influxdb/vault
Johnny Steenbergen 6b023a5cfd fix(vault): add configuration dependency to vault service constructor
this fix allows the DI of the vault service configuration. There are places
where we'd like to administer this with flags, but are locked into
the default env var setup we had previously. One other note is that
calling api.DefaultConfig() calls the ReadEnvironment() method already,
so that was dropped.
2019-10-14 10:01:30 -07:00
..
README.md chore(platform): cleanup, document, and use secret service 2018-12-28 11:11:21 -05:00
secret.go fix(vault): add configuration dependency to vault service constructor 2019-10-14 10:01:30 -07:00
secret_test.go fix(vault): correct testcontainers-go dep 2019-01-24 14:14:11 +01:00

README.md

Vault Secret Service

This package implements platform.SecretService using vault.

Key layout

All secrets are stored in vault as key value pairs that can be found under the key /secret/data/:orgID.

For example:

/secret/data/031c8cbefe101000 ->
  github_api_key: foo
  some_other_key: bar
  a_secret: key

Configuration

When a new secret service is instantiated with vault.NewSecretService(), we read the environment for the standard vault environment variables.

It is expected that the vault provided is unsealed and that the VAULT_TOKEN has sufficient privileges to access the key space described above.
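
One way to check the token's privileges on an org's path before starting influxd, as an added example that is not part of the original README or the project's code. The required capability set (read, create, update) is an assumption about what the service needs on the KV data path, and `caps_ok` and `check_org_path` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: preflight check for the token influxd will use.
# Assumption: the secret service needs read, create and update on
# /secret/data/:orgID. Adjust REQUIRED_CAPS if your deployment differs.
REQUIRED_CAPS="read create update"

# caps_ok "<output of 'vault token capabilities'>"
# Returns 0 when every required capability is present,
#         1 when one is missing or the path is denied,
#         2 when the token is root (works, but is not scoped to the key space).
caps_ok() {
  # Normalise "create, read, update" to "create read update".
  caps=$(printf '%s' "$1" | tr -d ' \n' | tr ',' ' ')
  case " $caps " in
    *" root "*) echo "token is root: prefer a policy scoped to secret/data/*" >&2
                return 2 ;;
    *" deny "*) echo "policy denies this path" >&2
                return 1 ;;
  esac
  for need in $REQUIRED_CAPS; do
    case " $caps " in
      *" $need "*) ;;
      *) echo "missing capability: $need" >&2
         return 1 ;;
    esac
  done
  return 0
}

# check_org_path ORG_ID
# Asks Vault which capabilities the current VAULT_TOKEN has on the org's path.
# Returns 3 if the vault CLI call itself fails (sealed, unreachable, bad token).
check_org_path() {
  out=$(vault token capabilities "secret/data/$1") || return 3
  caps_ok "$out"
}

# Usage (org ID taken from the key layout example above):
#   check_org_path 031c8cbefe101000 && echo "token OK"
```

With a `vault server -dev` root token the check returns 2, which is expected for local testing.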

Test/Dev

The vault secret service may be used by starting a vault server and pointing influxd at it:

vault server -dev
VAULT_ADDR='<vault address>' VAULT_TOKEN='<vault token>' influxd --secret-store vault

Once the vault and influxdb servers have been started and initialized, you may test the service by executing the following:

curl --request GET \
  --url http://localhost:9999/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>'

# should return
#
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": []
#  }
curl --request PATCH \
  --url http://localhost:9999/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>' \
  --header 'content-type: application/json' \
  --data '{
	"foo": "bar",
	"hello": "world"
}'

# should return 204 no content
curl --request GET \
  --url http://localhost:9999/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>'

# should return
#
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": [
#      "foo",
#      "hello"
#    ]
#  }