From 881144370133262933261bfeae7f16f997a8fd3a Mon Sep 17 00:00:00 2001
From: Alberto Rodriguez
Date: Fri, 31 Mar 2017 15:56:22 +0200
Subject: [PATCH] Get --auth-credentials from a VAULT instance (#432)
* Get --auth-credentials from a VAULT instance
* removed jq dependency
---
 README.md | 4 ++++
 run | 7 +++++++
 2 files changed, 11 insertions(+)
diff --git a/README.md b/README.md
index 01797135..b93ac1cc 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,10 @@ It is possible to pass `--auth-credentials=` option if your Marathon requires au
 $ ./marathon_lb.py --marathon http://localhost:8080 --auth-credentials=admin:password
 ```
+It is possible to get the auth credentials (user & password) from VAULT if you define the following
+environment variables before running marathon-lb: VAULT_TOKEN, VAULT_HOST, VAULT_PORT, VAULT_PATH
+where VAULT_PATH is the root path where your user and password are located.
+
 This will refresh `haproxy.cfg`, and if there were any changes, then it will automatically reload HAProxy. Only apps with the label `HAPROXY_GROUP=external` will be exposed on this LB.
diff --git a/run b/run
index b5730c11..8501f821 100755
--- a/run
+++ b/run
@@ -88,6 +88,13 @@ case "$MODE" in
 ;;
 esac
+if [ -n "${VAULT_TOKEN-}" ] && [ -n "${VAULT_HOST-}" ] && [ -n "${VAULT_PORT-}" ] && [ -n "${VAULT_PATH-}" ]; then
+ MARATHON_LB_PASSWORD=$(curl -k -L -H "X-Vault-Token:$VAULT_TOKEN" "$VAULT_URL" -s| python -m json.tool | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["data"]["pass"]')
+ MARATHON_LB_USER=$(curl -k -L -H "X-Vault-Token:$VAULT_TOKEN" "$VAULT_URL" -s | python -m json.tool | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["data"]["user"]')
+ CREDENTIALS="$MARATHON_LB_USER:$MARATHON_LB_PASSWORD"
+ ARGS="$ARGS --auth-credentials $CREDENTIALS"
+fi
+
 for arg in "$@"; do
 escaped=$(printf %q "$arg")
 ARGS="$ARGS $escaped"
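Review bot: Both `curl` calls in the added `if` block in `run` pass `-k`, so the Vault server's certificate is never verified while `X-Vault-Token` is sent and the Marathon user and password are read back; the token and the returned credentials are exposed to anyone who can intercept the connection. Drop `-k` and, for a private CA, use `--cacert` with a CA bundle path, and add `--fail` so an HTTP error does not silently produce empty credentials. The guard tests `VAULT_HOST`, `VAULT_PORT` and `VAULT_PATH`, but the request goes to `$VAULT_URL`, which is not assigned anywhere in this hunk; unless it is set elsewhere in `run`, the URL is empty or the script aborts on an unset variable. The fetched value is also appended to `ARGS` without the `printf %q` escaping that the loop below applies to `"$@"`, so a password containing whitespace or shell metacharacters may be split or interpreted if `ARGS` is re-parsed later; `ARGS="$ARGS --auth-credentials $(printf %q "$CREDENTIALS")"` keeps it consistent. The `for` loop after the block continues outside the hunk.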