
     1  package config
     2  
     3  import (
     4  	"time"
     5  
     6  	vault "github.com/hashicorp/vault/api"
     7  )
     8  
// DefaultVaultConnectRetryIntv is the retry interval between trying to
// connect to Vault; DefaultVaultConfig uses it as the initial value of
// VaultConfig.ConnectionRetryIntv.
const DefaultVaultConnectRetryIntv = 30 * time.Second
    14  
// VaultConfig contains the configuration information necessary to
// communicate with Vault in order to:
//
// - Renew Vault tokens/leases.
//
// - Pass a token for the Nomad Server to derive sub-tokens.
//
// - Create child tokens with policy subsets of the Server's token.
//
// The field tags drive mapstructure decoding of the `vault` config block.
// Merge treats the empty string / zero duration as "unset" for the string
// and duration fields, but always takes the boolean fields (Enabled,
// AllowUnauthenticated, TLSSkipVerify) from the merged-in config.
type VaultConfig struct {

	// Enabled enables or disables Vault support.
	Enabled bool `mapstructure:"enabled"`

	// Token is the Vault token given to Nomad such that it can
	// derive child tokens. Nomad will renew this token at half its lease
	// lifetime. This is a credential; DefaultVaultConfig leaves it empty.
	Token string `mapstructure:"token"`

	// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
	// without providing a Vault token proving they have access to these
	// policies. Defaults to false.
	AllowUnauthenticated bool `mapstructure:"allow_unauthenticated"`

	// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
	// by the client.  There should be a minimum time value such that the client
	// does not have to renew with Vault at a very high frequency.
	// Held as the unparsed string from the config file.
	TaskTokenTTL string `mapstructure:"task_token_ttl"`

	// Addr is the address of the local Vault agent. This should be a complete
	// URL such as "http://vault.example.com". ApiConfig assigns it to the
	// Vault api Config's Address unconditionally.
	Addr string `mapstructure:"address"`

	// ConnectionRetryIntv is the interval to wait before re-attempting to
	// connect to Vault. Defaults to DefaultVaultConnectRetryIntv.
	// NOTE(review): unlike the other fields this has no mapstructure tag —
	// confirm whether it is meant to be settable from the config file.
	ConnectionRetryIntv time.Duration

	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate.
	TLSCaFile string `mapstructure:"tls_ca_file"`

	// TLSCaPath is the path to a directory of PEM-encoded CA cert files to
	// verify the Vault server SSL certificate.
	TLSCaPath string `mapstructure:"tls_ca_path"`

	// TLSCertFile is the path to the client certificate for Vault communication.
	TLSCertFile string `mapstructure:"tls_cert_file"`

	// TLSKeyFile is the path to the private key for Vault communication.
	TLSKeyFile string `mapstructure:"tls_key_file"`

	// TLSSkipVerify enables or disables SSL verification. When true, ApiConfig
	// sets Insecure on the Vault api TLSConfig, so the Vault server certificate
	// is not verified. Defaults to false.
	TLSSkipVerify bool `mapstructure:"tls_skip_verify"`

	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
	TLSServerName string `mapstructure:"tls_server_name"`
}
    71  
// DefaultVaultConfig returns the canonical defaults for the Nomad `vault`
// configuration: Vault support disabled, the Consul service address
// "https://vault.service.consul:8200" and DefaultVaultConnectRetryIntv as
// the reconnect interval. Every other field is left at its zero value.
func DefaultVaultConfig() *VaultConfig {
	cfg := new(VaultConfig)
	cfg.Addr = "https://vault.service.consul:8200"
	cfg.ConnectionRetryIntv = DefaultVaultConnectRetryIntv
	// AllowUnauthenticated and TLSSkipVerify stay false: by default a token
	// is required for jobs that need Vault, and the server certificate is
	// verified.
	return cfg
}
    81  
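// Merge returns a new VaultConfig that starts from a and takes every
// non-empty string field and non-zero ConnectionRetryIntv from b. The
// boolean fields Enabled, AllowUnauthenticated and TLSSkipVerify are always
// taken from b, so a false in b overrides a true in a — the zero value is
// not treated as "unset" for them.
//
// A nil argument is treated as an empty config: a nil b yields a copy of a,
// a nil receiver yields a copy of b, and both nil yields nil. Neither input
// is modified.
func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
	switch {
	case a == nil && b == nil:
		return nil
	case a == nil:
		cp := *b
		return &cp
	case b == nil:
		cp := *a
		return &cp
	}

	result := *a

	// Strings: only a non-empty value in b overrides a.
	overrides := []struct {
		dst *string
		src string
	}{
		{&result.Token, b.Token},
		{&result.TaskTokenTTL, b.TaskTokenTTL},
		{&result.Addr, b.Addr},
		{&result.TLSCaFile, b.TLSCaFile},
		{&result.TLSCaPath, b.TLSCaPath},
		{&result.TLSCertFile, b.TLSCertFile},
		{&result.TLSKeyFile, b.TLSKeyFile},
		{&result.TLSServerName, b.TLSServerName},
	}
	for _, o := range overrides {
		if o.src != "" {
			*o.dst = o.src
		}
	}

	if b.ConnectionRetryIntv != 0 {
		result.ConnectionRetryIntv = b.ConnectionRetryIntv
	}

	// Booleans cannot distinguish "unset" from false, so b always wins here.
	result.AllowUnauthenticated = b.AllowUnauthenticated
	result.TLSSkipVerify = b.TLSSkipVerify
	result.Enabled = b.Enabled
	return &result
}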
   119  
// ApiConfig builds a hashicorp/vault/api Config from this VaultConfig: the
// library defaults, the TLS material from the TLS* fields, and Addr as the
// address. The error is whatever ConfigureTLS reports.
//
// TLSSkipVerify is passed through as TLSConfig.Insecure, i.e. it turns off
// verification of the Vault server certificate. Addr is assigned
// unconditionally, so an empty Addr replaces the library's default address.
func (c *VaultConfig) ApiConfig() (*vault.Config, error) {
	tlsConfig := vault.TLSConfig{
		CACert:        c.TLSCaFile,
		CAPath:        c.TLSCaPath,
		ClientCert:    c.TLSCertFile,
		ClientKey:     c.TLSKeyFile,
		TLSServerName: c.TLSServerName,
		Insecure:      c.TLSSkipVerify,
	}

	conf := vault.DefaultConfig()
	if err := conf.ConfigureTLS(&tlsConfig); err != nil {
		return nil, err
	}
	conf.Address = c.Addr
	return conf, nil
}
   139  
// Copy returns a shallow copy of c, or nil when c is nil. Every field is a
// plain value (strings, bools, a Duration), so the copy shares no state
// with the original.
func (c *VaultConfig) Copy() *VaultConfig {
	if c == nil {
		return nil
	}
	cp := *c
	return &cp
}