vault-setup-github

command module
v0.0.0-...-b8af3ba (Latest)

Warning: This package is not in the latest version of its module.

Published: Jun 17, 2020 License: Apache-2.0 Imports: 19 Imported by: 0

README

vault-setup-github

The vault-setup-github service automates the process of configuring github authentication on HashiCorp Vault instances running on Google Cloud Platform.

It uses a root token stored in a Google Cloud Storage bucket, named root-token.enc and encrypted using Google Cloud KMS. Want that to just happen? Use sethvargo/vault-init.

It can be used as a companion service for sethvargo/vault-init.

Usage

The vault-setup-github service is designed to be run alongside a Vault server and communicate with it over localhost.

You can download the code and compile the binary with Go. Alternatively, a Docker container is available via the Docker Hub:

$ docker pull cobraz/vault-setup-github

To use this as part of a Kubernetes Vault Deployment:

containers:
- name: vault-setup-github
  image: registry.hub.docker.com/cobraz/vault-setup-github:0.0.2
  imagePullPolicy: Always
  env:
  - name: GCS_BUCKET_NAME
    value: my-gcs-bucket
  - name: KMS_KEY_ID
    value: projects/my-project/locations/my-location/cryptoKeys/my-key

Configuration

The vault-setup-github service supports the following environment variables for configuration:

  • GCS_BUCKET_NAME - The Google Cloud Storage bucket where the Vault master key and root token are stored.

  • KMS_KEY_ID - The Google Cloud KMS key ID used to encrypt and decrypt the Vault master key and root token.

  • VAULT_SKIP_VERIFY (false) - Disable TLS validation when connecting. Setting to true is highly discouraged.

  • GITHUB_ORGANIZATION - Your GitHub organization (e.g. tabetalt).

  • GITHUB_ADMIN_USER - If set, a GitHub user with the given name is added and mapped to the root policy.

Example Values

GCS_BUCKET_NAME="vault-storage"
KMS_KEY_ID="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/key"
GITHUB_ORGANIZATION="tabetalt"
GITHUB_ADMIN_USER="cobraz"
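As an added example (not the project's own code), the following Go program sketches the sequence this service carries out once it holds a decrypted root token: it reads the environment variables listed above, then calls Vault's HTTP API over localhost to enable the github auth method, set the organization and, when GITHUB_ADMIN_USER is set, map that user to the root policy. The function names, the ROOT_TOKEN variable standing in for the value decrypted from root-token.enc, and the default address http://127.0.0.1:8200 are assumptions; the GCS and KMS decryption step is left out. The Vault API paths are the documented ones for the github auth method.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// Config mirrors the environment variables documented in the README.
type Config struct {
	GCSBucketName      string
	KMSKeyID           string
	VaultSkipVerify    bool
	GitHubOrganization string
	GitHubAdminUser    string // optional
}

// LoadConfig reads configuration through getenv so it can be exercised without touching the real environment.
func LoadConfig(getenv func(string) string) (Config, error) {
	cfg := Config{
		GCSBucketName:      getenv("GCS_BUCKET_NAME"),
		KMSKeyID:           getenv("KMS_KEY_ID"),
		GitHubOrganization: getenv("GITHUB_ORGANIZATION"),
		GitHubAdminUser:    getenv("GITHUB_ADMIN_USER"),
	}
	var missing []string
	for _, kv := range []struct{ name, value string }{
		{"GCS_BUCKET_NAME", cfg.GCSBucketName},
		{"KMS_KEY_ID", cfg.KMSKeyID},
		{"GITHUB_ORGANIZATION", cfg.GitHubOrganization},
	} {
		if kv.value == "" {
			missing = append(missing, kv.name)
		}
	}
	if len(missing) > 0 {
		return Config{}, fmt.Errorf("missing required environment variables: %s", strings.Join(missing, ", "))
	}
	// VAULT_SKIP_VERIFY defaults to false; anything that is not a valid bool is rejected rather than guessed.
	if raw := getenv("VAULT_SKIP_VERIFY"); raw != "" {
		v, err := strconv.ParseBool(raw)
		if err != nil {
			return Config{}, fmt.Errorf("VAULT_SKIP_VERIFY: %w", err)
		}
		cfg.VaultSkipVerify = v
	}
	return cfg, nil
}

// VaultRequest is one write against the Vault HTTP API; every github setup call is a POST.
type VaultRequest struct {
	Path string // relative to /v1/
	Body map[string]string
}

// GitHubAuthRequests returns the ordered API calls that enable and configure the github auth method.
func GitHubAuthRequests(cfg Config) []VaultRequest {
	reqs := []VaultRequest{
		{Path: "sys/auth/github", Body: map[string]string{"type": "github"}},
		{Path: "auth/github/config", Body: map[string]string{"organization": cfg.GitHubOrganization}},
	}
	if cfg.GitHubAdminUser != "" {
		// Maps the named GitHub user to Vault's built-in root policy.
		reqs = append(reqs, VaultRequest{
			Path: "auth/github/map/users/" + cfg.GitHubAdminUser,
			Body: map[string]string{"value": "root"},
		})
	}
	return reqs
}

// NewClient builds the HTTP client; skipVerify=true disables TLS validation, which the README discourages.
func NewClient(skipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}}}
}

// Apply sends each request to Vault at vaultAddr, authenticating with the already decrypted root token.
func Apply(client *http.Client, vaultAddr, rootToken string, reqs []VaultRequest) error {
	for _, r := range reqs {
		payload, err := json.Marshal(r.Body)
		if err != nil {
			return err
		}
		req, err := http.NewRequest(http.MethodPost, strings.TrimRight(vaultAddr, "/")+"/v1/"+r.Path, bytes.NewReader(payload))
		if err != nil {
			return err
		}
		req.Header.Set("X-Vault-Token", rootToken)
		resp, err := client.Do(req)
		if err != nil {
			return fmt.Errorf("%s: %w", r.Path, err)
		}
		resp.Body.Close()
		// Vault answers successful writes with 204 No Content (some endpoints return 200 with a body).
		if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusOK {
			return fmt.Errorf("%s: unexpected status %d", r.Path, resp.StatusCode)
		}
	}
	return nil
}

func main() {
	cfg, err := LoadConfig(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// VAULT_ADDR is Vault's own address variable; ROOT_TOKEN is a hypothetical stand-in for the token
	// this service would decrypt from root-token.enc via KMS.
	addr := os.Getenv("VAULT_ADDR")
	if addr == "" {
		addr = "http://127.0.0.1:8200"
	}
	if err := Apply(NewClient(cfg.VaultSkipVerify), addr, os.Getenv("ROOT_TOKEN"), GitHubAuthRequests(cfg)); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Keeping the request list separate from the HTTP transport makes the privileged sequence (enable method, set org, grant root to one user) easy to inspect and assert on before any root-token-bearing call is made.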

IAM & Permissions

The vault-setup-github service uses the official Google Cloud Golang SDK. This means it supports the common ways of providing credentials to GCP.

To use this service, the service account must have the following minimum scope(s):

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/devstorage.read_write

Additionally, the service account must have the following minimum role(s):

roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/storage.objectAdmin OR roles/storage.legacyBucketWriter

For more information on service accounts, please see the Google Cloud Service Accounts documentation.

Documentation

There is no documentation for this package.