Page MenuHomeDevCentral

Fetch credentials from Vault
ClosedPublic

Authored by dereckson on May 12 2022, 22:16.

Details

Summary

Connect to Vault. Allow to fetch a credential and login again if the token
is expired, as the current duration lease is 4 hours.

vendor/vault.tcl is a work-in-progress Vault client implementation in TCL,
to be integrated in a future tcllib revision. Once released, that file will
be removed from the repository to use directly the tcllib one.

Allow nickserv, MySQL and RabbitMQ to consume secrets. The first two are
handled by configuration, the RabbitMQ one by this change.

Ref T1733.

Test Plan

Tested live on Daeghrefn and with a full restart on Wearg.

Diff Detail

Repository
rVIPER ViperServ scripts
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.

By coherence with TCL commands and our own commands (e.g. registry), I'd suggest to add a procedure vault to dispatch vault subcommand to vault_get, vault_login, etc. if they exists.

Vault.tcl
16

That worked at some point, probably when this was the last instruction,
but now it can't be the default return value if it's followed by another line (return $credential).

And indeed:

20:00:58 <Dereckson> .tcl vault_get broker password
20:01:00 <Daeghrefn> Tcl error: can't read "credential": no such variable

20:01:07 <Dereckson> .tcl putdebug
20:01:07 <Daeghrefn> [DEBUG] can't read "credential": no such variable
20:01:07 <Daeghrefn>     while executing
20:01:07 <Daeghrefn> "return $credential"
20:01:07 <Daeghrefn>     (procedure "vault_get" line 10)
20:01:07 <Daeghrefn>     invoked from within
20:01:07 <Daeghrefn> "vault_get broker password"
20:01:07 <Daeghrefn> Tcl:
vendor/vault.tcl
9

Does that package provides ::json::write?

Tcl error in file '/srv/viperserv/Wearg/eggdrop.conf':
invalid command name "::json::write"
    while executing
"::json::write string $v"
    (procedure "::vault::payload" line 3)
    invoked from within
"::vault::payload $params"
    (procedure "::vault::request" line 9)
    invoked from within
"::vault::request POST /v1/auth/approle/login $params"
    (procedure "::vault::appRoleLogin" line 3)
    invoked from within
"::vault::appRoleLogin $vault(roleID) $vault(secretID)"
    (procedure "vault_login" line 5)
    invoked from within
"vault_login"
    (file "scripts/Vault.tcl" line 22)
    invoked from within
"source scripts/Vault.tcl"
    (file "/srv/viperserv/Wearg/eggdrop.conf" line 58)
% ::json::write
invalid command name "::json::write"

% package require json
1.3.4

% ::json::write
invalid command name "::json::write"

Fixes the following issue:

  • invalid command name "::json::write"
  • not declared variable $token

Wearg successfully restarted with that change (and D2687):

Broker

11:38:07 < Wearg> dereckson forcely updated tommy (branch snyk-fix-6dc6119f8cb71f072b30e92a6fc487aa) — https://github.com/nasqueron/tommy/compare/snyk-fix-6dc6119f8cb71f072b30e92a6fc487aa

11:39:45 <Dereckson> .tcl mq connected
11:39:46 <Wearg> Tcl: 1

MySQL

11:43:59 <Dereckson> .tcl sql "SELECT 1+1"
11:43:59 <Wearg> Tcl: 2

NickServ

11:37:40 [Libera] -!- account : Wearg

dereckson retitled this revision from WIP: Fetch credentials from Vault to Fetch credentials from Vault.May 29 2022, 11:51
dereckson edited the summary of this revision. (Show Details)
dereckson edited the test plan for this revision. (Show Details)
dereckson edited the test plan for this revision. (Show Details)
This revision is now accepted and ready to land.May 29 2022, 11:58
This revision was automatically updated to reflect the committed changes.