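# --- Build configuration -----------------------------------------------------
# Simple (:=) assignments: `uname` runs once at parse time instead of on every
# reference to $(UNAME).
UNAME := $(shell uname -s)
PLUGIN_NAME := vault-plugin-database-cmd
DOCKER_IMAGE := $(PLUGIN_NAME)
DOCKER_IMAGE_TAG := 1.0.0

# Pin every `vault` invocation in this file to the local dev server started by
# `make start`. These are deliberately unconditional assignments: a VAULT_ADDR
# or VAULT_TOKEN inherited from the caller's shell must not redirect the
# register/integration targets at some other Vault. `root` is the dev-mode
# root token chosen by `-dev-root-token-id=root` in the `start` recipe and is
# meaningless anywhere else.
export VAULT_ADDR = http://127.0.0.1:8200
export VAULT_TOKEN = root

# Vault needs to know where the Docker socket is when Docker runs in rootless
# mode. Rootless Docker puts its socket under $XDG_RUNTIME_DIR; fall back to
# the uid-1000 path when that variable is unset (e.g. on macOS). ?= lets an
# already-set DOCKER_HOST from the environment or command line take precedence.
export DOCKER_HOST ?= unix://$(or $(XDG_RUNTIME_DIR),/run/user/1000)/docker.sock

# Map the host OS to a GOOS value unless the caller supplied one (`make OS=...`).
# An unrecognised uname leaves OS empty; `GOOS=` in the build recipe then
# presumably falls through to the Go toolchain default.
ifndef OS
ifeq ($(UNAME),Linux)
OS = linux
else ifeq ($(UNAME),Darwin)
OS = darwin
endif
endif

.DEFAULT_GOAL := all

## Format, lint, build the plugin binary and start the local dev Vault server.
all: fmt lint build start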
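## Build the plugin binary for the host OS without cgo.
# `build` is phony, so it always rebuilds; the .go prerequisites only document
# the inputs (top-level files only -- sub-packages are not listed). `fmt` runs
# first so the binary is always built from formatted sources. mkdir -p keeps a
# fresh checkout from failing on a missing output directory.
build: PLUGIN_BIN := vault/plugins/$(PLUGIN_NAME)
build: fmt cmd/$(PLUGIN_NAME)/main.go $(wildcard *.go)
	@mkdir -p $(dir $(PLUGIN_BIN))
	GOOS=$(OS) CGO_ENABLED=0 go build -o $(PLUGIN_BIN) cmd/$(PLUGIN_NAME)/main.go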
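## Start a local Vault dev server on :8200 unless one is already listening.
# Dev mode is an in-memory, auto-unsealed server with the fixed root token
# `root` and trace-level logging (written to ./vault/debug.log) -- development
# only. It listens on 0.0.0.0 so a containerised plugin can reach it, which
# also makes this root-token server reachable from the host's network.
# The server is backgrounded, so the recipe polls `vault status` until the
# listener answers; without that, `register-plugin` (which depends on `start`)
# races the startup and fails on its first request.
start:
	@if lsof -Pi :8200 -sTCP:LISTEN -t >/dev/null ; then \
		echo "Vault server is already running"; \
	else \
		mkdir -p ./vault; \
		vault server -dev -dev-root-token-id=root -log-level=trace \
			-dev-listen-address=0.0.0.0:8200 > ./vault/debug.log 2>&1 & \
		for i in $$(seq 1 30); do \
			vault status >/dev/null 2>&1 && break; \
			sleep 1; \
		done; \
		vault status >/dev/null 2>&1 || { echo "Vault did not become ready; see ./vault/debug.log" >&2; exit 1; }; \
	fi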
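## Remove what this Makefile produces: the plugin binary, the Docker image,
## the coverage profile from `unit-test` and the dev-server log from `start`.
# The image is removed by IMAGE:TAG -- `build-container` tags it with
# $(DOCKER_IMAGE_TAG), so removing the bare name (implicitly :latest) never
# matched the image actually built. `-` on that line: the target must still
# succeed when the image was never built (docker exits non-zero for an
# unknown image).
clean:
	$(RM) ./vault/plugins/$(PLUGIN_NAME) coverage.out ./vault/debug.log
	-docker image rm -f $(DOCKER_IMAGE):$(DOCKER_IMAGE_TAG)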
## Reformat every Go package in the module in place.
fmt:
	go fmt ./...
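## Static analysis, security lint and dependency vulnerability scan.
# Each tool runs in its own shell line, so make stops at the first failing
# tool. Only the banner echoes are silenced: the tool invocations are echoed
# so a failing step is identifiable from the build output.
lint:
	@echo "Running static code analysis with golangci-lint..."
	golangci-lint run ./...
	@echo "Running static analysis with staticcheck..."
	staticcheck ./...
	@echo "Running security check with gosec..."
	gosec ./...
	@echo "Running vulnerability check with govulncheck..."
	govulncheck ./...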
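## Build the plugin's OCI image from the working tree (after building the binary).
# The tree is streamed to `docker build` as a tar; -h dereferences symlinks so
# their targets end up in the context. Excluded: the Vagrant directory, the
# dev-server trace log and the coverage profile -- the last two are generated
# locally by `start`/`unit-test` and do not belong in an image build context
# (the trace log can carry request-level detail from the dev server).
build-container: build
	tar --exclude='./vagrant' --exclude='./vault/debug.log' --exclude='./coverage.out' -czh . \
		| docker build -t $(DOCKER_IMAGE):$(DOCKER_IMAGE_TAG) -f Dockerfile -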
SHA256:=$$(docker images --no-trunc --format="{{ .ID }}" $(DOCKER_IMAGE) | cut -d: -f2 | head -n 1)
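## Register the containerised plugin with the dev Vault server and reload it.
# The container runtime is registered as `runsc` in rootless mode, then the
# plugin is registered by image name, version and image ID. The ID comes from
# $(SHA256), which is resolved by the shell at recipe time; it is checked for
# emptiness first so a missing local image fails with a clear hint instead of
# an obscure registration error from an empty -sha256.
register-plugin: start
	vault plugin runtime register -type=container -rootless=true -oci_runtime=runsc runsc
	sha=$(SHA256); \
	if [ -z "$$sha" ]; then \
		echo "no local image ID found for $(DOCKER_IMAGE); run 'make build-container' first" >&2; \
		exit 1; \
	fi; \
	vault plugin register \
		-sha256=$$sha \
		-oci_image=$(DOCKER_IMAGE) \
		-runtime=runsc \
		-version=$(DOCKER_IMAGE_TAG) \
		database $(PLUGIN_NAME)
	vault plugin reload -type=database -plugin $(PLUGIN_NAME)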
## Run the unit tests with the race detector, then print per-function coverage.
unit-test: COVERPROFILE := coverage.out
unit-test:
	@echo "Running unit tests..."
	go test -v -race -coverprofile=$(COVERPROFILE) ./...
	@echo "Coverage report:"
	go tool cover -func=$(COVERPROFILE)
## End-to-end exercise of the registered plugin against the dev Vault server:
## mount the database engine, configure a connection, define a dynamic and a
## static role, then read credentials from both.
# All `vault` calls go to VAULT_ADDR/VAULT_TOKEN exported at the top of the
# file, i.e. the local dev server only.
integration-test: register-plugin
# `-`: enabling the mount fails when it already exists from a previous run;
# that is not an error for this target.
	-vault secrets enable -path=database-cmd database
# Connection config. The username/password/custom_field values are placeholders
# for a test configuration, not real credentials. root_rotation_statements is
# given twice on purpose (see the note on repeated parameters below).
	vault write database-cmd/config/my-database \
		plugin_name="$(PLUGIN_NAME)" \
		plugin_version="$(DOCKER_IMAGE_TAG)" \
		allowed_roles="*" \
		username="mandatory" \
		password="mandatory" \
		custom_field="optional" \
		root_rotation_statements="echo 'Root rotation statements'" \
		root_rotation_statements="echo 'Second line {{root_custom_field}}'"
	vault write -force database-cmd/reload/vault-plugin-database-cmd
	vault list database-cmd/config
	vault read database-cmd/config/my-database
	vault write -force database-cmd/rotate-root/my-database
# Repeating parameters adds more lines to the script.
# This is useful for testing the plugin's ability to handle multiple statements.
# NOTE(review): the second creation statement pings an external host, so this
# run needs outbound network access from wherever the plugin executes.
	vault write database-cmd/roles/dynamic-role \
		db_name=my-database \
		creation_statements="echo 'Dynamic creation statements'" \
		creation_statements="ping -c3 www.google.com" \
		revocation_statements="echo 'Dynamic revocation statements'" \
		rollback_statements="echo 'Dynamic rollback statements'" \
		renew_statements="echo 'Dynamic renew statements'" \
		rotation_period="15s" \
		default_ttl="30s" \
		max_ttl="1m"
# Static role: a fixed username whose password is rotated on a schedule
# (cron expression) within the given window.
	vault write database-cmd/static-roles/static-role \
		db_name=my-database \
		credential_type="password" \
		username="static-username" \
		rotation_window="1h" \
		self_managed_password="true" \
		rotation_schedule="0 * * * SAT" \
		rotation_statements="echo 'Rotate static'"
	vault read database-cmd/creds/dynamic-role
# The static credential is read twice -- presumably to confirm the second read
# returns the same credential rather than rotating it; verify against the plugin.
	vault read database-cmd/static-creds/static-role
	vault read database-cmd/static-creds/static-role
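## Stop the dev Vault server started by `start`.
# Only the `vault` process listening on :8200 is signalled (lsof -a ANDs the
# command-name and port filters). `killall vault` would take down every Vault
# process on the host -- agents, other servers, a running CLI -- and is not
# present on every system. No listener is a no-op, not a failure.
stop:
	@pids=$$(lsof -a -c vault -Pi :8200 -sTCP:LISTEN -t); \
	if [ -n "$$pids" ]; then \
		kill $$pids; \
	else \
		echo "No Vault server listening on :8200"; \
	fi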
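## Export the built image as a dated, gzip-compressed tarball.
# Two steps instead of `docker image save | gzip > file`: in that pipe the
# shell only reports gzip's exit status, so a failed save left a small,
# valid-looking .tar.gz behind while the target still succeeded. The archive
# name is fixed once (:=) so both steps agree on it even across midnight.
release: ARCHIVE := $(DOCKER_IMAGE)_$(DOCKER_IMAGE_TAG)_$(shell date +%Y%m%d).tar
release: build-container
	@echo "Release"
	docker image save -o $(ARCHIVE) $(DOCKER_IMAGE):$(DOCKER_IMAGE_TAG)
	gzip -f $(ARCHIVE)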
.PHONY: all build clean fmt build-container register-plugin unit-test integration-test stop release lint