feat(vault): create random secret if not exists (WIP)

2025-07-08 23:08:40 +07:00 · 2022-03-01 02:18:45 +07:00
parent 51e487ffde
commit 19f9d44f70
2 changed files with 49 additions and 14 deletions
--- a/platform/vault/files/generate-secrets/go.mod
+++ b/platform/vault/files/generate-secrets/go.mod
@ -2,8 +2,9 @@ module git.khuedoan.com/khuedoan/homelab/vault/init

 go 1.17

+require github.com/hashicorp/vault/api v1.4.1
+
 require (
-	github.com/hashicorp/vault/api v1.4.1
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
@ -38,6 +39,7 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/sethvargo/go-password v0.2.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
--- a/platform/vault/files/generate-secrets/main.go
+++ b/platform/vault/files/generate-secrets/main.go
@ -1,10 +1,32 @@
 package main

+// TODO WIP
+
+// TODO env vars
+// export VAULT_ADDR='https://127.0.0.1:8200'
+// export VAULT_TOKEN=root
+
+// TODO ACL policy
+// path "secret/*" {
+//   capabilities = [
+//     "create",
+//     "list"
+//   ]
+// }
+
+// TODO config syntax with yaml
+// randomPasswords:
+//   - path: gitea/admin-password
+//     length: 32
+//     special: false
+//     state: present
+
 import (
 	"log"
 	// "crypto/rand"

 	vault "github.com/hashicorp/vault/api"
+	"github.com/sethvargo/go-password/password"
 )

 func main() {
@ -17,20 +39,31 @@ func main() {
 		log.Fatalf("unable to initialize Vault client: %v", err)
 	}

-	// Authenticate
-	// WARNING: This quickstart uses the root token for our Vault dev server.
-	// Don't do this in production!
-	client.SetToken("root") // TODO use secure token
+	client.SetToken("root")
+
+	path := "secret/data/gitea/admin-password"
+
+	secret, _ := client.Logical().Read(path)
+
+	if secret == nil {
+		res, err := password.Generate(32, 24, 8, false, true)
+		if err != nil {
+			log.Fatal(err)
+		}

 		secretData := map[string]interface{}{
 			"data": map[string]interface{}{
-			"value": "verystronkpassword",
+				"value": res,
 			},
 		}

-	_, err = client.Logical().Write("secret/data/gitea/admin-password", secretData)
+		_, err = client.Logical().Write(path, secretData)
 		if err != nil {
 			log.Fatalf("Unable to write secret: %v", err)
-	}
+		} else {
 			log.Println("Secret written successfully.")
+		}
+	} else {
+		log.Println("Secret already existed.")
+	}
 }