Merge pull request #12 from numtide/ci

vault-secrets: change action from none to restart
main
Jörg Thalheim 2 years ago committed by GitHub
commit 6daead50b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -38,6 +38,7 @@ in {
config = { config = {
role_id_file_path = "/tmp/roleID"; role_id_file_path = "/tmp/roleID";
secret_id_file_path = "/tmp/secretID"; secret_id_file_path = "/tmp/secretID";
remove_secret_id_file_after_reading = false;
}; };
} }
]; ];
@ -91,12 +92,12 @@ in {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
script = '' script = ''
cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2 cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2
sleep infinity
''; '';
serviceConfig = { reload = ''
Type = "oneshot"; cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2-reload
RemainAfterExit = true; '';
LoadCredential = ["secret:/run/systemd-vaultd/sock"]; serviceConfig.LoadCredential = ["secret:/run/systemd-vaultd/sock"];
};
vault = { vault = {
template = '' template = ''
{{ with secret "secret/blocking-secret" }}{{ scratch.MapSet "secrets" "secret" .Data.data.foo }}{{ end }} {{ with secret "secret/blocking-secret" }}{{ scratch.MapSet "secrets" "secret" .Data.data.foo }}{{ end }}
@ -106,6 +107,17 @@ in {
}; };
}; };
systemd.package = pkgs.systemd.overrideAttrs (old: {
patches =
old.patches
++ [
(pkgs.fetchpatch {
url = "https://github.com/Mic92/systemd/commit/93a2921a81cab3be9b7eacab6b0095c96a0ae9e2.patch";
sha256 = "sha256-7WlhMLE7sfD3Cxn6n6R1sUNzUOvas7XMyabi3bsq7jM=";
})
];
});
services.vault.agents.default.settings = { services.vault.agents.default.settings = {
vault = { vault = {
address = "http://localhost:8200"; address = "http://localhost:8200";
@ -117,6 +129,7 @@ in {
config = { config = {
role_id_file_path = "/tmp/roleID"; role_id_file_path = "/tmp/roleID";
secret_id_file_path = "/tmp/secretID"; secret_id_file_path = "/tmp/secretID";
remove_secret_id_file_after_reading = false;
}; };
} }
]; ];
@ -132,11 +145,24 @@ in {
out = machine.succeed("cat /tmp/service1") out = machine.succeed("cat /tmp/service1")
print(out) print(out)
assert out == "bar", f"{out} != bar" assert out == "bar", f"{out} != bar"
out = machine.succeed("systemctl list-jobs")
out = machine.succeed("systemctl status service2")
print(out) print(out)
assert "service2.service" in out, "service2 should be still blocked" assert "(sd-mkdcreds)" in out, "service2 should be still blocked"
machine.succeed("vault kv put secret/blocking-secret foo=bar") machine.succeed("vault kv put secret/blocking-secret foo=bar")
machine.wait_for_unit("service2.service") out = machine.wait_until_succeeds("cat /tmp/service2")
print(out)
assert out == "bar", f"{out} != bar"
machine.succeed("vault kv put secret/blocking-secret foo=reload")
machine.succeed("rm /run/systemd-vaultd/secrets/service2.service.json")
machine.succeed("systemctl restart vault-agent-default")
machine.wait_until_succeeds("cat /run/systemd-vaultd/secrets/service2.service.json >&2")
machine.succeed("systemctl reload service2")
out = machine.wait_until_succeeds("cat /tmp/service2-reload")
print(out)
assert out == "reload", f"{out} != reload"
''; '';
}; };
unittests = makeTest' { unittests = makeTest' {

@ -54,13 +54,15 @@ in {
type = lib.types.attrsOf (lib.types.submodule ({config, ...}: { type = lib.types.attrsOf (lib.types.submodule ({config, ...}: {
options.vault = { options.vault = {
changeAction = lib.mkOption { changeAction = lib.mkOption {
description = "What to do if any secrets in the environment change."; description = ''
What to do with the service if any secrets change
'';
type = lib.types.nullOr (lib.types.enum [ type = lib.types.nullOr (lib.types.enum [
"none" "none"
"reload" "reload-or-restart"
"restart" "restart"
]); ]);
default = "none"; default = "reload-or-restart";
}; };
template = lib.mkOption { template = lib.mkOption {

Loading…
Cancel
Save