github.com/smithx10/nomad@v0.9.1-rc1/nomad/structs/config/vault.go (about)

     1  package config
     2  
     3  import (
     4  	"time"
     5  
     6  	vault "github.com/hashicorp/vault/api"
     7  )
     8  
// DefaultVaultConnectRetryIntv is how long Nomad waits between successive
// attempts to connect to Vault. DefaultVaultConfig seeds
// VaultConfig.ConnectionRetryIntv with this value.
const DefaultVaultConnectRetryIntv = 30 * time.Second
    14  
    15  // VaultConfig contains the configuration information necessary to
    16  // communicate with Vault in order to:
    17  //
    18  // - Renew Vault tokens/leases.
    19  //
    20  // - Pass a token for the Nomad Server to derive sub-tokens.
    21  //
    22  // - Create child tokens with policy subsets of the Server's token.
type VaultConfig struct {

	// Enabled enables or disables Vault support. A nil pointer means "not
	// set"; IsEnabled treats that the same as false.
	Enabled *bool `mapstructure:"enabled"`

	// Token is the Vault token given to Nomad such that it can
	// derive child tokens. Nomad will renew this token at half its lease
	// lifetime.
	//
	// This is a live secret held as a plain string. Copy and Merge duplicate
	// it into the new struct, so avoid logging or serializing a VaultConfig
	// wholesale.
	Token string `mapstructure:"token"`

	// Role sets the role in which to create tokens from. The Token given to
	// Nomad does not have to be created from this role but must have "update"
	// capability on "auth/token/create/<create_from_role>". If this value is
	// unset and the token is created from a role, the value is defaulted to the
	// role the token is from.
	Role string `mapstructure:"create_from_role"`

	// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
	// without providing a Vault token proving they have access to these
	// policies.
	//
	// When true, Nomad mints the task tokens from the Server's own Token (see
	// the type comment), so anyone who can submit jobs can obtain child tokens
	// for any policy subset the Server's Token can delegate. DefaultVaultConfig
	// sets this to true; operators who want submitters to prove Vault access
	// must set allow_unauthenticated = false explicitly.
	AllowUnauthenticated *bool `mapstructure:"allow_unauthenticated"`

	// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
	// by the client.  There should be a minimum time value such that the client
	// does not have to renew with Vault at a very high frequency
	TaskTokenTTL string `mapstructure:"task_token_ttl"`

	// Addr is the address of the Vault server or local Vault agent Nomad talks
	// to. This should be a complete URL including the scheme, such as
	// "https://vault.example.com:8200". A plain "http://" address sends the
	// Token over the wire unencrypted.
	Addr string `mapstructure:"address"`

	// ConnectionRetryIntv is the interval to wait before re-attempting to
	// connect to Vault. DefaultVaultConfig seeds it with
	// DefaultVaultConnectRetryIntv; Merge ignores a zero value in the overlay.
	ConnectionRetryIntv time.Duration

	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate.
	TLSCaFile string `mapstructure:"ca_file"`

	// TLSCaPath is the path to a directory of PEM-encoded CA cert files to
	// verify the Vault server SSL certificate.
	TLSCaPath string `mapstructure:"ca_path"`

	// TLSCertFile is the path to the client certificate Nomad presents to
	// Vault (ApiConfig passes it as the client cert for mutual TLS).
	TLSCertFile string `mapstructure:"cert_file"`

	// TLSKeyFile is the path to the private key matching TLSCertFile.
	TLSKeyFile string `mapstructure:"key_file"`

	// TLSSkipVerify enables or disables SSL verification. When true, ApiConfig
	// sets the Vault client's Insecure flag and the server certificate is not
	// checked, so an on-path attacker can impersonate Vault and capture the
	// Token. A nil pointer is treated as false (verification stays on).
	TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`

	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
	TLSServerName string `mapstructure:"tls_server_name"`
}
    78  
    79  // DefaultVaultConfig() returns the canonical defaults for the Nomad
    80  // `vault` configuration.
// DefaultVaultConfig returns the canonical defaults for the Nomad `vault`
// configuration: Enabled is left unset (so IsEnabled reports false), Addr
// points at the Consul-advertised Vault service over HTTPS, the connection
// retry interval is DefaultVaultConnectRetryIntv, and AllowUnauthenticated is
// true.
//
// NOTE(review): the AllowUnauthenticated default is the permissive choice —
// job submitters do not have to present a Vault token to request Vault
// policies. TLSSkipVerify is left nil, which ApiConfig treats as certificate
// verification enabled.
func DefaultVaultConfig() *VaultConfig {
	allowUnauthenticated := true
	return &VaultConfig{
		Addr:                 "https://vault.service.consul:8200",
		ConnectionRetryIntv:  DefaultVaultConnectRetryIntv,
		AllowUnauthenticated: &allowUnauthenticated,
	}
}
    90  
    91  // IsEnabled returns whether the config enables Vault integration
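// IsEnabled returns whether the config enables Vault integration. An unset
// Enabled (nil) and a nil receiver both report false, so a missing or absent
// Vault stanza never turns the integration on (fail closed), matching the
// nil-safe behaviour of Copy.
func (a *VaultConfig) IsEnabled() bool {
	if a == nil || a.Enabled == nil {
		return false
	}
	return *a.Enabled
}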
    95  
    96  // AllowsUnauthenticated returns whether the config allows unauthenticated
    97  // access to Vault
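// AllowsUnauthenticated returns whether the config allows jobs that request
// Vault policies to be submitted without a Vault token proving access. An
// unset value (nil) and a nil receiver both report false — the restrictive
// answer — rather than panicking; note that DefaultVaultConfig explicitly
// sets this option to true.
func (a *VaultConfig) AllowsUnauthenticated() bool {
	if a == nil || a.AllowUnauthenticated == nil {
		return false
	}
	return *a.AllowUnauthenticated
}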
   101  
   102  // Merge merges two Vault configurations together.
// Merge returns a new configuration built from a with every value that b
// explicitly sets layered on top. For the string fields and the retry
// interval, "set" means non-zero; for the *bool fields it means non-nil, so
// an explicit false in b does override a true in a. Neither a nor b is
// modified.
//
// The result is a shallow copy: its *bool fields alias whichever input
// supplied them. The Token (a secret) is carried across verbatim.
func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
	merged := *a

	// takeString overwrites dst with src unless src is empty.
	takeString := func(dst *string, src string) {
		if src != "" {
			*dst = src
		}
	}
	takeString(&merged.Token, b.Token)
	takeString(&merged.Role, b.Role)
	takeString(&merged.TaskTokenTTL, b.TaskTokenTTL)
	takeString(&merged.Addr, b.Addr)
	takeString(&merged.TLSCaFile, b.TLSCaFile)
	takeString(&merged.TLSCaPath, b.TLSCaPath)
	takeString(&merged.TLSCertFile, b.TLSCertFile)
	takeString(&merged.TLSKeyFile, b.TLSKeyFile)
	takeString(&merged.TLSServerName, b.TLSServerName)

	if b.ConnectionRetryIntv != 0 {
		merged.ConnectionRetryIntv = b.ConnectionRetryIntv
	}

	// Tri-state booleans: only a non-nil pointer in b counts as "set".
	if b.AllowUnauthenticated != nil {
		merged.AllowUnauthenticated = b.AllowUnauthenticated
	}
	if b.TLSSkipVerify != nil {
		merged.TLSSkipVerify = b.TLSSkipVerify
	}
	if b.Enabled != nil {
		merged.Enabled = b.Enabled
	}

	return &merged
}
   148  
   149  // ApiConfig() returns a usable Vault config that can be passed directly to
   150  // hashicorp/vault/api.
// ApiConfig returns a usable Vault config that can be passed directly to
// hashicorp/vault/api. It starts from vault.DefaultConfig(), applies the TLS
// settings (CA file/dir, client cert and key, SNI server name) and finally
// points the client at Addr.
//
// TLSSkipVerify maps onto the client's Insecure flag: only an explicit true
// turns off server certificate verification; nil and false keep it on.
// Skipping verification lets an on-path attacker impersonate Vault and read
// the Token, so it should not be used outside development.
//
// The only error source is ConfigureTLS; on error no config is returned.
func (c *VaultConfig) ApiConfig() (*vault.Config, error) {
	skipVerify := c.TLSSkipVerify != nil && *c.TLSSkipVerify

	apiConf := vault.DefaultConfig()
	if err := apiConf.ConfigureTLS(&vault.TLSConfig{
		CACert:        c.TLSCaFile,
		CAPath:        c.TLSCaPath,
		ClientCert:    c.TLSCertFile,
		ClientKey:     c.TLSKeyFile,
		TLSServerName: c.TLSServerName,
		Insecure:      skipVerify,
	}); err != nil {
		return nil, err
	}
	apiConf.Address = c.Addr

	return apiConf, nil
}
   173  
   174  // Copy returns a copy of this Vault config.
// Copy returns a shallow copy of this Vault config, or nil for a nil receiver.
// String fields (including Token) are duplicated by value; the *bool fields
// (Enabled, AllowUnauthenticated, TLSSkipVerify) still point at the same
// underlying bools as the original, so a write through one is visible in
// both.
func (c *VaultConfig) Copy() *VaultConfig {
	if c == nil {
		return nil
	}
	dup := *c
	return &dup
}
   184  
   185  // IsEqual compares two Vault configurations and returns a boolean indicating
   186  // if they are equal.
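// IsEqual compares two Vault configurations and returns a boolean indicating
// if they are equal.
//
// Two nil configs are equal and a nil config never equals a non-nil one
// (the original fell through to a nil dereference when both were nil). The
// *bool fields (Enabled, AllowUnauthenticated, TLSSkipVerify) are compared by
// the value they point to rather than by pointer address, so two configs
// that both enable Vault compare equal even when their Enabled pointers were
// allocated separately (e.g. an original and a config decoded from the same
// file). An unset (nil) option is still distinct from an explicit true or
// false.
func (a *VaultConfig) IsEqual(b *VaultConfig) bool {
	if a == nil || b == nil {
		return a == b
	}

	// boolPtrEq treats nil as a third state distinct from true and false:
	// "not configured" is not the same config as "configured to false".
	boolPtrEq := func(x, y *bool) bool {
		if x == nil || y == nil {
			return x == y
		}
		return *x == *y
	}

	return a.Token == b.Token &&
		a.Role == b.Role &&
		a.TaskTokenTTL == b.TaskTokenTTL &&
		a.Addr == b.Addr &&
		a.ConnectionRetryIntv == b.ConnectionRetryIntv &&
		a.TLSCaFile == b.TLSCaFile &&
		a.TLSCaPath == b.TLSCaPath &&
		a.TLSCertFile == b.TLSCertFile &&
		a.TLSKeyFile == b.TLSKeyFile &&
		a.TLSServerName == b.TLSServerName &&
		boolPtrEq(a.AllowUnauthenticated, b.AllowUnauthenticated) &&
		boolPtrEq(a.TLSSkipVerify, b.TLSSkipVerify) &&
		boolPtrEq(a.Enabled, b.Enabled)
}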