Using custom variables in Vault Lookup Templates? #8522
-
I am not familiar with Vault lookup templates, but if I understand correctly what you want to achieve, the following simple alternative should work, exploiting the fact that Concourse vars interpolation can be nested. Granted, if you also need secrets compartmentalisation between environments, then my solution is too simple, although maybe it is possible to do tricks using different teams.

The details are in the new section "Two level vars interpolation for parametric secrets" of my concourse-in-a-box (all-in-one Concourse based on Docker Compose, with Minio S3-compatible storage and HashiCorp Vault secret manager).

The task

```yaml
- task: interpolation
  file: concourse-in-a-box/ci/pipelines/05-two-level-interpolation/task.yml
  params:
    ENV: ((env))
    COLOR: ((color))
    SECRET_1: ((secret-1-((env))-((color))))
    SECRET_2: ((secret-2-((env))-((color))))
```

uses a two-level vars interpolation. For example, if we do
We get:
Once we inject the secrets into Vault:
Running the job:
-
Hi there,
We have recently set up Vault for secrets management, and we have successfully configured Concourse to be able to pull secrets from it. Works great!
We're now trying to understand how to configure Vault Lookup Templates to be environment aware. For example, in a pipeline for "Service X", we might have a "Deploy Development Blue" task and a "Deploy Development Green" task. We configure these by passing a set of parameters to the task:
Is it possible to write the lookup template to use these params? An example would be `/{{.Pipeline}}/{{.DEPLOYMENT_ENVIRONMENT}}/{{.DEPLOYMENT_COLOR}}/{{.Secret}}`. Or is it only possible to use `Pipeline`, `Team` and `Secret` in templates?

If so, how is it generally recommended to handle environments when dealing with secret lookups?
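The following is an added example, not code from this thread or from Concourse. It models the two mechanisms discussed above: a lookup template rendered with only `Team`, `Pipeline` and `Secret`, and the secret name produced by the nested `((secret-1-((env))-((color))))` var. The prefix `/concourse`, team `main`, pipeline `service-x` and the helper names `lookupFields`, `renderPath` and `secretName` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// lookupFields holds the three fields the question names as template inputs.
// Assumption: a stand-in for illustration, not Concourse's own type.
type lookupFields struct {
	Team, Pipeline, Secret string
}

// renderPath expands one lookup template under a path prefix. A field the
// struct lacks (e.g. .DEPLOYMENT_ENVIRONMENT) is a template execution error.
func renderPath(prefix, tmpl string, f lookupFields) (string, error) {
	t, err := template.New("lookup").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, f); err != nil {
		return "", err // discard any partially rendered path
	}
	return prefix + b.String(), nil
}

// secretName mirrors the inner-first result of ((base-((env))-((color)))).
func secretName(base, env, color string) string {
	return fmt.Sprintf("%s-%s-%s", base, env, color)
}

func main() {
	// Constructed sample values.
	f := lookupFields{Team: "main", Pipeline: "service-x",
		Secret: secretName("secret-1", "dev", "blue")}
	for _, tmpl := range []string{
		"/{{.Team}}/{{.Pipeline}}/{{.Secret}}",
		"/{{.Team}}/{{.Secret}}",
		"/{{.Pipeline}}/{{.DEPLOYMENT_ENVIRONMENT}}/{{.DEPLOYMENT_COLOR}}/{{.Secret}}",
	} {
		p, err := renderPath("/concourse", tmpl, f)
		fmt.Printf("%s\n  path=%q err=%v\n", tmpl, p, err)
	}
}
```

In this model every env/color combination resolves under the same team and pipeline path, so the naming scheme separates secrets by name only and does not compartmentalise them between environments.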