feat: split the vault mount path into kv and auth

This commit is contained in:
Maksim Loviagin
2025-07-15 18:57:44 +00:00
parent 9cc29af073
commit e39ab6f0ee
3 changed files with 32 additions and 16 deletions


@@ -121,6 +121,7 @@ type Opts struct {
LDAPGroupIdAtr string LDAPGroupIdAtr string
VaultEndpointURL string VaultEndpointURL string
VaultSecretStoragePath string VaultSecretStoragePath string
VaultAuthMethod string
VaultMountPath string VaultMountPath string
VaultRootToken string VaultRootToken string
VaultRoleId string VaultRoleId string
@@ -166,7 +167,7 @@ func New(o *Opts) (IAMService, error) {
o.S3Endpoint, o.S3Bucket) o.S3Endpoint, o.S3Bucket)
case o.VaultEndpointURL != "": case o.VaultEndpointURL != "":
svc, err = NewVaultIAMService(o.RootAccount, o.VaultEndpointURL, o.VaultSecretStoragePath, svc, err = NewVaultIAMService(o.RootAccount, o.VaultEndpointURL, o.VaultSecretStoragePath,
o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret, o.VaultAuthMethod, o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
o.VaultServerCert, o.VaultClientCert, o.VaultClientCertKey) o.VaultServerCert, o.VaultClientCert, o.VaultClientCertKey)
fmt.Printf("initializing Vault IAM with %q\n", o.VaultEndpointURL) fmt.Printf("initializing Vault IAM with %q\n", o.VaultEndpointURL)
case o.IpaHost != "": case o.IpaHost != "":
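Review bot: The new `VaultAuthMethod` field in the Opts hunk has no doc comment, and in the New hunk it becomes the first of eleven positional string arguments to NewVaultIAMService, inserted directly in front of `VaultMountPath`; a caller that swaps those two still compiles and would silently log in against the wrong path, so the field should say what it is where it is declared. Suggested comment: `// VaultAuthMethod is the mount path of the AppRole auth backend used for login; empty means the Vault default "approle".` (the default comes from the comment added in the NewVaultIAMService hunk of this commit). As a point of style, the growing positional string list would be less error-prone as an options struct, though that is a larger refactor than this commit needs. Both the Opts struct and New start outside their hunks.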


@@ -28,14 +28,15 @@ import (
type VaultIAMService struct { type VaultIAMService struct {
client *vault.Client client *vault.Client
reqOpts []vault.RequestOption authReqOpts []vault.RequestOption
kvReqOpts []vault.RequestOption
secretStoragePath string secretStoragePath string
rootAcc Account rootAcc Account
} }
var _ IAMService = &VaultIAMService{} var _ IAMService = &VaultIAMService{}
func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) { func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, authMethod, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) {
opts := []vault.ClientOption{ opts := []vault.ClientOption{
vault.WithAddress(endpoint), vault.WithAddress(endpoint),
// set request timeout to 10 secs // set request timeout to 10 secs
@@ -62,10 +63,16 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
return nil, fmt.Errorf("init vault client: %w", err) return nil, fmt.Errorf("init vault client: %w", err)
} }
reqOpts := []vault.RequestOption{} authReqOpts := []vault.RequestOption{}
// if mount path is not specified, it defaults to "approle" // if auth method path is not specified, it defaults to "approle"
if authMethod != "" {
authReqOpts = append(authReqOpts, vault.WithMountPath(authMethod))
}
kvReqOpts := []vault.RequestOption{}
// if mount path is not specified, it defaults to "kv-v2"
if mountPath != "" { if mountPath != "" {
reqOpts = append(reqOpts, vault.WithMountPath(mountPath)) kvReqOpts = append(kvReqOpts, vault.WithMountPath(mountPath))
} }
// Authentication // Authentication
@@ -84,7 +91,7 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{ resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{
RoleId: roleID, RoleId: roleID,
SecretId: roleSecret, SecretId: roleSecret,
}, reqOpts...) }, authReqOpts...)
cancel() cancel()
if err != nil { if err != nil {
return nil, fmt.Errorf("approle authentication failure: %w", err) return nil, fmt.Errorf("approle authentication failure: %w", err)
@@ -99,7 +106,8 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
return &VaultIAMService{ return &VaultIAMService{
client: client, client: client,
reqOpts: reqOpts, authReqOpts: authReqOpts,
kvReqOpts: kvReqOpts,
secretStoragePath: secretStoragePath, secretStoragePath: secretStoragePath,
rootAcc: rootAcc, rootAcc: rootAcc,
}, nil }, nil
@@ -117,7 +125,7 @@ func (vt *VaultIAMService) CreateAccount(account Account) error {
Options: map[string]interface{}{ Options: map[string]interface{}{
"cas": 0, "cas": 0,
}, },
}, vt.reqOpts...) }, vt.kvReqOpts...)
cancel() cancel()
if err != nil { if err != nil {
if strings.Contains(err.Error(), "check-and-set") { if strings.Contains(err.Error(), "check-and-set") {
@@ -134,7 +142,7 @@ func (vt *VaultIAMService) GetUserAccount(access string) (Account, error) {
return vt.rootAcc, nil return vt.rootAcc, nil
} }
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...) resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
cancel() cancel()
if err != nil { if err != nil {
return Account{}, err return Account{}, err
@@ -172,7 +180,7 @@ func (vt *VaultIAMService) UpdateUserAccount(access string, props MutableProps)
func (vt *VaultIAMService) DeleteUserAccount(access string) error { func (vt *VaultIAMService) DeleteUserAccount(access string) error {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
_, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...) _, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
cancel() cancel()
if err != nil { if err != nil {
return err return err
@@ -182,7 +190,7 @@ func (vt *VaultIAMService) DeleteUserAccount(access string) error {
func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) { func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.reqOpts...) resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.kvReqOpts...)
cancel() cancel()
if err != nil { if err != nil {
if vault.IsErrorStatus(err, 404) { if vault.IsErrorStatus(err, 404) {
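Review bot: In the `@@ -62,10 +63,16 @@` hunk the new `authMethod` parameter is not an auth method but a mount path: it is only ever passed to `vault.WithMountPath` and only applied to `client.Auth.AppRoleLogin`, and nothing else in the visible code selects a login method, so a value naming a different backend would merely point the AppRole login at a path where it fails. Either rename it to `authMountPath` (matching the `kvReqOpts`/`authReqOpts` split) or document it; NewVaultIAMService has no doc comment, and one should state that `authMethod` is the mount path of the AppRole auth backend (Vault default "approle" when empty) and `mountPath` is the mount path of the KV v2 secrets engine ("kv-v2" when empty). Not introduced here but visible in the `GetUserAccount`/`DeleteUserAccount` hunks: `access` is spliced into the KV path with `+"/"+`, so if it can carry a slash a lookup could address a key outside `secretStoragePath`; worth confirming that the caller rejects such values. NewVaultIAMService starts and ends outside these hunks.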


@@ -61,10 +61,10 @@ var (
ldapAccessAtr, ldapSecAtr, ldapRoleAtr string ldapAccessAtr, ldapSecAtr, ldapRoleAtr string
ldapUserIdAtr, ldapGroupIdAtr string ldapUserIdAtr, ldapGroupIdAtr string
vaultEndpointURL, vaultSecretStoragePath string vaultEndpointURL, vaultSecretStoragePath string
vaultMountPath, vaultRootToken string vaultAuthMethod, vaultMountPath string
vaultRoleId, vaultRoleSecret string vaultRootToken, vaultRoleId string
vaultServerCert, vaultClientCert string vaultRoleSecret, vaultServerCert string
vaultClientCertKey string vaultClientCert, vaultClientCertKey string
s3IamAccess, s3IamSecret string s3IamAccess, s3IamSecret string
s3IamRegion, s3IamBucket string s3IamRegion, s3IamBucket string
s3IamEndpoint string s3IamEndpoint string
@@ -380,6 +380,12 @@ func initFlags() []cli.Flag {
EnvVars: []string{"VGW_IAM_VAULT_SECRET_STORAGE_PATH"}, EnvVars: []string{"VGW_IAM_VAULT_SECRET_STORAGE_PATH"},
Destination: &vaultSecretStoragePath, Destination: &vaultSecretStoragePath,
}, },
&cli.StringFlag{
Name: "iam-vault-auth-method",
Usage: "vault server auth method",
EnvVars: []string{"VGW_IAM_VAULT_AUTH_METHOD"},
Destination: &vaultAuthMethod,
},
&cli.StringFlag{ &cli.StringFlag{
Name: "iam-vault-mount-path", Name: "iam-vault-mount-path",
Usage: "vault server mount path", Usage: "vault server mount path",
@@ -658,6 +664,7 @@ func runGateway(ctx context.Context, be backend.Backend) error {
LDAPGroupIdAtr: ldapGroupIdAtr, LDAPGroupIdAtr: ldapGroupIdAtr,
VaultEndpointURL: vaultEndpointURL, VaultEndpointURL: vaultEndpointURL,
VaultSecretStoragePath: vaultSecretStoragePath, VaultSecretStoragePath: vaultSecretStoragePath,
VaultAuthMethod: vaultAuthMethod,
VaultMountPath: vaultMountPath, VaultMountPath: vaultMountPath,
VaultRootToken: vaultRootToken, VaultRootToken: vaultRootToken,
VaultRoleId: vaultRoleId, VaultRoleId: vaultRoleId,
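Review bot: The Usage text of the new `iam-vault-auth-method` flag, `"vault server auth method"`, reads as a method selector, while the value is consumed as the mount path of the AppRole auth backend in the NewVaultIAMService hunk of this commit; an operator passing a backend name would get an authentication failure with no hint why. Suggest `Usage: "mount path of the vault approle auth backend (default: approle)",` and, since this commit narrows the meaning of `iam-vault-mount-path` to the KV engine, `Usage: "mount path of the vault kv-v2 secrets engine (default: kv-v2)",` for the existing flag in the same hunk. initFlags and runGateway both start outside their hunks.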