Merge pull request jetstack#7 from tomwilkie/6-logging

Make kv.NewNotFoundError format a string.
innovia · Jan 21, 2018 · 58a3288 · 58a3288
2 parents 69b055c + b6db265
commit 58a3288
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -36,3 +36,122 @@ Flags:
 
 Use "vault-unsealer [command] --help" for more information about a command.
 ```
+
+## Setup AWS
+1. Create or use a KMS key in the region you want:
+https://console.aws.amazon.com/iam/home?region=us-east-1#/encryptionKeys/us-east-1
+
+2.note the alias name of the key for example:
+`alias/vault`
+
+3.note the ARN for the key.
+
+3. Add the following IAM permissions to the identity where the vault-unsealer will run 
+for example if running on kubernetes via KOPS run `kops edit cluster` and add the permissions under additional node policies
+
+```yaml
+spec:
+  additionalPolicies:
+  node: |
+  {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "ssm:GetParameters"
+            ],
+            "Resource": [
+                "arn:aws:ssm:<region>:<aws-account-id>:parameter/*"
+            ]
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "ssm:PutParameter",
+                "ssm:DeleteParameter"
+            ],
+            "Resource": [
+                "arn:aws:ssm:<region>:<aws-account-id>:parameter/kubernetes-*"
+            ]
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "kms:Get*",
+                "kms:ListKeys",
+                "kms:ListAliases"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "kms:DescribeKey",
+                "kms:Encrypt",
+                "kms:Decrypt"
+            ],
+            "Resource": [
+                "arn:aws:kms:<region>:<aws-account-id>:key/4f43307f-bc31-4c32-9333-76cab2eb6cc7"
+            ]
+        },
+```
+
+### Setting up an existing vault (already initialized)
+WIP
+
+### Initializing a vault.
+if your vault is not yet initialized you can initialized it using the parameter store as follow:
+2. export AWS_REGION=<region> 
+3.run the command `aws kms list-aliases` to get a list of the kms keys you need, you must use the alias name
+```
+{
+    "Aliases": [
+        {
+            "AliasName": "alias/MyKmsKey",
+            "AliasArn": "arn:aws:kms:us-west-2:1234567812:alias/myKMSKey",
+            "TargetKeyId": "4e4ad8a2-20cf-4ffe-a55f-edd96ca41bef"
+        },
+```
+
+```
+$ vault-unsealer init --mode aws-kms-ssm --aws-kms-key-id alias/vault --aws-ssm-key-prefix kubernetes- --secret-shares 5 --secret-threshold 3
+```
+
+INFO[0015] root token stored in key store                key=vault-root
+
+this will create 6 keys in the AWS SSM:
+
+<your-prefix>-vault-root
+<your-prefix>-vault-unsealer-0
+<your-prefix>-vault-unsealer-1
+<your-prefix>-vault-unsealer-2
+<your-prefix>-vault-unsealer-3
+<your-prefix>-vault-unsealer-4
+
+
+## Building from source
+
+```
+$ git clone https://github.com/jetstack/vault-unsealer.git
+```
+
+```
+$ cd vault-unsealer
+```
+
+```
+$ export GOPATH=`pwd`
+$ go get github.com/jetstack/vault-unsealer/cmd
+$ export CI_COMMIT_TAG=<version>
+$ export CI_COMMIT_SHA=$(git rev-parse HEAD)
+$ make build
+
+make Docker image:
+```
+$ docker build -t vault-unsealer:<version> .
+```
+
diff --git a/pkg/kv/aws_kms/aws_kms_test.go b/pkg/kv/aws_kms/aws_kms_test.go
@@ -1,7 +1,6 @@
 package aws_kms
 
 import (
-	"fmt"
 	"os"
 	"testing"
 
@@ -30,7 +29,7 @@ func (f *fakeKV) Set(key string, data []byte) error {
 func (f *fakeKV) Get(key string) ([]byte, error) {
 	out, ok := f.Values[key]
 	if !ok {
-		return []byte{}, kv.NewNotFoundError(fmt.Sprintf("key '%s' not found", key))
+		return []byte{}, kv.NewNotFoundError("key '%s' not found", key)
 	}
 	return *out, nil
 }

diff --git a/pkg/kv/aws_ssm/aws_ssm.go b/pkg/kv/aws_ssm/aws_ssm.go
@@ -46,7 +46,7 @@ func (a *awsSSM) Get(key string) ([]byte, error) {
 	}
 
 	if len(out.Parameters) < 1 {
-		return []byte{}, kv.NewNotFoundError("key '%s' not found")
+		return []byte{}, kv.NewNotFoundError("key '%s' not found", key)
 	}
 
 	return base64.StdEncoding.DecodeString(*out.Parameters[0].Value)

diff --git a/pkg/kv/gcs/gcs.go b/pkg/kv/gcs/gcs.go
@@ -45,7 +45,7 @@ func (g *gcsStorage) Get(key string) ([]byte, error) {
 
 	if err != nil {
 		if err == storage.ErrObjectNotExist {
-			return nil, kv.NewNotFoundError(fmt.Sprintf("error getting object for key '%s': %s", n, err.Error()))
+			return nil, kv.NewNotFoundError("error getting object for key '%s': %s", n, err.Error())
 		}
 		return nil, fmt.Errorf("error getting object for key '%s': %s", n, err.Error())
 	}

diff --git a/pkg/kv/storage.go b/pkg/kv/storage.go
@@ -1,14 +1,16 @@
 package kv
 
+import "fmt"
+
 type NotFoundError struct {
 	msg string // description of error
 }
 
 func (e *NotFoundError) Error() string { return e.msg }
 
-func NewNotFoundError(msg string) *NotFoundError {
+func NewNotFoundError(msg string, args ...interface{}) *NotFoundError {
 	return &NotFoundError{
-		msg: msg,
+		msg: fmt.Sprintf(msg, args...),
 	}
 }