Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/indellient/vault-helper


https://github.com/indellient/vault-helper

Last synced: 5 months ago
JSON representation

Awesome Lists containing this project

README 

          
# vault-helper



## Summary



This is the vault-helper repo built using golang and Habitat.



## Building



To build the repo, check it out from GitHub, and enter a local studio. Run `build`, the resulting binaries are output

to `bin/vault-helper-*`, and packaged in to the Habitat .hart file.



You can specify `DO_INSTALL=false` if you want a quick `build` command that lets you iterate on the build + test + change 

cycle without Habitat getting in the way.



## Unit Test



The only package that has unit tests right now is the `vault` package, specifically the `Client{}` object. This is 

mostly to cover cases where we may get invalid input from a user.



Unit tests are run with every `build` in the studio.



## Integration Test



There are some InSpec tests that can be invoked to perform a basic set of integration tests. Perform the following steps

on your system to run the tests:



```

me@mybox ~/vault-helper $ rm -rf results && hab studio build -D

me@mybox ~/vault-helper $ kitchen converge "vault" --concurrency=1

me@mybox ~/vault-helper $ kitchen verify vault-helper

me@mybox ~/vault-helper $ kitchen destroy "vault"

```



Note that the Test Kitchen environment does not use the `kitchen-habitat` plugin, as we need to bootstrap a very minimal

environment to run our `vault-helper` InSpec tests against.  `vault-helper` tests do not require a running hab service,

but do require a valid Vault instance to perform tests against (see `.kitchen.yml` for more info).



## Invocation



You can specify the following environment variables to help mask secret information from the system `vault-helper` is

running on.



`VAULT_ADDR`        - Vault URL

`VAULT_SKIP_VERIFY` - Set to `true` to disable SSL cert checking

`VAULT_ROLE_ID`     - The vault approle role id

`VAULT_SECRET_ID `  - The vault approle secret id

`VAULT_TOKEN`       - The vault token



To avoid conflicts with habitat double-curly-braces replacements in files, use double-parens instead: `((.username))`



See --help for more information and detailed invocation examples.



## Caveats



Below are a list of known caveats with `vault-helper`.  If you find other limitations with it, please update this section.



### Vault Keys with Hyphens



Vault keys can have a hyphen, as long as it's double-quoted.  Due to how the GO template engine works, when specifying

a substitution like: `(( ".user-name" ))`, that key `user-name` must be double-quoted.



### Secret Replacement



`vault-helper` assumes that all secrets at a given path like `secret/data/jenkins/admin` are to be parsed on a single

file at a time.  This is in part due to how `vault-helper` parses and re-writes the file to disk, as well as to simplify

management of secrets.



Vault helper supports either kv-v1 or kv-v2 secret stores, make sure to pass the correct `--path` in at invocation time.



A good rule-of-thumb is to make sure you invoke `vault-helper` once on a single file at a given time.  Do not put secrets

at different paths in the same file to be parsed by `vault-helper`.