changes from review

- remove shellcheck - pass `key` to `ProcessEnvSecrets` - remove unneccesary lines in auth function - fix vault_token declaration - update plugin yaml
buildkite-plugins · Sep 20, 2022 · a033607 · a033607
1 parent 3af6bb7
commit a033607
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 19 deletions.
diff --git a/Makefile b/Makefile
@@ -5,8 +5,8 @@ BUILDKITE_PIPELINE_SLUG=my_pipeline
 DUMP_ENV ?= true
 VAULT_DEV_ROOT_TOKEN_ID ?= 88F4384B-98E9-4AE3-B00C-F55678F89080
 
-TESTER_VAULT_VERSION ?= 0.9.1
-SVC_VAULT_VERSION ?= 0.9.1
+TESTER_VAULT_VERSION ?= 1.11.2
+SVC_VAULT_VERSION ?= 1.11.2
 
 all:;: '$(VAULT_ADDR)' \
 	'$(TESTER_VAULT_VERSION)' \

diff --git a/hooks/environment b/hooks/environment
@@ -24,7 +24,7 @@ processSshSecrets() {
 
 processEnvSecrets() {
   local vaultServer="$1"
-  local envKey="$2"
+  local key="$2"
   local envscript=''
   echo "Downloading env secret from ${key}" >&2;
     if ! envscript=$(echo "${envscript:-}" && secret_download "${vaultServer}" "${key}") ; then
@@ -87,7 +87,6 @@ if [[ -n "$vault_server" ]] ; then
     "${VAULT_BASE_PATH}"
   )
   secrets=''
-  # shellcheck disable=SC2048
   for key in ${secret_paths[*]} ; do
     echo "Checking vault secrets ${key}" >&2
     secrets=$(echo "${secrets:-}" && list_secrets "$vault_server" "$key")

diff --git a/lib/shared.bash b/lib/shared.bash
@@ -25,16 +25,17 @@ vault_auth() {
 
    # approle authentication
   if [ "${BUILDKITE_PLUGIN_VAULT_SECRETS_AUTH_METHOD:-}" = "approle" ]; then
-    [ -n "${BUILDKITE_PLUGIN_VAULT_SECRETS_ROLE_ID:-}" ]
-    [ -n "${BUILDKITE_PLUGIN_VAULT_SECRETS_SECRET_ID:-}" ]
 
-    # export the vault token to be used for this session
-    # shellcheck disable=SC2155
-    export VAULT_TOKEN=$(vault write -field=token -address="$server" auth/approle/login \
-     role_id="$BUILDKITE_PLUGIN_VAULT_SECRETS_ROLE_ID" \
-     secret_id="$BUILDKITE_PLUGIN_VAULT_SECRETS_SECRET_ID")
-
-    echo "Successfully authenticated with RoleID ${BUILDKITE_PLUGIN_VAULT_SECRETS_ROLE_ID}"
+    # export the vault token to be used for this job - this command writes to the auth/approle/login endpoint
+    # on success, vault will return the token which we export as VAULT_TOKEN for this shell
+    export VAULT_TOKEN
+    if ! VAULT_TOKEN=$(vault write -field=token -address="$server" auth/approle/login \
+     role_id="$BUILDKITE_PLUGIN_VAULT_SECRETS_AUTH_ROLE_ID" \
+     secret_id="$BUILDKITE_PLUGIN_VAULT_SECRETS_SECRET_ID"); then
+      echo "Failed to get vault token"
+    fi
+
+    echo "Successfully authenticated with RoleID ${BUILDKITE_PLUGIN_VAULT_SECRETS_AUTH_ROLE_ID} and updated vault token"
 
     return "${PIPESTATUS[0]}"
   fi

diff --git a/plugin.yml b/plugin.yml
@@ -10,13 +10,19 @@ configuration:
   properties:
     server:
       type: string
-    auth-method:
-      type: string
-    role-id:
-      type: string
-    secret-id:
-      type: string
+    auth:
+      type: object
+      properties:
+        method:
+          enum:
+            - 'approle'
+            - ''
+        role-id:
+          type: string
   required:
     - server
+    - auth
   additionalProperties: false
+  dependencies:
+    auth: [ method ]