vault_env_secrets 1.0.0 → 2.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a239afd0a1d9d133166b8c3f88f15162d9b4537437b5eee5ac602f99246ba196
4
- data.tar.gz: 07ad320f88de1b735c9f5be34a95be6b6897fe71ae8943e5e36cd8e141c685ee
3
+ metadata.gz: a342ebc246007f7a1157b228efb4b7f10f711ee425e08e951596f7490b608661
4
+ data.tar.gz: 7846c31b5eb2c8feaddb213e7e2c8ebb66f66343d34169cbe496d322ae9cd798
5
5
  SHA512:
6
- metadata.gz: 10feaf9ceffbb1892c20702623cbcec3c07b62bfbdcef60e216d4b1b9063ce3e68e70afbe1ec28710d0640be1f412b59ab9025322c841fd149c4c625770916dc
7
- data.tar.gz: 475a66ab45ef7e558a1c7c09f919af52207695ec1d9691918df9087b4efb3388d0c35e1e45b0a4d47fc52488bae233f45c4425b6a71d33afac1e9088f7ff7aa1
6
+ metadata.gz: 2d4b22ad4bb0828eaed9224e87f451026e8949504951f5ba08f1251eef4c871042f37c541c83b4559a1123eae7fad65c57c0c7da4f1cc27147bcb0bbb582a2eb
7
+ data.tar.gz: 8bfb66cbe3dba8f773b23c7ff21cdd5831928257faf0f3e9292c3eb855c4f8b5ad6bb4dfd2763ca29d1cb6d89aff3ea91fe88fd298f30f3b43793b9fb8fb6bcc
data/CHANGELOG.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # VaultEnvSecrets Change Log
2
2
 
3
+ ## [2.0.0] - 2024-07-19
4
+
5
+ ### Changed
6
+
7
+ - Switch from `consul-template` to `gomplate` for template rendering via Vault. This eliminates the need for writing to a temp file in plain text.
8
+
3
9
  ## [1.0.0] - 2023-08-19
4
10
 
5
11
  - Initial release
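Review bot: the 2.0.0 entry should spell out the breaking configuration change that rides along with the template-engine switch: the README hunk below removes the `VaultEnvSecrets.consul_template_config` and `VaultEnvSecrets.consul_template_output` accessors in favour of a single `VaultEnvSecrets.template_path`, and the default template location moves from `config/vault.hcl` to `config/vault_secrets.json.tmpl`. An existing initializer that assigns the old accessors will fail at boot with the 2.0.0 lib, so a `### Removed` bullet naming the old options and their replacement, plus a line saying that the `gomplate` binary now has to be installed in place of `consul-template`, would make the major-version bump self-explanatory.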
data/Gemfile.lock CHANGED
@@ -1,57 +1,57 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- vault_env_secrets (1.0.0)
4
+ vault_env_secrets (2.0.0)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
8
8
  specs:
9
9
  ast (2.4.2)
10
- base64 (0.1.1)
11
- json (2.6.3)
10
+ json (2.7.2)
12
11
  language_server-protocol (3.17.0.3)
13
12
  lint_roller (1.1.0)
14
- minitest (5.19.0)
15
- parallel (1.23.0)
16
- parser (3.2.2.3)
13
+ minitest (5.24.1)
14
+ parallel (1.25.1)
15
+ parser (3.3.4.0)
17
16
  ast (~> 2.4.1)
18
17
  racc
19
- racc (1.7.1)
18
+ racc (1.8.0)
20
19
  rainbow (3.1.1)
21
- rake (13.0.6)
22
- regexp_parser (2.8.1)
23
- rexml (3.2.6)
24
- rubocop (1.56.0)
25
- base64 (~> 0.1.1)
20
+ rake (13.2.1)
21
+ regexp_parser (2.9.2)
22
+ rexml (3.3.2)
23
+ strscan
24
+ rubocop (1.64.1)
26
25
  json (~> 2.3)
27
26
  language_server-protocol (>= 3.17.0)
28
27
  parallel (~> 1.10)
29
- parser (>= 3.2.2.3)
28
+ parser (>= 3.3.0.2)
30
29
  rainbow (>= 2.2.2, < 4.0)
31
30
  regexp_parser (>= 1.8, < 3.0)
32
31
  rexml (>= 3.2.5, < 4.0)
33
- rubocop-ast (>= 1.28.1, < 2.0)
32
+ rubocop-ast (>= 1.31.1, < 2.0)
34
33
  ruby-progressbar (~> 1.7)
35
34
  unicode-display_width (>= 2.4.0, < 3.0)
36
- rubocop-ast (1.29.0)
37
- parser (>= 3.2.1.0)
38
- rubocop-performance (1.19.0)
39
- rubocop (>= 1.7.0, < 2.0)
40
- rubocop-ast (>= 0.4.0)
35
+ rubocop-ast (1.31.3)
36
+ parser (>= 3.3.1.0)
37
+ rubocop-performance (1.21.1)
38
+ rubocop (>= 1.48.1, < 2.0)
39
+ rubocop-ast (>= 1.31.1, < 2.0)
41
40
  ruby-progressbar (1.13.0)
42
- standard (1.31.0)
41
+ standard (1.39.2)
43
42
  language_server-protocol (~> 3.17.0.2)
44
43
  lint_roller (~> 1.0)
45
- rubocop (~> 1.56.0)
44
+ rubocop (~> 1.64.0)
46
45
  standard-custom (~> 1.0.0)
47
- standard-performance (~> 1.2)
46
+ standard-performance (~> 1.4)
48
47
  standard-custom (1.0.2)
49
48
  lint_roller (~> 1.0)
50
49
  rubocop (~> 1.50)
51
- standard-performance (1.2.0)
50
+ standard-performance (1.4.0)
52
51
  lint_roller (~> 1.1)
53
- rubocop-performance (~> 1.19.0)
54
- unicode-display_width (2.4.2)
52
+ rubocop-performance (~> 1.21.0)
53
+ strscan (3.1.0)
54
+ unicode-display_width (2.5.0)
55
55
 
56
56
  PLATFORMS
57
57
  arm64-darwin-21
data/README.md CHANGED
@@ -1,10 +1,10 @@
1
1
  # VaultEnvSecrets
2
2
 
3
- A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [consul-template](https://github.com/hashicorp/consul-template) YAML template. Automatic integration with Rails is supported.
3
+ A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [gomplate](https://gomplate.ca) JSON template. Automatic integration with Rails is supported.
4
4
 
5
5
  ## Requirements/Assumptions
6
6
 
7
- - By default, a `consul-template` config file needs to be present in `config/vault.hcl` that defines a `template` that will render secrets in a YAML output file to `tmp/vault/secrets.yml`.
7
+ - By default, a `gomplate` template needs to be present in `config/vault_secrets.json.tmpl` that defines a template that will render secrets to JSON output.
8
8
  - You must be authenticate to Vault in some fashion outside of this library (eg, `vault login` is used before startup and `~/.vault-token` is present, or `VAULT_TOKEN` is set, etc).
9
9
  - For Rails integration, secrets will only be read once on application startup (so to pick up changes in development, you must restart the Rails server).
10
10
 
@@ -24,7 +24,7 @@ gem install vault_env_secrets
24
24
 
25
25
  ## Example Usage
26
26
 
27
- This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/consul-template), with the assumption that there will be a YAML output file that can be read in. There are a variety of ways to use this, but as an example:
27
+ This gem mostly defers to to [`gomplate`](https://gomplate.ca), with the assumption that there will be a JSON output file that can be read in. There are a variety of ways to use this, but as an example:
28
28
 
29
29
  1. Authenticate against Vault:
30
30
 
@@ -32,43 +32,34 @@ This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/co
32
32
  vault login
33
33
  ```
34
34
 
35
- 2. Define a `consul-template` [configuration file](https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file) in the default `config/vault.hcl` location:
35
+ 2. Define a `gomplate` [configuration file](https://docs.gomplate.ca/config/) in `.gomplate.yaml` to declare your Vault datasource:
36
36
 
37
37
  ```hcl
38
- vault {
39
- address = "https://vault.example.com/"
40
- renew_token = true
41
-
42
- retry {
43
- enabled = false
44
- }
45
- }
46
-
47
- template {
48
- source = "./config/vault/secrets.yml.ctmpl"
49
- destination = "./tmp/vault/secrets.yml"
50
- error_on_missing_key = true
51
- perms = 0600
52
- }
38
+ datasources:
39
+ vault:
40
+ url: "vault://vault.example.com/secret/data"
53
41
  ```
54
42
 
55
- 3. Define the template that the `config/vault.hcl` config file references (which should be configured to output to `tmp/vault/secrets.yml` by default). In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
43
+ 3. Define the template in the default `config/vault_secrets.json.tmpl` location. In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
56
44
 
57
45
  ```ctmpl
58
- {{ $rails_env := (envOrDefault "RAILS_ENV" "development") }}
59
-
60
- {{ with secret (printf "secret/my-app/%s/web" $deploy_env) }}
61
- {{ scratch.MapSet "secrets" "SECRET_KEY_BASE" .Data.data.secret_key_base }}
62
- {{ scratch.MapSet "secrets" "SECRET_DB_HOST" .Data.data.db_host }}
63
- {{ scratch.MapSet "secrets" "SECRET_DB_NAME" .Data.data.db_name }}
64
- {{ scratch.MapSet "secrets" "SECRET_DB_USERNAME" .Data.data.db_username }}
65
- {{ scratch.MapSet "secrets" "SECRET_DB_PASSWORD" .Data.data.db_password }}
46
+ {{ $rails_env := (env.Getenv "RAILS_ENV" "development") }}
47
+ {{ $secrets := coll.Dict }}
48
+
49
+ {{ with (datasource "vault" (printf "my-app/%s/web" $rails_env)).data }}
50
+ {{ $secrets = coll.Merge $secrets (coll.Dict
51
+ "SECRET_KEY_BASE" .secret_key_base
52
+ "SECRET_DB_HOST" .db_host
53
+ "SECRET_DB_NAME" .db_name
54
+ "SECRET_DB_USERNAME" .db_username
55
+ "SECRET_DB_PASSWORD" .db_password
56
+ )}}
66
57
  {{ end }}
67
58
 
68
- {{ scratch.Get "secrets" | toYAML }}
59
+ {{ $secrets | data.ToJSON }}
69
60
  ```
70
61
 
71
- 4. With the gem installed, any variables defined in the output YAML from the `consul-template` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the YAML output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
62
+ 4. With the gem installed, any variables defined in the output JSON from the `gomplate` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the JSON output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
72
63
 
73
64
  ## Configuration
74
65
 
@@ -82,20 +73,12 @@ Optionally disable loading VaultEnvSecrets (for example, if this gem only needs
82
73
  VaultEnvSecrets.enabled = false # Defaults to `true`
83
74
  ```
84
75
 
85
- #### `VaultEnvSecrets.consul_template_config`
76
+ #### `VaultEnvSecrets.template_path`
86
77
 
87
- Set a custom path to the `consul-template` config file.
78
+ Set a custom path to the `gomplate` JSON template file.
88
79
 
89
80
  ```ruby
90
- VaultEnvSecrets.consul_template_config = "config/my_config.hcl" # Defaults to `config/vault.hcl`
91
- ```
92
-
93
- #### `VaultEnvSecrets.consul_template_output`
94
-
95
- Set a custom path to the YAML output file generated from the `consul-template` template.
96
-
97
- ```ruby
98
- VaultEnvSecrets.consul_template_output = "tmp/my_secrets.yml" # Defaults to `tmp/vault/secrets.yml`
81
+ VaultEnvSecrets.template_path = "config/my_secrets.json.tmpl" # Defaults to `config/vault_secrets.json.tmpl`
99
82
  ```
100
83
 
101
84
  ## Development
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module VaultEnvSecrets
4
- VERSION = "1.0.0"
4
+ VERSION = "2.0.0"
5
5
  end
@@ -1,58 +1,51 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "json"
4
+ require "open3"
3
5
  require "pathname"
4
- require "yaml"
5
6
 
6
7
  require_relative "vault_env_secrets/errors"
7
8
  require_relative "vault_env_secrets/version"
8
9
 
9
10
  module VaultEnvSecrets
10
11
  @enabled = true
11
- @consul_template_config = "config/vault.hcl"
12
- @consul_template_output = "tmp/vault/secrets.yml"
12
+ @template_path = "config/vault_secrets.json.tmpl"
13
13
 
14
14
  class << self
15
15
  attr_accessor :enabled
16
- attr_accessor :consul_template_config
17
- attr_accessor :consul_template_output
16
+ attr_accessor :template_path
18
17
 
19
18
  def load(env: {})
20
19
  if enabled
21
- # Check that the expected consul-template config file exists.
22
- config_path = Pathname.new(consul_template_config)
23
- if defined?(::Rails) && config_path.relative?
24
- config_path = Rails.root.join(consul_template_config)
20
+ # Check that the expected template file exists.
21
+ path = Pathname.new(template_path)
22
+ if defined?(::Rails) && path.relative?
23
+ path = Rails.root.join(template_path)
25
24
  end
26
- unless config_path.exist?
27
- raise Error.new("consul-template config path (#{config_path.to_s.inspect}) does not exist")
25
+ unless path.exist?
26
+ raise Error.new("vault template path (#{path.to_s.inspect}) does not exist")
28
27
  end
29
28
 
30
- # Run consul-template to render any template files.
31
- system(env, "consul-template", "-config", config_path.to_s, "-once", exception: true)
32
-
33
- # Check that the expected output file exists.
34
- output_path = Pathname.new(consul_template_output)
35
- if defined?(::Rails) && output_path.relative?
36
- output_path = Rails.root.join(consul_template_output)
37
- end
38
- unless output_path.exist?
39
- raise Error.new("consul-template rendered output path (#{output_path.to_s.inspect}) does not exist")
29
+ # Run gomplate to render any template files.
30
+ output, status = Open3.capture2(env, "gomplate", "--file", path.to_s)
31
+ unless status.success?
32
+ raise Error.new("vault template gomplate render failed: #{status}")
40
33
  end
41
34
 
42
- # Read the output YAML file and set any of the variables as environment
35
+ # Read the output JSON and set any of the variables as environment
43
36
  # variables.
44
- secrets = YAML.safe_load_file(output_path)
37
+ secrets = JSON.parse(output)
45
38
  if secrets
46
- # Make sure the YAML output is an expected hash.
39
+ # Make sure the JSON output is an expected hash.
47
40
  unless secrets.is_a?(Hash)
48
- raise Error.new("YAML in consul-template output file does not of expected Hash type (#{output_path.to_s.inspect})")
41
+ raise Error.new("JSON in vault template output does not of expected Hash type (#{path.to_s.inspect})")
49
42
  end
50
43
 
51
44
  secrets.each do |key, value|
52
45
  # Reject nested values that can't be set as simple string values
53
46
  # for environment variable purposes.
54
47
  if value.is_a?(Array) || value.is_a?(Hash)
55
- raise Error.new("YAML in consul-template output file has nested data that cannot be set as environment variables (#{output_path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
48
+ raise Error.new("JSON in vault template output has nested data that cannot be set as environment variables (#{path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
56
49
  end
57
50
 
58
51
  ENV[key] = value.to_s
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: vault_env_secrets
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 2.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nick Muerdter
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-08-19 00:00:00.000000000 Z
11
+ date: 2024-07-19 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description:
14
14
  email:
@@ -34,8 +34,8 @@ licenses:
34
34
  - MIT
35
35
  metadata:
36
36
  homepage_uri: https://github.com/GUI/vault_env_secrets
37
- source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v1.0.0
38
- changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v1.0.0/CHANGELOG.md
37
+ source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v2.0.0
38
+ changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v2.0.0/CHANGELOG.md
39
39
  post_install_message:
40
40
  rdoc_options: []
41
41
  require_paths:
@@ -51,7 +51,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
51
51
  - !ruby/object:Gem::Version
52
52
  version: '0'
53
53
  requirements: []
54
- rubygems_version: 3.4.10
54
+ rubygems_version: 3.5.14
55
55
  signing_key:
56
56
  specification_version: 4
57
57
  summary: Load secrets from Vault into environment variables (via consul-template config
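Review bot: the gemspec `summary` in the unchanged context line still reads "Load secrets from Vault into environment variables (via consul-template config", so the rubygems.org listing for 2.0.0 will advertise the tool this release removes. The version, date, `source_code_uri` and `changelog_uri` were all bumped in this metadata diff; the summary in the gemspec was missed and should be reworded around `gomplate` before 2.0.0 is pushed.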