This repository has been archived by the owner on Nov 8, 2022. It is now read-only.

kmott/vault-helper

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vault-helper

Summary

vault-helper is a small tool written in Go and built and packaged with Habitat. It reads secrets from HashiCorp Vault and substitutes them into configuration files.

Building

To build, check the repo out from GitHub and enter a local Habitat studio. Run build; the resulting binaries are written to bin/vault-helper-* and packaged into the Habitat .hart file.

Set DO_INSTALL=false if you want a quicker build command that lets you iterate on the build, test and change cycle without Habitat getting in the way.

Unit Test

The only package with unit tests so far is the vault package, specifically the Client{} object. The tests mostly cover cases where the user supplies invalid input.

Unit tests are run with every build in the studio.

Integration Test

A set of InSpec tests performs basic integration testing. Run the following steps on your system to execute them:

me@mybox ~/vault-helper $ rm -rf results && hab studio build -D
me@mybox ~/vault-helper $ kitchen converge "vault" --concurrency=1
me@mybox ~/vault-helper $ kitchen verify vault-helper
me@mybox ~/vault-helper $ kitchen destroy "vault"

Note that the Test Kitchen environment does not use the kitchen-habitat plugin, because the tests only need a very minimal environment to run the vault-helper InSpec tests in. The tests do not require a running hab service, but they do require a reachable Vault instance to test against (see .kitchen.yml for details).

Invocation

vault-helper reads the following environment variables. Supplying the Vault address and credentials through the environment, rather than on the command line, keeps them out of the process listing on the system vault-helper runs on:

VAULT_ADDR - Vault URL
VAULT_SKIP_VERIFY - Set to true to disable TLS certificate checking. Use this only for local testing: with verification off, the token or AppRole secret id is exposed to anyone who can intercept the connection to Vault.
VAULT_ROLE_ID - The Vault AppRole role id
VAULT_SECRET_ID - The Vault AppRole secret id
VAULT_TOKEN - The Vault token

Habitat uses double curly braces ({{ }}) for its own substitutions in files, so to avoid conflicts vault-helper uses double parentheses instead: ((.username))

See --help for more information and detailed invocation examples.

Caveats

Below is a list of known caveats with vault-helper. If you find other limitations, please update this section.

Vault Keys with Hyphens

Vault keys may contain a hyphen, but such a key must be double-quoted in the substitution. A hyphen is not a valid character in a Go template field name, so ((.user-name)) fails to parse; write the key as (( ".user-name" )) instead.

Secret Replacement

vault-helper assumes that all secrets referenced in a file live at a single Vault path, such as secret/data/jenkins/admin, and it processes one file at a time. This is partly due to how vault-helper parses and rewrites the file to disk, and partly to keep secret management simple.

vault-helper supports both kv-v1 and kv-v2 secret engines; make sure to pass the correct --path at invocation time. A kv-v2 secret is read at secret/data/<name>, whereas a kv-v1 secret is read at secret/<name>, and the two engines return the secret's keys in different response shapes.

A good rule of thumb is to invoke vault-helper once per file. Do not put secrets from different paths in the same file to be parsed by vault-helper.
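The three caveats above (double parentheses alongside Habitat's braces, hyphenated keys, and the kv-v1 versus kv-v2 response shape) can be shown together in one program. The following is an added example, not vault-helper's own code: it uses Go's text/template with (( )) delimiters and parses constructed sample Vault responses embedded in the source, so it runs offline. The key/value contents, the template file and the jenkins/admin path are assumptions made up for the example; the hyphenated key is reached with index, the standard text/template way to address a key that is not a valid identifier, rather than vault-helper's own quoted-key spelling.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"text/template"
)

// Constructed sample: the JSON body Vault returns for a kv-v2 read
// (GET /v1/secret/data/jenkins/admin). The secret's keys live one level down,
// under data.data, next to the version metadata.
const sampleKVv2 = `{"data":{"data":{"username":"admin","password":"hunter2","api-token":"t0k3n"},"metadata":{"version":3}}}`

// Constructed sample: the same secret read from a kv-v1 mount
// (GET /v1/secret/jenkins/admin). The keys sit directly under data.
const sampleKVv1 = `{"data":{"username":"admin","password":"hunter2","api-token":"t0k3n"}}`

// Constructed sample config file. Habitat's own {{cfg.port}} substitution shares
// the file with the (( )) actions. The hyphenated key is addressed with index,
// the standard text/template way to reach a key that is not a valid identifier.
const sampleTemplate = `[jenkins]
port = {{cfg.port}}
user = ((.username))
pass = ((.password))
token = (( index . "api-token" ))
`

// kvSecretData extracts the key/value map from a raw KV read response,
// unwrapping the extra data.data level that kv-v2 adds. Reading with the wrong
// engine version is reported as an error instead of yielding an empty map.
func kvSecretData(raw []byte, kvV2 bool) (map[string]string, error) {
	var resp struct {
		Data json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	if kvV2 {
		var inner struct {
			Data map[string]string `json:"data"`
		}
		if err := json.Unmarshal(resp.Data, &inner); err != nil {
			return nil, err
		}
		if inner.Data == nil {
			return nil, errors.New("no data.data in response: is this really a kv-v2 mount?")
		}
		return inner.Data, nil
	}
	var kv map[string]string
	if err := json.Unmarshal(resp.Data, &kv); err != nil {
		// A kv-v2 body parsed as kv-v1 lands here: "data" and "metadata" are objects, not strings.
		return nil, fmt.Errorf("response does not look like kv-v1: %w", err)
	}
	return kv, nil
}

// renderSecrets renders tmpl with "((" and "))" as the action delimiters, so
// Habitat's {{ }} markers pass through untouched for Habitat to handle later.
// missingkey=error turns a typo in a key name into a failed render instead of
// silently writing an empty value into a config file.
func renderSecrets(tmpl string, secrets map[string]string) (string, error) {
	t, err := template.New("secrets").Delims("((", "))").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, secrets); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	secrets, err := kvSecretData([]byte(sampleKVv2), true)
	if err != nil {
		panic(err)
	}
	out, err := renderSecrets(sampleTemplate, secrets)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Running it prints the rendered file with {{cfg.port}} left intact for Habitat and the three Vault values filled in. Feeding the kv-v2 body to the kv-v1 parser (or vice versa) returns an error rather than an empty secret map, which is the failure you want when the wrong --path is passed, and a template that refers to a key the secret does not have fails the render instead of writing a blank credential to disk.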

Languages

  • Go 52.6%
  • Shell 45.0%
  • Ruby 2.2%
  • Groovy 0.2%