UKHomeOffice / vault-sidekick

Vault sidekick
Apache License 2.0

Add client auth #99

Open AkhilGNair opened 4 years ago

AkhilGNair commented 4 years ago

Add CLI flags to supply client-side authorisation files.

Example behavior:

vault-sidekick can't access vault without client authorisation

$ export VAULT_ADDR=https://${vault_addr}:${vault_port}
$ export VAULT_AUTH_METHOD=kubernetes
$ export VAULT_SIDEKICK_ROLE=example
$
$ bin/vault-sidekick

[error] unable to create the vault client: Post https://${vault_addr}:${vault_port}/v1/auth/kubernetes/login: remote error: tls: bad certificate

Supplying the key + cert, we can now talk to vault (hitting an expected error)

$ bin/vault-sidekick \
    -client-cert vault-client.crt \
    -client-key vault-client.key

[error] unable to create the vault client: Error making API request.

URL: POST https://${vault_addr}:${vault_port}/v1/auth/kubernetes/login
Code: 400. Errors:

* missing client token

Error if you try to supply only the key or cert

$ bin/vault-sidekick \
    -client-cert vault-client.crt

[error] invalid options, you are supplying the client certificate, but not the private key

s3bw commented 4 years ago

The build is failing because you haven't formatted the Go files. Run go fmt on the scripts.