Merge pull request #15440 from influxdata/4447/vault_launcher_flags

feat(vault): add flags to influxd for vault configuration
pull/15444/head
Johnny Steenbergen 2019-10-17 09:09:36 -07:00 committed by GitHub
commit 984f64d8aa
1 changed files with 48 additions and 1 deletions


@ -113,6 +113,8 @@ func NewCommand() *cobra.Command {
return cmd return cmd
} }
var vaultConfig vault.Config
func buildLauncherCommand(l *Launcher, cmd *cobra.Command) { func buildLauncherCommand(l *Launcher, cmd *cobra.Command) {
dir, err := fs.InfluxDir() dir, err := fs.InfluxDir()
if err != nil { if err != nil {
@ -191,6 +193,51 @@ func buildLauncherCommand(l *Launcher, cmd *cobra.Command) {
Default: false, Default: false,
Desc: "disables automatically extending session ttl on request", Desc: "disables automatically extending session ttl on request",
}, },
{
DestP: &vaultConfig.Address,
Flag: "vault-address",
Desc: "address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/.",
},
{
DestP: &vaultConfig.ClientTimeout,
Flag: "vault-client-timeout",
Desc: "timeout variable. The default value is 60s.",
},
{
DestP: &vaultConfig.MaxRetries,
Flag: "vault-client-max-retries",
Desc: "maximum number of retries when a 5xx error code is encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying.",
},
{
DestP: &vaultConfig.CACert,
Flag: "vault-ca-cert",
Desc: "path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over VAULT_CAPATH.",
},
{
DestP: &vaultConfig.CAPath,
Flag: "vault-ca-path",
Desc: "path to a directory of PEM-encoded CA certificate files on the local disk. These certificates are used to verify the Vault server's SSL certificate.",
},
{
DestP: &vaultConfig.ClientCert,
Flag: "vault-client-cert",
Desc: "path to a PEM-encoded client certificate on the local disk. This file is used for TLS communication with the Vault server.",
},
{
DestP: &vaultConfig.ClientKey,
Flag: "vault-client-key",
Desc: "path to an unencrypted, PEM-encoded private key on disk which corresponds to the matching client certificate.",
},
{
DestP: &vaultConfig.InsecureSkipVerify,
Flag: "vault-skip-verify",
Desc: "do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.",
},
{
DestP: &vaultConfig.TLSServerName,
Flag: "vault-tls-server-name",
Desc: "name to use as the SNI host when connecting via TLS.",
},
} }
cli.BindOptions(cmd, opts) cli.BindOptions(cmd, opts)
@ -477,7 +524,7 @@ func (m *Launcher) run(ctx context.Context) (err error) {
case "vault": case "vault":
// The vault secret service is configured using the standard vault environment variables. // The vault secret service is configured using the standard vault environment variables.
// https://www.vaultproject.io/docs/commands/index.html#environment-variables // https://www.vaultproject.io/docs/commands/index.html#environment-variables
svc, err := vault.NewSecretService() svc, err := vault.NewSecretService(vault.WithConfig(vaultConfig))
if err != nil { if err != nil {
m.logger.Error("failed initializing vault secret service", zap.Error(err)) m.logger.Error("failed initializing vault secret service", zap.Error(err))
return err return err
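Review bot: The descriptions for `vault-client-timeout` and `vault-client-max-retries` promise defaults ("The default value is 60s", "The default is 2") that the option entries do not set — neither has a `Default`, so the bound fields keep their zero value, and by the same description "0 or less" disables retrying, so a user reading `--help` would expect two retries and get none unless `vault.WithConfig` treats zero as "unset" (that helper is outside the hunk, so this is unconfirmed). Either add `Default: 2,` to the max-retries entry and a 60s default to the timeout entry (in whatever type `vault.Config.ClientTimeout` uses), or drop the default claims from the descriptions. The `vault-ca-cert` and `vault-skip-verify` descriptions are also copied from the Vault environment-variable docs and still say "This environment variable takes precedence over VAULT_CAPATH" and "Setting this variable" although they now describe flags; reword to the flag, e.g. `Desc: "... This flag takes precedence over --vault-ca-path."`. The comment above `vault.NewSecretService` in run() ("configured using the standard vault environment variables") is now incomplete since the launcher flags are passed via `vault.WithConfig(vaultConfig)`; extend it with one line stating which of the two wins when both a flag and the matching VAULT_* variable are set, once that precedence is confirmed in the vault package. Package-level `var vaultConfig vault.Config` is mutable global state bound at command construction; carrying it on `Launcher` next to the other bound settings would keep it scoped to the instance.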