
allow for retries

This commit is contained in:
PepijnSenders 2022-06-20 18:59:53 -04:00
parent 6ee4dd3797
commit 87ed03469e
5 changed files with 67 additions and 28 deletions


@ -385,31 +385,32 @@ steps:
Here are all the inputs available through `with`: Here are all the inputs available through `with`:
| Input | Description | Default | Required | | Input | Description | Default | Required |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | -------- |
| `url` | The URL for the vault endpoint | | ✔ | | `url` | The URL for the vault endpoint | | ✔ |
| `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | | | `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | |
| `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | | | `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | |
| `method` | The method to use to authenticate with Vault. | `token` | | | `method` | The method to use to authenticate with Vault. | `token` | |
| `role` | Vault role for specified auth method | | | | `role` | Vault role for specified auth method | | |
| `path` | Custom vault path, if the auth method was enabled at a different path | | | | `path` | Custom vault path, if the auth method was enabled at a different path | | |
| `token` | The Vault Token to be used to authenticate with Vault | | | | `token` | The Vault Token to be used to authenticate with Vault | | |
| `roleId` | The Role Id for App Role authentication | | | | `roleId` | The Role Id for App Role authentication | | |
| `secretId` | The Secret Id for App Role authentication | | | | `secretId` | The Secret Id for App Role authentication | | |
| `githubToken` | The Github Token to be used to authenticate with Vault | | | | `githubToken` | The Github Token to be used to authenticate with Vault | | |
| `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | | | `jwtPrivateKey` | Base64 encoded Private key to sign JWT | | |
| `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | | | `jwtKeyPassword` | Password for key stored in jwtPrivateKey (if needed) | | |
| `jwtGithubAudience` | Identifies the recipient ("aud" claim) that the JWT is intended for |`sigstore`| | | `jwtGithubAudience` | Identifies the recipient ("aud" claim) that the JWT is intended for | `sigstore` | |
| `jwtTtl` | Time in seconds, after which token expires | | 3600 | | `jwtTtl` | Time in seconds, after which token expires | | 3600 |
| `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication |`/var/run/secrets/kubernetes.io/serviceaccount/token` | | | `kubernetesTokenPath` | The path to the service-account secret with the jwt token for kubernetes based authentication | `/var/run/secrets/kubernetes.io/serviceaccount/token` | |
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | | | `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |
| `extraHeaders` | A string of newline separated extra headers to include on every request. | | | | `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
| `exportEnv` | Whether or not export secrets as environment variables. | `true` | | | `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
| `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | | | `exportToken` | Whether or not export Vault token as environment variables (i.e VAULT_TOKEN). | `false` | |
| `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | | | `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
| `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | | | `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | | | `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | | | `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
| `retries` | Amount of times we'll retry the request to get the secrets from Vault | `1` | |
## Masking - Hiding Secrets from Logs ## Masking - Hiding Secrets from Logs

package-lock.json generated

@ -9,6 +9,7 @@
"version": "0.1.0", "version": "0.1.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"async-retry": "^1.3.3",
"got": "^11.5.1", "got": "^11.5.1",
"jsonata": "^1.8.6", "jsonata": "^1.8.6",
"jsrsasign": "^10.5.24" "jsrsasign": "^10.5.24"
@ -3723,6 +3724,22 @@
"node": ">=0.10.0" "node": ">=0.10.0"
} }
}, },
"node_modules/async-retry": {
"version": "1.3.3",
"resolved": "https://registry.npmjs.org/async-retry/-/async-retry-1.3.3.tgz",
"integrity": "sha512-wfr/jstw9xNi/0teMHrRW7dsz3Lt5ARhYNZ2ewpadnhaIp5mbALhOAP+EAdsC7t4Z6wqsDVv9+W6gm1Dk9mEyw==",
"dependencies": {
"retry": "0.13.1"
}
},
"node_modules/async-retry/node_modules/retry": {
"version": "0.13.1",
"resolved": "https://registry.npmjs.org/retry/-/retry-0.13.1.tgz",
"integrity": "sha512-XQBQ3I8W1Cge0Seh+6gjj03LbmRFWuoszgK9ooCpwYIrhhoO80pfq4cUkU5DkknwfOfFteRwlZ56PYOGYyFWdg==",
"engines": {
"node": ">= 4"
}
},
"node_modules/asynckit": { "node_modules/asynckit": {
"version": "0.4.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
@ -22197,6 +22214,21 @@
"integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=", "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=",
"dev": true "dev": true
}, },
"async-retry": {
"version": "1.3.3",
"resolved": "https://registry.npmjs.org/async-retry/-/async-retry-1.3.3.tgz",
"integrity": "sha512-wfr/jstw9xNi/0teMHrRW7dsz3Lt5ARhYNZ2ewpadnhaIp5mbALhOAP+EAdsC7t4Z6wqsDVv9+W6gm1Dk9mEyw==",
"requires": {
"retry": "0.13.1"
},
"dependencies": {
"retry": {
"version": "0.13.1",
"resolved": "https://registry.npmjs.org/retry/-/retry-0.13.1.tgz",
"integrity": "sha512-XQBQ3I8W1Cge0Seh+6gjj03LbmRFWuoszgK9ooCpwYIrhhoO80pfq4cUkU5DkknwfOfFteRwlZ56PYOGYyFWdg=="
}
}
},
"asynckit": { "asynckit": {
"version": "0.4.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",


@ -44,6 +44,7 @@
}, },
"homepage": "https://github.com/hashicorp/vault-action#readme", "homepage": "https://github.com/hashicorp/vault-action#readme",
"dependencies": { "dependencies": {
"async-retry": "^1.3.3",
"got": "^11.5.1", "got": "^11.5.1",
"jsonata": "^1.8.6", "jsonata": "^1.8.6",
"jsrsasign": "^10.5.24" "jsrsasign": "^10.5.24"


@ -71,7 +71,9 @@ async function exportSecrets() {
return request; return request;
}); });
const results = await getSecrets(requests, client); const results = await getSecrets(requests, client, {
retries: core.getInput('retries') || 1
});
for (const result of results) { for (const result of results) {
const { value, request, cachedResponse } = result; const { value, request, cachedResponse } = result;
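Review bot: `core.getInput('retries') || 1` hands a string to the retry layer whenever the input is set, and an input like `"abc"` is passed through unchecked, so the count should be parsed and validated before it reaches `getSecrets`: `const retriesInput = Number.parseInt(core.getInput('retries'), 10);` followed by `const retries = Number.isNaN(retriesInput) || retriesInput < 0 ? 1 : retriesInput;` and then `retries` in the options object. The README hunk documents a default of `1` for this input, but the file list of this commit does not appear to include action.yml, so the input itself may be undeclared; worth confirming it is added there with that default. `exportSecrets` begins above this hunk, so the parsed value would sit near the other input reads at the top of the function.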


@ -1,4 +1,5 @@
const jsonata = require("jsonata"); const jsonata = require("jsonata");
const asyncRetry = require('async-retry');
/** /**
@ -21,7 +22,7 @@ const jsonata = require("jsonata");
* @param {import('got').Got} client * @param {import('got').Got} client
* @return {Promise<SecretResponse<TRequest>[]>} * @return {Promise<SecretResponse<TRequest>[]>}
*/ */
async function getSecrets(secretRequests, client) { async function getSecrets(secretRequests, client, { retries }) {
const responseCache = new Map(); const responseCache = new Map();
const results = []; const results = [];
for (const secretRequest of secretRequests) { for (const secretRequest of secretRequests) {
@ -35,7 +36,9 @@ async function getSecrets(secretRequests, client) {
cachedResponse = true; cachedResponse = true;
} else { } else {
try { try {
const result = await client.get(requestPath); const result = await asyncRetry(() => client.get(requestPath), {
retries
});
body = result.body; body = result.body;
responseCache.set(requestPath, body); responseCache.set(requestPath, body);
} catch (error) { } catch (error) {
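Review bot: The retry wrapper around `client.get(requestPath)` retries on every rejection, because async-retry only stops early when the callback calls `bail`; a 403 (permission denied) or 404 (unknown path) from Vault will not change on a later attempt, so each extra attempt only delays the failure and adds another failed request to Vault's audit log, while a 5xx or a network error is the case retries are meant for. Distinguish the two by checking the status got attaches to its HTTPError, as sketched below. Separately, the signature hunk above changes `getSecrets(secretRequests, client)` to destructure a third argument with no default, so any existing two-argument caller now throws on destructuring; `{ retries } = {}` keeps it backward-compatible, with `retries` then left undefined for async-retry's own default. The enclosing `getSecrets` body continues past this hunk.
```javascript
                    const result = await asyncRetry(async (bail) => {
                        try {
                            return await client.get(requestPath);
                        } catch (error) {
                            // A 4xx from Vault will not change on the next attempt; only
                            // 5xx and transport errors are worth retrying.
                            if (error.response && error.response.statusCode < 500) {
                                bail(error);
                                return undefined;
                            }
                            throw error;
                        }
                    }, { retries });
                    // … unchanged: body = result.body; responseCache.set(requestPath, body); …
```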