cf plugin to push cf app with vault
How to install
$ cf install-plugin -r CF-Community "push-with-vault"
Or download the tar.gz file from the release page and install it manually:
$ tar -zxvf cf-push-with-vault_*.tar.gz
$ cf install-plugin -f ./cf-push-with-vault
How to use
$ cf push-with-vault -h
NAME:
   push-with-vault - This enable to use (( )) place holders in manifest files. (( )) are evaluated by vault
USAGE:
   $ cf push-with-vault [APP_NAME]
OPTIONS:
   --domain, -d         Specify a custom domain (e.g. private-domain.example.com, apps.internal.com) to use instead of the default domain
   --file, -f           Path to manifest (default: ./manifest.yml)
   --hostname, -n       Hostname (e.g. my-subdomain)
   --path-prefix, -pp   Path under which to namespace credential lookup
   --vault-addr, -va    Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/. (default: "VAULT_ADDR" env)
   --vault-token, -vt   Vault authentication token. (default: "VAULT_TOKEN" env)
Suppose you want to push a cf app with the following manifest, filling its placeholders from Vault:
---
applications:
- name: APP-ONE
  path: ./APP-ONE-DIRECTORY
  env:
    bar: ((/foo/bar))
You must store /foo/bar in Vault with a value field (inspired by Credential lookup rules):
$ vault write /foo/bar value="cred"
This plugin supports only the KV Secrets Engine - Version 1.
$ export VAULT_ADDR=https://your.vault.address
$ export VAULT_TOKEN=xxxxxxxxxxxx
$ cf push-with-vault --path-prefix=/foo -f manifest.yml
This command has the same effect as the commands below.
$ export VAULT_ADDR=https://your.vault.address
$ export VAULT_TOKEN=xxxxxxxxxxxx
$ cf push -f manifest -v foo/bar=`vault read -field=value /foo/bar`
If your Cloud Foundry server version is old, the command above is unavailable.
This plugin still works in that case, because it parses the manifest file itself and sets the credentials from Vault.
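
A pre-flight check that can be run before `cf push-with-vault`, as an added example that is not part of the plugin: it lists the (( )) placeholders in a manifest and reports which paths have no readable value field in Vault, without printing any secret. The function names and the /foo/baz entry in the sample manifest are constructed for illustration, and placeholder paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not the plugin's own code. Assumes the vault CLI is on PATH
# and VAULT_ADDR / VAULT_TOKEN are exported, as in the steps above.

# Constructed sample manifest (the /foo/baz entry is made up for the example).
sample_manifest() {
    cat <<'EOF'
---
applications:
- name: APP-ONE
  path: ./APP-ONE-DIRECTORY
  env:
    bar: ((/foo/bar))
    baz: ((/foo/baz))
    again: ((/foo/bar))
EOF
}

# Print each distinct (( )) placeholder path in the manifest, one per line.
manifest_placeholders() {
    grep -o '(([^()]*))' "$1" \
        | sed -e 's/^((//' -e 's/))$//' -e 's/^ *//' -e 's/ *$//' \
        | sort -u
}

# Print the placeholder paths that have no readable "value" field in Vault.
# The secret itself is sent to /dev/null, so it never reaches the terminal,
# CI logs or shell history. Returns non-zero if any path is missing.
missing_secrets() {
    missing=0
    for p in $(manifest_placeholders "$1"); do
        if ! vault read -field=value "$p" >/dev/null 2>&1; then
            echo "$p"
            missing=1
        fi
    done
    return "$missing"
}
```

Run `missing_secrets manifest.yml` before the push; a non-zero exit status means at least one placeholder would not resolve.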