
Commit 5ae76db

committed
Add secrets profile to set up a KVv2 mount
This mirrors a dev mode server, but allows us to apply it for production/durable servers. Signed-off-by: Alexander Scheel <[email protected]>
1 parent 0475848 commit 5ae76db


1 file changed

+30
-0
lines changed


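--- a/pkg/bao/profile.go
+++ b/pkg/bao/profile.go
@@ -12,13 +12,15 @@ const (
 PKIProfile string = "pki"
 TransitProfile string = "transit"
 UserpassProfile string = "userpass"
+SecretProfile string = "secret"
 )
 
 func ListProfiles() []string {
 return []string{
 PKIProfile,
 TransitProfile,
 UserpassProfile,
+SecretProfile,
 }
 }
 
@@ -30,6 +32,8 @@ func ProfileDescription(name string) string {
 return "enable transit for auto-unseal of another cluster"
 case UserpassProfile:
 return "enable userpass authentication and sample policy"
+case SecretProfile:
+return "enable a KVv2 static secret engine"
 }
 
 return ""
@@ -43,6 +47,8 @@ func ProfileSetup(client *api.Client, profile string) ([]string, error) {
 return ProfileTransitSealMountSetup(client)
 case UserpassProfile:
 return ProfileUserpassMountSetup(client)
+case SecretProfile:
+return ProfileSecretMountSetup(client)
 default:
 return nil, fmt.Errorf("unknown profile to apply: %v", profile)
 }
@@ -56,6 +62,8 @@ func ProfileRemove(client *api.Client, profile string) ([]string, error) {
 return ProfileTransitSealMountRemove(client)
 case UserpassProfile:
 return ProfileUserpassMountRemove(client)
+case SecretProfile:
+return ProfileSecretMountRemove(client)
 default:
 return nil, fmt.Errorf("unknown profile to apply: %v", profile)
 }
@@ -392,6 +400,10 @@ path "transit/random" {
 path "transit/random/*" {
 capabilities = ["create", "update"]
 }
+
+path "secret/+/scratch/*" {
+capabilities = ["create", "read", "update", "patch", "list", "scan"]
+}
 `
 
 func ProfileUserpassMountSetup(client *api.Client) ([]string, error) {
@@ -438,3 +450,21 @@ func ProfileUserpassMountRemove(client *api.Client) ([]string, error) {
 
 return nil, nil
 }
+
+func ProfileSecretMountSetup(client *api.Client) ([]string, error) {
+if err := client.Sys().Mount("secret", &api.MountInput{
+Type: "kv-v2",
+}); err != nil {
+return nil, fmt.Errorf("failed to mount transit instance: %w", err)
+}
+
+return nil, nil
+}
+
+func ProfileSecretMountRemove(client *api.Client) ([]string, error) {
+if err := client.Sys().Unmount("secret"); err != nil {
+return nil, fmt.Errorf("failed to remove secret mount: %w", err)
+}
+
+return nil, nil
+}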
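Review bot: The error returned in ProfileSecretMountSetup reads `failed to mount transit instance` although the call mounts the KV v2 engine at `secret`; the wording looks copied from the transit profile and would misdirect anyone diagnosing a mount failure, so change it to `return nil, fmt.Errorf("failed to mount secret instance: %w", err)`, in line with the `failed to remove secret mount` message in ProfileSecretMountRemove. Both new exported functions also lack doc comments; suggested `// ProfileSecretMountSetup mounts a KV v2 secrets engine at the "secret" path.` and `// ProfileSecretMountRemove unmounts the "secret" secrets engine.` Separately, the Mount call is not idempotent: if a mount already exists at `secret` on the target server the setup presumably fails instead of reusing it, which is worth confirming and stating in the doc comment since the commit message positions this profile as a mirror of dev-mode behaviour. The sample policy hunk earlier in this section grants `scan` on `secret/+/scratch/*`; it would help readers to note in a comment that this capability is intentional and which server versions recognise it.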
