README
¶
Vaultier: CI/CD Vault helper
Vaultier will be simple helper for Container native CI/CD pipelines. The main goal is to parse specs file, obtain secrets from the Vault instance and create basic (one level deep) JSON file for the further processing by backend applications or Helm.
Please note that using of this tool can be potentially dangerous - in the certain phase of CI/CD process, there are secrets stored as a plain text. Hence always use Vaultier in the environment you trust.
Supported output formats
Output formats are controlled via VAULTIER_OUTPUT_FORMAT environment variable
in following manner:
Helm
helm produces key:value pairs nested to secrets property. The last property is
always cfg.json which contains the whole JSON with all provided keys. This is useful
when you want to provide the whole configuration file to your application.
{
"secrets": {
"VAR1": "aGVzbG9KZVZlc2xvCg==",
"VAR2": "bmVjb0tsZXNsbwo=",
"cfg.json": "ewogICJWQVIxIjogImhlc2xvSmVWZXNsbyIsCiAgIlZBUjIiOiAibmVjb0tsZXNsbyIKfQo="
}
}
Then, you can just refer these values in Helm templates
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
{{- range $k, $v := .Values.secrets }}
{{ $k }}: {{ $v }}
{{- end }}
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: app-cfg-volume
mountPath: "/etc/secrets"
readOnly: true
volumes:
- name: app-cfg-volume
secret:
secretName: mysecret
and use them with Helm CLI
helm install -n release01 -f /tmp/secrets.json /path/to/chart
.env (JSON)
dotenv produces top-level key:value structure which is meant to be
used with tools like env2 or
dotenv-json.
{
"VAR1": "VALUE1",
"VAR2": "VALUE2"
}
Configuration options
VAULTIER_VAULT_ADDR
url of your Vault instance. Typically it's something
like http://yourvault.yourdomain.co.uk
VAULTIER_VAULT_TOKEN
vault token, follow official Vault documentation to get one
VAULTIER_ENVIRONMENT
An environment you want to retrieve secrets for. Same environemtn has to be specified in the specs file.
VAULTIER_OUTPUT_FORMAT
As mentioned, this option influences the output format.
Currently supported options are helm or dotenv.
VAULTIER_SECRET_SPECS_PATH
Path to the specs file. If not set, it defaults to secrets.yaml.
VAULTIER_SECRET_OUTPUT_PATH
Path to the output file. Absolute or relative.
Secrets specification file
---
# will be used only when 'delivery' is selected
environments:
# secrets will be selected based on VAULTIER_BRANCH env. variable
- name: production
secrets:
- path: secret/data/blah/production/config1
# each Vault path can have more secrets you
# waint to obtain so so can specify more
# keyMap entries
keyMap:
- vaultKey: vaultVariableName1
localKey: VAR1
- path: secret/data/blah/production/config2
keyMap:
- vaultKey: vaultVariableName2
localKey: VAR2
- name: test
secrets:
- path: secret/data/blah/test/config1
# each Vault path can have more secrets you
# waint to obtain so so can specify more
# keyMap entries
keyMap:
- vaultKey: vaultVariableName1
localKey: VAR1
- path: secret/data/blah/test/config2
keyMap:
- vaultKey: vaultVariableName2
localKey: VAR2
Example use in CD pipeline
in progress.
Documentation
¶
There is no documentation for this package.
Source Files
Directories