engines/kv2.rb
|
|
90
91
|
- lib/settings_reader/vault_resolver/entry.rb
|