fix: Change some logic to avoid yaml issues (#41)

* fix: Change some logic to avoid yaml issues

* fix: Do not print errs to stdout

* docs: Formatting

Co-authored-by: Josh Kayani <[email protected]>

Makefile

@@ -1,5 +1,5 @@
 BINARY=argocd-vault-plugin
-VERSION=0.1
+VERSION=0.2.2
 OS_ARCH=darwin_amd64
 
 default: build

README.md

@@ -95,7 +95,7 @@ AVP_TYPE=vault # corresponds to TYPE key
 Make sure that these environment variables are available to the plugin when running it, whether that is in Argo CD or as a CLI tool. Note that any _set_
 environment variables take precedence over configuration pulled from a Kubernetes Secret or a file.
 
-### As a Vault Plugin
+### As an ArgoCD Plugin
 This plugin is meant to be used with Argo CD. In order to use the plugin you can add it to your Argo CD instance as a volume mount or build your own Argo CD image.
 The Argo CD docs provide information on how to get started https://argoproj.github.io/argo-cd/operator-manual/custom_tools/.
 
@@ -152,7 +152,7 @@ to the `argocd-cm` configMap.
 
 Once that is done, the plugin has been registered with Argo CD and can be used by Applications.
 
-To tell you Argo Cd Application to use the plugin you would specify it in the Application CRD
+To tell your ArgoCD Application to use the plugin you would specify it in the Application CR:
 ```
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -184,6 +184,8 @@ The plugin can be used as just a cli tool if you are using a CI/CD system other
 
 And it will output the generated yaml files to standard out.
 
-## Contributing
+## Notes
+- The plugin tries to cache the Vault token obtained from logging into Vault on the `argocd-repo-server`'s container's disk, at `/home/.avp/config.json` for the duration of the token's lifetime. This of course requires that the container user is able to write to that path. Some environments, like Openshift 4, will force a random user for containers to run with; therefore this feature will not work, and the plugin will attempt to login to Vault on every run. This can be fixed by ensuring the `argocd-repo-server`'s container runs with the user `argocd`. 
 
+## Contributing
 You can view the documentation on contibuting [here](./Contributing.md)

cmd/generate.go

@@ -52,9 +52,12 @@ func NewGenerateCommand() *cobra.Command {
 
 			vaultClient := vaultConfig.Type
 
-			err = vault.Login(vaultClient, vaultConfig)
+			err = vault.CheckExistingToken(vaultClient, vaultConfig)
 			if err != nil {
-				return err
+				err = vaultClient.Login()
+				if err != nil {
+					return err
+				}
 			}
 
 			for _, manifest := range manifests {

pkg/vault/approle.go

@@ -19,7 +19,12 @@ func (a *AppRole) Login() error {
 		return err
 	}
 
-	SetToken(a.Client, data.Auth.ClientToken)
+	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
+	err = SetToken(a.Client, data.Auth.ClientToken)
+	if err != nil {
+		print(err)
+	}
+
 	return nil
 }
 

pkg/vault/github.go

@@ -17,7 +17,12 @@ func (g *Github) Login() error {
 		return err
 	}
 
-	SetToken(g.Client, data.Auth.ClientToken)
+	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
+	err = SetToken(g.Client, data.Auth.ClientToken)
+	if err != nil {
+		print(err)
+	}
+
 	return nil
 }
 

pkg/vault/secretmanager.go

@@ -32,7 +32,12 @@ func (s *SecretManager) Login() error {
 		return err
 	}
 
-	SetToken(s.Client, data.Auth.ClientToken)
+	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
+	err = SetToken(s.Client, data.Auth.ClientToken)
+	if err != nil {
+		print(err)
+	}
+
 	return nil
 }
 

pkg/vault/util.go

@@ -8,42 +8,40 @@ import (
 	"path/filepath"
 )
 
-// Login takes a VaultType interface and logs in, while writting the config file
+// CheckExistingToken takes a VaultType interface and logs in, while writting the config file
 // And setting the token in the client
-func Login(vaultClient VaultType, vaultConfig *Config) error {
+func CheckExistingToken(vaultClient VaultType, vaultConfig *Config) error {
 	home, err := os.UserHomeDir()
 	if err != nil {
 		return err
 	}
 
 	avpConfigPath := filepath.Join(home, ".avp", "config.json")
-	if _, err := os.Stat(avpConfigPath); err == nil {
-		// Open our jsonFile
-		jsonFile, err := os.Open(avpConfigPath)
-		if err != nil {
-			return err
-		}
-		// defer the closing of our jsonFile so that we can parse it later on
-		defer jsonFile.Close()
-
-		byteValue, _ := ioutil.ReadAll(jsonFile)
+	if _, err := os.Stat(avpConfigPath); err != nil {
+		return err
+	}
 
-		var result map[string]interface{}
-		json.Unmarshal([]byte(byteValue), &result)
+	// Open our jsonFile
+	jsonFile, err := os.Open(avpConfigPath)
+	if err != nil {
+		return err
+	}
+	// defer the closing of our jsonFile so that we can parse it later on
+	defer jsonFile.Close()
 
-		vaultConfig.VaultAPIClient.SetToken(result["vault_token"].(string))
-		_, err = vaultConfig.VaultAPIClient.Auth().Token().LookupSelf()
-		if err != nil {
-			err = vaultClient.Login()
-			if err != nil {
-				return err
-			}
-		}
+	byteValue, err := ioutil.ReadAll(jsonFile)
+	if err != nil {
+		return err
+	}
 
-		return nil
+	var result map[string]interface{}
+	err = json.Unmarshal([]byte(byteValue), &result)
+	if err != nil {
+		return err
 	}
 
-	err = vaultClient.Login()
+	vaultConfig.VaultAPIClient.SetToken(result["vault_token"].(string))
+	_, err = vaultConfig.VaultAPIClient.Auth().Token().LookupSelf()
 	if err != nil {
 		return err
 	}
@@ -52,26 +50,34 @@ func Login(vaultClient VaultType, vaultConfig *Config) error {
 }
 
 // SetToken TODO
-func SetToken(client *Client, token string) {
+func SetToken(client *Client, token string) error {
 	// We want to set the token first
 	client.VaultAPIClient.SetToken(token)
 
 	home, err := os.UserHomeDir()
 	if err != nil {
-		fmt.Printf("Could not access home directory, will need to login to Vault on subsequent runs: %s", err.Error())
+		return fmt.Errorf("Could not access home directory: %s", err.Error())
 	}
 
 	path := filepath.Join(home, ".avp")
 	if _, err := os.Stat(path); os.IsNotExist(err) {
-		os.Mkdir(path, 0755)
+		err := os.Mkdir(path, 0755)
+		if err != nil {
+			return fmt.Errorf("Could not create avp directory: %s", err.Error())
+		}
 	}
 
 	data := map[string]interface{}{
 		"vault_token": token,
 	}
-	file, _ := json.MarshalIndent(data, "", " ")
+	file, err := json.MarshalIndent(data, "", " ")
+	if err != nil {
+		return fmt.Errorf("Could not marshal token data: %s", err.Error())
+	}
 	err = ioutil.WriteFile(filepath.Join(path, "config.json"), file, 0644)
 	if err != nil {
-		fmt.Printf("Could not write token to file, will need to login to Vault on subsequent runs: %s", err.Error())
+		return fmt.Errorf("Could not write token to file, will need to login to Vault on subsequent runs: %s", err.Error())
 	}
+
+	return nil
 }

pkg/vault/utils_test.go

@@ -63,83 +63,3 @@ func TestSetToken(t *testing.T) {
 		t.Fatal(err)
 	}
 }
-
-func TestLoginWithNoToken(t *testing.T) {
-	cluster, role, secret := helpers.CreateTestAppRoleVault(t)
-	defer cluster.Cleanup()
-
-	vc := &vault.Client{
-		VaultAPIClient: cluster.Cores[0].Client,
-	}
-
-	cf := &vault.Config{
-		Address:    "address",
-		PathPrefix: "prefix",
-		Type: &vault.AppRole{
-			RoleID:   role,
-			SecretID: secret,
-			Client:   vc,
-		},
-		Client: vc,
-	}
-
-	err := removeToken()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = vault.Login(cf.Type, cf)
-	if err != nil {
-		t.Errorf("expected: %s, got: %s.", "", err)
-	}
-
-	token := readToken()
-	if token == "" {
-		t.Errorf("expected a vault token, got: %s.", token.(string))
-	}
-
-	err = removeToken()
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestLoginWithOldToken(t *testing.T) {
-	cluster, role, secret := helpers.CreateTestAppRoleVault(t)
-	defer cluster.Cleanup()
-
-	vc := &vault.Client{
-		VaultAPIClient: cluster.Cores[0].Client,
-	}
-
-	cf := &vault.Config{
-		Address:    "address",
-		PathPrefix: "prefix",
-		Type: &vault.AppRole{
-			RoleID:   role,
-			SecretID: secret,
-			Client:   vc,
-		},
-		Client: vc,
-	}
-
-	err := writeToken("token")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = vault.Login(cf.Type, cf)
-	if err != nil {
-		t.Errorf("expected: %s, got: %s.", "", err)
-	}
-
-	token := readToken()
-	if token == "" {
-		t.Errorf("expected a vault token, got: %s.", token.(string))
-	}
-
-	err = removeToken()
-	if err != nil {
-		t.Fatal(err)
-	}
-}

version/version.go

@@ -2,5 +2,5 @@ package version
 
 var (
 	// Version is the argocd-vault-plugin version.
-	Version = "v0.2.1"
+	Version = "v0.2.2"
 )