package config

import (
	"time"

	vault "github.com/hashicorp/vault/api"
)

const (
	// DefaultVaultConnectRetryIntv is the interval between successive
	// attempts to connect to Vault.
	DefaultVaultConnectRetryIntv = 30 * time.Second
)

// VaultConfig holds the settings Nomad needs to talk to Vault so that it can:
//
//   - renew Vault tokens and leases,
//   - hand the Nomad Server a token from which it derives sub-tokens, and
//   - create child tokens carrying policy subsets of the Server's token.
type VaultConfig struct {

	// Enabled turns Vault support on or off. A nil value counts as disabled
	// (see IsEnabled).
	Enabled *bool `mapstructure:"enabled"`

	// Token is the Vault token handed to Nomad so that it can derive child
	// tokens. Nomad renews it at half of its lease lifetime. It is a
	// credential and should be treated as a secret in config files and logs.
	Token string `mapstructure:"token"`

	// AllowUnauthenticated allows users to submit jobs that require Vault
	// tokens without presenting a Vault token proving they hold the requested
	// policies. A nil value counts as not allowed (see AllowsUnauthenticated).
	AllowUnauthenticated *bool `mapstructure:"allow_unauthenticated"`

	// TaskTokenTTL is the TTL of tokens created by Nomad Servers for use by
	// the client. It should be long enough that clients need not renew with
	// Vault at a very high frequency.
	TaskTokenTTL string `mapstructure:"task_token_ttl"`

	// Addr is the address of the local Vault agent, given as a complete URL
	// such as "http://vault.example.com".
	Addr string `mapstructure:"address"`

	// ConnectionRetryIntv is how long to wait before re-attempting a
	// connection to Vault. Unlike the other fields it carries no mapstructure
	// tag here.
	ConnectionRetryIntv time.Duration

	// TLSCaFile is the path to a PEM-encoded CA certificate file used to
	// verify the Vault server's TLS certificate.
	TLSCaFile string `mapstructure:"ca_file"`

	// TLSCaPath is the path to a directory of PEM-encoded CA certificate
	// files used to verify the Vault server's TLS certificate.
	TLSCaPath string `mapstructure:"ca_path"`

	// TLSCertFile is the path to the client certificate presented to Vault.
	TLSCertFile string `mapstructure:"cert_file"`

	// TLSKeyFile is the path to the private key matching TLSCertFile.
	TLSKeyFile string `mapstructure:"key_file"`

	// TLSSkipVerify, when true, disables verification of the Vault server's
	// TLS certificate (ApiConfig passes it through as the api client's
	// Insecure setting), which removes the protection against connecting to
	// a spoofed Vault endpoint. A nil value leaves verification enabled.
	TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`

	// TLSServerName, if set, is the SNI host name used when connecting via
	// TLS.
	TLSServerName string `mapstructure:"tls_server_name"`
}

// DefaultVaultConfig returns the canonical defaults for the Nomad `vault`
// configuration: the Consul service address for Vault over HTTPS, the default
// connect retry interval, and unauthenticated job submission allowed. Enabled
// is left nil, so the defaults describe a disabled integration until it is
// explicitly enabled.
func DefaultVaultConfig() *VaultConfig {
	allowUnauthenticated := true
	return &VaultConfig{
		Addr:                 "https://vault.service.consul:8200",
		ConnectionRetryIntv:  DefaultVaultConnectRetryIntv,
		AllowUnauthenticated: &allowUnauthenticated,
	}
}

// IsEnabled reports whether the config turns Vault integration on. A nil
// Enabled is treated as false.
func (a *VaultConfig) IsEnabled() bool {
	if a.Enabled == nil {
		return false
	}
	return *a.Enabled
}

// AllowsUnauthenticated reports whether the config lets jobs request Vault
// policies without presenting a Vault token. A nil AllowUnauthenticated is
// treated as false.
func (a *VaultConfig) AllowsUnauthenticated() bool {
	if a.AllowUnauthenticated == nil {
		return false
	}
	return *a.AllowUnauthenticated
}

// Merge merges two Vault configurations together.
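func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
	// A nil side contributes nothing: return a copy of the other so the
	// caller never shares storage with its inputs. Copy tolerates a nil
	// receiver, so this is safe even when both sides are nil (result nil).
	if a == nil {
		return b.Copy()
	}
	if b == nil {
		return a.Copy()
	}

	// Start from an independent copy of a so neither input is aliased.
	result := a.Copy()

	// String and duration fields: a non-zero value in b overrides a.
	if b.Token != "" {
		result.Token = b.Token
	}
	if b.TaskTokenTTL != "" {
		result.TaskTokenTTL = b.TaskTokenTTL
	}
	if b.Addr != "" {
		result.Addr = b.Addr
	}
	if b.ConnectionRetryIntv != 0 {
		result.ConnectionRetryIntv = b.ConnectionRetryIntv
	}
	if b.TLSCaFile != "" {
		result.TLSCaFile = b.TLSCaFile
	}
	if b.TLSCaPath != "" {
		result.TLSCaPath = b.TLSCaPath
	}
	if b.TLSCertFile != "" {
		result.TLSCertFile = b.TLSCertFile
	}
	if b.TLSKeyFile != "" {
		result.TLSKeyFile = b.TLSKeyFile
	}
	if b.TLSServerName != "" {
		result.TLSServerName = b.TLSServerName
	}

	// Pointer fields: a set (non-nil) value in b overrides a even when it
	// points at false, so an explicit "false" in b wins over "true" in a.
	// The values are cloned so the result does not alias b.
	if b.AllowUnauthenticated != nil {
		result.AllowUnauthenticated = cloneBool(b.AllowUnauthenticated)
	}
	if b.TLSSkipVerify != nil {
		result.TLSSkipVerify = cloneBool(b.TLSSkipVerify)
	}
	if b.Enabled != nil {
		result.Enabled = cloneBool(b.Enabled)
	}

	return result
}

// ApiConfig returns a usable Vault client config, built from this
// VaultConfig, that can be passed directly to hashicorp/vault/api.
// Any error returned by ConfigureTLS is returned unchanged.
func (c *VaultConfig) ApiConfig() (*vault.Config, error) {
	conf := vault.DefaultConfig()
	tlsConf := &vault.TLSConfig{
		CACert:        c.TLSCaFile,
		CAPath:        c.TLSCaPath,
		ClientCert:    c.TLSCertFile,
		ClientKey:     c.TLSKeyFile,
		TLSServerName: c.TLSServerName,
	}
	// Insecure disables verification of the Vault server's certificate, so
	// it is only ever switched on when the operator explicitly set
	// tls_skip_verify; an unset (nil) value keeps the zero value, false.
	if c.TLSSkipVerify != nil {
		tlsConf.Insecure = *c.TLSSkipVerify
	}

	if err := conf.ConfigureTLS(tlsConf); err != nil {
		return nil, err
	}

	conf.Address = c.Addr
	return conf, nil
}

// Copy returns a copy of this Vault config, or nil for a nil receiver. The
// *bool fields are cloned, so mutating the copy through them does not change
// the original.
func (c *VaultConfig) Copy() *VaultConfig {
	if c == nil {
		return nil
	}

	nc := *c
	// A plain struct copy leaves these pointers aimed at c's storage.
	nc.Enabled = cloneBool(c.Enabled)
	nc.AllowUnauthenticated = cloneBool(c.AllowUnauthenticated)
	nc.TLSSkipVerify = cloneBool(c.TLSSkipVerify)
	return &nc
}

// cloneBool returns a pointer to a fresh copy of *p, or nil when p is nil.
func cloneBool(p *bool) *bool {
	if p == nil {
		return nil
	}
	v := *p
	return &v
}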