resolve #24

main.go

@@ -49,6 +49,7 @@ this repository has new commits, Pico will automatically reconfigure.`,
 				cli.StringFlag{Name: "vault-token", EnvVar: "VAULT_TOKEN"},
 				cli.StringFlag{Name: "vault-path", EnvVar: "VAULT_PATH", Value: "/secret"},
 				cli.DurationFlag{Name: "vault-renew-interval", EnvVar: "VAULT_RENEW_INTERVAL", Value: time.Hour * 24},
+				cli.StringFlag{Name: "vault-config-path", EnvVar: "VAULT_CONFIG_PATH", Value: "pico"},
 			},
 			Action: func(c *cli.Context) (err error) {
 				if !c.Args().Present() {
@@ -84,6 +85,7 @@ this repository has new commits, Pico will automatically reconfigure.`,
 					VaultToken:    c.String("vault-token"),
 					VaultPath:     c.String("vault-path"),
 					VaultRenewal:  c.Duration("vault-renew-interval"),
+					VaultConfig:   c.String("vault-config-path"),
 				})
 				if err != nil {
 					return errors.Wrap(err, "failed to initialise")

service/service.go

@@ -35,6 +35,7 @@ type Config struct {
 	VaultToken    string
 	VaultPath     string
 	VaultRenewal  time.Duration
+	VaultConfig   string
 }
 
 // App stores application state
@@ -52,19 +53,6 @@ func Initialise(c Config) (app *App, err error) {
 
 	app.config = c
 
-	var authMethod transport.AuthMethod
-	if c.SSH {
-		authMethod, err = ssh.NewSSHAgentAuth("git")
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to set up SSH authentication")
-		}
-	} else if c.Target.User != "" {
-		authMethod = &http.BasicAuth{
-			Username: c.Target.User,
-			Password: c.Target.Pass,
-		}
-	}
-
 	var secretStore secret.Store
 	if c.VaultAddress != "" {
 		zap.L().Debug("connecting to vault",
@@ -83,6 +71,18 @@ func Initialise(c Config) (app *App, err error) {
 		}
 	}
 
+	secretConfig, err := secretStore.GetSecretsForTarget(c.VaultConfig)
+	if err != nil {
+		zap.L().Info("could not read additional config from vault", zap.String("path", c.VaultConfig))
+		err = nil
+	}
+	zap.L().Debug("read configuration secrets from secret store", zap.Strings("keys", getKeys(secretConfig)))
+
+	authMethod, err := getAuthMethod(c, secretConfig)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create an authentication method from the given config")
+	}
+
 	app.secrets = secretStore
 
 	app.bus = make(chan task.ExecutionTask, 100)
@@ -143,3 +143,39 @@ func (app *App) Start(ctx context.Context) error {
 
 	return g.Wait()
 }
+
+func getAuthMethod(c Config, secretConfig map[string]string) (transport.AuthMethod, error) {
+	if c.SSH {
+		authMethod, err := ssh.NewSSHAgentAuth("git")
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to set up SSH authentication")
+		}
+		return authMethod, nil
+	}
+
+	if c.Target.User != "" && c.Target.Pass != "" {
+		return &http.BasicAuth{
+			Username: c.Target.User,
+			Password: c.Target.Pass,
+		}, nil
+	}
+
+	user, userok := secretConfig["GIT_USERNAME"]
+	pass, passok := secretConfig["GIT_PASSWORD"]
+	if userok && passok {
+		return &http.BasicAuth{
+			Username: user,
+			Password: pass,
+		}, nil
+	}
+
+	return nil, nil
+}
+
+func getKeys(m map[string]string) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return keys
+}