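package vault

import (
	"context"

	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/api/auth/kubernetes"
	managementv1 "github.com/metaprov/modela-operator/api/v1alpha1"
	"github.com/metaprov/modela-operator/pkg/kube"
	"github.com/pkg/errors"
)

const (
	// defaultAddress is the in-cluster Vault service used whenever the Modela
	// spec does not override it. The scheme is plain http: the client itself
	// does not encrypt traffic to this endpoint, tokens included, so an
	// override with an https:// address is the way to get transport security.
	defaultAddress = "http://modela-vault.modela-system.svc.cluster.local:8200"

	// systemNamespace, rootTokenSecret and rootTokenKey locate the Vault root
	// token that, when present, short-circuits Kubernetes authentication.
	systemNamespace = "modela-system"
	rootTokenSecret = "vault-root-token"
	rootTokenKey    = "token"

	// kubernetesAuthRole is the Vault Kubernetes-auth role this operator logs in as.
	kubernetesAuthRole = "modela"
)

// resolveAddress returns the Vault address to use: override when it is set
// and non-empty, otherwise defaultAddress.
func resolveAddress(override *string) string {
	if override == nil || *override == "" {
		return defaultAddress
	}
	return *override
}

// newClient builds a Vault client with no token for address and probes the
// health endpoint to confirm the server is reachable.
//
// The health response is discarded. NOTE(review): the probe therefore proves
// reachability only; whether a sealed or uninitialised Vault also passes it
// depends on the api client's Health semantics — confirm before using this as
// a readiness check.
func newClient(address string) (*api.Client, error) {
	config := api.DefaultConfig()
	config.Address = address

	client, err := api.NewClient(config)
	if err != nil {
		return nil, errors.Wrapf(err, "creating vault client for %s", address)
	}
	if _, err := client.Sys().Health(); err != nil {
		return nil, errors.Wrapf(err, "checking vault health at %s", address)
	}
	return client, nil
}

// GetUnauthenticatedClientInCluster returns a client for the default
// in-cluster Vault address with no token attached.
func GetUnauthenticatedClientInCluster() (*api.Client, error) {
	return newClient(defaultAddress)
}

// GetUnauthenticatedClient returns a client for the Vault address configured
// on modela (falling back to the in-cluster default) with no token attached.
func GetUnauthenticatedClient(modela *managementv1.Modela) (*api.Client, error) {
	return newClient(resolveAddress(modela.Spec.Vault.VaultAddress))
}

// GetAuthenticatedClient returns a client for modela's Vault that carries a
// usable token. If the vault-root-token Secret exists in modela-system its
// token is used directly; otherwise the client logs in through the Kubernetes
// auth method with role "modela".
//
// A root token grants unrestricted access to Vault, so the Secret it is read
// from is the most sensitive object in that namespace. Failures while looking
// it up are deliberately ignored so that Kubernetes auth remains the fallback.
// The Kubernetes auth method is only constructed when it is actually needed,
// so the root-token path does not depend on a service-account token being
// mounted.
func GetAuthenticatedClient(modela *managementv1.Modela) (*api.Client, error) {
	client, err := newClient(resolveAddress(modela.Spec.Vault.VaultAddress))
	if err != nil {
		return nil, err
	}

	if token, ok := rootToken(); ok {
		client.SetToken(token)
		return client, nil
	}

	auth, err := kubernetes.NewKubernetesAuth(kubernetesAuthRole)
	if err != nil {
		return nil, errors.Wrap(err, "configuring vault kubernetes auth")
	}
	if _, err := client.Auth().Login(context.Background(), auth); err != nil {
		return nil, errors.Wrap(err, "logging in to vault with kubernetes auth")
	}
	return client, nil
}

// rootToken returns the Vault root token stored under the "token" key of the
// vault-root-token Secret in modela-system. ok is false when the namespace
// does not exist, the namespace or Secret cannot be read, or the key is
// missing; those errors are swallowed on purpose because absence of the
// token is an expected state, not a failure.
func rootToken() (token string, ok bool) {
	exists, err := kube.IsNamespaceCreated(systemNamespace)
	if !exists || err != nil {
		return "", false
	}
	secret, err := kube.GetSecret(systemNamespace, rootTokenSecret)
	if err != nil {
		return "", false
	}
	raw, found := secret.Data[rootTokenKey]
	if !found {
		return "", false
	}
	return string(raw), true
}

// ApplySecret writes value under key in the KV v2 mount named by
// modela.Spec.Vault.MountPath, using an authenticated client. Every call
// authenticates afresh via GetAuthenticatedClient. Error messages name the
// key only, never the value.
func ApplySecret(modela *managementv1.Modela, key string, value map[string]interface{}) error {
	client, err := GetAuthenticatedClient(modela)
	if err != nil {
		return errors.Wrapf(err, "failed to apply vault secret %s", key)
	}

	kv := client.KVv2(modela.Spec.Vault.MountPath)
	if _, err := kv.Put(context.Background(), key, value); err != nil {
		return errors.Wrapf(err, "failed to apply vault secret %s", key)
	}
	return nil
}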