[Elao - App] Vault cli support #60

Open: wants to merge 1 commit into main
19 changes: 19 additions & 0 deletions elao.app/.manala/Makefile.tmpl
@@ -110,6 +110,25 @@ docker:

endif

#########
# Vault #
#########

include $(_ROOT_DIR)/.manala/make/vault.mk

ifdef VAULT_ADDR
HELP += $(call help_section, Vault)

HELP += $(call help,vault.login,Vault login)
vault.login:
$(call vault_login)

else
vault.login:
$(call message_warning, \"VAULT_ADDR\" environment variable has not been set)

endif

{{ if .Vars.releases -}}
############
# Releases #
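Review bot: the fallback `vault.login` target in the `else` branch (`$(call message_warning, \"VAULT_ADDR\" environment variable has not been set)`) prints a warning but still exits 0, so a script or a dependent target that runs `make vault.login` carries on as if a login had happened. Consider ending that recipe with `exit 1` (or using `$(error ...)`) so the missing configuration fails loudly. Also, the backslash-escaped quotes around VAULT_ADDR reach the shell as `\"VAULT_ADDR\"`; whether that renders as intended depends on how `message_warning` quotes its argument, so it is worth checking the output once.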
3 changes: 3 additions & 0 deletions elao.app/.manala/ansible/inventories/system.yaml.tmpl
@@ -496,4 +496,7 @@ system:
{{- .docker.containers | toYaml | nindent 10 }}
{{- end }}

# Vault Cli
manala_vault_cli_enabled: true

{{- end }}
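Review bot: `manala_vault_cli_enabled: true` is set unconditionally in the template, while the neighbouring docker section is closed by a `{{- end }}` and therefore templated conditionally, so the Vault CLI is installed on every system built from this template, including projects that never talk to a Vault server. Consider gating the line on a template variable (for example `{{ if .Vars.vault }}`) so the role default of `false` stays the effective default for projects that do not opt in.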
1 change: 1 addition & 0 deletions elao.app/.manala/ansible/roles/system/defaults/main.yaml
@@ -30,3 +30,4 @@ manala_elasticsearch_enabled: false
manala_influxdb_enabled: false
manala_docker_enabled: false
manala_gomplate_enabled: false
manala_vault_cli_enabled: false
6 changes: 6 additions & 0 deletions elao.app/.manala/ansible/roles/system/tasks/main.yaml
@@ -179,3 +179,9 @@
name: gomplate
when: manala_gomplate_enabled
tags: [gomplate]

# Vault Cli
- import_role:
name: vault_cli
when: manala_vault_cli_enabled
tags: [vault]
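Review bot: the tag `[vault]` breaks the pattern used by the preceding entry, where the tag equals the role name (`name: gomplate` / `tags: [gomplate]`); `tags: [vault_cli]` would keep `--tags` invocations predictable. Separately, this PR adds no `roles/vault_cli` directory, so the role must come from an external dependency; the PR description should state where it is pulled from and at which version so the system build stays reproducible.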
9 changes: 9 additions & 0 deletions elao.app/.manala/make/vault.mk
@@ -0,0 +1,9 @@
#########
# Vault #
#########

define vault_login
$(call message, Vault login)
read -p "Username: " USERNAME; \
vault login -method=userpass username=$${USERNAME}
endef
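Review bot: `read -p "Username: " USERNAME` relies on the bash-only `-p` option; if recipes run under `/bin/sh` (dash on Debian/Ubuntu) that line fails with an illegal-option error before `vault login` ever runs. Either set `SHELL := /bin/bash` in the Makefile or print the prompt with `printf "Username: "` followed by a plain `read USERNAME`. The `; \` continuation is correct: it keeps `read` and `vault login` in one shell so `$${USERNAME}` is visible to the second command. One line of documentation would help here: `vault login` caches the returned token in plaintext in `~/.vault-token`, so developers should know it is there and that `vault token revoke -self` removes it when they are done.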
28 changes: 15 additions & 13 deletions elao.app/README.md
@@ -537,16 +537,20 @@ test.phpunit@integration:
In order to deploy secrets, you can use [Gomplate](https://docs.gomplate.ca), called by a make task.
Gomplate takes a template, queries its values from a Vault server and renders a file.

Add the following task in the `Makefile`:
Add the following tasks in the `Makefile`:

```
###########
# Secrets #
###########

secrets/%: _secrets
gomplate --config=secrets/$(*)
_secrets:
secrets@production:
gomplate --config=secrets/env.production.yml
gomplate --config=secrets/parameters.production.yml

secrets@staging:
gomplate --config=secrets/env.staging.yml
gomplate --config=secrets/parameters.staging.yml
```
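Review bot: `secrets@production` and `secrets@staging` are the same recipe with the environment name substituted, so the generic pattern rule this text drops could be kept in spirit as `secrets@%:` with `gomplate --config=secrets/env.$(*).yml` and `gomplate --config=secrets/parameters.$(*).yml`, avoiding one copy per environment. Whichever form stays, these targets should be declared `.PHONY`; otherwise a stray file named `secrets@production` silently turns the target into a no-op.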

Put templates in a `secrets` directory at the root of the project.
@@ -557,32 +561,30 @@ Here is an example of template:
%YAML 1.1
---

datasources:
vault:
url: vault+https://my-vault-server.com

outputFiles:
- /path/to/rendered/file

in: |
Loop on all values of the secret:
{{ range $key, $value := (datasource "vault" "MyApp/data/env").data -}}
{{ range $key, $value := (datasource "vault:///MyApp/data/env").data -}}
{{ $key }} = {{ $value | quote }}
{{ end -}}

Query only one value of the secret:
{{ (datasource "vault" "MyApp/data/env").data.value1 -}}
{{ (datasource "vault:///MyApp/data/env").data.value1 -}}
```

/!\ Note that the path to the secret will slightly differ from what the Vault server will display \
/!\ If the path is `MyApp/production/env` on the Vault server, it will become `MyApp/data/production/env` in the template

Gomplate uses [Go Template syntax](https://docs.gomplate.ca/syntax/)

To render the file, call the template with the `make secrets/%` task, where `%` is the name of the template.
In order to use secrets in development or integration environment, a `VAULT_ADDR` environment variable must be set,
defining the Vault server address expressed as an URL, for example: `https://127.0.0.1:8200`
Login to the vaut server using:

```shell
make secrets/.env.prod
```
$ make vault.login
```

## Tips, Tricks, and Tweaks
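Review bot: the in-template references were switched to `datasource "vault:///MyApp/data/env"`, which addresses the server through `VAULT_ADDR`, but the `datasources: vault: url: vault+https://my-vault-server.com` block above them is now unreferenced and still shows a hardcoded address; drop it or switch the references back to the `vault` alias so the example does not present two ways of naming the server. Typo in the new text: `Login to the vaut server` should read `vault`. The `VAULT_ADDR` example uses `https://127.0.0.1:8200`; keep the https scheme in the documentation, since the login credentials and the returned token travel over that connection.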