feat: add bao provider (#92)

* feat: add bao provider Signed-off-by: Bence Csati <[email protected]> * feat: add bao provider to docs Signed-off-by: Bence Csati <[email protected]> * feat: fully integrate openbao Signed-off-by: Bence Csati <[email protected]> chore: bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.1 to 3.0.3. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md) - [Commits](go-jose/go-jose@v3.0.1...v3.0.3) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump docker/build-push-action from 5.1.0 to 5.2.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.1.0 to 5.2.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@4a13e50...af5a7ed) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump docker/build-push-action from 5.2.0 to 5.3.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@af5a7ed...2cdde99) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump actions/checkout from 4.1.1 to 4.1.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@b4ffde6...9bb5618) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump golang from 1.22.0-alpine3.18 to 1.22.1-alpine3.18 Bumps golang from 1.22.0-alpine3.18 to 1.22.1-alpine3.18. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@84384bd...062f259) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump github.com/stretchr/testify from 1.8.4 to 1.9.0 Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.4...v1.9.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump actions/cache from 4.0.0 to 4.0.1 Bumps [actions/cache](https://github.com/actions/cache) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@13aacd8...ab5e6d0) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump cachix/install-nix-action from 25 to 26 Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 25 to 26. - [Release notes](https://github.com/cachix/install-nix-action/releases) - [Commits](cachix/install-nix-action@6004951...8887e59) --- updated-dependencies: - dependency-name: cachix/install-nix-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump DeterminateSystems/magic-nix-cache-action from 3 to 4 Bumps [DeterminateSystems/magic-nix-cache-action](https://github.com/determinatesystems/magic-nix-cache-action) from 3 to 4. - [Release notes](https://github.com/determinatesystems/magic-nix-cache-action/releases) - [Commits](DeterminateSystems/magic-nix-cache-action@eeabdb0...fc6aace) --- updated-dependencies: - dependency-name: DeterminateSystems/magic-nix-cache-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump docker/setup-buildx-action from 3.1.0 to 3.2.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@0d103c3...2b51285) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump docker/login-action from 3.0.0 to 3.1.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@343f7c4...e92390c) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump golang from `010f3b3` to `ede158f` Bumps golang from `010f3b3` to `ede158f`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump github.com/hashicorp/vault/api from 1.12.1 to 1.12.2 Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.12.1 to 1.12.2. - [Release notes](https://github.com/hashicorp/vault/releases) - [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) - [Commits](hashicorp/vault@v1.12.1...v1.12.2) --- updated-dependencies: - dependency-name: github.com/hashicorp/vault/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump actions/cache from 4.0.1 to 4.0.2 Bumps [actions/cache](https://github.com/actions/cache) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@ab5e6d0...0c45773) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> chore: bump actions/dependency-review-action from 4.1.3 to 4.2.3 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.1.3 to 4.2.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@9129d7d...0fa40c3) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * chore Signed-off-by: Bence Csati <[email protected]> * fix: add temp openbao docker image Signed-off-by: Bence Csati <[email protected]> * fix: remove toolchain Signed-off-by: Bence Csati <[email protected]> * fix: add bao container to the ci Signed-off-by: Bence Csati <[email protected]> * fix: container image in ci Signed-off-by: Bence Csati <[email protected]> * fix: remove failing test Signed-off-by: Bence Csati <[email protected]> fix: add back test Signed-off-by: Bence Csati <[email protected]> fix: test Signed-off-by: Bence Csati <[email protected]> fix: test Signed-off-by: Bence Csati <[email protected]> fix: test Signed-off-by: Bence Csati <[email protected]> fix: test Signed-off-by: Bence Csati <[email protected]> fix: test Signed-off-by: Bence Csati <[email protected]> * feat: add bao service to ci Signed-off-by: Bence Csati <[email protected]> * fix(e2e): daemon-mode e2e tests, and examples fixed Signed-off-by: Bence Csati <[email protected]> fix(): e2e Signed-off-by: Bence Csati <[email protected]> fix(): e2e Signed-off-by: Bence Csati <[email protected]> fix: e2e Signed-off-by: Bence Csati <[email protected]> * fix: remarks Signed-off-by: Bence Csati <[email protected]> * fix: remarks Signed-off-by: Bence Csati <[email protected]> --------- Signed-off-by: Bence Csati <[email protected]> Signed-off-by: dependabot[bot] <[email protected]>
bank-vaults · Apr 8, 2024 · 746bc73 · 746bc73
1 parent 06a28c8
commit 746bc73
Show file tree

Hide file tree

Showing 27 changed files with 1,773 additions and 306 deletions.
diff --git a/.envrc b/.envrc
@@ -6,3 +6,7 @@ use flake . --impure
 # Vault
 export VAULT_ADDR=http://127.0.0.1:8200
 export VAULT_TOKEN=227e1cce-6bf7-30bb-2d2a-acc854318caf
+
+# Bao
+export BAO_ADDR=http://127.0.0.1:8300
+export BAO_TOKEN=227e1cce-6bf7-30bb-2d2a-acc854318caf
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -63,6 +63,15 @@ jobs:
           VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
         ports:
           - 8200:8200
+      bao:
+        image: csatib02/openbao:dev
+        env:
+          SKIP_SETCAP: "true"
+          BAO_ADDR: http://127.0.0.1:8200
+          BAO_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+          BAO_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+        ports:
+          - 8300:8200
 
     steps:
       - name: Checkout repository
@@ -239,6 +248,15 @@ jobs:
           VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
         ports:
           - 8200:8200
+      bao:
+        image: csatib02/openbao:dev
+        env:
+          SKIP_SETCAP: "true"
+          BAO_ADDR: http://127.0.0.1:8200
+          BAO_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+          BAO_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+        ports:
+          - 8300:8200
 
     steps:
       - name: Checkout repository

diff --git a/README.md b/README.md
@@ -7,7 +7,6 @@
 
 ## Features
 
-
 - **Multi-provider support** - Automatically deduces and initializes required secret providers from environment variable references.
 - **Async loading** - Secrets are loaded asynchronously to improve speed.
 - **Renew secrets** - Use daemon mode to renew secrets in the background.
@@ -16,6 +15,7 @@
 |--------------------------------------------------------------|----------------|
 |  Local provider                                              | ✅ Implemented  |
 | [HashiCorp Vault](https://www.vaultproject.io)               | ✅ Implemented  |
+| [OpenBao](https://github.com/openbao/openbao)                | ✅ Implemented  |
 | [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)| Upcoming       |
 
 ## Getting started

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -2,7 +2,7 @@ version: "3.9"
 
 services:
   vault:
-    container_name: vault
+    container_name: secret-init-vault
     image: hashicorp/vault:1.14.1
     ports:
       - 127.0.0.1:8200:8200
@@ -11,3 +11,14 @@ services:
       VAULT_ADDR: http://127.0.0.1:8200
       VAULT_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
       VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+
+  bao:
+    container_name: secret-init-bao
+    image: csatib02/openbao:dev
+    ports:
+      - 127.0.0.1:8300:8200
+    environment:
+      SKIP_SETCAP: "true"
+      BAO_ADDR: http://127.0.0.1:8200
+      BAO_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf
+      BAO_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
diff --git a/e2e/bao-provider.bats b/e2e/bao-provider.bats
@@ -0,0 +1,220 @@
+bao_container_name="secret-init-bao"
+
+setup() {
+  bats_load_library bats-support
+  bats_load_library bats-assert
+
+  run go build
+  assert_success
+}
+
+setup_bao_provider() {
+  TMPFILE_TOKEN=$(mktemp)
+  printf "227e1cce-6bf7-30bb-2d2a-acc854318caf" > "$TMPFILE_TOKEN"
+
+  export BAO_ADDR="http://127.0.0.1:8300"
+  export BAO_TOKEN_FILE="$TMPFILE_TOKEN"
+
+  export API_KEY="bao:secret/data/test/api#API_KEY"
+  export RABBITMQ_USERNAME="bao:secret/data/test/rabbitmq#RABBITMQ_USERNAME"
+  export RABBITMQ_PASSWORD="bao:secret/data/test/rabbitmq#RABBITMQ_PASSWORD"
+
+  start_bao
+}
+
+start_bao() {
+  docker compose up -d
+
+  # wait for Bao to be ready
+  max_attempts=${MAX_ATTEMPTS:-10}
+  for ((attempts = 0; attempts < max_attempts; attempts++)); do
+    if docker compose exec -T "$bao_container_name"  bao status > /dev/null 2>&1; then
+      break
+    fi
+    sleep 1
+  done
+}
+
+set_bao_token() {
+  local token=$1
+  export BAO_TOKEN="$token"
+}
+
+set_daemon_mode() {
+  export SECRET_INIT_DAEMON="true"
+}
+
+setup_database_for_daemon_mode() {
+  docker network create my-network
+
+  # Start a PostgreSQL container so a renewable secret can be created
+  docker run --network=my-network --name my-postgres -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_DB=mydb -p 5432:5432 -d postgres
+
+  # wait for Postgre to be ready
+  max_attempts=${MAX_ATTEMPTS:-10}
+  for ((attempts = 0; attempts < max_attempts; attempts++)); do
+    if docker exec my-postgres pg_isready -U postgres -d mydb > /dev/null 2>&1; then
+      break
+    fi
+    sleep 1
+  done
+
+  docker network connect my-network "$bao_container_name"
+
+  # Enable the database secrets engine
+  docker exec "$bao_container_name" bao secrets enable database
+
+  # Configure the database secrets engine
+  docker exec "$bao_container_name" bao write database/config/my-database \
+      plugin_name=postgresql-database-plugin \
+      allowed_roles="my-role" \
+      connection_url="postgresql://postgres:mysecretpassword@my-postgres:5432/mydb?sslmode=disable" \
+      username="postgres" \
+      password="mysecretpassword"
+
+  # Create a role with a short TTL
+  docker exec "$bao_container_name" bao write database/roles/my-role \
+      db_name=my-database \
+      creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+      default_ttl="10s" \
+      max_ttl="10s"
+
+  # Set the environment variables so they can be renewed
+  export DATABASE_USERNAME="bao:database/creds/my-role#username"
+  export DATABASE_PASSWORD="bao:database/creds/my-role#password"
+}
+
+add_secrets_to_bao() {
+  docker exec "$bao_container_name" bao kv put secret/test/api API_KEY=sensitiveApiKey
+  docker exec "$bao_container_name" bao kv put secret/test/rabbitmq RABBITMQ_USERNAME=rabbitmqUser RABBITMQ_PASSWORD=rabbitmqPassword
+}
+
+add_custom_secret_to_bao() {
+  local path="$1"
+  shift
+  local data=()
+
+  for secret in "$@"; do
+    data+=("$secret")
+  done
+
+  docker exec "$bao_container_name" bao kv put "$path" "${data[@]}"
+}
+
+teardown() {
+  docker compose down
+  docker rm -f my-postgres
+  docker network rm my-network
+
+  rm -f "$TMPFILE_TOKEN"
+  rm -f secret-init
+}
+
+assert_output_contains() {
+  local expected=$1
+  local output=$2
+
+  echo "$output" | grep -qF "$expected" || fail "Expected line not found: $expected"
+}
+
+@test "secrets successfully loaded from bao" {
+  setup_bao_provider
+  set_bao_token 227e1cce-6bf7-30bb-2d2a-acc854318caf
+  add_secrets_to_bao
+
+  run_output=$(./secret-init env | grep 'API_KEY\|RABBITMQ_USERNAME\|RABBITMQ_PASSWORD')
+  assert_success
+
+  assert_output_contains "API_KEY=sensitiveApiKey" "$run_output"
+  assert_output_contains "RABBITMQ_USERNAME=rabbitmqUser" "$run_output"
+  assert_output_contains "RABBITMQ_PASSWORD=rabbitmqPassword" "$run_output"
+}
+
+@test "secrets successfully loaded from bao using bao:login as token" {
+  setup_bao_provider
+  set_bao_token "bao:login"
+  add_secrets_to_bao
+
+  run_output=$(./secret-init env | grep 'API_KEY\|RABBITMQ_USERNAME\|RABBITMQ_PASSWORD')
+  assert_success
+
+  assert_output_contains "API_KEY=sensitiveApiKey" "$run_output"
+  assert_output_contains "RABBITMQ_USERNAME=rabbitmqUser" "$run_output"
+  assert_output_contains "RABBITMQ_PASSWORD=rabbitmqPassword" "$run_output"
+}
+
+@test "secrets successfully loaded and renewed from bao with daemon mode enabled" {
+  setup_bao_provider
+  set_bao_token 227e1cce-6bf7-30bb-2d2a-acc854318caf
+  add_secrets_to_bao
+
+  set_daemon_mode
+  setup_database_for_daemon_mode
+
+  # Generate a new secret and get its lease ID
+  secret_info_before=$(docker exec "$bao_container_name" bao read -format=json database/creds/my-role)
+  lease_id_before=$(echo "$secret_info_before" | jq -r '.lease_id')
+
+  run_output=$(./secret-init env | grep 'API_KEY\|RABBITMQ_USERNAME\|RABBITMQ_PASSWORD')
+  assert_success
+
+  # Get the lease ID after renewing the secret
+  secret_info_after=$(docker exec "$bao_container_name" bao read -format=json database/creds/my-role)
+  lease_id_after=$(echo "$secret_info_after" | jq -r '.lease_id')
+
+  assert_output_contains "API_KEY=sensitiveApiKey" "$run_output"
+  assert_output_contains "RABBITMQ_USERNAME=rabbitmqUser" "$run_output"
+  assert_output_contains "RABBITMQ_PASSWORD=rabbitmqPassword" "$run_output"
+
+  # Check if the lease ID has changed
+  if [ "$lease_id_before" == "$lease_id_after" ]; then
+    fail "Secret was not renewed"
+  fi
+}
+
+@test "secrets successfully loaded from bao using BAO_FROM_PATH" {
+  # unset env vars to ensure secret-init will utilize BAO_FROM_PATH
+  unset API_KEY
+  unset RABBITMQ_USERNAME
+  unset RABBITMQ_PASSWORD
+
+  setup_bao_provider
+  set_bao_token 227e1cce-6bf7-30bb-2d2a-acc854318caf
+  add_secrets_to_bao
+  export BAO_FROM_PATH="secret/data/test/api,secret/data/test/rabbitmq"
+
+  run_output=$(./secret-init env | grep 'API_KEY\|RABBITMQ_USERNAME\|RABBITMQ_PASSWORD')
+  assert_success
+
+  assert_output_contains "API_KEY=sensitiveApiKey" "$run_output"
+  assert_output_contains "RABBITMQ_USERNAME=rabbitmqUser" "$run_output"
+  assert_output_contains "RABBITMQ_PASSWORD=rabbitmqPassword" "$run_output"
+}
+
+@test "secrets successfully loaded from bao using different injection cases" {
+  setup_bao_provider
+  set_bao_token 227e1cce-6bf7-30bb-2d2a-acc854318caf
+  add_secrets_to_bao
+
+  # Secret with version
+  add_custom_secret_to_bao "secret/test/api" "API_KEY=modify3dAPIs3cr3t"
+  export API_KEY="bao:secret/data/test/api#API_KEY#2"
+
+  # Inline secrets with scheme
+  add_custom_secret_to_bao "secret/test/scheme" "SCHEME_SECRET1=sch3m3s3cr3tONE" "SCHEME_SECRET2=sch3m3s3cr3tTWO"
+  export SCHEME_SECRET_BAO="scheme://\${bao:secret/data/test/scheme#SCHEME_SECRET1}:\${bao:secret/data/test/scheme#SCHEME_SECRET2}@$BAO_ADDR"
+
+  # Enable pki secrets engine and generate root certificates
+  docker exec "$bao_container_name" bao secrets enable -path=pki pki
+  export ROOT_CERT=">>bao:pki/root/generate/internal#certificate"
+  export ROOT_CERT_CACHED=">>bao:pki/root/generate/internal#certificate"
+
+  run_output=$(./secret-init env | grep 'API_KEY\|SCHEME_SECRET\|ROOT_CERT\|ROOT_CERT_CACHED')
+  assert_success
+
+  assert_output_contains "API_KEY=modify3dAPIs3cr3t" "$run_output"
+  assert_output_contains "SCHEME_SECRET_BAO=scheme://sch3m3s3cr3tONE:sch3m3s3cr3tTWO@$BAO_ADDR" "$run_output"
+
+  [ $ROOT_CERT == $ROOT_CERT_CACHED ]
+  assert_success "ROOT_CERT and ROOT_CERT_CACHED are not the same"
+}
diff --git a/e2e/file-provider.bats b/e2e/file-provider.bats
@@ -10,7 +10,6 @@ setup_file_provider() {
   add_secret_file
 
   export FILE_MOUNT_PATH="/"
-
   export FILE_SECRET="file:$TMPFILE_SECRET"
 }