Initial revision

2022-10-05 23:22:10 +02:00
commit 61bbe17e1e
8 changed files with 105 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+plugins
+*.env
--- a/18
+++ b/18
@@ -0,0 +1,18 @@
+.PHONY: up
+up: plugins/vault-plugin-secrets-grafanacloud
+	docker-compose up
+
+plugins/vault-plugin-secrets-grafanacloud:
+	scripts/download_plugin.sh
+
+.PHONY: init
+init: plugins/vault-plugin-secrets-grafanacloud
+	scripts/write_grafana_config.sh
+
+.PHONY: revoke-all
+revoke-all: plugins/vault-plugin-secrets-grafanacloud
+	scripts/revoke_all_leases.sh
+
+.PHONY: clean
+clean:
+	rm plugins/vault-plugin-secrets-grafanacloud
--- a/README.md
+++ b/README.md
@@ -0,0 +1,26 @@
+# Using the Form3 Grafana cloud Vault secrets backend 
+
+This project demonstrate the usage of the custom plugin, to issue short lived API tokens
+that applications can use to access the [Grafana Cloud API](https://grafana.com/docs/grafana-cloud/reference/cloud-api/).
+
+The `vault` server is launched in `dev` mode, so it starts unsealed and automatically
+registers the [`vault-plugin-secrets-grafanacloud`](https://github.com/form3tech-oss/vault-plugin-secrets-grafanacloud) plugin.
+
+## Demo script
+
+Run the `make` command with no arguments to launch vault and initialize the 
+plugin.
+
+In another terminal, run the `make init` to create an example `Viewer` role.
+
+To fetch a new short lived token, launch: `scripts/read_sole_cred.sh`.
+
+To revoke all the credentials issued during the demo, run the `make revoke-all` command.
+
+## Use case: pushing metrics to a Grafana Cloud prometheus instance
+
+TODO
+
+## Use case: pushing traces to a Grafana Cloud Tempo instance
+
+TODO
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  vault-server:
+    image: vault:latest
+    ports:
+      - "8200:8200"
+    environment:
+      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+      VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
+    cap_add:
+      - IPC_LOCK
+    volumes:
+      - ./plugins:/vault/plugins
+    command: vault server -dev -dev-plugin-dir=/vault/plugins
--- a/scripts/download_plugin.sh
+++ b/scripts/download_plugin.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ue
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+RELEASE_URL=$(curl -s https://api.github.com/repos/form3tech-oss/vault-plugin-secrets-grafanacloud/releases/latest | \
+    jq --raw-output '.assets[] | select(.content_type=="application/octet-stream") | .browser_download_url')
+
+PLUGIN=$SCRIPT_DIR/../plugins/vault-plugin-secrets-grafanacloud
+curl -L -o $PLUGIN $RELEASE_URL
+chmod +x $PLUGIN
--- a/scripts/read_role_cred.sh
+++ b/scripts/read_role_cred.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -ue
+
+vault write grafanacloud/roles/examplerole \
+    gc_role="Viewer" \
+    ttl="60s"       \
+    max_ttl="600s"   
+
+vault read grafanacloud/creds/examplerole
--- a/scripts/revoke_all_leases.sh
+++ b/scripts/revoke_all_leases.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -ue
+
+vault lease revoke -prefix grafanacloud/creds
--- a/scripts/write_grafana_config.sh
+++ b/scripts/write_grafana_config.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+if [[ -z "$GRAFANA_ORG" ]]; then
+    echo "Must provide GRAFANA_ORG in environment" 1>&2
+    exit 1
+fi
+
+if [[ -z "$GRAFANA_ADMIN_TOKEN" ]]; then
+    echo "Must provide GRAFANA_ADMIN_TOKEN in environment" 1>&2
+    exit 1
+fi
+
+vault secrets enable -path=grafanacloud vault-plugin-secrets-grafanacloud
+
+vault write grafanacloud/config \
+    organisation=$GRAFANA_ORG \
+    key=$GRAFANA_ADMIN_TOKEN \
+    ttl=300 \
+    max_ttl=3600 \
+    url=https://grafana.com/api/