README
¶
vault-gatekeeper
Vault-Gatekeeper is a small service for delivering Vault token to other services who's lifecycles are managed by a container scheduler such as Mesos or ECS.
Vault-Gatekeeper takes the Cubbyhole Authenication approach outlined by Jeff Mitchell on Vault Blog. Specifically Vault response wrapping is used as outlined in the Vault documentation.
In short, a service will request a vault token from VG supplying its Mesos task id or ECS task arn. VG will then check with Mesos/ECS to
ensure that the task has been recently started and that VG has not already issued a token for that task id. Then VG will check its configuration to understand what role that task is assigned and request a response wrapped token from Vault. VG will then pass the token to the service which can then unwrap the response with /sys/wrapping/unwrap to retrieve the token.
Requirements
- Vault 0.6.2+
- Mesos 1.0.0+ (if using Mesos)
Documentation
Visit http://nemosupremo.github.io/vault-gatekeeper
Quickstart
This guide assumes that you 1.) have a Vault instance running, 2.) have a Mesos instance running and 3.) have an approle policy in Vault named test.
- Install a sample policy in Vault
$ echo '{"mesos:*":{"roles":["test"],"num_uses":1}}' | ./gatekeeper policy update --vault-token 'MY_TOKEN' '-'
- Start a Gatekeeper instance
$ ./gatekeeper server --mesos-master 'http://leader.mesos:5050' --vault-addr http://localhost:8200
- Unseal the Gatekeeper instance with a token. (The token must have at least the policy defined in
gatekeeper-policy.hcl).
$ ./gatekeeper unseal token --vault-token 'GK_TOKEN'
- Launch a task on mesos and retrieve a token:
$ curl -X POST -d"{\"task_id\":\"${MESOS_TASK_ID}\"}" 'http://gatekeeper-host/token'
Downloading
You can grab a binary from the releases or deploy the docker image nemosupremo/vault-gatekeeper.
License
Documentation
¶
Index ¶
- Variables
- func GetLog(r *http.Request) logrus.FieldLogger
- func ListenAndServeTLS(addr, certFile, keyFile string, handler http.Handler) error
- func LogEntrySetField(r *http.Request, key string, value interface{})
- func LogEntrySetFields(r *http.Request, fields map[string]interface{})
- func NewKeypairReloader(certFile, keyFile string) (*keypairReloader, error)
- func NewLogger(logger *logrus.Logger) func(next http.Handler) http.Handler
- type Config
- type Gatekeeper
- func (g *Gatekeeper) ErrorResponse(w http.ResponseWriter, code int, err string)
- func (g *Gatekeeper) GetPolicyConfig() ([]byte, error)
- func (g *Gatekeeper) GetRoleId(roleName string, authToken string) (string, error)
- func (g *Gatekeeper) GetSecretId(roleName string, authToken string) (string, error)
- func (g *Gatekeeper) IsUnsealed() bool
- func (g *Gatekeeper) LoadPeers(myId string, startup bool) ([]peer, error)
- func (g *Gatekeeper) NewMetrics(conf Config) (*metrics, error)
- func (g *Gatekeeper) OkResponse(w http.ResponseWriter, message string)
- func (g *Gatekeeper) Peers() []peer
- func (g *Gatekeeper) RenewToken() error
- func (g *Gatekeeper) RenewalWorker(controlChan chan struct{})
- func (g *Gatekeeper) RequestToken(providerKey string, taskId string, requestedRole string, remoteAddr string) (string, time.Duration, error)
- func (g *Gatekeeper) Routes() http.Handler
- func (g *Gatekeeper) Seal() error
- func (g *Gatekeeper) Serve() error
- func (g *Gatekeeper) TokenTtl() (time.Duration, error)
- func (g *Gatekeeper) Unseal(u unsealer.Unsealer) error
Constants ¶
This section is empty.
Variables ¶
View Source
var ErrHostMismatch = errors.New("The service's remote address requesting this token does not match the host of the service running this task.")
View Source
var ErrMaxTokensGiven = errors.New("Maximum number of tokens given to this task.")
View Source
var ErrNoPolicy = errors.New("Your task doesn't match any configured policy.")
View Source
var ErrNoPolicyConfigured = errors.New("No policies have been configured.")
View Source
var ErrNoSuchRole = errors.New("The role requested does not exist.")
View Source
var ErrRoleMismatch = errors.New("Your task does not have permission to use this role.")
View Source
var ErrSealed = errors.New("Gatekeeper is sealed.")
View Source
var ErrTaskNotFresh = errors.New("This task has been running too long to request a token.")
Functions ¶
func ListenAndServeTLS ¶
This works just like http.ListenAndServeTLS but certificates are loaded into a wrapper struct that reloads certificates from disk when a SIGHUP is received.
func LogEntrySetField ¶
func LogEntrySetFields ¶
func NewKeypairReloader ¶
Types ¶
type Config ¶
type Config struct {
ListenAddress string
TlsCert string
TlsKey string
DefaultScheduler string
Schedulers []string
Store string
StoreVaultPath string
Peers string
HostCheck bool
UseImageNames bool
Vault struct {
Address string
CaCert string
CaPath string
ClientCert string
ClientKey string
Insecure bool
KvVersion string
AppRoleMount string
}
Metrics struct {
Ticker time.Duration
Statsd struct {
Host string
Prefix string
Influx bool
Datadog bool
}
}
PolicyPath string
MaxTaskLife time.Duration
Unsealer unsealer.Unsealer
Version string
SkipPolicyLoading bool
Backoff *backoff.ExponentialBackOff
}
type Gatekeeper ¶
type Gatekeeper struct {
Store usagestore.UsageStore
Schedulers map[string]scheduler.Scheduler
Policies *policy.Policies `json:"-"`
Stats struct {
Requests int32 `json:"requests"`
Successful int32 `json:"successful"`
Denied int32 `json:"denied"`
Failed int32 `json:"failed"`
} `json:"stats"`
Started time.Time `json:"started"`
Token string `json:"-"`
PeerId string `json:"peer_id"`
sync.RWMutex
// contains filtered or unexported fields
}
func NewGatekeeper ¶
func NewGatekeeper(conf Config) (*Gatekeeper, error)
func (*Gatekeeper) ErrorResponse ¶
func (g *Gatekeeper) ErrorResponse(w http.ResponseWriter, code int, err string)
func (*Gatekeeper) GetPolicyConfig ¶
func (g *Gatekeeper) GetPolicyConfig() ([]byte, error)
func (*Gatekeeper) GetRoleId ¶
func (g *Gatekeeper) GetRoleId(roleName string, authToken string) (string, error)
func (*Gatekeeper) GetSecretId ¶
func (g *Gatekeeper) GetSecretId(roleName string, authToken string) (string, error)
func (*Gatekeeper) IsUnsealed ¶
func (g *Gatekeeper) IsUnsealed() bool
func (*Gatekeeper) LoadPeers ¶
func (g *Gatekeeper) LoadPeers(myId string, startup bool) ([]peer, error)
func (*Gatekeeper) NewMetrics ¶
func (g *Gatekeeper) NewMetrics(conf Config) (*metrics, error)
func (*Gatekeeper) OkResponse ¶
func (g *Gatekeeper) OkResponse(w http.ResponseWriter, message string)
func (*Gatekeeper) Peers ¶
func (g *Gatekeeper) Peers() []peer
func (*Gatekeeper) RenewToken ¶
func (g *Gatekeeper) RenewToken() error
func (*Gatekeeper) RenewalWorker ¶
func (g *Gatekeeper) RenewalWorker(controlChan chan struct{})
func (*Gatekeeper) RequestToken ¶
func (*Gatekeeper) Routes ¶
func (g *Gatekeeper) Routes() http.Handler
func (*Gatekeeper) Seal ¶
func (g *Gatekeeper) Seal() error
func (*Gatekeeper) Serve ¶
func (g *Gatekeeper) Serve() error
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.