app rolename as vault paths. added cli parameter for rolename.

gbevan · gbevan · commit 50788b21ea8f · 2018-09-07T17:31:44.000+01:00
diff --git a/README.md b/README.md
@@ -122,7 +122,7 @@ PLAY RECAP *********************************************************************
 ### Running kubectl & helm via gostint
 Using a KUBECONFIG stored base64 encoded in the vault as a secret:
 ```
-$ vault kv put secret/k8s_cluster_1 kubeconfig_base64=$(base64 -w0 admin.conf)
+$ vault kv put secret/k8s_cluster_1 kubeconfig_base64=$(base64 -w0 ~/k8s/openstack/admin.conf)
 Success! Data written to: secret/k8s_cluster_1
 ```
 Test kubectl can use the vaulted config:
@@ -181,7 +181,7 @@ path "auth/token/create" {
 path "auth/approle/role/gostint-role/secret-id" {
   capabilities = ["update"]
 }
-path "transit/encrypt/gostint" {
+path "transit/encrypt/gostint-role" {
   capabilities = ["update"]
 }
 EOF
@@ -196,7 +196,7 @@ vault write auth/approle/role/gostint-client-role \
 ```
 Get the Role_Id for the AppRole:
 ```
-vault read /auth/approle/role/gostint-client-role/role-id
+vault read auth/approle/role/gostint-client-role/role-id
 ```
 For this example we will use PUSH mode on the AppRole (not the secret_id was a
 random uuid) - you would probably prefer to use PULL mode in production:
diff --git a/clientapi/clientapi.go b/clientapi/clientapi.go
@@ -62,6 +62,7 @@ type APIRequest struct {
 	AppRoleID      *string
 	AppSecretID    *string // AppRole auth or Token
 	Token          *string
+	GoStintRole    *string
 	JobJSON        *string // request can be whole JSON:
 	QName          *string // or can be passed as parameters:
 	ContainerImage *string
@@ -342,7 +343,10 @@ func RunJob(c *APIRequest, debugLogging bool, pollSecs int, waitFor bool) (*GetR
 
 	debug("Getting Wrapped Secret_ID for the AppRole")
 	vc.SetWrappingLookupFunc(func(op, path string) string { return "1h" })
-	sec, err = vc.Logical().Write("auth/approle/role/gostint-role/secret-id", nil)
+	sec, err = vc.Logical().Write(
+		fmt.Sprintf("auth/approle/role/%s/secret-id", *c.GoStintRole),
+		nil,
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -358,7 +362,10 @@ func RunJob(c *APIRequest, debugLogging bool, pollSecs int, waitFor bool) (*GetR
 	data = map[string]interface{}{
 		"plaintext": base64.StdEncoding.EncodeToString(jsonBytes),
 	}
-	sec, err = vc.Logical().Write("transit/encrypt/gostint", data)
+	sec, err = vc.Logical().Write(
+		fmt.Sprintf("transit/encrypt/%s", *c.GoStintRole),
+		data,
+	)
 	if err != nil {
 		return nil, err
 	}
diff --git a/main.go b/main.go
@@ -94,6 +94,8 @@ func main() {
 	c.AppSecretID = flag.String("vault-secretid", "", "Vault App Secret ID (can read file e.g. '@secret_id.txt')")
 	c.Token = flag.String("vault-token", "", "Vault token - used instead of App Role (can read file e.g. '@token.txt')")
 
+	c.GoStintRole = flag.String("gostint-approle", "gostint-role", "Vault App Role Name of GoStint to run job on (can read file e.g. '@gostint_role.txt')")
+
 	c.JobJSON = flag.String("job-json", "", "JSON Job request")
 
 	c.QName = flag.String("qname", "", "Job Queue to submit to, overrides value in job-json")
@@ -127,6 +129,8 @@ func main() {
 	chkError(err)
 	err = tryResolveFile(c.Token)
 	chkError(err)
+	err = tryResolveFile(c.GoStintRole)
+	chkError(err)
 	err = tryResolveFile(c.JobJSON)
 	chkError(err)
 
