github.com/ferranbt/nomad@v0.9.3-0.20190607002617-85c449b7667c/nomad/structs/config/vault.go (about) 1 package config 2 3 import ( 4 "time" 5 6 vault "github.com/hashicorp/vault/api" 7 ) 8 9 const ( 10 // DefaultVaultConnectRetryIntv is the retry interval between trying to 11 // connect to Vault 12 DefaultVaultConnectRetryIntv = 30 * time.Second 13 ) 14 15 // VaultConfig contains the configuration information necessary to 16 // communicate with Vault in order to: 17 // 18 // - Renew Vault tokens/leases. 19 // 20 // - Pass a token for the Nomad Server to derive sub-tokens. 21 // 22 // - Create child tokens with policy subsets of the Server's token. 23 type VaultConfig struct { 24 25 // Enabled enables or disables Vault support. 26 Enabled *bool `hcl:"enabled"` 27 28 // Token is the Vault token given to Nomad such that it can 29 // derive child tokens. Nomad will renew this token at half its lease 30 // lifetime. 31 Token string `hcl:"token"` 32 33 // Role sets the role in which to create tokens from. The Token given to 34 // Nomad does not have to be created from this role but must have "update" 35 // capability on "auth/token/create/<create_from_role>". If this value is 36 // unset and the token is created from a role, the value is defaulted to the 37 // role the token is from. 38 Role string `hcl:"create_from_role"` 39 40 // Namespace sets the Vault namespace used for all calls against the 41 // Vault API. If this is unset, then Nomad does not use Vault namespaces. 42 Namespace string `mapstructure:"namespace"` 43 44 // AllowUnauthenticated allows users to submit jobs requiring Vault tokens 45 // without providing a Vault token proving they have access to these 46 // policies. 47 AllowUnauthenticated *bool `hcl:"allow_unauthenticated"` 48 49 // TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used 50 // by the client. There should be a minimum time value such that the client 51 // does not have to renew with Vault at a very high frequency 52 TaskTokenTTL string `hcl:"task_token_ttl"` 53 54 // Addr is the address of the local Vault agent. This should be a complete 55 // URL such as "http://vault.example.com" 56 Addr string `hcl:"address"` 57 58 // ConnectionRetryIntv is the interval to wait before re-attempting to 59 // connect to Vault. 60 ConnectionRetryIntv time.Duration 61 62 // TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the 63 // Vault server SSL certificate. 64 TLSCaFile string `hcl:"ca_file"` 65 66 // TLSCaFile is the path to a directory of PEM-encoded CA cert files to 67 // verify the Vault server SSL certificate. 68 TLSCaPath string `hcl:"ca_path"` 69 70 // TLSCertFile is the path to the certificate for Vault communication 71 TLSCertFile string `hcl:"cert_file"` 72 73 // TLSKeyFile is the path to the private key for Vault communication 74 TLSKeyFile string `hcl:"key_file"` 75 76 // TLSSkipVerify enables or disables SSL verification 77 TLSSkipVerify *bool `hcl:"tls_skip_verify"` 78 79 // TLSServerName, if set, is used to set the SNI host when connecting via TLS. 80 TLSServerName string `hcl:"tls_server_name"` 81 } 82 83 // DefaultVaultConfig() returns the canonical defaults for the Nomad 84 // `vault` configuration. 85 func DefaultVaultConfig() *VaultConfig { 86 return &VaultConfig{ 87 Addr: "https://vault.service.consul:8200", 88 ConnectionRetryIntv: DefaultVaultConnectRetryIntv, 89 AllowUnauthenticated: func(b bool) *bool { 90 return &b 91 }(true), 92 } 93 } 94 95 // IsEnabled returns whether the config enables Vault integration 96 func (a *VaultConfig) IsEnabled() bool { 97 return a.Enabled != nil && *a.Enabled 98 } 99 100 // AllowsUnauthenticated returns whether the config allows unauthenticated 101 // access to Vault 102 func (a *VaultConfig) AllowsUnauthenticated() bool { 103 return a.AllowUnauthenticated != nil && *a.AllowUnauthenticated 104 } 105 106 // Merge merges two Vault configurations together. 107 func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig { 108 result := *a 109 110 if b.Token != "" { 111 result.Token = b.Token 112 } 113 if b.Namespace != "" { 114 result.Namespace = b.Namespace 115 } 116 if b.Role != "" { 117 result.Role = b.Role 118 } 119 if b.TaskTokenTTL != "" { 120 result.TaskTokenTTL = b.TaskTokenTTL 121 } 122 if b.Addr != "" { 123 result.Addr = b.Addr 124 } 125 if b.ConnectionRetryIntv.Nanoseconds() != 0 { 126 result.ConnectionRetryIntv = b.ConnectionRetryIntv 127 } 128 if b.TLSCaFile != "" { 129 result.TLSCaFile = b.TLSCaFile 130 } 131 if b.TLSCaPath != "" { 132 result.TLSCaPath = b.TLSCaPath 133 } 134 if b.TLSCertFile != "" { 135 result.TLSCertFile = b.TLSCertFile 136 } 137 if b.TLSKeyFile != "" { 138 result.TLSKeyFile = b.TLSKeyFile 139 } 140 if b.TLSServerName != "" { 141 result.TLSServerName = b.TLSServerName 142 } 143 if b.AllowUnauthenticated != nil { 144 result.AllowUnauthenticated = b.AllowUnauthenticated 145 } 146 if b.TLSSkipVerify != nil { 147 result.TLSSkipVerify = b.TLSSkipVerify 148 } 149 if b.Enabled != nil { 150 result.Enabled = b.Enabled 151 } 152 153 return &result 154 } 155 156 // ApiConfig() returns a usable Vault config that can be passed directly to 157 // hashicorp/vault/api. 158 func (c *VaultConfig) ApiConfig() (*vault.Config, error) { 159 conf := vault.DefaultConfig() 160 tlsConf := &vault.TLSConfig{ 161 CACert: c.TLSCaFile, 162 CAPath: c.TLSCaPath, 163 ClientCert: c.TLSCertFile, 164 ClientKey: c.TLSKeyFile, 165 TLSServerName: c.TLSServerName, 166 } 167 if c.TLSSkipVerify != nil { 168 tlsConf.Insecure = *c.TLSSkipVerify 169 } else { 170 tlsConf.Insecure = false 171 } 172 173 if err := conf.ConfigureTLS(tlsConf); err != nil { 174 return nil, err 175 } 176 177 conf.Address = c.Addr 178 return conf, nil 179 } 180 181 // Copy returns a copy of this Vault config. 182 func (c *VaultConfig) Copy() *VaultConfig { 183 if c == nil { 184 return nil 185 } 186 187 nc := new(VaultConfig) 188 *nc = *c 189 return nc 190 } 191 192 // IsEqual compares two Vault configurations and returns a boolean indicating 193 // if they are equal. 194 func (a *VaultConfig) IsEqual(b *VaultConfig) bool { 195 if a == nil && b != nil { 196 return false 197 } 198 if a != nil && b == nil { 199 return false 200 } 201 202 if a.Token != b.Token { 203 return false 204 } 205 if a.Role != b.Role { 206 return false 207 } 208 if a.TaskTokenTTL != b.TaskTokenTTL { 209 return false 210 } 211 if a.Addr != b.Addr { 212 return false 213 } 214 if a.ConnectionRetryIntv.Nanoseconds() != b.ConnectionRetryIntv.Nanoseconds() { 215 return false 216 } 217 if a.TLSCaFile != b.TLSCaFile { 218 return false 219 } 220 if a.TLSCaPath != b.TLSCaPath { 221 return false 222 } 223 if a.TLSCertFile != b.TLSCertFile { 224 return false 225 } 226 if a.TLSKeyFile != b.TLSKeyFile { 227 return false 228 } 229 if a.TLSServerName != b.TLSServerName { 230 return false 231 } 232 if a.AllowUnauthenticated != b.AllowUnauthenticated { 233 return false 234 } 235 if a.TLSSkipVerify != b.TLSSkipVerify { 236 return false 237 } 238 if a.Enabled != b.Enabled { 239 return false 240 } 241 return true 242 }