Merge pull request #39 from rundeck-plugins/new-namespace-auth

add auth namespace

README.md

@@ -74,6 +74,17 @@ rundeck.storage.provider.[index].config.githubToken=githubToken
 ```
 
 
+* **namespace**: Namespace. Vault namespace (Optional)
+```
+rundeck.storage.provider.[index].config.namespace=namespace
+```
+
+* **authNamespace**: Authentication Namespace. Vault authentication namespace used for authentication(Optional)
+```
+rundeck.storage.provider.[index].config.authNamespace=namespace
+```
+
+
 * **keyStoreFile**: Key store file
 A Java keystore, containing a client certificate that's registered with Vault's TLS Certificate auth backend.
 

build.gradle

@@ -1,11 +1,15 @@
 plugins {
     id 'pl.allegro.tech.build.axion-release' version '1.11.0'
+    id 'groovy'
+
 }
 ext.rundeckVersion='3.0.2-20180803'
 defaultTasks 'clean','build'
 apply plugin: 'java'
 apply plugin: 'idea'
 apply plugin: 'pl.allegro.tech.build.axion-release'
+apply plugin: 'groovy'
+
 sourceCompatibility = 1.8
 ext.rundeckPluginVersion= '1.2'
 
@@ -15,6 +19,7 @@ ext.rundeckPluginVersion= '1.2'
  */
 ext.pluginClassNames='io.github.valfadeev.rundeck.plugin.vault.VaultStoragePlugin'
 
+
 scmVersion {
     ignoreUncommittedChanges = false
     tag {
@@ -51,7 +56,7 @@ dependencies {
     // add any third-party jar dependencies you wish to include in the plugin
     // using the `pluginLibs` configuration as shown here:
 
-    pluginLibs group: 'com.bettercloud', name: 'vault-java-driver', version: '4.0.0', ext: 'jar'
+    pluginLibs group: 'com.bettercloud', name: 'vault-java-driver', version: '5.1.0', ext: 'jar'
 
 
     //the compile dependency won't add the rundeck-core jar to the plugin contents
@@ -64,7 +69,11 @@ dependencies {
             [group: 'net.bytebuddy', name: 'byte-buddy', version: '1.12.1'],
             [group: 'net.bytebuddy', name: 'byte-buddy-agent', version: '1.12.1'],
             [group: 'org.objenesis', name: 'objenesis', version: '3.2']
+
     )
+    testCompile "org.codehaus.groovy:groovy-all:2.4.15"
+    testCompile "org.spockframework:spock-core:1.0-groovy-2.4"
+    testCompile "cglib:cglib-nodep:2.2.2"
 
 }
 

docker/.env-enterprise

@@ -0,0 +1,8 @@
+VAULT_TOKEN=myroot1
+mem_limit=1200000000
+VAULT_IMAGE=hashicorp/vault-enterprise
+VAULT_APPROLE_ID=123
+VAULT_APPROLE_SECRET_ID=123
+
+RUNDECK_IMAGE=rundeckpro/enterprise:SNAPSHOT
+VAULT_LICENSE=xxxxx

docker/.gitignore

@@ -0,0 +1,2 @@
+data/envs.txt
+rundeck/plugins/vault-storage-*

docker/Makefile

@@ -1,25 +1,28 @@
 all:
 
 #env vars
-DOCKER_COMPOSE_SPEC="docker-compose.yaml"
+DOCKER_COMPOSE_SPEC ?= docker-compose.yaml
+ENV_FILE ?= .env
+
 build:
 	set -e
 	# re-build docker env
-	docker-compose -f $(DOCKER_COMPOSE_SPEC) build
+	docker-compose -f $(DOCKER_COMPOSE_SPEC) --env-file $(ENV_FILE) build
 
 start:
 	# run docker
-	docker-compose -f $(DOCKER_COMPOSE_SPEC) up -d
-	
+	docker-compose -f $(DOCKER_COMPOSE_SPEC) --env-file $(ENV_FILE) up -d
+
 clean:
 	# clean up docker env
-	docker-compose -f $(DOCKER_COMPOSE_SPEC) down --volumes --remove-orphans
+	docker-compose -f $(DOCKER_COMPOSE_SPEC) --env-file $(ENV_FILE) down --volumes --remove-orphans
+	rm data/envs.txt
 
 build_and_start:
 	set -e
 	# re-build docker env
-	docker-compose -f $(DOCKER_COMPOSE_SPEC) build
+	docker-compose -f $(DOCKER_COMPOSE_SPEC) --env-file $(ENV_FILE) build
 	# clean up docker env
-	docker-compose -f $(DOCKER_COMPOSE_SPEC) down --volumes --remove-orphans
+	docker-compose -f $(DOCKER_COMPOSE_SPEC) --env-file $(ENV_FILE) down --volumes --remove-orphans
 	# run docker
-	docker-compose -f $(DOCKER_COMPOSE_SPEC) up -d
+	docker-compose -f $(DOCKER_COMPOSE_SPEC) --env-file $(ENV_FILE) up -d

docker/README.md

@@ -6,7 +6,7 @@ This is a docker compose environment wih rundeck, mysql and vault
 
 * Copy vault plugin to `docker/rundeck/plugins`
 
-### How to use it
+### Simple example with Vault OSS
 
 * Build
 
@@ -27,3 +27,28 @@ make start
 make clean
 ```
 
+
+### Example with Vault Enterprise using approle
+
+* Build
+
+```
+export DOCKER_COMPOSE_SPEC=docker-compose-approle.yaml 
+export ENV_FILE=.env-enterprise 
+
+make build
+```
+
+* Start
+
+```
+make start
+```
+
+
+* Stop
+
+```
+make clean
+```
+

docker/docker-compose-approle.yaml

@@ -0,0 +1,66 @@
+version: '2'
+
+services:
+  vault:
+    build:
+      context: vault-enterprise
+      args:
+        IMAGE: ${VAULT_IMAGE}
+    ports:
+      - "8200:8200"
+    cap_add:
+      - IPC_LOCK
+    environment:
+      - VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}
+      - VAULT_DEV_LISTEN_ADDRESS=vault:8200
+      - VAULT_ADDR=http://vault:8200
+      - VAULT_TOKEN=${VAULT_TOKEN}
+      - VAULT_LICENSE=${VAULT_LICENSE}
+    volumes:
+      - ./data:/data
+  rundeck:
+    hostname: rundeck
+    build:
+      context: rundeck
+      args:
+        IMAGE: ${RUNDECK_IMAGE}
+    mem_limit: ${mem_limit}
+    #command: -Dlogging.config=/home/rundeck/server/config/logback.groovy
+    environment:
+    - RUNDECK_EXEC_CMD=script/configure.sh
+    - RUNDECK_GRAILS_URL=http://localhost:4442
+    - RUNDECK_DATABASE_DRIVER=org.mariadb.jdbc.Driver
+    - RUNDECK_DATABASE_USERNAME=rundeck
+    - RUNDECK_DATABASE_PASSWORD=rundeck
+    - RUNDECK_DATABASE_URL=jdbc:mariadb://mysql/rundeck?autoReconnect=true&useSSL=false
+    - RUNDECK_STORAGE_PROVIDER_1_TYPE=vault-storage
+    - RUNDECK_STORAGE_PROVIDER_1_PATH=keys
+    - RUNDECK_STORAGE_PROVIDER_1_REMOVEPATHPREFIX=true
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_SECRETBACKEND=secret
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_PREFIX=app
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_ADDRESS=http://vault:8200
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_BEHAVIOUR=vault
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_ENGINEVERSION=2
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_MAXRETRIES=10
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_RETRYINTERVAL=10
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_OPENTIMEOUT=30
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_READTIMEOUT=30
+    # auth approle
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_AUTHBACKEND=approle
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_AUTHNAMESPACE=rundeck
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_APPROLEID=${VAULT_APPROLE_ID}
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_APPROLESECRETID=${VAULT_APPROLE_SECRET_ID}
+    - RUNDECK_STORAGE_PROVIDER_1_CONFIG_NAMESPACE=rundeck/demo
+    ports:
+    - "4442:4440"
+    volumes:
+      - ./data/:/home/rundeck/vault-envs/
+  mysql:
+    image: mysql:5.7
+    ports:
+      - "3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=root
+      - MYSQL_DATABASE=rundeck
+      - MYSQL_USER=rundeck
+      - MYSQL_PASSWORD=rundeck

docker/rundeck/Dockerfile

@@ -8,9 +8,7 @@ RUN apt-get update && \
     apt-get -y install jq
 
 # add cli tool debian repo
-RUN echo "deb https://dl.bintray.com/rundeck/rundeck-deb /" | sudo tee -a /etc/apt/sources.list
-RUN curl "https://bintray.com/user/downloadSubjectPublicKey?username=bintray" > /tmp/bintray.gpg.key
-RUN apt-key add - < /tmp/bintray.gpg.key
+RUN curl -s https://packagecloud.io/install/repositories/pagerduty/rundeck/script.deb.sh | os=any dist=any bash
 RUN apt-get -y update
 RUN apt-get -y install rundeck-cli
 
@@ -27,6 +25,9 @@ ENV USERNAME=rundeck \
 WORKDIR $HOME
 USER rundeck
 
+COPY --chown=rundeck:root script/ /home/rundeck/script/
+RUN chmod +x /home/rundeck/script/*
+
 COPY --chown=rundeck:root remco /etc/remco
 COPY --chown=rundeck:root logback.groovy /home/rundeck/server/config
 

docker/rundeck/remco/templates/rundeck-config-storage.properties

@@ -8,7 +8,6 @@ rundeck.storage.provider.{{index}}.removePathPrefix={% set removepathprefix = pr
 
 rundeck.storage.provider.{{index}}.config.prefix={% set prefix = printf("%s/config/prefix", provider) %}{{ getv(prefix, "")}}
 rundeck.storage.provider.{{index}}.config.address={% set address = printf("%s/config/address", provider) %}{{ getv(address, "")}}
-rundeck.storage.provider.{{index}}.config.token={% set token = printf("%s/config/token", provider) %}{{ getv(token, "")}}
 rundeck.storage.provider.{{index}}.config.storageBehaviour={% set behaviour = printf("%s/config/behaviour", provider) %}{{ getv(behaviour, "rundeck")}}
 rundeck.storage.provider.{{index}}.config.secretBackend={% set secretbackend = printf("%s/config/secretbackend", provider) %}{{ getv(secretbackend, "secret")}}
 
@@ -19,6 +18,33 @@ rundeck.storage.provider.{{index}}.config.readTimeout={% set readtimeout = print
 
 rundeck.storage.provider.{{index}}.config.engineVersion={% set engineversion = printf("%s/config/engineversion", provider) %}{{ getv(engineversion, "1")}}
 
+{%- set auth = getv(printf("%s/config/authbackend", provider), "token") %}
+{%- set namespace = getv(printf("%s/config/namespace", provider)) %}
+{%- set authnamespace = getv(printf("%s/config/authnamespace", provider)) %}
+
+
+{% if namespace %}
+rundeck.storage.provider.{{index}}.config.namespace={% set namespace = printf("%s/config/namespace", provider) %}{{ getv(namespace)}}
+{% endif %}
+
+{% if auth == 'token' %}
+rundeck.storage.provider.{{index}}.config.token={% set token = printf("%s/config/token", provider) %}{{ getv(token, "")}}
+
+{% endif %}
+
+
+{% if auth == 'approle' %}
+rundeck.storage.provider.{{index}}.config.approleId={% set approleid = printf("%s/config/approleid", provider) %}{{ getv(approleid)}}
+rundeck.storage.provider.{{index}}.config.approleSecretId={% set approlesecretid = printf("%s/config/approlesecretid", provider) %}{{ getv(approlesecretid)}}
+rundeck.storage.provider.{{index}}.config.approleAuthMount={% set approleauthmount = printf("%s/config/approleauthmount", provider) %}{{ getv(approleauthmount,"approle")}}
+rundeck.storage.provider.{{index}}.config.authBackend=approle
+
+{% endif %}
+
+{% if authnamespace %}
+rundeck.storage.provider.{{index}}.config.authNamespace={% set authnamespace = printf("%s/config/authnamespace", provider) %}{{ getv(authnamespace)}}
+{% endif %}
+
 {% endmacro %}
 
 

docker/rundeck/script/configure.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+ls -lrt /home/rundeck/script
+
+bash /home/rundeck/script/waitforfile.sh /home/rundeck/vault-envs/envs.txt 30 10
+
+export $(xargs < /home/rundeck/vault-envs/envs.txt)
+
+env | grep VAULT
+
+sed -i "s/^\(rundeck\.storage\.provider\.1\.config\.approleId\s*=\s*\).*\$/\1$VAULT_ROLE_ID/" server/config/rundeck-config.properties
+sed -i "s/^\(rundeck\.storage\.provider\.1\.config\.approleSecretId\s*=\s*\).*\$/\1$VAULT_SECRET_ID/" server/config/rundeck-config.properties
+
+
+cat server/config/rundeck-config.properties
+
+exec java \
+    -XX:+UnlockExperimentalVMOptions \
+    -Dlog4j.configurationFile="${HOME}/server/config/log4j2.properties" \
+    -Dlogging.config="file:${HOME}/server/config/log4j2.properties" \
+    -Dloginmodule.conf.name=jaas-loginmodule.conf \
+    -Dloginmodule.name=rundeck \
+    -Drundeck.jaaslogin=true \
+    "${@}" \
+    -jar rundeck.war

docker/rundeck/script/waitforfile.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+syntax_error() { echo >&2 "SYNTAX: $*"; exit 2; }
+
+(( $# != 3 )) && {
+   syntax_error "$0 <file> <interval> <maxtry>"
+}
+
+declare -r FILE=$1 INTERVAL=$2 MAXTRY=$3
+
+echo "waiting for ${FILE}"
+
+progress_tic() { if [[ -t 1 ]]; then printf -- "%s" "$@"; else printf -- "%s\n" "$@" ;  fi ; }
+
+echo "Running as user: $(whoami)"
+
+declare -i attempts=0
+while (( attempts <= MAXTRY ))
+do
+    if ! test -f "$FILE"
+    then  progress_tic "."; # output a progress string.
+    else  break; # file exists
+    fi
+    (( attempts += 1 ))  ; # increment attempts attemptser.
+    (( attempts == MAXTRY )) && {
+        echo "FAIL: Reached max try file exists: $FILE. Exiting."
+        exit 1
+    }
+    sleep "$INTERVAL"; # wait before trying again.
+done

docker/vault-enterprise/Dockerfile

@@ -0,0 +1,9 @@
+ARG IMAGE
+FROM ${IMAGE}
+
+EXPOSE 8200
+COPY run.sh /usr/local/bin/run.sh
+RUN apk --no-cache add curl
+RUN apk --no-cache add jq
+
+CMD ["run.sh"]