Module: Jerakia::Datasource::Vault

Defined in:
lib/jerakia/datasource/vault.rb


Instance Method Details

#run ⇒ Object

Raises:

  • (Jerakia::Error)


# File 'lib/jerakia/datasource/vault.rb', line 8

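# Look up the request key in Vault.
#
# Connects to the Vault server described by the datasource options, refuses
# to proceed against a sealed Vault, then reads each search-path level in
# turn and submits the first answer Jerakia is still willing to accept.
#
# Options:
#   host, port, scheme - where the Vault server listens (default http://127.0.0.1:8200)
#   token              - Vault token; when omitted, the vault gem's own token
#                        discovery (VAULT_TOKEN, ~/.vault-token) applies
#   searchpath         - path prefixes searched in order (default ['secret'])
#   field              - key read from the returned secret hash (default: the request key)
#   dig                - true: submit only `field`; false: submit the whole secret hash
#   map_key            - append the request key to every search-path level
#
# @raise [Jerakia::Error] when the server is unreachable, is sealed, or a read fails
def run
  option :host,       type:  String, default: '127.0.0.1'
  option :port,       type:  Integer, default: 8200
  option :scheme,     type:  Symbol, default: :http
  option :token,      type:  String
  option :searchpath, type:  Array,  default:  [ 'secret' ]
  option :field,      type:  Symbol, default:  lookup.request.key.to_sym
  option :dig,        type:  [FalseClass, TrueClass], default: true
  option :map_key,    type:  [FalseClass, TrueClass], default: false

  addr = "#{options[:scheme].to_s}://#{options[:host]}:#{options[:port]}"

  Jerakia.log.debug("[jerakia-vault]: Using address #{addr}")

  # The default scheme is plain http: a token configured here travels in
  # clear text unless the operator has switched to https. Make that visible.
  if options[:token] && options[:scheme].to_s != 'https'
    Jerakia.log.warn("[jerakia-vault]: sending Vault token over #{options[:scheme]} to #{addr}; set scheme: https")
  end

  begin
    vault = ::Vault::Client.new
    vault.configure do |conf|
      conf.address = addr
      conf.token   = options[:token] if options[:token]
    end

    # seal-status needs no token, so this also serves as the reachability check.
    sealed = vault.sys.seal_status.sealed?
  rescue ::Vault::HTTPConnectionError => e
    raise Jerakia::Error, "Cannot connect to vault server.  #{e.message}"
  end

  raise Jerakia::Error, "Connected to sealed vault" if sealed

  # One Vault path per search-path prefix, followed by the request namespace
  # (a nil namespace still contributes a trailing "/", as before).
  # NOTE(review): the namespace and, with map_key, the request key are spliced
  # straight into the Vault path, so a key containing "/" reads a different
  # path. Only a concern if lookup keys can come from an untrusted requester -
  # confirm against the callers.
  hierarchy = options[:searchpath].map { |s|
    [s, lookup.request.namespace ].flatten.join("/")
  }

  hierarchy.each do |level|
    # Don't perform any more lookups if Jerakia reports that
    # it doesn't want any more.
    break unless response.want?

    # If map_key option is set then we should append the lookup key to
    # the search path
    level << "/#{lookup.request.key}" if options[:map_key]

    Jerakia.log.debug("[jerakia-vault]: looking up #{level}")

    begin
      secret = vault.logical.read(level)
    rescue ::Vault::VaultError => e
      # Permission denied, invalid token, server error or a dropped connection:
      # surface it as a Jerakia error instead of a raw vault-gem exception.
      raise Jerakia::Error, "Vault read of #{level} failed.  #{e.message}"
    end

    next unless secret.is_a?(::Vault::Secret)

    # Log which fields came back, never the secret values themselves - debug
    # logs are routinely shipped to places that must not hold secrets.
    Jerakia.log.debug("[jerakia-vault]: valid answer returned fields #{secret.data.keys}")

    # If dig is true then we should lookup the key from the hash
    # response, if not then we just return the whole hash
    if options[:dig]
      result = secret.data[options[:field]]
      # nil means the field is absent; a stored `false` is a real value and
      # must still be submitted.
      unless result.nil?
        Jerakia.log.debug("[jerakia-vault]: found key #{options[:field]}")
        response.submit result
      end
    else
      response.submit secret.data unless secret.data.empty?
    end
  end
end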