Added feature to get password from Vault

To use the feature we need to set the following options in config file: use_vault = true vault_address = http://<IP_ADDRESS:<IP_PORT> vault_role_id = <ROLE_ID> vault_secret_id = <SECRET_ID> vault_secret_path = <deployments/unit/dev/user/passwords_yml> vault_secret_mount_path = <secret_v2> credential_name_in_vault_secret = <rabbitmq_monitoring_password> kbudde#410
Dmitry-Eremeev · Oct 16, 2024 · 387f70d · 387f70d
1 parent 4dcae04
commit 387f70d
Show file tree

Hide file tree

Showing 3 changed files with 119 additions and 39 deletions.
diff --git a/config.go b/config.go
@@ -1,13 +1,16 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"regexp"
 	"strconv"
 	"strings"
 
+	"github.com/hashicorp/vault-client-go"
+	"github.com/hashicorp/vault-client-go/schema"
 	"github.com/tkanos/gonfig"
 )
 
@@ -37,6 +40,13 @@ var (
 		EnabledExporters:   []string{"exchange", "node", "overview", "queue"},
 		Timeout:            30,
 		MaxQueues:          0,
+		UseVault:           false,
+		VaultAddress:       "http://127.0.0.1:8200",
+		VaultRoleID:        "test",
+		VaultSecretID:      "test",
+		VaultSecretPath:    "deployments/unit/dev/user/passwords_yml",
+		VaultSecretMountPath: "secret_v2",
+		CredentialNameInVaultSecret: "rabbitmq_monitoring_password",
 	}
 )
 
@@ -71,6 +81,13 @@ type rabbitExporterConfig struct {
 	EnabledExporters         []string            `json:"enabled_exporters"`
 	Timeout                  int                 `json:"timeout"`
 	MaxQueues                int                 `json:"max_queues"`
+	UseVault                 bool                `json:"use_vault"`
+	VaultAddress             string              `json:"vault_address"`
+	VaultRoleID              string              `json:"vault_role_id"`
+	VaultSecretID            string              `json:"vault_secret_id"`
+	VaultSecretPath          string              `json:"vault_secret_path"`
+	VaultSecretMountPath     string              `json:"vault_secret_mount_path"`
+	CredentialNameInVaultSecret string           `json:"credential_name_in_vault_secret"`
 }
 
 type rabbitCapability string
@@ -106,6 +123,9 @@ func initConfigFromFile(configFile string) error {
 	config.SkipVHost = regexp.MustCompile(config.SkipVHostString)
 	config.IncludeVHost = regexp.MustCompile(config.IncludeVHostString)
 	config.RabbitCapabilities = parseCapabilities(config.RabbitCapabilitiesString)
+
+	SetPasswordIfVaultIsUsed()
+
 	return nil
 }
 
@@ -271,3 +291,37 @@ func selfLabel(config rabbitExporterConfig, isSelf bool) string {
 		return "0"
 	}
 }
+
+func SetPasswordIfVaultIsUsed() {
+	if !config.UseVault {
+		return
+	}
+	client, err := vault.New(vault.WithAddress(config.VaultAddress),)
+	if err != nil {
+		panic(fmt.Errorf("failed to create vault client: %v", err))
+	}
+	ctx := context.Background()
+	resp, err := client.Auth.AppRoleLogin(
+		ctx,
+		schema.AppRoleLoginRequest{
+			RoleId:   config.VaultRoleID,
+			SecretId: config.VaultSecretID,
+		},
+	)
+	if err != nil {
+		panic(fmt.Errorf("failed to login to vault: %v", err))
+	}
+	if err := client.SetToken(resp.Auth.ClientToken); err != nil {
+		panic(fmt.Errorf("failed to set vault token: %v", err))
+	}
+	data, err := client.Secrets.KvV2Read(
+		ctx,
+		config.VaultSecretPath,
+		vault.WithMountPath(config.VaultSecretMountPath),
+	)
+	if err != nil {
+		panic(fmt.Errorf("failed to get Vault secret: %v", err))
+	}
+
+	config.RabbitPassword = data.Data.Data[config.CredentialNameInVaultSecret].(string)
+}
diff --git a/go.mod b/go.mod
@@ -1,14 +1,15 @@
 module github.com/kbudde/rabbitmq_exporter
 
 require (
+	github.com/hashicorp/vault-client-go v0.4.3
 	github.com/kbudde/gobert v0.0.0-20220512191144-9767639f5c50
 	github.com/kylelemons/godebug v1.1.0
 	github.com/ory/dockertest/v3 v3.11.0
 	github.com/prometheus/client_golang v1.19.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/streadway/amqp v1.1.0
 	github.com/tkanos/gonfig v0.0.0-20210106201359-53e13348de2f
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.23.0
 )
 
 require (
@@ -24,11 +25,19 @@ require (
 	github.com/docker/docker v27.1.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.2.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
@@ -39,15 +48,15 @@ require (
 	github.com/prometheus/client_model v0.6.0 // indirect
 	github.com/prometheus/common v0.50.0 // indirect
 	github.com/prometheus/procfs v0.13.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
-go 1.22
+go 1.22.0
 
-toolchain go1.22.6
+toolchain go1.22.8