vaultctl

module v0.0.6
Published: Mar 16, 2016 License: Apache-2.0

README

Vaultctl


Vaultctl is a command line utility for provisioning a HashiCorp Vault from configuration files. Essentially it was written so we could source control our users, policies, backends and secrets, synchronize the vault against them and rebuild on demand if required.

Build

There is a Makefile in the root directory, so simply running make will build the project. Alternatively you can run the build inside a Docker container via make docker-build.

Usage

[jest@starfury vaultctl]$ bin/vaultctl --help
NAME:
   vaultctl - is a utility for provisioning a hashicorp's vault service

USAGE:
   vaultctl [global options] command [command options] [arguments...]
   
VERSION:
   v0.0.1
   
AUTHOR(S):
   Rohith <gambol99@gmail.com> 
   
COMMANDS:
   synchronize, sync	synchonrize the users, policies, secrets and backends
   transit, tr, trans	Encrypts / decrypts files using the Vault transit backend
   help, h		Shows a list of commands or help for one command
   
GLOBAL OPTIONS:
   -A, --vault-addr "http://127.0.0.1:8200"	the url address of the vault service [$VAULT_ADDR]
   -u, --vault-username 			the vault username to use to authenticate to vault service [$VAULT_USERNAME]
   -p, --vault-password 			the vault password to use to authenticate to vault service [$VAULT_PASSWORD]
   -c, --credentials 				the path to a file (json|yaml) containing the username and password for userpass authenticaion [$VAULT_CRENDENTIALS]
   --verbose					switch on verbose logging for debug purposed
   --kube-populate				whether or not to populate the vault crendentials into the namespaces
   --help, -h					show help
   --version, -v				print the version

Configuration

The configuration files for vaultctl can be written in JSON or YAML format (note: the file extension is checked to determine the format). You can specify multiple configuration files and/or multiple directories containing config files.

- Authentication

Authentication backends can be created using the following:

auths:
- path: userpass
  type: userpass
- path: some/path/users
  type: userpass
- path: github
  type: github
  attributes:
  - uri: config
    organization: SomeOrganization

- Users

Users are placed in the users: [] collection; each entry gives the Vault authentication type (at present only userpass is supported, though it would be trivial to add more) followed by the policies associated with the user.

users:
- userpass:
    username: rohithj
    password: password1
  policies:
    - common
    - platform_tls

- Backends

The backends are defined under the 'backends[]' collection. Each backend must have a path (i.e. a mount point), a type (the Vault backend type), a description (which is enforced) and an optional collection of config items (the attributes: list in the examples below). Keeping it simple, the config[] is essentially a series of PUT requests; you can grab the configuration options and the URI from the Vault documentation. Note: an extra option, 'oneshot', has been added. It simply means the config item is run ONLY the first time the backend is created, which is useful for some backends like PKI, transit etc.

backends:
- type: transit
  path: platform/encode
  description: A transit backend used to encrypt configuration files
  attributes:
  - uri: keys/default
    oneshot: true
- type: generic
  path: platform/secrets
  description: platform secrets
- path: platform/platform_tls
  description: platform tls
  type: generic
- path: platform/pki
  type: pki
  description: Platform PKI backend
  attributes:
  - uri: root/generate/internal
    common_name: example.com
    ttl: 3h
    oneshot: true
  - uri: roles/example-dot-com
    allowed_domains: example.com
    allow_subdomains: true
    max_ttl: 1h 
# one of the annoying things about the mysql backend is it attempts to connect to the db when
# adding the config/connection config??
- path: platform/db
  type: mysql
  description: Platform Database
  attributes:
  - uri: config/connection
    value: root:root@tcp(127.0.0.1:3306)/
    oneshot: true
  - uri: roles/readonly
    sql: CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%'

- Secrets

Secrets are defined under the 'secrets[]' collection, each entry giving the path to write to and the key/value pairs to store there.

secrets:
  - path: platform/secrets/platform_tls
    values:
      hello: world
      rohith: yes
  - path: platform/secrets/se1
    values:
      hello: world
      rohith: yes

- Example Output

[jest@starfury vaultctl]$ bin/vaultctl -u admin -p password  sync -p tests/policies -c platform.yml
INFO[0000] -> synchronizing the vault policies, 3 files 
INFO[0001] [policy: common.hcl] successfully applied the policy, filename: tests/policies/common.hcl 
INFO[0001] [policy: platform.hcl] successfully applied the policy, filename: tests/policies/platform.hcl 
INFO[0001] [policy: platform_tls.hcl] successfully applied the policy, filename: tests/policies/platform_tls.hcl 
INFO[0001] -> synchronizing the vault users, users: 1 
INFO[0001] [user: rohithj] ensuring user, policies: root 
INFO[0001] -> synchronizing the backends, backend: 2 
INFO[0001] [backend: platform/encode]: already exist, moving to configuration 
INFO[0001] [backend:platform/encode/keys/default] skipping the config, as it's a oneshot setting 
INFO[0001] [backend: platform/secrets]: already exist, moving to configuration 
INFO[0001] -> synchronizing the secrets with vault, secrets: 0 
INFO[0001] synchronization complete, time took: 1.733908869s 
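As an added illustration (not code from the vaultctl project), the Go program below models the backend synchronisation described in the Configuration section and visible in the output above: it decodes a JSON rendering of the backends[] collection, enforces the mandatory description, and replays each attribute as a PUT against an in-memory stand-in for Vault, so the oneshot skip on a second run can be reproduced offline. The FakeVault type and the sampleConfig JSON are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Backend is one backends[] entry; attributes stay free-form maps (uri, oneshot plus the PUT body).
type Backend struct {
	Path        string                   `json:"path"`
	Type        string                   `json:"type"`
	Description string                   `json:"description"`
	Attributes  []map[string]interface{} `json:"attributes"`
}

// FakeVault stands in for the Vault API so the example runs offline.
type FakeVault struct {
	Mounts map[string]string                 // mount path -> backend type
	Writes map[string]map[string]interface{} // config uri -> last PUT body
}

// ParseBackends decodes a JSON config; path, type and description are mandatory (the README enforces description).
func ParseBackends(data []byte) ([]Backend, error) {
	var cfg struct{ Backends []Backend }
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	for i, b := range cfg.Backends {
		if b.Path == "" || b.Type == "" || b.Description == "" {
			return nil, fmt.Errorf("backends[%d]: path, type and description are required", i)
		}
	}
	return cfg.Backends, nil
}

// Sync creates missing mounts and replays each attribute as a PUT to <mount>/<uri>. A oneshot
// attribute is applied only in the run that creates the mount; the actions mirror the INFO lines.
func Sync(v *FakeVault, backends []Backend) []string {
	var actions []string
	for _, b := range backends {
		mount := strings.Trim(b.Path, "/")
		_, existed := v.Mounts[mount]
		if !existed {
			v.Mounts[mount] = b.Type
		}
		actions = append(actions, fmt.Sprintf("[backend: %s] existed before this run: %v", mount, existed))
		for _, attr := range b.Attributes {
			uri, _ := attr["uri"].(string)
			target := mount + "/" + strings.Trim(uri, "/")
			if oneshot, _ := attr["oneshot"].(bool); oneshot && existed {
				actions = append(actions, fmt.Sprintf("[backend:%s] skipping the config, as it's a oneshot setting", target))
				continue
			}
			body := map[string]interface{}{} // everything but the reserved keys is the PUT body
			for k, val := range attr {
				if k != "uri" && k != "oneshot" {
					body[k] = val
				}
			}
			v.Writes[target] = body
			actions = append(actions, fmt.Sprintf("[backend:%s] applied config", target))
		}
	}
	return actions
}

// sampleConfig is a constructed JSON rendering of the README's transit and PKI
// backends; it is not a file shipped with the project.
const sampleConfig = `{"backends": [
 {"type": "transit", "path": "platform/encode", "description": "encrypts config files", "attributes": [{"uri": "keys/default", "oneshot": true}]},
 {"type": "pki", "path": "platform/pki", "description": "Platform PKI backend", "attributes": [
  {"uri": "root/generate/internal", "common_name": "example.com", "ttl": "3h", "oneshot": true},
  {"uri": "roles/example-dot-com", "allowed_domains": "example.com", "allow_subdomains": true, "max_ttl": "1h"}]}]}`

func main() {
	backends, err := ParseBackends([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	v := &FakeVault{Mounts: map[string]string{}, Writes: map[string]map[string]interface{}{}}
	for run := 1; run <= 2; run++ { // the second run shows the oneshot skip
		fmt.Printf("run %d:\n  %s\n", run, strings.Join(Sync(v, backends), "\n  "))
	}
}
```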

Transit Encryption

The sub-command 'transit' permits you to encrypt and decrypt file contents using a Vault transit backend. Our current use case is that we hand off management of their own namespaces, secrets, backends etc. to other teams, who are then given a generic endpoint for encryption.
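An added example (not the project's own transit command) of the two Vault transit API calls such a sub-command relies on: POST /v1/<mount>/encrypt/<key> with base64 plaintext returns an opaque vault:v1:... ciphertext, and POST /v1/<mount>/decrypt/<key> reverses it, both authenticated with the X-Vault-Token header. The mount platform/encode and key default come from the README's transit backend; reading VAULT_ADDR and VAULT_TOKEN in main is an assumption of this example, as the tool itself logs in with userpass.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// TransitClient wraps the transit encrypt/decrypt endpoints. Addr is the Vault
// address (--vault-addr), Mount the transit mount (e.g. platform/encode) and
// Key the key name (e.g. default, created by the oneshot keys/default item).
type TransitClient struct {
	Addr, Token, Mount, Key string
	HTTP                    *http.Client
}

// transit POSTs {field: value} to /v1/<mount>/<op>/<key> with the token in
// X-Vault-Token and returns the named field of the response's "data" object.
// Vault reports failures as a non-200 status with an "errors" array.
func (c *TransitClient) transit(op, field, value, want string) (string, error) {
	body, _ := json.Marshal(map[string]string{field: value})
	url := fmt.Sprintf("%s/v1/%s/%s/%s", strings.TrimRight(c.Addr, "/"), strings.Trim(c.Mount, "/"), op, c.Key)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	res, err := c.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer res.Body.Close()
	var out struct {
		Data   map[string]interface{} `json:"data"`
		Errors []string               `json:"errors"`
	}
	if err := json.NewDecoder(res.Body).Decode(&out); err != nil {
		return "", err
	}
	if res.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned %d: %s", res.StatusCode, strings.Join(out.Errors, "; "))
	}
	if got, _ := out.Data[want].(string); got != "" {
		return got, nil
	}
	return "", fmt.Errorf("response carried no %s", want)
}

// Encrypt returns Vault's opaque "vault:v1:..." ciphertext. The key never
// leaves Vault; the caller only ever sends base64-encoded plaintext.
func (c *TransitClient) Encrypt(plaintext []byte) (string, error) {
	ct, err := c.transit("encrypt", "plaintext", base64.StdEncoding.EncodeToString(plaintext), "ciphertext")
	if err == nil && !strings.HasPrefix(ct, "vault:v") {
		return "", fmt.Errorf("unexpected ciphertext format %q", ct)
	}
	return ct, err
}

// Decrypt reverses Encrypt; Vault hands the plaintext back base64 encoded.
func (c *TransitClient) Decrypt(ciphertext string) ([]byte, error) {
	pt, err := c.transit("decrypt", "ciphertext", ciphertext, "plaintext")
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(pt)
}

func main() { // round-trips constructed sample contents through a Vault at VAULT_ADDR/VAULT_TOKEN
	c := &TransitClient{Addr: os.Getenv("VAULT_ADDR"), Token: os.Getenv("VAULT_TOKEN"),
		Mount: "platform/encode", Key: "default", HTTP: http.DefaultClient}
	ct, err := c.Encrypt([]byte("hello: world\n"))
	if err != nil {
		panic(err)
	}
	pt, err := c.Decrypt(ct)
	fmt.Println(ct, string(pt), err)
}
```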

TODO

  • Need to finish off the Kubernetes integration to place the vault credentials in k8s secrets.
