Address many more instances of env reading

Signed-off-by: Alexander Scheel <[email protected]>

api/auth/approle/approle_test.go

@@ -36,6 +36,7 @@ func testHTTPServer(
 }
 
 func init() {
+ os.Setenv("BAO_TOKEN", "")
  os.Setenv("VAULT_TOKEN", "")
 }
 

api/auth/ldap/ldap_test.go

@@ -36,6 +36,7 @@ func testHTTPServer(
 }
 
 func init() {
+ os.Setenv("BAO_TOKEN", "")
  os.Setenv("VAULT_TOKEN", "")
 }
 

api/auth/userpass/userpass_test.go

@@ -36,6 +36,7 @@ func testHTTPServer(
 }
 
 func init() {
+ os.Setenv("BAO_TOKEN", "")
  os.Setenv("VAULT_TOKEN", "")
 }
 

api/plugin_helpers.go

@@ -11,7 +11,6 @@ import (
  "errors"
  "flag"
  "net/url"
- "os"
  "regexp"
 
  "github.com/go-jose/go-jose/v3/jwt"
@@ -130,12 +129,12 @@ func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)
 // VaultPluginTLSProviderContext is run inside a plugin and retrieves the response
 // wrapped TLS certificate from vault. It returns a configured TLS Config.
 func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
- if os.Getenv(PluginAutoMTLSEnv) == "true" || os.Getenv(PluginMetadataModeEnv) == "true" {
+ if ReadBaoVariable(PluginAutoMTLSEnv) == "true" || ReadBaoVariable(PluginMetadataModeEnv) == "true" {
  return nil
  }
 
  return func() (*tls.Config, error) {
- unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
+ unwrapToken := ReadBaoVariable(PluginUnwrapTokenEnv)
 
  parsedJWT, err := jwt.ParseSigned(unwrapToken)
  if err != nil {

builtin/credential/kerberos/cmd/login-kerb/main.go

@@ -18,6 +18,7 @@ import (
 
  "github.com/hashicorp/go-cleanhttp"
  "github.com/jcmturner/gokrb5/v8/spnego"
+ "github.com/openbao/openbao/api"
  kerberos "github.com/openbao/openbao/builtin/credential/kerberos"
 )
 
@@ -77,7 +78,7 @@ func main() {
  os.Exit(1)
  }
  if vaultAddr == "" {
- vaultAddr = os.Getenv("VAULT_ADDR")
+ vaultAddr = api.ReadBaoVariable("BAO_ADDR")
  if vaultAddr == "" {
  fmt.Println(`"vault_addr" is required`)
  os.Exit(1)

builtin/credential/kubernetes/integrationtest/integration_test.go

@@ -51,8 +51,8 @@ func run(m *testing.M) int {
  }
  defer close()
 
- os.Setenv("VAULT_ADDR", fmt.Sprintf("http:https://127.0.0.1:%d", localPort))
- os.Setenv("VAULT_TOKEN", "root")
+ os.Setenv("BAO_ADDR", fmt.Sprintf("http:https://127.0.0.1:%d", localPort))
+ os.Setenv("BAO_TOKEN", "root")
 
  return m.Run()
 }

builtin/credential/ldap/cli.go

@@ -98,5 +98,5 @@ func usernameFromEnv() string {
 }
 
 func passwordFromEnv() string {
- return os.Getenv("VAULT_LDAP_PASSWORD")
+ return api.ReadBaoVariable("BAO_LDAP_PASSWORD")
 }

builtin/logical/database/backend_test.go

@@ -19,6 +19,7 @@ import (
  "github.com/hashicorp/go-hclog"
  _ "github.com/jackc/pgx/v4"
  "github.com/mitchellh/mapstructure"
+ "github.com/openbao/openbao/api"
  "github.com/openbao/openbao/helper/builtinplugins"
  "github.com/openbao/openbao/helper/namespace"
  postgreshelper "github.com/openbao/openbao/helper/testhelpers/postgresql"
@@ -59,7 +60,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 }
 
 func TestBackend_PluginMain_Postgres(t *testing.T) {
- if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
+ if api.ReadBaoVariable(pluginutil.PluginVaultVersionEnv) == "" {
  return
  }
 
@@ -72,7 +73,7 @@ func TestBackend_PluginMain_Postgres(t *testing.T) {
 }
 
 func TestBackend_PluginMain_PostgresMultiplexed(t *testing.T) {
- if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
+ if api.ReadBaoVariable(pluginutil.PluginVaultVersionEnv) == "" {
  return
  }
 
@@ -1455,7 +1456,7 @@ func (h hangingPlugin) Close() error {
 var _ v5.Database = (*hangingPlugin)(nil)
 
 func TestBackend_PluginMain_Hanging(t *testing.T) {
- if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
+ if api.ReadBaoVariable(pluginutil.PluginVaultVersionEnv) == "" {
  return
  }
  v5.Serve(&hangingPlugin{})

builtin/logical/database/dbplugin/plugin_test.go

@@ -6,7 +6,6 @@ package dbplugin_test
 import (
  "context"
  "errors"
- "os"
  "testing"
  "time"
 
@@ -121,7 +120,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 // This is not an actual test case, it's a helper function that will be executed
 // by the go-plugin client via an exec call.
 func TestPlugin_GRPC_Main(t *testing.T) {
- if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" && os.Getenv(pluginutil.PluginMetadataModeEnv) != "true" {
+ if api.ReadBaoVariable(pluginutil.PluginUnwrapTokenEnv) == "" && api.ReadBaoVariable(pluginutil.PluginMetadataModeEnv) != "true" {
  return
  }
 

builtin/logical/database/rotation_test.go

@@ -15,6 +15,7 @@ import (
  "time"
 
  _ "github.com/jackc/pgx/v4/stdlib"
+ "github.com/openbao/openbao/api"
  "github.com/openbao/openbao/helper/namespace"
  postgreshelper "github.com/openbao/openbao/helper/testhelpers/postgresql"
  v5 "github.com/openbao/openbao/sdk/database/dbplugin/v5"
@@ -705,7 +706,7 @@ func TestBackend_StaticRole_Rotations_PostgreSQL(t *testing.T) {
 
 func testBackend_StaticRole_Rotations(t *testing.T, createUser userCreator, opts map[string]interface{}) {
  // We need to set this value for the plugin to run, but it doesn't matter what we set it to.
- oldToken := os.Getenv(pluginutil.PluginUnwrapTokenEnv)
+ oldToken := api.ReadBaoVariable(pluginutil.PluginUnwrapTokenEnv)
  os.Setenv(pluginutil.PluginUnwrapTokenEnv, "...")
  defer func() {
  if oldToken != "" {

builtin/logical/database/versioning_large_test.go

@@ -8,7 +8,6 @@ package database
 import (
  "context"
  "fmt"
- "os"
  "regexp"
  "strings"
  "testing"
@@ -449,11 +448,11 @@ func cleanup(t *testing.T, b *databaseBackend, reqs []*logical.Request) {
 }
 
 func TestBackend_PluginMain_MockV4(t *testing.T) {
- if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" {
+ if api.ReadBaoVariable(pluginutil.PluginUnwrapTokenEnv) == "" {
  return
  }
 
- caPEM := os.Getenv(pluginutil.PluginCACertPEMEnv)
+ caPEM := api.ReadBaoVariable(pluginutil.PluginCACertPEMEnv)
  if caPEM == "" {
  t.Fatal("CA cert not passed in")
  }
@@ -468,15 +467,15 @@ func TestBackend_PluginMain_MockV4(t *testing.T) {
 }
 
 func TestBackend_PluginMain_MockV5(t *testing.T) {
- if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
+ if api.ReadBaoVariable(pluginutil.PluginVaultVersionEnv) == "" {
  return
  }
 
  RunV5()
 }
 
 func TestBackend_PluginMain_MockV6Multiplexed(t *testing.T) {
- if os.Getenv(pluginutil.PluginVaultVersionEnv) == "" {
+ if api.ReadBaoVariable(pluginutil.PluginVaultVersionEnv) == "" {
  return
  }
 

builtin/logical/kubernetes/integrationtest/integration_test.go

@@ -30,8 +30,8 @@ import (
 func TestMain(m *testing.M) {
  if os.Getenv("INTEGRATION_TESTS") != "" {
  checkKubectlVersion()
- os.Setenv("VAULT_ADDR", "http:https://127.0.0.1:38300")
- os.Setenv("VAULT_TOKEN", "root")
+ os.Setenv("BAO_ADDR", "http:https://127.0.0.1:38300")
+ os.Setenv("BAO_TOKEN", "root")
  os.Setenv("KUBERNETES_CA", getK8sCA())
  os.Setenv("KUBE_HOST", getKubeHost(os.Getenv("KIND_CLUSTER_NAME")))
  os.Setenv("SUPER_JWT", getSuperJWT())

builtin/logical/pki/backend_test.go

@@ -24,7 +24,6 @@ import (
  mathrand "math/rand"
  "net"
  "net/url"
- "os"
  "reflect"
  "sort"
  "strconv"
@@ -350,7 +349,7 @@ func TestBackend_Roles(t *testing.T) {
  }
 
  testCase.Steps = append(testCase.Steps, generateRoleSteps(t, tc.useCSR)...)
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  for i, v := range testCase.Steps {
  data := map[string]interface{}{}
  var keys []string
@@ -925,7 +924,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
  // testing we use a randomized time for maximum fuzziness.
  */
  var seed int64 = 1
- fixedSeed := os.Getenv("VAULT_PKITESTS_FIXED_SEED")
+ fixedSeed := api.ReadBaoVariable("BAO_PKITESTS_FIXED_SEED")
  if len(fixedSeed) == 0 {
  seed = time.Now().UnixNano()
  } else {
@@ -1290,7 +1289,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
  default:
  panic("invalid key type: " + keyType)
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("roleKeyBits=%d testBitSize=%d errorOk=%v", plan.roleKeyBits, testBitSize, plan.errorOk)
  }
 
@@ -1427,7 +1426,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
  getOrganizationCheck, getOuCheck, getPostalCodeCheck, getRandCsr, getStreetAddressCheck,
  getProvinceCheck,
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("funcs=%d", len(funcs))
  }
 
@@ -3102,7 +3101,7 @@ func TestBackend_OID_SANs(t *testing.T) {
  cert.DNSNames[2] != "bar.foobar.com" {
  t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("certificate 1 to check:\n%s", certStr)
  }
 
@@ -3132,7 +3131,7 @@ func TestBackend_OID_SANs(t *testing.T) {
  cert.DNSNames[2] != "bar.foobar.com" {
  t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("certificate 2 to check:\n%s", certStr)
  }
 
@@ -3176,7 +3175,7 @@ func TestBackend_OID_SANs(t *testing.T) {
  if diff := deep.Equal(expectedOtherNames, foundOtherNames); len(diff) != 0 {
  t.Errorf("unexpected otherNames: %v", diff)
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("certificate 3 to check:\n%s", certStr)
  }
 }
@@ -3262,7 +3261,7 @@ func TestBackend_AllowedSerialNumbers(t *testing.T) {
  if cert.Subject.SerialNumber != "f00bar" {
  t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("certificate 1 to check:\n%s", certStr)
  }
 
@@ -3283,7 +3282,7 @@ func TestBackend_AllowedSerialNumbers(t *testing.T) {
  if cert.Subject.SerialNumber != "b4rf00" {
  t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
  }
- if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
+ if len(api.ReadBaoVariable("BAO_VERBOSE_PKITESTS")) > 0 {
  t.Logf("certificate 2 to check:\n%s", certStr)
  }
 }

builtin/logical/pkiext/pkiext_binary/pki_cluster.go

@@ -6,7 +6,6 @@ package pkiext_binary
 import (
  "context"
  "fmt"
- "os"
  "testing"
  "time"
 
@@ -23,9 +22,9 @@ type VaultPkiCluster struct {
 }
 
 func NewVaultPkiCluster(t *testing.T) *VaultPkiCluster {
- binary := os.Getenv("VAULT_BINARY")
+ binary := api.ReadBaoVariable("BAO_BINARY")
  if binary == "" {
- t.Skip("only running docker test when $VAULT_BINARY present")
+ t.Skip("only running docker test when $BAO_BINARY present")
  }
 
  opts := &docker.DockerClusterOptions{

builtin/plugin/backend_test.go

@@ -60,11 +60,11 @@ func TestBackend_Factory(t *testing.T) {
 
 func TestBackend_PluginMain(t *testing.T) {
  args := []string{}
- if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" && os.Getenv(pluginutil.PluginMetadataModeEnv) != "true" {
+ if api.ReadBaoVariable(pluginutil.PluginUnwrapTokenEnv) == "" && api.ReadBaoVariable(pluginutil.PluginMetadataModeEnv) != "true" {
  return
  }
 
- caPEM := os.Getenv(pluginutil.PluginCACertPEMEnv)
+ caPEM := api.ReadBaoVariable(pluginutil.PluginCACertPEMEnv)
  if caPEM == "" {
  t.Fatal("CA cert not passed in")
  }
@@ -88,11 +88,11 @@ func TestBackend_PluginMain(t *testing.T) {
 
 func TestBackend_PluginMain_Multiplexed(t *testing.T) {
  args := []string{}
- if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" && os.Getenv(pluginutil.PluginMetadataModeEnv) != "true" {
+ if api.ReadBaoVariable(pluginutil.PluginUnwrapTokenEnv) == "" && api.ReadBaoVariable(pluginutil.PluginMetadataModeEnv) != "true" {
  return
  }
 
- caPEM := os.Getenv(pluginutil.PluginCACertPEMEnv)
+ caPEM := api.ReadBaoVariable(pluginutil.PluginCACertPEMEnv)
  if caPEM == "" {
  t.Fatal("CA cert not passed in")
  }

command/agent.go

@@ -249,7 +249,7 @@ func (c *AgentCommand) Run(args []string) int {
  // Tests might not want to start a vault server and just want to verify
  // the configuration.
  if c.flagTestVerifyOnly {
- if os.Getenv("VAULT_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
+ if api.ReadBaoVariable("BAO_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
  c.UI.Output(fmt.Sprintf(
  "\nConfiguration:\n%s\n",
  pretty.Sprint(*c.config)))
@@ -374,7 +374,7 @@ func (c *AgentCommand) Run(args []string) int {
  // We do this after auto-auth has been configured, because we don't want to
  // confuse the issue of retries for auth failures which have their own
  // config and are handled a bit differently.
- if os.Getenv(api.EnvVaultMaxRetries) == "" {
+ if api.ReadBaoVariable(api.EnvVaultMaxRetries) == "" {
  client.SetMaxRetries(ctconfig.DefaultRetryAttempts)
  if config.Vault != nil {
  if config.Vault.Retry != nil {

command/agent/config/config.go

@@ -24,6 +24,7 @@ import (
  "github.com/mitchellh/mapstructure"
  "k8s.io/utils/strings/slices"
 
+ "github.com/openbao/openbao/api"
  "github.com/openbao/openbao/command/agentproxyshared"
  "github.com/openbao/openbao/helper/namespace"
  "github.com/openbao/openbao/internalshared/configutil"
@@ -54,8 +55,8 @@ type Config struct {
 }
 
 const (
- DisableIdleConnsEnv = "VAULT_AGENT_DISABLE_IDLE_CONNECTIONS"
- DisableKeepAlivesEnv = "VAULT_AGENT_DISABLE_KEEP_ALIVES"
+ DisableIdleConnsEnv = "BAO_AGENT_DISABLE_IDLE_CONNECTIONS"
+ DisableKeepAlivesEnv = "BAO_AGENT_DISABLE_KEEP_ALIVES"
 )
 
 func (c *Config) Prune() {
@@ -671,7 +672,7 @@ func LoadConfigFile(path string) (*Config, error) {
  }
  }
 
- if disableIdleConnsEnv := os.Getenv(DisableIdleConnsEnv); disableIdleConnsEnv != "" {
+ if disableIdleConnsEnv := api.ReadBaoVariable(DisableIdleConnsEnv); disableIdleConnsEnv != "" {
  result.DisableIdleConns, err = parseutil.ParseCommaStringSlice(strings.ToLower(disableIdleConnsEnv))
  if err != nil {
  return nil, fmt.Errorf("error parsing environment variable %s: %v", DisableIdleConnsEnv, err)
@@ -693,7 +694,7 @@ func LoadConfigFile(path string) (*Config, error) {
  }
  }
 
- if disableKeepAlivesEnv := os.Getenv(DisableKeepAlivesEnv); disableKeepAlivesEnv != "" {
+ if disableKeepAlivesEnv := api.ReadBaoVariable(DisableKeepAlivesEnv); disableKeepAlivesEnv != "" {
  result.DisableKeepAlives, err = parseutil.ParseCommaStringSlice(strings.ToLower(disableKeepAlivesEnv))
  if err != nil {
  return nil, fmt.Errorf("error parsing environment variable %s: %v", DisableKeepAlivesEnv, err)