Added feature to get password from Vault

I realize that project is dead. Still there are users which love it. This patch can be useful for them. To use the feature we need to set the following options in config file: use_vault = true vault_address = http://<IP_ADDRESS:<IP_PORT> vault_role_id = <ROLE_ID> vault_secret_id = <SECRET_ID> vault_secret_path = <deployments/unit/dev/user/passwords_yml> vault_secret_mount_path = <secret_v2> credential_name_in_vault_secret = <rabbitmq_monitoring_password> kbudde#410
Dmitry-Eremeev · Oct 16, 2024 · 597aeca · 597aeca
1 parent 4dcae04
commit 597aeca
Show file tree

Hide file tree

Showing 3 changed files with 119 additions and 39 deletions.
diff --git a/config.go b/config.go
@@ -1,13 +1,16 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"regexp"
 	"strconv"
 	"strings"
 
+	"github.com/hashicorp/vault-client-go"
+	"github.com/hashicorp/vault-client-go/schema"
 	"github.com/tkanos/gonfig"
 )
 
@@ -37,6 +40,13 @@ var (
 		EnabledExporters:   []string{"exchange", "node", "overview", "queue"},
 		Timeout:            30,
 		MaxQueues:          0,
+		UseVault:           false,
+		VaultAddress:       "http://127.0.0.1:8200",
+		VaultRoleID:        "test",
+		VaultSecretID:      "test",
+		VaultSecretPath:    "deployments/unit/dev/user/passwords_yml",
+		VaultSecretMountPath: "secret_v2",
+		CredentialNameInVaultSecret: "rabbitmq_monitoring_password",
 	}
 )
 
@@ -71,6 +81,13 @@ type rabbitExporterConfig struct {
 	EnabledExporters         []string            `json:"enabled_exporters"`
 	Timeout                  int                 `json:"timeout"`
 	MaxQueues                int                 `json:"max_queues"`
+	UseVault                 bool                `json:"use_vault"`
+	VaultAddress             string              `json:"vault_address"`
+	VaultRoleID              string              `json:"vault_role_id"`
+	VaultSecretID            string              `json:"vault_secret_id"`
+	VaultSecretPath          string              `json:"vault_secret_path"`
+	VaultSecretMountPath     string              `json:"vault_secret_mount_path"`
+	CredentialNameInVaultSecret string           `json:"credential_name_in_vault_secret"`
 }
 
 type rabbitCapability string
@@ -106,6 +123,9 @@ func initConfigFromFile(configFile string) error {
 	config.SkipVHost = regexp.MustCompile(config.SkipVHostString)
 	config.IncludeVHost = regexp.MustCompile(config.IncludeVHostString)
 	config.RabbitCapabilities = parseCapabilities(config.RabbitCapabilitiesString)
+
+	SetPasswordIfVaultIsUsed()
+
 	return nil
 }
 
@@ -271,3 +291,37 @@ func selfLabel(config rabbitExporterConfig, isSelf bool) string {
 		return "0"
 	}
 }
+
+func SetPasswordIfVaultIsUsed() {
+	if !config.UseVault {
+		return
+	}
+	client, err := vault.New(vault.WithAddress(config.VaultAddress),)
+	if err != nil {
+		panic(fmt.Errorf("failed to create vault client: %v", err))
+	}
+	ctx := context.Background()
+	resp, err := client.Auth.AppRoleLogin(
+		ctx,
+		schema.AppRoleLoginRequest{
+			RoleId:   config.VaultRoleID,
+			SecretId: config.VaultSecretID,
+		},
+	)
+	if err != nil {
+		panic(fmt.Errorf("failed to login to vault: %v", err))
+	}
+	if err := client.SetToken(resp.Auth.ClientToken); err != nil {
+		panic(fmt.Errorf("failed to set vault token: %v", err))
+	}
+	data, err := client.Secrets.KvV2Read(
+		ctx,
+		config.VaultSecretPath,
+		vault.WithMountPath(config.VaultSecretMountPath),
+	)
+	if err != nil {
+		panic(fmt.Errorf("failed to get Vault secret: %v", err))
+	}
+
+	config.RabbitPassword = data.Data.Data[config.CredentialNameInVaultSecret].(string)
+}
diff --git a/go.mod b/go.mod
@@ -1,14 +1,15 @@
 module github.com/kbudde/rabbitmq_exporter
 
 require (
+	github.com/hashicorp/vault-client-go v0.4.3
 	github.com/kbudde/gobert v0.0.0-20220512191144-9767639f5c50
 	github.com/kylelemons/godebug v1.1.0
 	github.com/ory/dockertest/v3 v3.11.0
 	github.com/prometheus/client_golang v1.19.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/streadway/amqp v1.1.0
 	github.com/tkanos/gonfig v0.0.0-20210106201359-53e13348de2f
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.23.0
 )
 
 require (
@@ -24,11 +25,19 @@ require (
 	github.com/docker/docker v27.1.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.2.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
@@ -39,15 +48,15 @@ require (
 	github.com/prometheus/client_model v0.6.0 // indirect
 	github.com/prometheus/common v0.50.0 // indirect
 	github.com/prometheus/procfs v0.13.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
-go 1.22
+go 1.22.0
 
-toolchain go1.22.6
+toolchain go1.22.8