├── .github ├── lock.yml └── reaction.yml ├── CHANGELOG.md ├── Dockerfile ├── LICENSE ├── README.md ├── go.mod ├── go.sum └── main.go /.github/lock.yml: -------------------------------------------------------------------------------- 1 | daysUntilLock: 90 2 | lockLabel: false 3 | lockComment: false 4 | -------------------------------------------------------------------------------- /.github/reaction.yml: -------------------------------------------------------------------------------- 1 | reactionComment: false 2 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | ## [0.4.0] - 2019-08-10 6 | 7 | ### Added 8 | - Support for Vault namespaces 9 | 10 | ## [0.2.0] - 2019-02-19 11 | 12 | ### Added 13 | - Run as non-root user (appuser:appgroup - 1001:1001) 14 | - Token accessor and token path default to `/var/run/secrets/vaultproject.io` instead of `/` 15 | 16 | ### Changed 17 | - Base image is now alpine instead of scratch to support non-root users 18 | 19 | ## [0.1.2] 20 | 21 | ### Added 22 | - Changelog 23 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:1.12 AS builder 2 | 3 | ENV GO111MODULE=on \ 4 | CGO_ENABLED=0 \ 5 | GOOS=linux \ 6 | GOARCH=amd64 7 | 8 | WORKDIR /src 9 | COPY . . 10 | 11 | RUN go build \ 12 | -a \ 13 | -ldflags "-s -w -extldflags 'static'" \ 14 | -installsuffix cgo \ 15 | -tags netgo \ 16 | -mod vendor \ 17 | -o /bin/app \ 18 | . 
19 | 20 | 21 | 22 | FROM alpine:latest 23 | RUN apk --no-cache add ca-certificates && \ 24 | update-ca-certificates 25 | 26 | RUN addgroup -g 1001 appgroup && \ 27 | adduser -H -D -s /bin/false -G appgroup -u 1001 appuser 28 | 29 | RUN mkdir -p /var/run/secrets/vaultproject.io/ && \ 30 | chown -R 1001:1001 /var/run/secrets/vaultproject.io/ 31 | 32 | USER 1001:1001 33 | COPY --from=builder /bin/app /bin/app 34 | CMD ["/bin/app"] 35 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 
30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 
62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # vault-kubernetes-authenticator 2 | 3 | The `vault-kubernetes-authenticator` is a small application/container that performs the [HashiCorp Vault][vault] [kubernetes authentication process][vault-k8s-auth] and places the Vault token in a well-known, configurable location. It is most commonly used as an init container to supply a Vault token to applications or services that are unaware of Vault. 4 | 5 | [vault]: https://www.vaultproject.io 6 | [vault-k8s-auth]: https://www.vaultproject.io/docs/auth/kubernetes.html#authentication 7 | 8 | 9 | ## Configuration 10 | 11 | - `VAULT_ADDR` - the address to the Vault server, including the protocol and port (like `https://my.vault.server:8200`). This defaults to `https://127.0.0.1:8200` if unspecified. 12 | 13 | - `VAULT_CAPEM` - the raw PEM contents of the CA file to use for TLS verification. 14 | 15 | - `VAULT_CACERT` - the path on disk to a single CA file to use for TLS verification. 
16 | 17 | - `VAULT_CAPATH` - the path on disk to a directory of CA files (non-recursive) to use for TLS verification. 18 | 19 | - `VAULT_SKIP_VERIFY` - disable TLS certificate verification (not recommended) 20 | 21 | - `VAULT_ROLE` - **Required** the name of the Vault role to use for authentication. 22 | 23 | - `VAULT_NAMESPACE` - the [Vault namespace](https://www.vaultproject.io/docs/enterprise/namespaces/index.html#usage), only available in Vault Enterprise 24 | 25 | - `TOKEN_DEST_PATH` - the destination path on disk to store the token. Usually this is a shared volume. Defaults to `/var/run/secrets/vaultproject.io/.vault-token`. 26 | 27 | - `ACCESSOR_DEST_PATH` - the destination path on disk to store the accessor. Usually this is a shared volume. Defaults to `/var/run/secrets/vaultproject.io/.vault-accessor`. 28 | 29 | - `SERVICE_ACCOUNT_PATH` - the path on disk where the kubernetes service account JWT token lives. This defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. 30 | 31 | - `VAULT_K8S_MOUNT_PATH` - the name of the mount where the Kubernetes auth method is enabled. This defaults to `kubernetes`, but if you changed the mount path you will need to set this value to that path. 
32 | 33 | ```text 34 | vault auth enable -path=k8s kubernetes -> VAULT_K8S_MOUNT_PATH=k8s 35 | ``` 36 | 37 | ## Example Usage 38 | 39 | ```yaml 40 | --- 41 | apiVersion: v1 42 | kind: Pod 43 | metadata: 44 | name: vault-auther 45 | spec: 46 | securityContext: 47 | runAsUser: 1001 48 | fsGroup: 1001 49 | 50 | volumes: 51 | - name: vault-auth 52 | emptyDir: 53 | medium: Memory 54 | - name: vault-secrets 55 | emptyDir: 56 | medium: Memory 57 | 58 | initContainers: 59 | - name: vault-authenticator 60 | image: sethvargo/vault-kubernetes-authenticator:0.2.0 61 | imagePullPolicy: Always 62 | volumeMounts: 63 | - name: vault-auth 64 | mountPath: /var/run/secrets/vaultproject.io 65 | env: 66 | - name: VAULT_ROLE 67 | value: myapp-role 68 | securityContext: 69 | allowPrivilegeEscalation: false 70 | 71 | containers: 72 | # Your other containers would read from /home/vault/.vault-token, or set 73 | # HOME to /home/vault 74 | - name: consul-template 75 | image: hashicorp/consul-template:0.19.5.alpine 76 | volumeMounts: 77 | - name: vault-auth 78 | mountPath: /home/vault 79 | - name: vault-secrets 80 | mountPath: /var/run/secrets/vaultproject.io 81 | env: 82 | - name: HOME 83 | value: /home/vault 84 | 85 | # ... 
86 | ``` 87 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/sethvargo/vault-kubernetes-authenticator 2 | 3 | go 1.12 4 | 5 | require ( 6 | github.com/pkg/errors v0.8.1 7 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 8 | ) 9 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= 2 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 3 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 4 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk= 5 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 6 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 7 | golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= 8 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 9 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "crypto/tls" 6 | "crypto/x509" 7 | "encoding/json" 8 | "fmt" 9 | "io" 10 | "io/ioutil" 11 | "log" 12 | "net/http" 13 | "os" 14 | "path/filepath" 15 | "strconv" 16 | "strings" 17 | 18 | "github.com/pkg/errors" 19 | "golang.org/x/net/http2" 20 | ) 21 | 22 | var ( 23 | vaultAddr string 24 | vaultCaPem string 25 | vaultCaCert string 26 | vaultCaPath string 27 | vaultNamespace string 28 | vaultSkipVerify bool 29 | vaultServerName string 30 | 
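// vaultK8SMountPath is the mount path of the Kubernetes auth method; it is
// read from VAULT_K8S_MOUNT_PATH and defaults to "kubernetes".
	vaultK8SMountPath string
)

// Defaults applied when the corresponding environment variable is unset.
const (
	defaultVaultAddr    = "https://127.0.0.1:8200"
	defaultK8SMountPath = "kubernetes"
	defaultTokenDest    = "/var/run/secrets/vaultproject.io/.vault-token"
	defaultAccessorDest = "/var/run/secrets/vaultproject.io/.vault-accessor"
	defaultSAPath       = "/var/run/secrets/kubernetes.io/serviceaccount/token"

	// maxErrorBody caps how much of a failed login response is read back
	// into the error message, so a misbehaving endpoint cannot make this
	// process buffer an unbounded body.
	maxErrorBody = 4096
)

// envOrDefault returns the value of the environment variable key, or def
// when the variable is unset or empty.
func envOrDefault(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

// main reads its configuration from the environment, exchanges the pod's
// service account JWT for a Vault token, and writes the token and its
// accessor to disk. Every failure is fatal: this runs as an init container,
// so the pod must not proceed without a token.
func main() {
	vaultAddr = envOrDefault("VAULT_ADDR", defaultVaultAddr)
	vaultCaPem = os.Getenv("VAULT_CAPEM")
	vaultCaCert = os.Getenv("VAULT_CACERT")
	vaultCaPath = os.Getenv("VAULT_CAPATH")
	vaultNamespace = os.Getenv("VAULT_NAMESPACE")
	vaultServerName = os.Getenv("VAULT_TLS_SERVER_NAME")

	if s := os.Getenv("VAULT_SKIP_VERIFY"); s != "" {
		b, err := strconv.ParseBool(s)
		if err != nil {
			log.Fatalf("invalid VAULT_SKIP_VERIFY %q: %s", s, err)
		}
		vaultSkipVerify = b
	}

	vaultK8SMountPath = envOrDefault("VAULT_K8S_MOUNT_PATH", defaultK8SMountPath)

	role := os.Getenv("VAULT_ROLE")
	if role == "" {
		log.Fatal("missing VAULT_ROLE")
	}

	tokenDest := envOrDefault("TOKEN_DEST_PATH", defaultTokenDest)
	accessorDest := envOrDefault("ACCESSOR_DEST_PATH", defaultAccessorDest)
	saPath := envOrDefault("SERVICE_ACCOUNT_PATH", defaultSAPath)

	// Read the service account JWT from disk.
	jwt, err := readJwtToken(saPath)
	if err != nil {
		log.Fatal(err)
	}

	// Exchange the JWT for a Vault token.
	token, accessor, err := authenticate(role, jwt)
	if err != nil {
		log.Fatal(err)
	}

	// Persist the token (owner-only) and its accessor to disk.
	if err := saveToken(token, tokenDest); err != nil {
		log.Fatal(err)
	}
	if err := saveAccessor(accessor, accessorDest); err != nil {
		log.Fatal(err)
	}

	log.Printf("successfully stored vault token at %s", tokenDest)
	log.Printf("successfully stored vault accessor at %s", accessorDest)

	os.Exit(0)
}

// readJwtToken reads the service account JWT at path and returns it with
// surrounding whitespace removed. An empty file is rejected here: sending an
// empty JWT to Vault would only produce a less specific failure later.
func readJwtToken(path string) (string, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return "", errors.Wrap(err, "failed to read jwt token")
	}

	jwt := string(bytes.TrimSpace(data))
	if jwt == "" {
		return "", errors.Errorf("jwt token at %s is empty", path)
	}
	return jwt, nil
}

// authenticate performs a Kubernetes auth login against Vault with the given
// role and service account JWT. It returns the issued client token and its
// accessor.
func authenticate(role, jwt string) (string, string, error) {
	// Setup the TLS (especially required for custom CAs).
	rootCAs, err := rootCAs()
	if err != nil {
		return "", "", err
	}

	tlsClientConfig := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    rootCAs,
	}

	if vaultSkipVerify {
		// The operator explicitly opted out of certificate verification. Say
		// so in the log, because the JWT and the returned token travel over
		// this connection.
		log.Print("warning: VAULT_SKIP_VERIFY is set, TLS certificate verification is disabled")
		tlsClientConfig.InsecureSkipVerify = true
	}

	if vaultServerName != "" {
		tlsClientConfig.ServerName = vaultServerName
	}

	transport := &http.Transport{
		TLSClientConfig: tlsClientConfig,
		Proxy:           http.ProxyFromEnvironment,
	}

	if err := http2.ConfigureTransport(transport); err != nil {
		return "", "", errors.Wrap(err, "failed to configure http2")
	}

	// NOTE(review): no request timeout is configured, so an unresponsive
	// Vault endpoint blocks the init container until the pod itself is
	// killed.
	client := &http.Client{
		Transport: transport,
	}

	// Trim a trailing slash so a VAULT_ADDR like "https://host:8200/" does
	// not produce a "//v1/..." path.
	addr := strings.TrimSuffix(vaultAddr, "/") + "/v1/auth/" + vaultK8SMountPath + "/login"

	// Encode with encoding/json rather than Sprintf so a role or JWT that
	// contains quotes or backslashes cannot break or alter the document.
	body, err := json.Marshal(struct {
		Role string `json:"role"`
		JWT  string `json:"jwt"`
	}{Role: role, JWT: jwt})
	if err != nil {
		return "", "", errors.Wrap(err, "failed to encode login request")
	}

	req, err := http.NewRequest(http.MethodPost, addr, bytes.NewReader(body))
	if err != nil {
		// Checked before touching req: on error req is nil.
		return "", "", errors.Wrap(err, "failed to create request")
	}
	req.Header.Set("Content-Type", "application/json")
	if vaultNamespace != "" {
		req.Header.Set("X-Vault-Namespace", vaultNamespace)
	}

	resp, err := client.Do(req)
	if err != nil {
		return "", "", errors.Wrap(err, "failed to login")
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		// Read a bounded prefix of the body for diagnostics. Only the status
		// line is reported, not the whole response struct, which would dump
		// every header into the error.
		var b bytes.Buffer
		if _, err := io.Copy(&b, io.LimitReader(resp.Body, maxErrorBody)); err != nil {
			log.Printf("failed to copy response body: %s", err)
		}
		return "", "", fmt.Errorf("failed to get successful response: %s, %s",
			resp.Status, b.String())
	}

	var s struct {
		Auth struct {
			ClientToken    string `json:"client_token"`
			ClientAccessor string `json:"accessor"`
		} `json:"auth"`
	}

	if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
		return "", "", errors.Wrap(err, "failed to read body")
	}

	// A 200 without a token would otherwise be persisted as an empty file
	// and only surface as an auth failure in the consuming container.
	if s.Auth.ClientToken == "" {
		return "", "", errors.New("login response contained no client token")
	}

	return s.Auth.ClientToken, s.Auth.ClientAccessor, nil
}

// saveToken writes the Vault token to dest. The file is owner-only (0600)
// because the token is a bearer credential.
func saveToken(token, dest string) error {
	if err := ioutil.WriteFile(dest, []byte(token), 0600); err != nil {
		return errors.Wrap(err, "failed to save token")
	}
	return nil
}

// saveAccessor writes the token accessor to dest. The accessor is not a
// bearer credential, so it is written world-readable (0644) for sidecars
// that look the token up or revoke it.
func saveAccessor(accessor, dest string) error {
	if err := ioutil.WriteFile(dest, []byte(accessor), 0644); err != nil {
		return errors.Wrap(err, "failed to save accessor")
	}
	return nil
}

// rootCAs returns the trusted root CAs for the Vault connection, in order of
// precedence: VAULT_CAPEM, VAULT_CACERT, VAULT_CAPATH, then the system roots.
func rootCAs() (*x509.CertPool, error) {
	var load func(*x509.CertPool) error
	switch {
	case vaultCaPem != "":
		load = func(pool *x509.CertPool) error { return loadCert(pool, []byte(vaultCaPem)) }
	case vaultCaCert != "":
		load = func(pool *x509.CertPool) error { return loadCertFile(pool, vaultCaCert) }
	case vaultCaPath != "":
		load = func(pool *x509.CertPool) error { return loadCertFolder(pool, vaultCaPath) }
	default:
		pool, err := x509.SystemCertPool()
		if err != nil {
			return nil, errors.Wrap(err, "failed to load system certs")
		}
		return pool, nil
	}

	pool := x509.NewCertPool()
	if err := load(pool); err != nil {
		return nil, err
	}
	return pool, nil
}

// loadCert loads the PEM-encoded certificate(s) in pem into the given pool.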
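func loadCert(pool *x509.CertPool, pem []byte) error {
	// AppendCertsFromPEM reports false only when no certificate at all could
	// be parsed from the input.
	if ok := pool.AppendCertsFromPEM(pem); !ok {
		return errors.New("failed to parse PEM")
	}
	return nil
}

// loadCertFile loads the PEM certificate(s) at path p into the given pool.
func loadCertFile(pool *x509.CertPool, p string) error {
	pem, err := ioutil.ReadFile(p)
	if err != nil {
		return errors.Wrap(err, "failed to read CA file from disk")
	}

	if err := loadCert(pool, pem); err != nil {
		return errors.Wrapf(err, "failed to load CA at %s", p)
	}

	return nil
}

// loadCertFolder loads every certificate file directly inside directory p
// into the pool. It does not recurse: subdirectories are skipped. Entries are
// resolved with os.Stat, so a symlink to a file is loaded and a symlink to a
// directory is skipped rather than read. A directory that yields no
// certificate files is an error, because an empty pool would only surface
// later as an opaque TLS failure.
func loadCertFolder(pool *x509.CertPool, p string) error {
	entries, err := ioutil.ReadDir(p)
	if err != nil {
		return errors.Wrapf(err, "failed to load CAs at %s", p)
	}

	loaded := 0
	for _, entry := range entries {
		full := filepath.Join(p, entry.Name())

		// ReadDir reports symlinks as symlinks; Stat follows them so that a
		// link to a directory is recognised as one.
		info, err := os.Stat(full)
		if err != nil {
			return errors.Wrapf(err, "failed to load CAs at %s", p)
		}
		if info.IsDir() {
			continue
		}

		if err := loadCertFile(pool, full); err != nil {
			return errors.Wrapf(err, "failed to load CAs at %s", p)
		}
		loaded++
	}

	if loaded == 0 {
		return errors.Errorf("no CA files found at %s", p)
	}
	return nil
}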