vault_env_secrets 1.0.0 → 2.0.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/Gemfile.lock +25 -25
- data/README.md +24 -41
- data/lib/vault_env_secrets/version.rb +1 -1
- data/lib/vault_env_secrets.rb +19 -26
- metadata +5 -5
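--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a342ebc246007f7a1157b228efb4b7f10f711ee425e08e951596f7490b608661
+data.tar.gz: 7846c31b5eb2c8feaddb213e7e2c8ebb66f66343d34169cbe496d322ae9cd798
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2d4b22ad4bb0828eaed9224e87f451026e8949504951f5ba08f1251eef4c871042f37c541c83b4559a1123eae7fad65c57c0c7da4f1cc27147bcb0bbb582a2eb
+data.tar.gz: 8bfb66cbe3dba8f773b23c7ff21cdd5831928257faf0f3e9292c3eb855c4f8b5ad6bb4dfd2763ca29d1cb6d89aff3ea91fe88fd298f30f3b43793b9fb8fb6bcc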
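--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,11 @@
 # VaultEnvSecrets Change Log
 
+## [2.0.0] - 2024-07-19
+
+### Changed
+
+- Switch from `consul-template` to `gomplate` for template rendering via Vault. This eliminates the need for writing to a temp file in plain text.
+
 ## [1.0.0] - 2023-08-19
 
 - Initial release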
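--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,57 +1,57 @@
 PATH
 remote: .
 specs:
-vault_env_secrets (
+vault_env_secrets (2.0.0)
 
 GEM
 remote: https://rubygems.org/
 specs:
 ast (2.4.2)
-
-json (2.6.3)
+json (2.7.2)
 language_server-protocol (3.17.0.3)
 lint_roller (1.1.0)
-minitest (5.
-parallel (1.
-parser (3.
+minitest (5.24.1)
+parallel (1.25.1)
+parser (3.3.4.0)
 ast (~> 2.4.1)
 racc
-racc (1.
+racc (1.8.0)
 rainbow (3.1.1)
-rake (13.
-regexp_parser (2.
-rexml (3.2
-
-
+rake (13.2.1)
+regexp_parser (2.9.2)
+rexml (3.3.2)
+strscan
+rubocop (1.64.1)
 json (~> 2.3)
 language_server-protocol (>= 3.17.0)
 parallel (~> 1.10)
-parser (>= 3.
+parser (>= 3.3.0.2)
 rainbow (>= 2.2.2, < 4.0)
 regexp_parser (>= 1.8, < 3.0)
 rexml (>= 3.2.5, < 4.0)
-rubocop-ast (>= 1.
+rubocop-ast (>= 1.31.1, < 2.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (>= 2.4.0, < 3.0)
-rubocop-ast (1.
-parser (>= 3.
-rubocop-performance (1.
-rubocop (>= 1.
-rubocop-ast (>=
+rubocop-ast (1.31.3)
+parser (>= 3.3.1.0)
+rubocop-performance (1.21.1)
+rubocop (>= 1.48.1, < 2.0)
+rubocop-ast (>= 1.31.1, < 2.0)
 ruby-progressbar (1.13.0)
-standard (1.
+standard (1.39.2)
 language_server-protocol (~> 3.17.0.2)
 lint_roller (~> 1.0)
-rubocop (~> 1.
+rubocop (~> 1.64.0)
 standard-custom (~> 1.0.0)
-standard-performance (~> 1.
+standard-performance (~> 1.4)
 standard-custom (1.0.2)
 lint_roller (~> 1.0)
 rubocop (~> 1.50)
-standard-performance (1.
+standard-performance (1.4.0)
 lint_roller (~> 1.1)
-rubocop-performance (~> 1.
-
+rubocop-performance (~> 1.21.0)
+strscan (3.1.0)
+unicode-display_width (2.5.0)
 
 PLATFORMS
 arm64-darwin-21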
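--- a/data/README.md
+++ b/data/README.md
@@ -1,10 +1,10 @@
 # VaultEnvSecrets
 
-A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [
+A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [gomplate](https://gomplate.ca) JSON template. Automatic integration with Rails is supported.
 
 ## Requirements/Assumptions
 
-- By default, a `
+- By default, a `gomplate` template needs to be present in `config/vault_secrets.json.tmpl` that defines a template that will render secrets to JSON output.
 - You must be authenticate to Vault in some fashion outside of this library (eg, `vault login` is used before startup and `~/.vault-token` is present, or `VAULT_TOKEN` is set, etc).
 - For Rails integration, secrets will only be read once on application startup (so to pick up changes in development, you must restart the Rails server).
 
@@ -24,7 +24,7 @@ gem install vault_env_secrets
 
 ## Example Usage
 
-This gem mostly defers to to [`
+This gem mostly defers to to [`gomplate`](https://gomplate.ca), with the assumption that there will be a JSON output file that can be read in. There are a variety of ways to use this, but as an example:
 
 1. Authenticate against Vault:
 
@@ -32,43 +32,34 @@ This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/co
 vault login
 ```
 
-2. Define a `
+2. Define a `gomplate` [configuration file](https://docs.gomplate.ca/config/) in `.gomplate.yaml` to declare your Vault datasource:
 
 ```hcl
-
-
-
-
-retry {
-enabled = false
-}
-}
-
-template {
-source = "./config/vault/secrets.yml.ctmpl"
-destination = "./tmp/vault/secrets.yml"
-error_on_missing_key = true
-perms = 0600
-}
+datasources:
+vault:
+url: "vault://vault.example.com/secret/data"
 ```
 
-3. Define the template
+3. Define the template in the default `config/vault_secrets.json.tmpl` location. In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
 
 ```ctmpl
-{{ $rails_env := (
-
-
-
-{{
-
-
-
+{{ $rails_env := (env.Getenv "RAILS_ENV" "development") }}
+{{ $secrets := coll.Dict }}
+
+{{ with (datasource "vault" (printf "my-app/%s/web" $rails_env)).data }}
+{{ $secrets = coll.Merge $secrets (coll.Dict
+"SECRET_KEY_BASE" .secret_key_base
+"SECRET_DB_HOST" .db_host
+"SECRET_DB_NAME" .db_name
+"SECRET_DB_USERNAME" .db_username
+"SECRET_DB_PASSWORD" .db_password
+)}}
 {{ end }}
 
-{{
+{{ $secrets | data.ToJSON }}
 ```
 
-4. With the gem installed, any variables defined in the output
+4. With the gem installed, any variables defined in the output JSON from the `gomplate` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the JSON output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
 
 ## Configuration
 
@@ -82,20 +73,12 @@ Optionally disable loading VaultEnvSecrets (for example, if this gem only needs
 VaultEnvSecrets.enabled = false # Defaults to `true`
 ```
 
-#### `VaultEnvSecrets.
+#### `VaultEnvSecrets.template_path`
 
-Set a custom path to the `
+Set a custom path to the `gomplate` JSON template file.
 
 ```ruby
-VaultEnvSecrets.
-```
-
-#### `VaultEnvSecrets.consul_template_output`
-
-Set a custom path to the YAML output file generated from the `consul-template` template.
-
-```ruby
-VaultEnvSecrets.consul_template_output = "tmp/my_secrets.yml" # Defaults to `tmp/vault/secrets.yml`
+VaultEnvSecrets.template_path = "config/my_secrets.json.tmpl" # Defaults to `config/vault_secrets.json.tmpl`
 ```
 
 ## Development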
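--- a/data/lib/vault_env_secrets.rb
+++ b/data/lib/vault_env_secrets.rb
@@ -1,58 +1,51 @@
 # frozen_string_literal: true
 
+require "json"
+require "open3"
 require "pathname"
-require "yaml"
 
 require_relative "vault_env_secrets/errors"
 require_relative "vault_env_secrets/version"
 
 module VaultEnvSecrets
 @enabled = true
-@
-@consul_template_output = "tmp/vault/secrets.yml"
+@template_path = "config/vault_secrets.json.tmpl"
 
 class << self
 attr_accessor :enabled
-attr_accessor :
-attr_accessor :consul_template_output
+attr_accessor :template_path
 
 def load(env: {})
 if enabled
-# Check that the expected
-
-if defined?(::Rails) &&
-
+# Check that the expected template file exists.
+path = Pathname.new(template_path)
+if defined?(::Rails) && path.relative?
+path = Rails.root.join(template_path)
 end
-unless
-raise Error.new("
+unless path.exist?
+raise Error.new("vault template path (#{path.to_s.inspect}) does not exist")
 end
 
-# Run
-
-
-
-output_path = Pathname.new(consul_template_output)
-if defined?(::Rails) && output_path.relative?
-output_path = Rails.root.join(consul_template_output)
-end
-unless output_path.exist?
-raise Error.new("consul-template rendered output path (#{output_path.to_s.inspect}) does not exist")
+# Run gomplate to render any template files.
+output, status = Open3.capture2(env, "gomplate", "--file", path.to_s)
+unless status.success?
+raise Error.new("vault template gomplate render failed: #{status}")
 end
 
-# Read the output
+# Read the output JSON and set any of the variables as environment
 # variables.
-secrets =
+secrets = JSON.parse(output)
 if secrets
-# Make sure the
+# Make sure the JSON output is an expected hash.
 unless secrets.is_a?(Hash)
-raise Error.new("
+raise Error.new("JSON in vault template output does not of expected Hash type (#{path.to_s.inspect})")
 end
 
 secrets.each do |key, value|
 # Reject nested values that can't be set as simple string values
 # for environment variable purposes.
 if value.is_a?(Array) || value.is_a?(Hash)
-raise Error.new("
+raise Error.new("JSON in vault template output has nested data that cannot be set as environment variables (#{path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
 end
 
 ENV[key] = value.to_s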
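Review bot: `secrets = JSON.parse(output)` on new line 37 lets `JSON::ParserError` escape as a raw exception whenever gomplate exits successfully but prints something that is not JSON, while every other failure in `load` is raised as `VaultEnvSecrets::Error`, so callers rescuing the gem's own error type miss this case. The parser's message also quotes the offending text from the rendered output, so an unhandled exception here can carry secret values into logs and error reporters; wrapping the parse and raising an `Error` that names only the template path avoids both problems, as below. A smaller nit on new line 41: the message reads "does not of expected Hash type", where "is not of the expected Hash type" is presumably intended. `load` and its `if enabled` block close outside the hunk.
```ruby
# … unchanged: template path check, gomplate render and status check …
secrets = begin
  JSON.parse(output)
rescue JSON::ParserError
  # Deliberately omit the parser's message: it quotes the rendered output, which holds secrets.
  raise Error.new("JSON in vault template output could not be parsed (#{path.to_s.inspect})")
end
# … unchanged: Hash type check and ENV assignment loop …
```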
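--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault_env_secrets
 version: !ruby/object:Gem::Version
-version:
+version: 2.0.0
 platform: ruby
 authors:
 - Nick Muerdter
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2024-07-19 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -34,8 +34,8 @@ licenses:
 - MIT
 metadata:
 homepage_uri: https://github.com/GUI/vault_env_secrets
-source_code_uri: https://github.com/GUI/vault_env_secrets/tree/
-changelog_uri: https://github.com/GUI/vault_env_secrets/blob/
+source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v2.0.0
+changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v2.0.0/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -51,7 +51,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.5.14
 signing_key:
 specification_version: 4
 summary: Load secrets from Vault into environment variables (via consul-template config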