WIP: Containerized secret server

cloud66-oss · Mar 24, 2018 · 616600f · 616600f
1 parent 59bc94b
commit 616600f
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 48 deletions.
diff --git a/api/server.go b/api/server.go
@@ -6,35 +6,37 @@ import (
 	"os"
 
 	"github.com/ant0ine/go-json-rest/rest"
-	"github.com/cloud66/habitus/build"
+	"github.com/cloud66/habitus/configuration"
+	"github.com/cloud66/habitus/secrets"
 )
 
 var (
-	VERSION         string = "dev"
+	VERSION string = "dev"
 )
 
-
 type Server struct {
-	Builder *build.Builder
+	Conf            *configuration.Server
+	secretProviders map[string]secrets.SecretProvider
 }
 
 func (s *Server) StartServer(version string) error {
 	VERSION = version
 	secret_api := rest.NewApi()
 
-	if s.Builder.Conf.UseAuthenticatedSecretServer {
+	s.secretProviders = secrets.GetProviders()
+
+	if s.Conf.UseAuthenticatedSecretServer {
 		secret_api.Use(&rest.AuthBasicMiddleware{
 			Realm: "Habitus secret service",
 			Authenticator: func(userId string, password string) bool {
-				if userId == s.Builder.Conf.AuthenticatedSecretServerUser && password == s.Builder.Conf.AuthenticatedSecretServerPassword {
+				if userId == s.Conf.AuthenticatedSecretServerUser && password == s.Conf.AuthenticatedSecretServerPassword {
 					return true
 				}
 				return false
 			},
 		})
 	}
 
-
 	router, err := rest.MakeRouter(
 		// system
 		&rest.Route{"GET", "/v1/ping", s.ping},
@@ -51,11 +53,11 @@ func (s *Server) StartServer(version string) error {
 	secret_api.SetApp(router)
 
 	go func() {
-		s.Builder.Conf.Logger.Infof("Starting API on %d", s.Builder.Conf.ApiPort)
+		s.Conf.Logger.Infof("Starting API on %d", s.Conf.ApiPort)
 
 		// 192.168.99.1
-		if err := http.ListenAndServe(fmt.Sprintf("%s:%d", s.Builder.Conf.ApiBinding, s.Builder.Conf.ApiPort), secret_api.MakeHandler()); err != nil {
-			s.Builder.Conf.Logger.Errorf("Failed to start API %s", err.Error())
+		if err := http.ListenAndServe(fmt.Sprintf("%s:%d", s.Conf.ApiBinding, s.Conf.ApiPort), secret_api.MakeHandler()); err != nil {
+			s.Conf.Logger.Errorf("Failed to start API %s", err.Error())
 			os.Exit(2)
 		}
 
@@ -74,7 +76,7 @@ func (a *Server) version(w rest.ResponseWriter, r *rest.Request) {
 
 func (a *Server) serveSecret(w rest.ResponseWriter, r *rest.Request) {
 	// get the provider
-	provider := a.Builder.Build.SecretProviders[r.PathParam("type")]
+	provider := a.secretProviders[r.PathParam("type")]
 	result, err := provider.GetSecret(r.PathParam("name"))
 	if err != nil {
 		rest.Error(w, err.Error(), http.StatusBadRequest)

diff --git a/build.yml b/build.yml
@@ -13,4 +13,9 @@ build:
       dockerfile: Dockerfile.crosscompile
       artifacts:
         # copy all the artifacts from the compiled folder
-        - /usr/local/go/src/github.com/cloud66/habitus/compiled:.
+        - /usr/local/go/src/github.com/cloud66/habitus/compiled:.
+    server:
+      name: server
+      depends_on:
+        - crosscompile
+      dockerfile: Dockerfile.server
diff --git a/build/manifest.go b/build/manifest.go
@@ -134,10 +134,8 @@ func LoadBuildFromFile(config *configuration.Config) (*Manifest, error) {
 
 func (n *namespace) convertToBuild(version string) (*Manifest, error) {
 	manifest := Manifest{
-		SecretProviders: make(map[string]secrets.SecretProvider),
+		SecretProviders: secrets.GetProviders(),
 	}
-	manifest.SecretProviders["file"] = &secrets.FileProvider{}
-	manifest.SecretProviders["env"] = &secrets.EnvProvider{}
 
 	manifest.IsPrivileged = false
 	manifest.Steps = []Step{}

diff --git a/configuration/config.go b/configuration/config.go
@@ -14,39 +14,44 @@ type TupleItem struct {
 
 type TupleArray []TupleItem
 
-// Config stores application configurations
-type Config struct {
-	Buildfile                         string
-	Workdir                           string
-	NoCache                           bool
-	SuppressOutput                    bool
-	RmTmpContainers                   bool
-	ForceRmTmpContainer               bool
-	UniqueID                          string
-	Logger                            logging.Logger
-	DockerHost                        string
-	DockerCert                        string
-	EnvVars                           TupleArray
-	BuildArgs                         TupleArray
-	KeepSteps                         bool
-	KeepArtifacts                     bool
-	Network                           string
-	NoSquash                          bool
-	NoPruneRmImages                   bool
-	UseTLS                            bool
-	UseStatForPermissions             bool
-	FroceRmImages                     bool
-	ApiPort                           int
+type Server struct {
 	ApiBinding                        string
-	SecretService                     bool
-	AllowAfterBuildCommands           bool
-	SecretProviders                   string
-	DockerMemory                      string
-	DockerCPUSetCPUs                  string
-	DockerCPUShares                   int
-	UseAuthenticatedSecretServer      bool
-	AuthenticatedSecretServerPassword string
+	ApiPort                           int
 	AuthenticatedSecretServerUser     string
+	AuthenticatedSecretServerPassword string
+	Logger                            logging.Logger
+	UseAuthenticatedSecretServer      bool
+}
+
+// Config stores application configurations
+type Config struct {
+	Server
+	Buildfile               string
+	Workdir                 string
+	NoCache                 bool
+	SuppressOutput          bool
+	RmTmpContainers         bool
+	ForceRmTmpContainer     bool
+	UniqueID                string
+	Logger                  logging.Logger
+	DockerHost              string
+	DockerCert              string
+	EnvVars                 TupleArray
+	BuildArgs               TupleArray
+	KeepSteps               bool
+	KeepArtifacts           bool
+	Network                 string
+	NoSquash                bool
+	NoPruneRmImages         bool
+	UseTLS                  bool
+	UseStatForPermissions   bool
+	FroceRmImages           bool
+	SecretService           bool
+	AllowAfterBuildCommands bool
+	SecretProviders         string
+	DockerMemory            string
+	DockerCPUSetCPUs        string
+	DockerCPUShares         int
 }
 
 func (i *TupleArray) String() string {

diff --git a/main.go b/main.go
@@ -145,8 +145,9 @@ func main() {
 
 	if config.SecretService {
 		// start the API
-		secret_service := &api.Server{Builder: b}
-		err = secret_service.StartServer(VERSION)
+		// TODO Wrap this into a docker-container in case of -containerize-server
+		server := &api.Server{Conf: &b.Conf.Server}
+		err = server.StartServer(VERSION)
 		if err != nil {
 			log.Fatalf("Cannot start API server due to %s", err.Error())
 			os.Exit(2)

diff --git a/secrets/get_providers.go b/secrets/get_providers.go
@@ -0,0 +1,8 @@
+package secrets
+
+func GetProviders() map[string]SecretProvider {
+	return map[string]SecretProvider{
+		"file": &FileProvider{},
+		"env":  &EnvProvider{},
+	}
+}