mirrors/khuedoan-homelab
1
0
Fork 0
mirror of https://github.com/khuedoan/homelab.git synced 2025-07-15 10:18:33 +07:00
Code Issues Packages Projects Releases Wiki Activity

feat(vault): create random secret if not exists (WIP)

Browse Source
This commit is contained in:
Khue Doan
2022-03-01 02:18:45 +07:00
parent 51e487ffde
commit 19f9d44f70
2 changed files with 49 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
platform/vault/files/generate-secrets/go.mod
View File

@ -2,8 +2,9 @@ module git.khuedoan.com/khuedoan/homelab/vault/init
go 1.17 go 1.17
require github.com/hashicorp/vault/api v1.4.1
require ( require (
github.com/hashicorp/vault/api v1.4.1
github.com/armon/go-metrics v0.3.9 // indirect github.com/armon/go-metrics v0.3.9 // indirect
github.com/armon/go-radix v1.0.0 // indirect github.com/armon/go-radix v1.0.0 // indirect
github.com/cenkalti/backoff/v3 v3.0.0 // indirect github.com/cenkalti/backoff/v3 v3.0.0 // indirect
@ -38,6 +39,7 @@ require (
github.com/oklog/run v1.0.0 // indirect github.com/oklog/run v1.0.0 // indirect
github.com/pierrec/lz4 v2.5.2+incompatible // indirect github.com/pierrec/lz4 v2.5.2+incompatible // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sethvargo/go-password v0.2.0 // indirect
go.uber.org/atomic v1.9.0 // indirect go.uber.org/atomic v1.9.0 // indirect
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect

59
platform/vault/files/generate-secrets/main.go
View File

@ -1,10 +1,32 @@
package main package main
// TODO WIP
// TODO env vars
// export VAULT_ADDR='https://127.0.0.1:8200'
// export VAULT_TOKEN=root
// TODO ACL policy
// path "secret/*" {
// capabilities = [
// "create",
// "list"
// ]
// }
// TODO config syntax with yaml
// randomPasswords:
// - path: gitea/admin-password
// length: 32
// special: false
// state: present
import ( import (
"log" "log"
// "crypto/rand" // "crypto/rand"
vault "github.com/hashicorp/vault/api" vault "github.com/hashicorp/vault/api"
"github.com/sethvargo/go-password/password"
) )
func main() { func main() {
@ -17,20 +39,31 @@ func main() {
log.Fatalf("unable to initialize Vault client: %v", err) log.Fatalf("unable to initialize Vault client: %v", err)
} }
// Authenticate client.SetToken("root")
// WARNING: This quickstart uses the root token for our Vault dev server.
// Don't do this in production!
client.SetToken("root") // TODO use secure token
secretData := map[string]interface{}{ path := "secret/data/gitea/admin-password"
"data": map[string]interface{}{
"value": "verystronkpassword",
},
}
_, err = client.Logical().Write("secret/data/gitea/admin-password", secretData) secret, _ := client.Logical().Read(path)
if err != nil {
log.Fatalf("Unable to write secret: %v", err) if secret == nil {
res, err := password.Generate(32, 24, 8, false, true)
if err != nil {
log.Fatal(err)
}
secretData := map[string]interface{}{
"data": map[string]interface{}{
"value": res,
},
}
_, err = client.Logical().Write(path, secretData)
if err != nil {
log.Fatalf("Unable to write secret: %v", err)
} else {
log.Println("Secret written successfully.")
}
} else {
log.Println("Secret already existed.")
} }
log.Println("Secret written successfully.")
} }