Responsible: #DevOps

Render templated config files with secrets from HashiCorp Vault. Inspired by vaultenv.
- Define a template for your config file which contains secrets at development time.
- Use `vault-template` to render your config file template by fetching secrets from Vault at runtime.
```text
Usage of ./vault-template:
  -o, --output string            The output file.
                                 Also configurable via OUTPUT_FILE.
  -t, --template string          The template file to render.
                                 Also configurable via TEMPLATE_FILE.
  -v, --vault string             Vault API endpoint.
                                 Also configurable via VAULT_ADDR.
                                 (default "http://127.0.0.1:8200")
  -f, --vault-token-file string  The file which contains the vault token.
                                 Also configurable via VAULT_TOKEN_FILE.
```
A Docker image is available on Docker Hub.
First of all, suppose that the secret was created with:

```shell
vault write secret/mySecret name=john password=secret
```
The templates are rendered using the Go template mechanism. Currently vault-template provides two template functions:

- `vault`
- `vaultMap`

It is also possible to use environment variables, like `{{ .STAGE }}`.
The `vault` function takes two string parameters which specify the path to the secret and the field inside it to return:

```
mySecretName = {{ vault "secret/mySecret" "name" }}
mySecretPassword = {{ vault "secret/mySecret" "password" }}
```

This renders to:

```
mySecretName = john
mySecretPassword = secret
```
The `vaultMap` function takes one string parameter which specifies the path to the secret, and returns all of its fields as a map:

```
{{ range $name, $secret := vaultMap "secret/mySecret" }}
{{ $name }}: {{ $secret }}
{{- end }}
```

This renders to:

```
name: john
password: secret
```
A more realistic example:

```
---
# Common vars
{{- $customer := .CUSTOMER }}
{{- $stage := .STAGE }}
{{- $project := .PROJECT }}
{{- $postgres := print "kv/data/" $customer "/" $stage "/" $project "/postgres" }}
{{- $postgresMap := vaultMap $postgres }}
postgresql:
  postgresqlUsername: {{ $postgresMap.data.user }}
  postgresqlPassword: {{ $postgresMap.data.password }}
  postgresqlDatabase: {{ $postgresMap.data.db }}
app:
  postgres:
    {{ range $name, $secret := $postgresMap }}
    {{ $name }}: {{ $secret }}
    {{- end }}
```
And the command that uses this template in Kubernetes:

```shell
CUSTOMER=internal STAGE=test PROJECT=myprj vault-template -o values.yaml -t values.tmpl -v "http://vault.default.svc.cluster.local:8200" -f token
```
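As an added example (not vault-template's own code), this shows how the `vault` and `vaultMap` functions and the `{{ .STAGE }}` environment lookup map onto Go's `text/template` FuncMap, and how a missing secret, field or variable can be made a render error rather than an empty value in the generated config. `SecretStore` and `Render` are hypothetical names, and the in-memory store stands in for a real Vault client.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// SecretStore is a hypothetical in-memory stand-in for a Vault client (path -> field -> value).
type SecretStore map[string]map[string]string

// Render executes tmplText with vault "path" "field" and vaultMap "path"; env is exposed as {{ .NAME }}.
func Render(store SecretStore, env map[string]string, tmplText string) (string, error) {
	vaultMap := func(path string) (map[string]string, error) {
		if kv, ok := store[path]; ok {
			return kv, nil
		}
		return nil, fmt.Errorf("secret %q not found", path)
	}
	vault := func(path, field string) (string, error) {
		kv, err := vaultMap(path)
		if err != nil {
			return "", err
		}
		if val, ok := kv[field]; ok {
			return val, nil
		}
		return "", fmt.Errorf("field %q not found in %q", field, path)
	}
	// missingkey=error makes a misspelled {{ .STAGE }} a hard failure instead of
	// silently writing "<no value>" into the rendered config file.
	t, err := template.New("config").Funcs(template.FuncMap{"vault": vault, "vaultMap": vaultMap}).Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, env); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample data mirroring the README's "vault write secret/mySecret ..." example.
	store := SecretStore{"secret/mySecret": {"name": "john", "password": "secret"}}
	out, err := Render(store, map[string]string{"STAGE": "test"}, "stage = {{ .STAGE }}\nmySecretName = {{ vault \"secret/mySecret\" \"name\" }}\n")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```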