
Fetch credentials from Vault

Authored by dereckson on May 12 2022, 22:16.



Connect to Vault. Allow fetching a credential and logging in again if the token
is expired, as the current lease duration is 4 hours.

vendor/vault.tcl is a work-in-progress Vault client implementation in TCL,
to be integrated in a future tcllib revision. Once released, that file will
be removed from the repository to directly use the tcllib one.

Allow nickserv, MySQL and RabbitMQ to consume secrets. The first two are
handled by configuration, the RabbitMQ one by this change.

Ref T1733.

Test Plan

Tested live on Daeghrefn and with a full restart on Wearg.

Diff Detail

rVIPER ViperServ scripts
Lint: Not Applicable
Tests: Not Applicable
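
The re-login behaviour the summary describes, as an added example that is not code from this revision or from vendor/vault.tcl. All proc names are hypothetical, the fake_* procs stand in for the Vault HTTP API so the script runs offline, and it assumes Tcl 8.6 (for try/trap) and that a request with an expired token is rejected with HTTP 403.

```tcl
# Added example. fake_login, fake_read and demo_get are hypothetical names;
# the fake_* procs simulate a Vault server with constructed data.

set now 0                      ;# constructed clock, in seconds
set lease 14400                ;# 4-hour token lease, as stated in the summary
array set issued {}            ;# token -> expiry time, held by the fake server
set logins 0                   ;# number of logins performed so far
set token ""                   ;# client-side cached token

# Simulated AppRole login: issues a fresh token valid for one lease.
proc fake_login {} {
    global now lease issued logins
    set token "token-[incr logins]"
    set issued($token) [expr {$now + $lease}]
    return $token
}

# Simulated secret read: unknown or expired tokens are refused (assumed 403).
proc fake_read {token path key} {
    global now issued
    if {![info exists issued($token)] || $now >= $issued($token)} {
        return -code error -errorcode {VAULT 403} "permission denied"
    }
    return "constructed-secret-for-$path/$key"
}

# Fetch a credential. On a 403, log in again and retry exactly once, so a
# revoked role fails loudly instead of looping on login.
proc demo_get {path key} {
    global token
    if {$token eq ""} { set token [fake_login] }
    try {
        # Store the result explicitly: the proc ends with "return $credential",
        # so the value of this command is not the implicit return value.
        set credential [fake_read $token $path $key]
    } trap {VAULT 403} {} {
        set token [fake_login]
        set credential [fake_read $token $path $key]
    }
    return $credential
}

puts [demo_get broker password]   ;# first call logs in
set now 15000                     ;# move the clock past the 4-hour lease
puts [demo_get broker password]   ;# cached token refused, one re-login, retry
puts "logins: $logins"
```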

Event Timeline

dereckson created this revision.

By coherence with TCL commands and our own commands (e.g. registry), I'd suggest adding a procedure vault to dispatch vault subcommands to vault_get, vault_login, etc. if they exist.


That worked at some point, probably when this was the last instruction,
but now it can't be the default return value if it's followed by another line (return $credential).

And indeed:

20:00:58 <Dereckson> .tcl vault_get broker password
20:01:00 <Daeghrefn> Tcl error: can't read "credential": no such variable

20:01:07 <Dereckson> .tcl putdebug
20:01:07 <Daeghrefn> [DEBUG] can't read "credential": no such variable
20:01:07 <Daeghrefn>     while executing
20:01:07 <Daeghrefn> "return $credential"
20:01:07 <Daeghrefn>     (procedure "vault_get" line 10)
20:01:07 <Daeghrefn>     invoked from within
20:01:07 <Daeghrefn> "vault_get broker password"
20:01:07 <Daeghrefn> Tcl:

Does that package provide ::json::write?

Tcl error in file '/srv/viperserv/Wearg/eggdrop.conf':
invalid command name "::json::write"
    while executing
"::json::write string $v"
    (procedure "::vault::payload" line 3)
    invoked from within
"::vault::payload $params"
    (procedure "::vault::request" line 9)
    invoked from within
"::vault::request POST /v1/auth/approle/login $params"
    (procedure "::vault::appRoleLogin" line 3)
    invoked from within
"::vault::appRoleLogin $vault(roleID) $vault(secretID)"
    (procedure "vault_login" line 5)
    invoked from within
    (file "scripts/Vault.tcl" line 22)
    invoked from within
"source scripts/Vault.tcl"
    (file "/srv/viperserv/Wearg/eggdrop.conf" line 58)
% ::json::write
invalid command name "::json::write"

% package require json

% ::json::write
invalid command name "::json::write"

Fixes the following issues:

  • invalid command name "::json::write"
  • undeclared variable $token

Wearg successfully restarted with that change (and D2687):


11:38:07 < Wearg> dereckson forcely updated tommy (branch snyk-fix-6dc6119f8cb71f072b30e92a6fc487aa) —

11:39:45 <Dereckson> .tcl mq connected
11:39:46 <Wearg> Tcl: 1


11:43:59 <Dereckson> .tcl sql "SELECT 1+1"
11:43:59 <Wearg> Tcl: 2


11:37:40 [Libera] -!- account : Wearg

dereckson retitled this revision from WIP: Fetch credentials from Vault to Fetch credentials from Vault. (May 29 2022, 11:51)
dereckson edited the summary of this revision.
dereckson edited the test plan for this revision.
dereckson edited the test plan for this revision.
This revision is now accepted and ready to land. (May 29 2022, 11:58)
This revision was automatically updated to reflect the committed changes.