Skip to content

Commit

Permalink
Add TLS and mTLS support
Browse files Browse the repository at this point in the history
  • Loading branch information
jasonodonnell committed Aug 5, 2020
1 parent cd01494 commit e59c94a
Show file tree
Hide file tree
Showing 19 changed files with 6,710 additions and 4,157 deletions.
1 change: 0 additions & 1 deletion .github/FUNDING.yml

This file was deleted.

248 changes: 180 additions & 68 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,144 +3,256 @@ on:
branches:
- master
pull_request:
branches:
- master

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1

- uses: actions/setup-node@v1
with:
node-version: ''
- name: setup npm cache

- name: Setup NPM Cache
uses: actions/cache@v1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: npm install
- name: NPM Install
run: npm ci
- name: npm build

- name: NPM Build
run: npm run build
- name: npm run test

- name: NPM Run Test
run: npm run test

integration:
integrationOSS:
runs-on: ubuntu-latest

services:
vaultBasic:
image: vault:1.2.3
ports:
- 8200/tcp
env:
VAULT_DEV_ROOT_TOKEN_ID: testtoken
options: --cap-add=IPC_LOCK
vaultEnterprise:
image: hashicorp/vault-enterprise:1.3.0_ent
ports:
- 8200/tcp
env:
VAULT_DEV_ROOT_TOKEN_ID: testtoken
options: --cap-add=IPC_LOCK
steps:
- uses: actions/checkout@v1

- name: Run docker-compose
run: docker-compose up -d vault

- uses: actions/setup-node@v1
with:
node-version: ''

- name: Setup NPM Cache
uses: actions/cache@v1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci

- name: NPM Build
run: npm run build

- name: NPM Run test;integration:basic
run: npm run test:integration:basic
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true

integrationEnterprise:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
with:
node-version: ''
- name: setup npm cache
uses: actions/cache@v1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: npm install
run: npm ci
- name: npm build
run: npm run build
- name: npm run test:integration:basic
run: npm run test:integration:basic
env:
VAULT_HOST: localhost
VAULT_PORT: ${{ job.services.vaultBasic.ports[8200] }}
CI: true
- name: npm run test:integration:enterprise
run: npm run test:integration:enterprise
env:
VAULT_HOST: localhost
VAULT_PORT: ${{ job.services.vaultEnterprise.ports[8200] }}
CI: true
- uses: actions/checkout@v1

- name: Run docker-compose
run: docker-compose up -d vault-enterprise

- uses: actions/setup-node@v1
with:
node-version: ''

- name: Setup NPM Cache
uses: actions/cache@v1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci

- name: NPM Build
run: npm run build

- name: NPM Run test:intergration:enterprise
run: npm run test:integration:enterprise
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true

e2e:
runs-on: ubuntu-latest

services:
vault:
image: vault:1.3.0
ports:
- 8200/tcp
env:
VAULT_DEV_ROOT_TOKEN_ID: testtoken
options: --cap-add=IPC_LOCK

steps:
- uses: actions/checkout@v1

- name: Run docker-compose
run: docker-compose up -d vault

- uses: actions/setup-node@v1
with:
node-version: ''
- name: setup npm cache

- name: Setup NPM Cache
uses: actions/cache@v1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: npm install
- name: NPM Install
run: npm ci
- name: npm build

- name: NPM Build
run: npm run build
- name: setup vault

- name: Setup Vault
run: node ./integrationTests/e2e/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: ${{ job.services.vault.ports[8200] }}
- name: use vault action (default K/V version 2)
VAULT_PORT: 8200

- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets
with:
url: http://localhost:${{ job.services.vault.ports[8200] }}
url: http://localhost:8200
token: testtoken
secrets: |
test secret ;
test secret | NAMED_SECRET ;
nested/test otherSecret ;
- name: use vault action (custom K/V version 1)
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: http://localhost:${{ job.services.vault.ports[8200] }}
url: http://localhost:8200
token: testtoken
path: my-secret
kv-version: 1
secrets: |
test altSecret ;
test altSecret | NAMED_ALTSECRET ;
nested/test otherAltSecret ;
- name: use vault action (using cubbyhole engine)
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: http://localhost:${{ job.services.vault.ports[8200] }}
url: http://localhost:8200
token: testtoken
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
- name: verify
- name: Verify Vault Action Outputs
run: npm run test:e2e
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}

e2e-tls:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1

- name: Run docker-compose
run: docker-compose up -d vault-tls

- uses: actions/setup-node@v1
with:
node-version: ''

- name: Setup NPM Cache
uses: actions/cache@v1
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci

- name: NPM Build
run: npm run build

- name: Setup Vault
run: node ./integrationTests/e2e-tls/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
VAULTCA: ${{ secrets.VAULTCA }}
VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}

- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
test secret ;
test secret | NAMED_SECRET ;
nested/test otherSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
path: my-secret
kv-version: 1
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
test altSecret ;
test altSecret | NAMED_ALTSECRET ;
nested/test otherAltSecret ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}

- name: Verify Vault Action Outputs
run: npm run test:e2e-tls
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}

# Removing publish step for now.
# publish:
# if: github.event_name == 'push' && contains(github.ref, 'master')
Expand Down
13 changes: 13 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,19 @@ inputs:
description: 'Whether or not export secrets as environment variables.'
default: 'true'
required: false
caCertificate:
description: 'Base64 encoded CA certificate to verify the Vault server certificate.'
required: false
clientCertificate:
description: 'Base64 encoded client certificate for mTLS communication with the Vault server.'
required: false
clientKey:
description: 'Base64 encoded client key for mTLS communication with the Vault server.'
required: false
tlsSkipVerify:
description: 'When set to true, disables verification of the Vault server certificate. Setting this to true in production is not recommended.'
required: false
default: "false"
runs:
using: 'node12'
main: 'dist/index.js'
Expand Down
Loading

0 comments on commit e59c94a

Please sign in to comment.