github.com/metaprov/modela-operator@v0.0.0-20240118193048-f378be8b74d2/pkg/vault/vault.go

github.com/metaprov/modela-operator@v0.0.0-20240118193048-f378be8b74d2/pkg/vault/vault.go (about)

     1  package vault
     2  
     3  import (
     4  	"context"
     5  	"fmt"
     6  	"github.com/hashicorp/vault/api"
     7  	"github.com/hashicorp/vault/api/auth/kubernetes"
     8  	managementv1 "github.com/metaprov/modela-operator/api/v1alpha1"
     9  	"github.com/metaprov/modela-operator/pkg/kube"
    10  	"github.com/pkg/errors"
    11  )
    12  
    13  func GetUnauthenticatedClientInCluster() (*api.Client, error) {
    14  	config := api.DefaultConfig()
    15  	config.Address = "http://modela-vault.modela-system.svc.cluster.local:8200"
    16  	client, err := api.NewClient(config)
    17  	if err != nil {
    18  		return nil, err
    19  	}
    20  
    21  	_, err = client.Sys().Health()
    22  	if err != nil {
    23  		return nil, err
    24  	}
    25  
    26  	return client, nil
    27  }
    28  
    29  func GetUnauthenticatedClient(modela *managementv1.Modela) (*api.Client, error) {
    30  	var address string
    31  	if modela.Spec.Vault.VaultAddress == nil || *modela.Spec.Vault.VaultAddress == "" {
    32  		address = "http://modela-vault.modela-system.svc.cluster.local:8200"
    33  	} else {
    34  		address = *modela.Spec.Vault.VaultAddress
    35  	}
    36  
    37  	config := api.DefaultConfig()
    38  	config.Address = address
    39  	client, err := api.NewClient(config)
    40  	if err != nil {
    41  		return nil, err
    42  	}
    43  
    44  	_, err = client.Sys().Health()
    45  	if err != nil {
    46  		return nil, err
    47  	}
    48  
    49  	return client, nil
    50  }
    51  
    52  func GetAuthenticatedClient(modela *managementv1.Modela) (*api.Client, error) {
    53  	var address string
    54  	if modela.Spec.Vault.VaultAddress == nil || *modela.Spec.Vault.VaultAddress == "" {
    55  		address = "http://modela-vault.modela-system.svc.cluster.local:8200"
    56  	} else {
    57  		address = *modela.Spec.Vault.VaultAddress
    58  	}
    59  
    60  	config := api.DefaultConfig()
    61  	config.Address = address
    62  	client, err := api.NewClient(config)
    63  	if err != nil {
    64  		return nil, err
    65  	}
    66  
    67  	auth, err := kubernetes.NewKubernetesAuth("modela")
    68  	if err != nil {
    69  		return nil, err
    70  	}
    71  
    72  	// Skip Kubernetes authentication if we already have a root token on our cluster
    73  	if exists, err := kube.IsNamespaceCreated("modela-system"); exists && err == nil {
    74  		if secret, err := kube.GetSecret("modela-system", "vault-root-token"); err == nil {
    75  			if token, ok := secret.Data["token"]; ok {
    76  				client.SetToken(string(token))
    77  				return client, nil
    78  			}
    79  		}
    80  	}
    81  
    82  	if _, err := client.Auth().Login(context.Background(), auth); err != nil {
    83  		return nil, err
    84  	}
    85  
    86  	return client, nil
    87  }
    88  
    89  func ApplySecret(modela *managementv1.Modela, key string, value map[string]interface{}) error {
    90  	client, err := GetAuthenticatedClient(modela)
    91  	if err != nil {
    92  		return errors.Wrap(err, fmt.Sprintf("failed to apply vault secret %s", key))
    93  	}
    94  
    95  	kv := client.KVv2(modela.Spec.Vault.MountPath)
    96  	if _, err = kv.Put(context.Background(), key, value); err != nil {
    97  		return errors.Wrap(err, fmt.Sprintf("failed to apply vault secret %s", key))
    98  	}
    99  
   100  	return nil
   101  }