bff for callbacks
@@ -8,10 +8,12 @@ import (
|
||||
|
||||
// Config describes Vault KV v2 connection settings.
|
||||
type Config struct {
|
||||
Address string `mapstructure:"address" yaml:"address"`
|
||||
TokenEnv string `mapstructure:"token_env" yaml:"token_env"`
|
||||
Namespace string `mapstructure:"namespace" yaml:"namespace"`
|
||||
MountPath string `mapstructure:"mount_path" yaml:"mount_path"`
|
||||
Address string `mapstructure:"address" yaml:"address"`
|
||||
TokenEnv string `mapstructure:"token_env" yaml:"token_env"`
|
||||
TokenFileEnv string `mapstructure:"token_file_env" yaml:"token_file_env"`
|
||||
TokenFile string `mapstructure:"token_file" yaml:"token_file"`
|
||||
Namespace string `mapstructure:"namespace" yaml:"namespace"`
|
||||
MountPath string `mapstructure:"mount_path" yaml:"mount_path"`
|
||||
}
|
||||
|
||||
// Client defines KV operations used by services.
|
||||
|
||||
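Review bot: The two new fields `TokenFileEnv` and `TokenFile` carry no doc comment, so a reader of the Config struct cannot tell how they relate to `TokenEnv` or which wins when several are set; the resolution order is only discoverable from resolveToken further down. Since the struct is consumed via `mapstructure`/`yaml` tags, operators writing config will see these names without any guidance. I would add field comments such as `// TokenFileEnv names an environment variable whose value is the path of a file holding the Vault token; it overrides TokenFile when set and non-empty.` and `// TokenFile is the path of a file holding the Vault token, consulted only when TokenEnv is unset or empty.`. The same comment applies to the mirrored fields in the wallet Config hunk at `@@ -10,11 +10,13 @@`.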
@@ -36,16 +36,14 @@ func newService(opts Options) (Client, error) {
|
||||
return nil, merrors.InvalidArgument(component + ": address is required")
|
||||
}
|
||||
|
||||
tokenEnv := strings.TrimSpace(opts.Config.TokenEnv)
|
||||
if tokenEnv == "" {
|
||||
logger.Error("Vault token env missing")
|
||||
return nil, merrors.InvalidArgument(component + ": token_env is required")
|
||||
token, tokenSource, err := resolveToken(opts.Config)
|
||||
if err != nil {
|
||||
logger.Error("Vault token configuration is invalid", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
token := strings.TrimSpace(os.Getenv(tokenEnv))
|
||||
if token == "" {
|
||||
logger.Error("Vault token missing; expected Vault Agent to export token", zap.String("env", tokenEnv))
|
||||
return nil, merrors.InvalidArgument(component + ": token env " + tokenEnv + " is not set (expected Vault Agent sink to populate it)")
|
||||
logger.Error("Vault token missing", zap.String("source", tokenSource))
|
||||
return nil, merrors.InvalidArgument(component + ": vault token is empty")
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(strings.TrimSpace(opts.Config.MountPath), "/")
|
||||
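Review bot: The error from `resolveToken` is returned unchanged on the `return nil, err` line, while every other early return in newService prefixes its message with `component` (see the `address is required` return just above in the hunk), so a caller that sees the new `vault kv:` messages can no longer tell which component's Vault configuration was rejected. If merrors has no kind-preserving wrapper, the least invasive fix is to make sure the component reaches the log line, e.g. `logger.Error("Vault token configuration is invalid", zap.String("component", component), zap.Error(err))`, assuming the logger is not already scoped to the component (not visible here). The log line on the empty-token branch looks right: `tokenSource` names an env variable or a file path, never the token value. newService starts and ends outside this hunk.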
@@ -148,4 +146,36 @@ func normalizePath(secretPath string) (string, error) {
|
||||
return normalizedPath, nil
|
||||
}
|
||||
|
||||
func resolveToken(config Config) (string, string, error) {
|
||||
tokenEnv := strings.TrimSpace(config.TokenEnv)
|
||||
if tokenEnv != "" {
|
||||
if token := strings.TrimSpace(os.Getenv(tokenEnv)); token != "" {
|
||||
return token, "token_env:" + tokenEnv, nil
|
||||
}
|
||||
}
|
||||
|
||||
tokenFilePath := strings.TrimSpace(config.TokenFile)
|
||||
if tokenFileEnv := strings.TrimSpace(config.TokenFileEnv); tokenFileEnv != "" {
|
||||
if resolved := strings.TrimSpace(os.Getenv(tokenFileEnv)); resolved != "" {
|
||||
tokenFilePath = resolved
|
||||
}
|
||||
}
|
||||
if tokenFilePath != "" {
|
||||
raw, err := os.ReadFile(tokenFilePath)
|
||||
if err != nil {
|
||||
return "", "", merrors.Internal("vault kv: failed to read token file " + tokenFilePath + ": " + err.Error())
|
||||
}
|
||||
return strings.TrimSpace(string(raw)), "token_file:" + tokenFilePath, nil
|
||||
}
|
||||
|
||||
if tokenEnv != "" {
|
||||
return "", "token_env:" + tokenEnv, merrors.InvalidArgument("vault kv: token env " + tokenEnv + " is empty")
|
||||
}
|
||||
if strings.TrimSpace(config.TokenFileEnv) != "" {
|
||||
return "", "token_file_env:" + strings.TrimSpace(config.TokenFileEnv), merrors.InvalidArgument("vault kv: token file env is empty")
|
||||
}
|
||||
|
||||
return "", "", merrors.InvalidArgument("vault kv: either token_env or token_file/token_file_env must be configured")
|
||||
}
|
||||
|
||||
var _ Client = (*service)(nil)
|
||||
|
||||
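Review bot: resolveToken treats an empty token inconsistently between its two sources: when `TokenEnv` names an empty variable and no file is configured it returns an InvalidArgument error (the `token env ... is empty` return), but when the token file exists and is blank it returns `("", "token_file:...", nil)` and relies on the caller to notice the empty string, so any future caller that only checks `err` will proceed with an empty token. Returning an error from the file branch makes the contract uniform: after the `strings.TrimSpace(string(raw))` step, `if token == "" { return "", "token_file:" + tokenFilePath, merrors.InvalidArgument("vault kv: token file " + tokenFilePath + " is empty") }`. The function also has no doc comment; one should state the precedence (`TokenEnv` first, then the path from `TokenFileEnv`, then `TokenFile`) and that the second result is a human-readable source label for logging, not a secret. As a style point, `strings.TrimSpace(config.TokenFileEnv)` is computed three times and could be bound once next to `tokenFilePath`.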
@@ -10,11 +10,13 @@ import (
|
||||
|
||||
// Config describes how to connect to Vault for managed wallet keys.
|
||||
type Config struct {
|
||||
Address string `mapstructure:"address" yaml:"address"`
|
||||
TokenEnv string `mapstructure:"token_env" yaml:"token_env"`
|
||||
Namespace string `mapstructure:"namespace" yaml:"namespace"`
|
||||
MountPath string `mapstructure:"mount_path" yaml:"mount_path"`
|
||||
KeyPrefix string `mapstructure:"key_prefix" yaml:"key_prefix"`
|
||||
Address string `mapstructure:"address" yaml:"address"`
|
||||
TokenEnv string `mapstructure:"token_env" yaml:"token_env"`
|
||||
TokenFileEnv string `mapstructure:"token_file_env" yaml:"token_file_env"`
|
||||
TokenFile string `mapstructure:"token_file" yaml:"token_file"`
|
||||
Namespace string `mapstructure:"namespace" yaml:"namespace"`
|
||||
MountPath string `mapstructure:"mount_path" yaml:"mount_path"`
|
||||
KeyPrefix string `mapstructure:"key_prefix" yaml:"key_prefix"`
|
||||
}
|
||||
|
||||
// ManagedWalletKey captures metadata returned after key provisioning.
|
||||
|
||||
@@ -38,10 +38,12 @@ func newService(opts Options) (Service, error) {
|
||||
store, err := kv.New(kv.Options{
|
||||
Logger: logger,
|
||||
Config: kv.Config{
|
||||
Address: opts.Config.Address,
|
||||
TokenEnv: opts.Config.TokenEnv,
|
||||
Namespace: opts.Config.Namespace,
|
||||
MountPath: opts.Config.MountPath,
|
||||
Address: opts.Config.Address,
|
||||
TokenEnv: opts.Config.TokenEnv,
|
||||
TokenFileEnv: opts.Config.TokenFileEnv,
|
||||
TokenFile: opts.Config.TokenFile,
|
||||
Namespace: opts.Config.Namespace,
|
||||
MountPath: opts.Config.MountPath,
|
||||
},
|
||||
Component: component,
|
||||
})
|
||||
|
||||