Initial import

.gitignore

@@ -10,3 +10,4 @@
 
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+vendor

Makefile

@@ -0,0 +1,34 @@
+VAULT_ADDR=http://127.0.0.1:8200
+export VAULT_ADDR
+SHA256SUM=$(shell sha256sum vault/plugin/vault-plugin-secrets-k8s | awk {'print $$1'})
+PLUGIN_NAME=vault-plugin-secrets-k8s
+
+build:
+	CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o vault/plugin/vault-plugin-secrets-k8s .
+
+login:
+	echo "123qwe" | vault login -
+
+add-plugin:
+	vault write sys/plugins/catalog/${PLUGIN_NAME} sha256="${SHA256SUM}" command=${PLUGIN_NAME}
+
+enable-plugin:
+	vault secrets enable -path=k8s -plugin-name=${PLUGIN_NAME} plugin
+	vault secrets list
+
+list-plugins:
+	vault list sys/plugins/catalog
+
+configure-plugin:
+	vault write k8s/config token=${TOKEN} api-url=${MASTER_URL} CA=${MASTER_CA}
+	vault read k8s/config
+
+up:
+	docker-compose down
+	docker-compose up -d
+
+test:
+	go test -v -cover $(shell go list ./... | grep -v /vendor/)
+
+init-plugin: login add-plugin enable-plugin list-plugins
+

README.md

@@ -1,2 +1,50 @@
 # vault-plugin-secrets-k8s
 Vault secrets manager plugin for kubernetes
+
+# Description
+TBD
+
+# How to setup 
+TBD
+
+# How to build and run locally
+Requirements:
+* make sha256sum (apt-get install make coreutils)
+* golang ~1.10
+* docker
+* docker-compose
+* vault CLI utility
+
+```bash
+$ glide up -v
+$ make test
+$ make build up init-plugin
+$ VAULT_ADDR=http://127.0.0.1:8200 vault login  # token = 123qwe
+$ VAULT_ADDR=http://127.0.0.1:8200 vault path-help k8s/config
+Request:        config
+Matching Route: ^config$
+
+Configure the Kubernetes backend
+
+## PARAMETERS
+
+    CA (string)
+        Kubernetes apiserver Certificate Authority (base64 encoded)
+
+    api-url (string)
+        URL to kubernetes apiserver https endpoint
+
+    max-ttl (duration (sec))
+        Maximum time a secret is valid for. If <= 0, will use system default.
+
+    token (string)
+        ServiceAccount token with permissions to list, create, delete Secrets
+
+    ttl (duration (sec))
+        Default lease for generated secrets. If <= 0, will use system default.
+
+## DESCRIPTION
+
+The Kubernetes backend requires credentials for managing Secrets in cluster. This endpoint is used to configure those
+ credentials as well as default values for the backend in general
+```

backend/backend.go

@@ -0,0 +1,52 @@
+package backend
+
+import (
+	"context"
+	"time"
+
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+)
+
+type kubeBackend struct {
+	*framework.Backend
+	testMode bool
+}
+
+// New creates and returns new instance of Kubernetes secrets manager backend
+func New() *kubeBackend {
+	var b kubeBackend
+
+	b.Backend = &framework.Backend{
+		BackendType: logical.TypeLogical,
+
+		PathsSpecial: &logical.Paths{
+			Unauthenticated: []string{"login"},
+		},
+		WALRollback:       b.walRollback,
+		WALRollbackMinAge: 5 * time.Minute,
+		Paths: []*framework.Path{
+			pathConfig(&b),
+			pathServiceAccounts(&b),
+			pathSecrets(&b),
+			// TODO P1 pathListRoles
+			// TODO P1 pathConfigRotateToken
+		},
+		Secrets: []*framework.Secret{
+			secretAccessTokens(&b),
+		},
+	}
+
+	b.testMode = false
+
+	return &b
+}
+
+// Factory creates and returns new backend with BackendConfig
+func Factory(ctx context.Context, c *logical.BackendConfig) (logical.Backend, error) {
+	b := New()
+	if err := b.Setup(ctx, c); err != nil {
+		return nil, err
+	}
+	return b, nil
+}

backend/backend_test.go

@@ -0,0 +1,58 @@
+package backend
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/helper/logging"
+	"github.com/hashicorp/vault/logical"
+)
+
+const (
+	defaultLeaseTTLHr = 1
+	maxLeaseTTLHr     = 12
+)
+
+func getTestBackend(t *testing.T) (logical.Backend, logical.Storage) {
+	b := New()
+
+	c := &logical.BackendConfig{
+		Logger: logging.NewVaultLogger(log.Trace),
+		System: &logical.StaticSystemView{
+			DefaultLeaseTTLVal: defaultLeaseTTLHr * time.Hour,
+			MaxLeaseTTLVal:     maxLeaseTTLHr * time.Hour,
+		},
+		StorageView: &logical.InmemStorage{},
+	}
+	b.testMode = true
+	err := b.Setup(context.Background(), c)
+	if err != nil {
+		t.Fatalf("unable to create backend: %v", err)
+	}
+
+	return b, c.StorageView
+}
+
+func assertNoErrorRequest(t *testing.T, b logical.Backend, r *logical.Request) *logical.Response {
+	resp, err := b.HandleRequest(context.Background(), r)
+	if err != nil {
+		t.Errorf("Should not errors here, but get error '%s'", err)
+	} else if resp != nil && resp.IsError() {
+		t.Errorf("Should not errors here, but get error '%s'", resp.Error())
+	}
+	return resp
+}
+
+func assertEquals(t *testing.T, value1 interface{}, value2 interface{}, message string) {
+	if value1 != value2 {
+		t.Errorf("%s != %s, %s", value1, value2, message)
+	}
+}
+
+func assertNoError(t *testing.T, err error) {
+	if err != nil {
+		t.Errorf("Error should be nil, but get %s", err.Error())
+	}
+}

backend/client.go

@@ -0,0 +1,30 @@
+package backend
+
+import (
+	"encoding/base64"
+
+	"github.com/hashicorp/errwrap"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+func getClientSet(c *config) (*kubernetes.Clientset, error) {
+	data, err := base64.StdEncoding.DecodeString(c.CA)
+	if err != nil {
+		return nil, errwrap.Wrapf("Unable to create kubernetes client, unable to decode CA '{{err}}'", err)
+	}
+
+	clientConf := &rest.Config{
+		Host: c.APIURL,
+		TLSClientConfig: rest.TLSClientConfig{
+			CAData: data,
+		},
+		BearerToken: c.Token,
+	}
+	clientset, err := kubernetes.NewForConfig(clientConf)
+	if err != nil {
+		return nil, errwrap.Wrapf("Unable to create kubernetes client '{{err}}'", err)
+	}
+	return clientset, nil
+}