Get --auth-credentials from a VAULT instance (#432)

* Get --auth-credentials from a VAULT instance * removed jq dependency
d2iq-archive · Mar 31, 2017 · 8811443 · 8811443
1 parent 022bf01
commit 8811443
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -108,6 +108,10 @@ It is possible to pass `--auth-credentials=` option if your Marathon requires au
 $ ./marathon_lb.py --marathon http://localhost:8080 --auth-credentials=admin:password
 ```
 
+It is possible to get the auth credentials (user & password) from VAULT if you define the following 
+environment variables before running marathon-lb: VAULT_TOKEN, VAULT_HOST, VAULT_PORT, VAULT_PATH 
+where VAULT_PATH is the root path where your user and password are located.
+
 This will refresh `haproxy.cfg`, and if there were any changes, then it will
 automatically reload HAProxy. Only apps with the label `HAPROXY_GROUP=external`
 will be exposed on this LB.

diff --git a/run b/run
@@ -88,6 +88,13 @@ case "$MODE" in
     ;;
 esac
 
+if [ -n "${VAULT_TOKEN-}" ] && [ -n "${VAULT_HOST-}" ] && [ -n "${VAULT_PORT-}" ] && [ -n "${VAULT_PATH-}" ]; then 
+  MARATHON_LB_PASSWORD=$(curl -k -L -H "X-Vault-Token:$VAULT_TOKEN" "$VAULT_URL" -s| python -m json.tool | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["data"]["pass"]')
+  MARATHON_LB_USER=$(curl -k -L -H "X-Vault-Token:$VAULT_TOKEN" "$VAULT_URL" -s | python -m json.tool | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["data"]["user"]')
+  CREDENTIALS="$MARATHON_LB_USER:$MARATHON_LB_PASSWORD"
+  ARGS="$ARGS --auth-credentials $CREDENTIALS"
+fi
+
 for arg in "$@"; do
     escaped=$(printf %q "$arg")
     ARGS="$ARGS $escaped"