Make directory containing secrets configurable (#16)

easwars · web-flow · commit 2558ec79df06 · 2021-03-31T14:34:41.000-07:00
diff --git a/main.go b/main.go
@@ -24,6 +24,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path"
 	"strconv"
 	"time"
 
@@ -39,6 +40,7 @@ var (
 	localityZone       = flag.String("locality-zone", "", "the locality zone to use, instead of retrieving it from the metadata server. Useful when not running on GCP and/or for testing")
 	includeV3Features  = flag.Bool("include-v3-features-experimental", true, "whether or not to generate configs which works with the xDS v3 implementation in TD. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
 	includePSMSecurity = flag.Bool("include-psm-security-experimental", false, "whether or not to generate config required for PSM security. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
+	secretsDir         = flag.String("secrets-dir-experimental", "/var/run/secrets/workload-spiffe-credentials", "path to a directory containing TLS certificates and keys required for PSM security. Used only if --include-psm-security-experimental is set. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
 )
 
 func main() {
@@ -76,6 +78,7 @@ func main() {
 		zone:               zone,
 		includeV3Features:  *includeV3Features,
 		includePSMSecurity: *includePSMSecurity,
+		secretsDir:         *secretsDir,
 		metadataLabels:     nodeMetadata,
 	})
 	if err != nil {
@@ -117,6 +120,7 @@ type configInput struct {
 	zone               string
 	includeV3Features  bool
 	includePSMSecurity bool
+	secretsDir         string
 	metadataLabels     map[string]string
 }
 
@@ -161,9 +165,9 @@ func generate(in configInput) ([]byte, error) {
 			"google_cloud_private_spiffe": {
 				PluginName: "file_watcher",
 				Config: privateSPIFFEConfig{
-					CertificateFile:   "/var/run/gke-spiffe/certs/certificates.pem",
-					PrivateKeyFile:    "/var/run/gke-spiffe/certs/private_key.pem",
-					CACertificateFile: "/var/run/gke-spiffe/certs/ca_certificates.pem",
+					CertificateFile:   path.Join(in.secretsDir, "certificates.pem"),
+					PrivateKeyFile:    path.Join(in.secretsDir, "private_key.pem"),
+					CACertificateFile: path.Join(in.secretsDir, "ca_certificates.pem"),
 					// The file_watcher plugin will parse this a Duration proto, but it is totally
 					// fine to just emit a string here.
 					RefreshInterval: "600s",
diff --git a/main_test.go b/main_test.go
@@ -117,6 +117,7 @@ func TestGenerate(t *testing.T) {
 				zone:               "uscentral-5",
 				includeV3Features:  true,
 				includePSMSecurity: true,
+				secretsDir:         "/secrets/dir/",
 			},
 			wantOutput: `{
   "xds_servers": [
@@ -148,9 +149,9 @@ func TestGenerate(t *testing.T) {
     "google_cloud_private_spiffe": {
       "plugin_name": "file_watcher",
       "config": {
-        "certificate_file": "/var/run/gke-spiffe/certs/certificates.pem",
-        "private_key_file": "/var/run/gke-spiffe/certs/private_key.pem",
-        "ca_certificate_file": "/var/run/gke-spiffe/certs/ca_certificates.pem",
+        "certificate_file": "/secrets/dir/certificates.pem",
+        "private_key_file": "/secrets/dir/private_key.pem",
+        "ca_certificate_file": "/secrets/dir/ca_certificates.pem",
         "refresh_interval": "600s"
       }
     }
