-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathindex.js
212 lines (173 loc) · 7.28 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
const vault = require('node-vault');
const fs = require('fs');
const path = require('path');
// Load environment variables from a .env file if needed
require('dotenv').config();
// File path to store the last known secret values
const cacheFilePath = path.resolve(__dirname, '.last.cache.json');
const secretsFilePath = process.env.SECRETS_FILE_PATH || path.resolve('/secrets', 'secrets.env');
// Create a Vault client
const vaultClient = vault({
apiVersion: 'v1',
endpoint: process.env.VAULT_ENDPOINT,
token: process.env.VAULT_TOKEN,
});
// Utility function to parse time duration (s, m, h, d) and convert to seconds
function parseDuration(duration) {
const unit = duration.slice(-1);
const value = parseInt(duration.slice(0, -1), 10);
if (!isNaN(value)) {
switch (unit) {
case 's':
return value; // Seconds
case 'm':
return value * 60; // Minutes to seconds
case 'h':
return value * 60 * 60; // Hours to seconds
case 'd':
return value * 60 * 60 * 24; // Days to seconds
default:
throw new Error(`Invalid time unit in duration: ${unit}`);
}
}
// If no time format (e.g., `s`, `m`, `h`, `d`) is provided, treat the value as seconds
const numericValue = parseInt(duration, 10);
if (isNaN(numericValue)) {
throw new Error(`Invalid time duration: ${duration}`);
}
return numericValue; // Default to seconds if no unit is provided
}
// Function to read the secret from Vault
async function readSecret() {
const kvStore = process.env.VAULT_KV_STORE;
const secretPath = process.env.VAULT_SECRET_PATH;
try {
// Read the secret from the specified path
const secret = await vaultClient.read(`${kvStore}/data/${secretPath}`);
const secretData = secret.data.data;
// Cache the latest known secret values
fs.writeFileSync(cacheFilePath, JSON.stringify(secretData, null, 2));
console.log('Secrets cached successfully.');
// Output the values in the specified format
for (const [key, value] of Object.entries(secretData)) {
console.log(`${key}=${value}`);
}
// Write the secrets to the .env file
writeSecretsToFile(secretData);
} catch (err) {
if (err.message.includes('permission denied') || err.message.includes('invalid token')) {
console.error('Authentication Failure');
// Check if there is a cached secret available
if (fs.existsSync(cacheFilePath)) {
const cachedData = JSON.parse(fs.readFileSync(cacheFilePath, 'utf-8'));
// Output the cached values in the specified format
for (const [key, value] of Object.entries(cachedData)) {
console.log(`${key}=${value}`);
}
// Write the cached secrets to the .env file
writeSecretsToFile(cachedData);
} else {
console.error('No cached secret values available');
}
} else {
console.error('Error reading secret:', err.message);
}
}
}
// Function to write secrets to a .env file
function writeSecretsToFile(secretData) {
const secretLines = Object.entries(secretData).map(([key, value]) => `${key}=${value}`).join('\n');
// Create the .env file if it doesn't exist and log the action
if (!fs.existsSync(secretsFilePath)) {
fs.writeFileSync(secretsFilePath, '');
console.log(`Created new secrets file at ${secretsFilePath}`);
}
// Write to the .env file and log the action
fs.writeFileSync(secretsFilePath, secretLines);
console.log(`Secrets written to ${secretsFilePath}`);
}
// Function to check and renew the Vault token if it is close to expiration
async function checkToken() {
const thresholdString = process.env.TOKEN_RENEW_THRESHOLD || '60s'; // Default threshold as string
const threshold = parseDuration(thresholdString); // Convert to seconds
try {
// Lookup the current token's TTL (Time to Live)
const tokenInfo = await vaultClient.tokenLookupSelf();
const ttl = tokenInfo.data.ttl; // TTL is in seconds
console.log(`Token TTL: ${ttl} seconds`);
// Check if the TTL is below the threshold
if (ttl <= threshold) {
console.log(`Token TTL is below the threshold of ${thresholdString}. Renewing the token...`);
// Renew the token
const renewedToken = await vaultClient.tokenRenewSelf();
console.log(`Token renewed successfully. New TTL: ${renewedToken.auth.lease_duration} seconds`);
// Update the token in the Vault client
vaultClient.token = renewedToken.auth.client_token;
} else {
console.log(`Token is still valid. TTL (${ttl} seconds) is above the renewal threshold (${thresholdString}).`);
}
} catch (err) {
console.error('Error checking token:', err.message);
}
}
// Function to periodically check for secret updates
async function checkForUpdates() {
const kvStore = process.env.VAULT_KV_STORE;
const secretPath = process.env.VAULT_SECRET_PATH;
try {
// Read the secret from the specified path
const secret = await vaultClient.read(`${kvStore}/data/${secretPath}`);
const secretData = secret.data.data;
// Check if there are changes in the secret values
if (fs.existsSync(cacheFilePath)) {
const cachedData = JSON.parse(fs.readFileSync(cacheFilePath, 'utf-8'));
if (JSON.stringify(cachedData) !== JSON.stringify(secretData)) {
console.log('Secret values have changed.');
// Update the cache with the latest known secret values
fs.writeFileSync(cacheFilePath, JSON.stringify(secretData, null, 2));
console.log('Secrets cache updated.');
// Output the updated values in the specified format
for (const [key, value] of Object.entries(secretData)) {
console.log(`${key}=${value}`);
}
// Write the updated secrets to the .env file
writeSecretsToFile(secretData);
} else {
console.log('No changes detected in secret values.');
}
} else {
// Cache the latest known secret values if not already cached
fs.writeFileSync(cacheFilePath, JSON.stringify(secretData, null, 2));
console.log('Secrets cached for the first time.');
// Output the values in the specified format
for (const [key, value] of Object.entries(secretData)) {
console.log(`${key}=${value}`);
}
// Write the secrets to the .env file
writeSecretsToFile(secretData);
}
} catch (err) {
console.error('Error checking for updates:', err.message);
}
}
// Function to periodically check the token and secrets
function keepAlive() {
const secretsCheckIntervalString = process.env.SECRETS_CHECK_INTERVAL || '5s'; // Default as string
const tokenCheckIntervalString = process.env.TOKEN_CHECK_INTERVAL || '60s'; // Default as string
const secretsCheckInterval = parseDuration(secretsCheckIntervalString); // Convert to seconds
const tokenCheckInterval = parseDuration(tokenCheckIntervalString); // Convert to seconds
console.log(`Secrets will be checked every ${secretsCheckIntervalString}.`);
console.log(`Token will be checked every ${tokenCheckIntervalString}.`);
// Set interval to check for secrets updates
setInterval(() => {
checkForUpdates();
}, secretsCheckInterval * 1000);
// Set interval to check and renew the token
setInterval(() => {
checkToken();
}, tokenCheckInterval * 1000);
}
// Execute the readSecret function initially
readSecret().then(() => {
keepAlive();
});