

Add Vault AuthMethod to sidecar
johanbrandhorst committed Dec 29, 2019
1 parent e88df38 commit b42492b
Showing 2 changed files with 60 additions and 11 deletions.
48 changes: 40 additions & 8 deletions cmd/proxy/internal/envtypes/issuer.go
Expand Up @@ -5,6 +5,8 @@ import (
"net/url"
"strings"
"time"

"github.com/johanbrandhorst/certify/issuers/vault"
)

// Issuer is an enumeration of supported issuers
Expand Down Expand Up @@ -32,16 +34,46 @@ func (i *Issuer) UnmarshalText(in []byte) error {
return nil
}

// AuthMethod is an enumeration of supported auth methods
type AuthMethod int

// Supported auth methods
const (
UnknownAuthMethod = iota
ConstantTokenAuthMethod
RenewingTokenAuthMethod
)

// UnmarshalText implements encoding.TextUnmarshaler for AuthMethod.
func (am *AuthMethod) UnmarshalText(in []byte) error {
switch strings.ToLower(string(in)) {
case "constant", "token", "constant_token":
*am = ConstantTokenAuthMethod
case "renewing", "renewing_token":
*am = RenewingTokenAuthMethod
default:
*am = UnknownAuthMethod
}
return nil
}

// Vault issuer configuration.
type Vault struct {
URL url.URL `desc:"The URL of the Vault instance."`
Token string `desc:"The Vault secret token that should be used when issuing certificates."`
Mount string `default:"pki" desc:"The name under which the PKI secrets engine is mounted."`
Role string `desc:"The Vault Role that should be used when issuing certificates."`
CACertPath string `envconfig:"CA_CERT_PATH" desc:"The path to the CA cert to use when connecting to Vault. If not set, will use publically trusted CAs."`
TimeToLive time.Duration `split_words:"true" default:"720h" desc:"Configures the lifetime of certificates requested from the Vault server."`
URISubjectAlternativeNames []string `envconfig:"URI_SUBJECT_ALTERNATIVE_NAMES" desc:"Custom URI SANs that should be used in issued certificates. The format is a URI and must match the value specified in allowed_uri_sans, eg spiffe://hostname/foobar."`
OtherSubjectAlternativeNames []string `envconfig:"OTHER_SUBJECT_ALTERNATIVE_NAMES" desc:"Custom OID/UTF8-string SANs that should be used in issued certificates. The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid <type> is UTF8."`
URL url.URL `desc:"The URL of the Vault instance."`
Token string `desc:"The Vault secret token that should be used when issuing certificates. DEPRECATED; use AuthMethod instead."`
AuthMethod AuthMethod `split_words:"true" desc:"The method to use for authenticating against Vault. Supported methods are constant and renewing."`
AuthMethodRenewingToken struct {
Initial string `desc:"The token used to initially authenticate against Vault. It must be renewable."`
RenewBefore time.Duration `split_words:"true" default:"30m" desc:"How long before the expiry of the token it should be renewed."`
TimeToLive time.Duration `split_words:"true" default:"24h" desc:"How long the new token should be valid for."`
} `split_words:"true" desc:"Configuration of the renewing token."`
AuthMethodConstantToken vault.ConstantToken `split_words:"true" desc:"The constant token to use when talking to Vault."`
Mount string `default:"pki" desc:"The name under which the PKI secrets engine is mounted."`
Role string `desc:"The Vault Role that should be used when issuing certificates."`
CACertPath string `envconfig:"CA_CERT_PATH" desc:"The path to the CA cert to use when connecting to Vault. If not set, will use publically trusted CAs."`
TimeToLive time.Duration `split_words:"true" default:"720h" desc:"Configures the lifetime of certificates requested from the Vault server."`
URISubjectAlternativeNames []string `envconfig:"URI_SUBJECT_ALTERNATIVE_NAMES" desc:"Custom URI SANs that should be used in issued certificates. The format is a URI and must match the value specified in allowed_uri_sans, eg spiffe://hostname/foobar."`
OtherSubjectAlternativeNames []string `envconfig:"OTHER_SUBJECT_ALTERNATIVE_NAMES" desc:"Custom OID/UTF8-string SANs that should be used in issued certificates. The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid <type> is UTF8."`
}

// CFSSL issuer configuration.
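Review bot: AuthMethod.UnmarshalText (second hunk) maps every unrecognised value — a typo such as `renewin` included — to UnknownAuthMethod and returns nil, so a misconfigured AUTH_METHOD is never reported, and because main.go routes UnknownAuthMethod onto the deprecated constant Token, a mis-spelled method silently downgrades a renewing token to a static one. Only the empty string should stay mapped to UnknownAuthMethod; other unknown input should be rejected, e.g. `case "": *am = UnknownAuthMethod` followed by `default: return fmt.Errorf("unsupported vault auth method %q", in)` (the import block is only partly visible, so fmt may need adding). A style point: the constants are untyped (`UnknownAuthMethod = iota`), so `UnknownAuthMethod AuthMethod = iota` would tie them to the type and stop accidental comparison with bare ints. The deprecation of Token lives only in the `desc` tag string, where tooling cannot see it; a `// Deprecated: use AuthMethod instead.` comment above the field makes it visible to staticcheck.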
23 changes: 20 additions & 3 deletions cmd/proxy/main.go
Expand Up @@ -141,22 +141,39 @@ func vaultIssuer(conf envtypes.Vault) (*vault.Issuer, error) {
if conf.URL.String() == "" {
return nil, errors.New("vault URL is required")
}
if conf.Token == "" {
return nil, errors.New("vault Token is required")
if conf.Token == "" && conf.AuthMethod == envtypes.UnknownAuthMethod {
return nil, errors.New("vault Token or AuthMethod is required")
}
if conf.Role == "" {
return nil, errors.New("vault Role is required")
}
v := &vault.Issuer{
URL: &conf.URL,
Token: conf.Token,
Role: conf.Role,
Mount: conf.Mount,
TimeToLive: conf.TimeToLive,
URISubjectAlternativeNames: conf.URISubjectAlternativeNames,
OtherSubjectAlternativeNames: conf.OtherSubjectAlternativeNames,
TLSConfig: &tls.Config{},
}
switch conf.AuthMethod {
case envtypes.ConstantTokenAuthMethod:
if conf.AuthMethodConstantToken == "" {
return nil, errors.New("vault constant token is required when using the constant auth method")
}
v.AuthMethod = conf.AuthMethodConstantToken
case envtypes.RenewingTokenAuthMethod:
if conf.AuthMethodRenewingToken.Initial == "" {
return nil, errors.New("vault initial renewing token is required when using the renewing auth method")
}
v.AuthMethod = &vault.RenewingToken{
Initial: conf.AuthMethodRenewingToken.Initial,
RenewBefore: conf.AuthMethodRenewingToken.RenewBefore,
TimeToLive: conf.AuthMethodRenewingToken.TimeToLive,
}
default:
v.AuthMethod = vault.ConstantToken(conf.Token)
}
if conf.CACertPath != "" {
v.TLSConfig.RootCAs = x509.NewCertPool()
bts, err := ioutil.ReadFile(conf.CACertPath)
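Review bot: The `default` branch of the new switch (just above the CACertPath check) silently routes UnknownAuthMethod onto the deprecated `Token` path, so an unrecognised AUTH_METHOD combined with a leftover VAULT_TOKEN keeps the sidecar running on a static token with no indication that the requested method was ignored; at minimum the fallback deserves a comment such as `// Legacy path: no (or unrecognised) AuthMethod configured; fall back to the deprecated static Token.`, and ideally a logged deprecation warning (no logger is visible in this hunk). The renewing branch also accepts RenewBefore and TimeToLive without checking their relation: with RenewBefore >= TimeToLive the token is due for renewal the moment it is issued, and what vault.RenewingToken does with a zero TimeToLive is not shown here, so a guard like `if r := conf.AuthMethodRenewingToken; r.RenewBefore <= 0 || r.TimeToLive <= r.RenewBefore { return nil, errors.New("vault renewing token TimeToLive must exceed RenewBefore") }` placed before constructing vault.RenewingToken would reject that configuration up front. vaultIssuer continues past the end of the hunk.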

