Refactor the Vault plugin to work in 'flex_mode', with documentation #52

Merged
merged 4 commits into from Apr 18, 2017

Contributor

schuylr commented Mar 22, 2017

As I chatted on Gitter about, I have a different way that I'd like to use Vault, specifically being able to take a single path and reuse it between different environments instead of having to replicate the value into template-specific namespaces.

Here is my Pull Request for such a "mode" to do this. I added test cases, documentation, and kept it backwards compatible with the existing plugin implementation. I was trying to go for a very unbiased approach. Here's a sample config:

data_sources: [ "vault" , "file", "environment" ]
template_sources: [ "file" ]

dynamic_values: true
vault:
  url: 'http://127.0.0.1:8200'
  flex_mode: true
  values:
    foo: 'secret/custom/foo'
    custom: 'secret/custom'
    global_dev_foo: 'secret/%e/foo'

environments:
  development:
    test.erb:
      target: test.txt
      vault:
        dev_foo: 'secret/<%= environment %>/foo'

test.erb:
  vault:
    all_foo: 'secret/<%= environment %>/foo'

Given a Vault with:

Vault.logical.write('/secret/custom/foo', value: 'bar')
Vault.logical.write('/secret/development/foo', value: 'devbar')

You can create a test.erb file with various usages:

foo_value: <%= foo[:value] %>
custom_foo_value: <%= custom[:foo][:value] %>
global_dev_foo_value: <%= global_dev_foo[:value] %>
local_dev_foo_value: <%= dev_foo[:value] %>
all_foo_value: <%= all_foo[:value] %>

Note I also made it possible to use dynamic values in a Vault template path, since I would like to be able to use environment variables to dictate what Vault paths to access. For example, I run different localized versions of my application, so I want to set a SITE_COUNTRY environment variable to access a secret/country/<%= env_site_country %> list of values.

I'm not fully aware of the design philosophy of Tiller so I'm sure you'll have some feedback. The way I've designed the plugin here is exactly how I would like Tiller to work for me, but this may not be the same for everyone else.

@schuylr schuylr force-pushed the schuylr:master branch from 95aa986 to 1260600 Mar 22, 2017
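
An added sketch of how the sample configuration above resolves, written for this page and not taken from Tiller's plugin code: `resolve_path`, `read_path`, `flex_values` and the in-memory `FAKE_VAULT` are hypothetical stand-ins, and the lookup behaviour is inferred from the sample. Because an environment variable such as SITE_COUNTRY ends up choosing which secret path is read, the sketch also rejects any substituted value that would add or alter path segments.

```ruby
require 'erb'

# Constructed stand-in for Vault, holding the two secrets from the description above.
FAKE_VAULT = {
  'secret/custom/foo'      => { value: 'bar' },
  'secret/development/foo' => { value: 'devbar' }
}.freeze

# Assumption for this sketch: a substituted value may fill exactly one path segment.
SAFE_SEGMENT = /\A[A-Za-z0-9_-]+\z/

# Hypothetical helper: expand ERB tags and %e in a configured Vault path.
def resolve_path(template, environment:, env: {})
  vars = { environment: environment }
  # Expose environment variables as env_<lowercase name>, as in env_site_country.
  env.each { |k, v| vars[:"env_#{k.downcase}"] = v if k.match?(/\A[A-Za-z_]\w*\z/) }
  path = ERB.new(template).result_with_hash(vars).gsub('%e', environment)
  segments = path.split('/', -1)
  same_depth = segments.size == template.split('/', -1).size
  unless same_depth && segments.all? { |s| s.match?(SAFE_SEGMENT) }
    raise ArgumentError, "refusing Vault path #{path.inspect} from #{template.inspect}"
  end
  path
end

# A leaf path returns the secret itself; a prefix returns its children keyed by
# name, which is what lets a template write custom[:foo][:value].
def read_path(store, path)
  return store[path] if store.key?(path)
  store.select { |k, _| k.start_with?("#{path}/") }.each_with_object({}) do |(k, v), tree|
    *dirs, leaf = k.delete_prefix("#{path}/").split('/')
    dirs.reduce(tree) { |node, d| node[d.to_sym] ||= {} }[leaf.to_sym] = v
  end
end

# Resolve every name => path template pair of a `values:` or `vault:` block.
def flex_values(mapping, environment:, env: {}, store: FAKE_VAULT)
  mapping.transform_values do |template|
    read_path(store, resolve_path(template, environment: environment, env: env))
  end
end

if $PROGRAM_NAME == __FILE__
  sample = { 'foo' => 'secret/custom/foo', 'custom' => 'secret/custom',
             'global_dev_foo' => 'secret/%e/foo',
             'all_foo' => 'secret/<%= environment %>/foo' }
  p flex_values(sample, environment: 'development')
end
```
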

Owner

markround commented Mar 23, 2017

This looks great! Thanks so much for this. I'm on holiday for a couple of weeks now but will pick this up when I'm back.

Owner

markround left a comment

Amazing work, thank you so much for this!

@markround markround changed the base branch from master to develop Apr 18, 2017

@markround markround merged commit 295d83f into markround:develop Apr 18, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed