Merge pull request kelseyhightower#708 from okushchenko/vault-path

Add option to specify auth backend mount path in Vault

.travis.yml

@@ -3,7 +3,7 @@ go:
   - 1.x
   - tip
 env:
-  - VAULT_ADDR='http://127.0.0.1:8200' CONSUL_VERSION=0.9.3 ETCD_VERSION=3.3.1 DYNAMODB_VERSION=2017-02-16 VAULT_VERSION=0.8.1 ZOOKEEPER_VERSION=3.4.10 RANCHER_VERSION=0.6.0
+  - VAULT_ADDR='http://127.0.0.1:8200' CONSUL_VERSION=0.9.3 ETCD_VERSION=3.3.1 DYNAMODB_VERSION=2017-02-16 VAULT_VERSION=0.10.1 ZOOKEEPER_VERSION=3.4.10 RANCHER_VERSION=0.6.0
 services:
   - redis
 before_install:

backends/client.go

@@ -75,6 +75,7 @@ func New(config Config) (StoreClient, error) {
 			"cert":      config.ClientCert,
 			"key":       config.ClientKey,
 			"caCert":    config.ClientCaKeys,
+			"path":      config.Path,
 		}
 		return vault.New(backendNodes[0], config.AuthType, vaultConfig)
 	case "dynamodb":

backends/config.go

@@ -23,6 +23,7 @@ type Config struct {
 	RoleID       string     `toml:"role_id"`
 	SecretID     string     `toml:"secret_id"`
 	YAMLFile     util.Nodes `toml:"file"`
-  	Filter       string     `toml:"filter"`
+	Filter       string     `toml:"filter"`
+	Path         string     `toml:"path"`
 	Role         string
 }

backends/vault/client.go

@@ -51,40 +51,49 @@ func authenticate(c *vaultapi.Client, authType string, params map[string]string)
 	// this would happen when we get a parameter that is missing
 	defer panicToError(&err)
 
+	path := params["path"]
+	if path == "" {
+		path = authType
+		if authType == "app-role" {
+			path = "approle"
+		}
+	}
+	url := fmt.Sprintf("/auth/%s/login", path)
+
 	switch authType {
 	case "app-role":
-		secret, err = c.Logical().Write("/auth/approle/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"role_id":   getParameter("role-id", params),
 			"secret_id": getParameter("secret-id", params),
 		})
 	case "app-id":
-		secret, err = c.Logical().Write("/auth/app-id/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"app_id":  getParameter("app-id", params),
 			"user_id": getParameter("user-id", params),
 		})
 	case "github":
-		secret, err = c.Logical().Write("/auth/github/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"token": getParameter("token", params),
 		})
 	case "token":
 		c.SetToken(getParameter("token", params))
 		secret, err = c.Logical().Read("/auth/token/lookup-self")
 	case "userpass":
 		username, password := getParameter("username", params), getParameter("password", params)
-		secret, err = c.Logical().Write(fmt.Sprintf("/auth/userpass/login/%s", username), map[string]interface{}{
+		secret, err = c.Logical().Write(fmt.Sprintf("%s/%s", url, username), map[string]interface{}{
 			"password": password,
 		})
 	case "kubernetes":
 		jwt, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
 		if err != nil {
 			return err
 		}
-		secret, err = c.Logical().Write("/auth/kubernetes/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"jwt":  string(jwt[:]),
 			"role": getParameter("role-id", params),
 		})
 	case "cert":
-		secret, err = c.Logical().Write("/auth/cert/login", map[string]interface{}{})
+		secret, err = c.Logical().Write(url, map[string]interface{}{})
 	}
 
 	if err != nil {

config.go

@@ -66,6 +66,7 @@ func init() {
 	flag.StringVar(&config.UserID, "user-id", "", "Vault user-id to use with the app-id backend (only used with -backend=value and auth-type=app-id)")
 	flag.StringVar(&config.RoleID, "role-id", "", "Vault role-id to use with the AppRole, Kubernetes backends (only used with -backend=vault and either auth-type=app-role or auth-type=kubernetes)")
 	flag.StringVar(&config.SecretID, "secret-id", "", "Vault secret-id to use with the AppRole backend (only used with -backend=vault and auth-type=app-role)")
+	flag.StringVar(&config.Path, "path", "", "Vault mount path of the auth method (only used with -backend=vault)")
 	flag.StringVar(&config.Table, "table", "", "the name of the DynamoDB table (only used with -backend=dynamodb)")
 	flag.StringVar(&config.Separator, "separator", "", "the separator to replace '/' with when looking up keys in the backend, prefixed '/' will also be removed (only used with -backend=redis)")
 	flag.StringVar(&config.Username, "username", "", "the username to authenticate as (only used with vault and etcd backends)")

docs/command-line-flags.md

@@ -27,11 +27,11 @@ Usage of confd:
   -confdir string
       confd conf directory (default "/etc/confd")
   -config-file string
-      the confd config file
-  -file string
-      list of files/directories with data represented in YAML to watch for changes
+      the confd config file (default "/etc/confd/confd.toml")
+  -file value
+      the YAML file to watch for changes (only used with -backend=file)
   -filter string
-      regex for files and dirs filtering
+      files filter (only used with -backend=file) (default "*")
   -interval int
       backend polling interval (default 600)
   -keep-stage-file
@@ -46,16 +46,20 @@ Usage of confd:
       run once and exit
   -password string
       the password to authenticate with (only used with vault and etcd backends)
+  -path string
+      Vault mount path of the auth method (only used with -backend=vault)
   -prefix string
       key path prefix
   -role-id string
-      Vault role-id to use with the AppRole, Kubernetes backend (only used with -backend=vault and either auth-type=app-role or auth-type=kubernetes)
+      Vault role-id to use with the AppRole, Kubernetes backends (only used with -backend=vault and either auth-type=app-role or auth-type=kubernetes)
   -scheme string
       the backend URI scheme for nodes retrieved from DNS SRV records (http or https) (default "http")
   -secret-id string
       Vault secret-id to use with the AppRole backend (only used with -backend=vault and auth-type=app-role)
   -secret-keyring string
       path to armored PGP secret keyring (for use with crypt functions)
+  -separator string
+      the separator to replace '/' with when looking up keys in the backend, prefixed '/' will also be removed (only used with -backend=redis)
   -srv-domain string
       the name of the resource record
   -srv-record string
@@ -64,8 +68,6 @@ Usage of confd:
       sync without check_cmd and reload_cmd
   -table string
       the name of the DynamoDB table (only used with -backend=dynamodb)
-  -separator string
-      the separator to replace '/' with when looking up keys in the backend, prefixed "/" will also be removed (only used with -backend=redis, default "/")
   -user-id string
       Vault user-id to use with the app-id backend (only used with -backend=value and auth-type=app-id)
   -username string

docs/configuration-guide.md

@@ -22,6 +22,20 @@ Optional:
 * `srv_record` (string) - The SRV record to search for backends nodes.
 * `sync-only` (bool) - sync without check_cmd and reload_cmd.
 * `watch` (bool) - Enable watch support.
+* `auth_token` (string) - Auth bearer token to use.
+* `auth_type` (string) - Vault auth backend type to use.
+* `basic_auth` (bool) - Use Basic Auth to authenticate (only used with -backend=consul and -backend=etcd).
+* `table` (string) - The name of the DynamoDB table (only used with -backend=dynamodb).
+* `separator` (string) - The separator to replace '/' with when looking up keys in the backend, prefixed '/' will also be removed (only used with -backend=redis)
+* `username` (string) - The username to authenticate as (only used with vault and etcd backends).
+* `password` (string) - The password to authenticate with (only used with vault and etcd backends).
+* `app_id` (string) - Vault app-id to use with the app-id backend (only used with -backend=vault and auth-type=app-id).
+* `user_id` (string) - Vault user-id to use with the app-id backend (only used with -backend=value and auth-type=app-id).
+* `role_id` (string) - Vault role-id to use with the AppRole, Kubernetes backends (only used with -backend=vault and either auth-type=app-role or auth-type=kubernetes).
+* `secret_id` (string) - Vault secret-id to use with the AppRole backend (only used with -backend=vault and auth-type=app-role).
+* `file` (array of strings) - The YAML file to watch for changes (only used with -backend=file).
+* `filter` (string) - Files filter (only used with -backend=file) (default "*").
+* `path` (string) - Vault mount path of the auth method (only used with -backend=vault).
 
 Example:
 

integration/vault-path/test.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+export HOSTNAME="localhost"
+export ROOT_TOKEN="$(vault read -field id auth/token/lookup-self)"
+
+vault secrets enable -path database kv
+vault secrets enable -path key kv
+vault secrets enable -path upstream kv
+vault secrets enable -path nested kv
+
+vault write key value=foobar
+vault write database/host value=127.0.0.1
+vault write database/port value=3306
+vault write database/username value=confd
+vault write database/password value=p@sSw0rd
+vault write upstream app1=10.0.1.10:8080 app2=10.0.1.11:8080
+vault write nested/east/app1 value=10.0.1.10:8080
+vault write nested/west/app2 value=10.0.1.11:8080
+
+vault auth enable -path=test approle
+
+echo 'path "*" {
+  capabilities = ["read"]
+}' > my-policy.hcl
+
+vault write sys/policy/my-policy [email protected]
+
+vault write auth/test/role/my-role secret_id_ttl=120m token_num_uses=1000 token_ttl=60m token_max_ttl=120m secret_id_num_uses=10000 policies=my-policy
+
+export ROLE_ID=$(vault read -field=role_id auth/test/role/my-role/role-id)
+export SECRET_ID=$(vault write -f -field=secret_id auth/test/role/my-role/secret-id)
+
+# Run confd
+confd --onetime --log-level debug \
+      --confdir ./integration/confdir \
+      --backend vault \
+      --auth-type app-role \
+      --role-id $ROLE_ID \
+      --secret-id $SECRET_ID \
+      --path=test \
+      --node http://127.0.0.1:8200

integration/vault/test.sh

@@ -3,10 +3,10 @@
 export HOSTNAME="localhost"
 export ROOT_TOKEN="$(vault read -field id auth/token/lookup-self)"
 
-vault mount -path database generic
-vault mount -path key generic
-vault mount -path upstream generic
-vault mount -path nested generic
+vault secrets enable -path database kv
+vault secrets enable -path key kv
+vault secrets enable -path upstream kv
+vault secrets enable -path nested kv
 
 vault write key value=foobar
 vault write database/host value=127.0.0.1