| author | Marc A. Paradise <marc.paradise@gmail.com> | 2021-08-26 13:06:09 -0400 |
|---|---|---|
| committer | Marc A. Paradise <marc.paradise@gmail.com> | 2021-08-27 16:09:23 -0400 |
| commit | 377ba8443e42dcb002158bb489cb504dc67efc18 (patch) | |
| tree | fac28222a7c001b34c87d1794f2c3d423fb5c157 /spec/unit | |
| parent | fd68f7f1fb1e63f1cb40d7ef24346afd0884ed95 (diff) | |
| download | chef-377ba8443e42dcb002158bb489cb504dc67efc18.tar.gz | |
Add support for secrets stored in HashiCorp Vault
Vault secrets are stored as key-value pairs, so the return value
from a secret lookup is always a Hash.

Example:

```ruby
file "/home/user/test1" do
  content secret(name: "secret/example",
                 service: :hashi_vault,
                 config: {
                   vault_addr: "vault.example.com",
                   role_name: "example-role"
                 })[:answer]
end
```

As shown above, we are expecting a hash from Vault, and are populating the file
content based on the value of `:answer` in that hash.

Limitations:

* This iteration only supports instance authentication via a Vault
  role connected to an IAM profile.
* This iteration does not support versioned secrets.
Signed-off-by: Marc A. Paradise <marc.paradise@gmail.com>
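Added here as an illustration of the contract the commit message describes (configuration is validated before any lookup, a lookup always yields a Hash, and the recipe indexes that Hash by key); this is not Chef's code and not the fetcher the spec below tests. Every name in it is hypothetical, and the Vault client is a constructed in-memory stand-in rather than the vault-ruby gem:

```ruby
# Added example, not Chef's code: a minimal fetcher modelled on the contract
# the commit message describes. All names are hypothetical; FakeVaultClient is
# a constructed stand-in for a Vault client, not vault-ruby.
module VaultSecretExample
  class ConfigurationInvalid < StandardError; end
  class SecretNotFound < StandardError; end
  class SecretKeyMissing < StandardError; end

  # Stand-in Vault client backed by an in-memory store. Vault KV secrets are
  # key-value maps stored under a path, which is why a read returns a Hash.
  class FakeVaultClient
    def initialize(store)
      @store = store
    end

    # Returns a copy of the secret data at +path+, or nil when absent.
    def read(path)
      data = @store[path]
      data&.dup
    end
  end

  class HashiVaultFetcher
    REQUIRED_KEYS = %i[vault_addr role_name].freeze

    def initialize(config, client)
      @config = config
      @client = client
    end

    # Same rule the spec exercises: vault_addr and role_name must both be
    # present (non-empty strings) before anything talks to Vault.
    def validate!
      missing = REQUIRED_KEYS.reject do |key|
        @config[key].is_a?(String) && !@config[key].strip.empty?
      end
      raise ConfigurationInvalid, "missing #{missing.join(', ')}" unless missing.empty?

      true
    end

    # Validates, reads the secret, and enforces the "always a Hash" contract.
    def fetch(name)
      validate!
      data = @client.read(name)
      raise SecretNotFound, "no secret at #{name}" if data.nil?
      raise TypeError, "expected Hash from Vault, got #{data.class}" unless data.is_a?(Hash)

      data
    end
  end

  # Index a secret Hash by key but fail loudly: secret[:answer] on a missing
  # key quietly returns nil, which would then flow into the resource content.
  def self.secret_value(secret, key)
    secret.fetch(key) { raise SecretKeyMissing, "key #{key.inspect} not in secret" }
  end

  # Constructed sample store standing in for "secret/example" in the recipe.
  def self.sample_client
    FakeVaultClient.new({ "secret/example" => { answer: "42", ttl: "1h" } })
  end

  # True when +config+ is rejected by validate!, mirroring the spec's cases.
  def self.rejects?(config)
    HashiVaultFetcher.new(config, sample_client).validate!
    false
  rescue ConfigurationInvalid
    true
  end
end

if $PROGRAM_NAME == __FILE__
  fetcher = VaultSecretExample::HashiVaultFetcher.new(
    { vault_addr: "vault.example.com", role_name: "example-role" },
    VaultSecretExample.sample_client
  )
  secret = fetcher.fetch("secret/example")
  puts VaultSecretExample.secret_value(secret, :answer)
end
```

The `secret_value` helper is the part worth copying into a real recipe: indexing the returned Hash with `[:answer]` silently yields `nil` when the key is absent or renamed in Vault, whereas `Hash#fetch` with a block turns that into a converge failure at the point where the wrong key was named.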
Diffstat (limited to 'spec/unit')
-rw-r--r-- | spec/unit/secret_fetcher/hashi_vault_spec.rb | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/spec/unit/secret_fetcher/hashi_vault_spec.rb b/spec/unit/secret_fetcher/hashi_vault_spec.rb new file mode 100644 index 0000000000..02299474cf --- /dev/null +++ b/spec/unit/secret_fetcher/hashi_vault_spec.rb 
@@ -0,0 +1,57 @@ +# +# Author:: Marc Paradise <marc@chef.io> +# Copyright:: Copyright (c) Chef Software Inc. +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +require_relative "../../spec_helper" +require "chef/secret_fetcher/hashi_vault" + +describe Chef::SecretFetcher::HashiVault do + let(:node) { {} } + let(:run_context) { double("run_context", node: node) } + let(:fetcher_config) { {} } + let(:fetcher) { + Chef::SecretFetcher::HashiVault.new( fetcher_config, run_context ) + } + + context "when validating HashiVault provided configuration" do + context "and role_name is not provided" do + let(:fetcher_config) { { vault_addr: "vault.example.com" } } + it "raises ConfigurationInvalid" do + expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid) + end + end + context "and vault_addr is not provided" do + let(:fetcher_config) { { role_name: "example-role" } } + it "raises ConfigurationInvalid" do + expect { fetcher.validate! 
}.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid) + end + end + end + + context "when all required config is provided" do + let(:fetcher_config) { { vault_addr: "vault.example.com", role_name: "example-role" } } + it "obtains a token via AWS IAM auth" do + auth_stub = double("vault auth", aws_iam: nil) + allow(Aws::InstanceProfileCredentials).to receive(:new).and_return double("credentials") + allow(Vault).to receive(:auth).and_return(auth_stub) + fetcher.validate! + + end + end +end + |
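Review bot: the `it "obtains a token via AWS IAM auth"` example in the "when all required config is provided" context makes no assertion: it stubs `Vault.auth` with `double("vault auth", aws_iam: nil)`, which merely permits the call, then runs `fetcher.validate!` and ends, so it passes even if `aws_iam` is never invoked or is invoked with the wrong role. Make the stub an expectation, e.g. `expect(auth_stub).to receive(:aws_iam)`, and check that `"example-role"` and the instance-profile credentials double are what gets passed, so the test actually proves the title. Two layout nits in the same hunk: `HashiVault.new( fetcher_config, run_context )` has spaces inside the parentheses, and there is a stray blank line before the `end` of that `it` block; both are flagged by the standard RuboCop layout cops.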