vault_env_secrets 1.0.0 → 2.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a239afd0a1d9d133166b8c3f88f15162d9b4537437b5eee5ac602f99246ba196
4
- data.tar.gz: 07ad320f88de1b735c9f5be34a95be6b6897fe71ae8943e5e36cd8e141c685ee
3
+ metadata.gz: a342ebc246007f7a1157b228efb4b7f10f711ee425e08e951596f7490b608661
4
+ data.tar.gz: 7846c31b5eb2c8feaddb213e7e2c8ebb66f66343d34169cbe496d322ae9cd798
5
5
  SHA512:
6
- metadata.gz: 10feaf9ceffbb1892c20702623cbcec3c07b62bfbdcef60e216d4b1b9063ce3e68e70afbe1ec28710d0640be1f412b59ab9025322c841fd149c4c625770916dc
7
- data.tar.gz: 475a66ab45ef7e558a1c7c09f919af52207695ec1d9691918df9087b4efb3388d0c35e1e45b0a4d47fc52488bae233f45c4425b6a71d33afac1e9088f7ff7aa1
6
+ metadata.gz: 2d4b22ad4bb0828eaed9224e87f451026e8949504951f5ba08f1251eef4c871042f37c541c83b4559a1123eae7fad65c57c0c7da4f1cc27147bcb0bbb582a2eb
7
+ data.tar.gz: 8bfb66cbe3dba8f773b23c7ff21cdd5831928257faf0f3e9292c3eb855c4f8b5ad6bb4dfd2763ca29d1cb6d89aff3ea91fe88fd298f30f3b43793b9fb8fb6bcc
data/CHANGELOG.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # VaultEnvSecrets Change Log
2
2
 
3
+ ## [2.0.0] - 2024-07-19
4
+
5
+ ### Changed
6
+
7
+ - Switch from `consul-template` to `gomplate` for template rendering via Vault. This eliminates the need for writing to a temp file in plain text.
8
+
3
9
  ## [1.0.0] - 2023-08-19
4
10
 
5
11
  - Initial release
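Review bot: the 2.0.0 entry files the consul-template to gomplate switch under "Changed" only, but the same release removes the `VaultEnvSecrets.consul_template_config` and `VaultEnvSecrets.consul_template_output` settings in favour of `VaultEnvSecrets.template_path` and moves the default template from `config/vault.hcl` plus `config/vault/secrets.yml.ctmpl` to `config/vault_secrets.json.tmpl`. Add a "Removed" entry and a short migration note, since an existing initializer that assigns one of the old accessors will fail with a NoMethodError after upgrading.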
data/Gemfile.lock CHANGED
@@ -1,57 +1,57 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- vault_env_secrets (1.0.0)
4
+ vault_env_secrets (2.0.0)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
8
8
  specs:
9
9
  ast (2.4.2)
10
- base64 (0.1.1)
11
- json (2.6.3)
10
+ json (2.7.2)
12
11
  language_server-protocol (3.17.0.3)
13
12
  lint_roller (1.1.0)
14
- minitest (5.19.0)
15
- parallel (1.23.0)
16
- parser (3.2.2.3)
13
+ minitest (5.24.1)
14
+ parallel (1.25.1)
15
+ parser (3.3.4.0)
17
16
  ast (~> 2.4.1)
18
17
  racc
19
- racc (1.7.1)
18
+ racc (1.8.0)
20
19
  rainbow (3.1.1)
21
- rake (13.0.6)
22
- regexp_parser (2.8.1)
23
- rexml (3.2.6)
24
- rubocop (1.56.0)
25
- base64 (~> 0.1.1)
20
+ rake (13.2.1)
21
+ regexp_parser (2.9.2)
22
+ rexml (3.3.2)
23
+ strscan
24
+ rubocop (1.64.1)
26
25
  json (~> 2.3)
27
26
  language_server-protocol (>= 3.17.0)
28
27
  parallel (~> 1.10)
29
- parser (>= 3.2.2.3)
28
+ parser (>= 3.3.0.2)
30
29
  rainbow (>= 2.2.2, < 4.0)
31
30
  regexp_parser (>= 1.8, < 3.0)
32
31
  rexml (>= 3.2.5, < 4.0)
33
- rubocop-ast (>= 1.28.1, < 2.0)
32
+ rubocop-ast (>= 1.31.1, < 2.0)
34
33
  ruby-progressbar (~> 1.7)
35
34
  unicode-display_width (>= 2.4.0, < 3.0)
36
- rubocop-ast (1.29.0)
37
- parser (>= 3.2.1.0)
38
- rubocop-performance (1.19.0)
39
- rubocop (>= 1.7.0, < 2.0)
40
- rubocop-ast (>= 0.4.0)
35
+ rubocop-ast (1.31.3)
36
+ parser (>= 3.3.1.0)
37
+ rubocop-performance (1.21.1)
38
+ rubocop (>= 1.48.1, < 2.0)
39
+ rubocop-ast (>= 1.31.1, < 2.0)
41
40
  ruby-progressbar (1.13.0)
42
- standard (1.31.0)
41
+ standard (1.39.2)
43
42
  language_server-protocol (~> 3.17.0.2)
44
43
  lint_roller (~> 1.0)
45
- rubocop (~> 1.56.0)
44
+ rubocop (~> 1.64.0)
46
45
  standard-custom (~> 1.0.0)
47
- standard-performance (~> 1.2)
46
+ standard-performance (~> 1.4)
48
47
  standard-custom (1.0.2)
49
48
  lint_roller (~> 1.0)
50
49
  rubocop (~> 1.50)
51
- standard-performance (1.2.0)
50
+ standard-performance (1.4.0)
52
51
  lint_roller (~> 1.1)
53
- rubocop-performance (~> 1.19.0)
54
- unicode-display_width (2.4.2)
52
+ rubocop-performance (~> 1.21.0)
53
+ strscan (3.1.0)
54
+ unicode-display_width (2.5.0)
55
55
 
56
56
  PLATFORMS
57
57
  arm64-darwin-21
data/README.md CHANGED
@@ -1,10 +1,10 @@
1
1
  # VaultEnvSecrets
2
2
 
3
- A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [consul-template](https://github.com/hashicorp/consul-template) YAML template. Automatic integration with Rails is supported.
3
+ A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [gomplate](https://gomplate.ca) JSON template. Automatic integration with Rails is supported.
4
4
 
5
5
  ## Requirements/Assumptions
6
6
 
7
- - By default, a `consul-template` config file needs to be present in `config/vault.hcl` that defines a `template` that will render secrets in a YAML output file to `tmp/vault/secrets.yml`.
7
+ - By default, a `gomplate` template needs to be present in `config/vault_secrets.json.tmpl` that defines a template that will render secrets to JSON output.
8
8
  - You must be authenticate to Vault in some fashion outside of this library (eg, `vault login` is used before startup and `~/.vault-token` is present, or `VAULT_TOKEN` is set, etc).
9
9
  - For Rails integration, secrets will only be read once on application startup (so to pick up changes in development, you must restart the Rails server).
10
10
 
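Review bot: line 8 of this list still carries the pre-existing typo "You must be authenticate to Vault"; while the list is being edited, change it to "authenticated". The same bullet's examples (`vault login` leaving `~/.vault-token`, or `VAULT_TOKEN`) were written for consul-template; confirm they match the authentication methods gomplate's vault datasource honours, because that is the process reading the token now.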
@@ -24,7 +24,7 @@ gem install vault_env_secrets
24
24
 
25
25
  ## Example Usage
26
26
 
27
- This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/consul-template), with the assumption that there will be a YAML output file that can be read in. There are a variety of ways to use this, but as an example:
27
+ This gem mostly defers to to [`gomplate`](https://gomplate.ca), with the assumption that there will be a JSON output file that can be read in. There are a variety of ways to use this, but as an example:
28
28
 
29
29
  1. Authenticate against Vault:
30
30
 
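Review bot: the rewritten sentence still reads "defers to to [`gomplate`]"; drop the duplicated "to". It also still speaks of "a JSON output file that can be read in", but after this change the library captures gomplate's stdout and no file is written (that is the whole point of the changelog entry), so say "JSON output" rather than "output file".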
@@ -32,43 +32,34 @@ This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/co
32
32
  vault login
33
33
  ```
34
34
 
35
- 2. Define a `consul-template` [configuration file](https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file) in the default `config/vault.hcl` location:
35
+ 2. Define a `gomplate` [configuration file](https://docs.gomplate.ca/config/) in `.gomplate.yaml` to declare your Vault datasource:
36
36
 
37
37
  ```hcl
38
- vault {
39
- address = "https://vault.example.com/"
40
- renew_token = true
41
-
42
- retry {
43
- enabled = false
44
- }
45
- }
46
-
47
- template {
48
- source = "./config/vault/secrets.yml.ctmpl"
49
- destination = "./tmp/vault/secrets.yml"
50
- error_on_missing_key = true
51
- perms = 0600
52
- }
38
+ datasources:
39
+ vault:
40
+ url: "vault://vault.example.com/secret/data"
53
41
  ```
54
42
 
55
- 3. Define the template that the `config/vault.hcl` config file references (which should be configured to output to `tmp/vault/secrets.yml` by default). In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
43
+ 3. Define the template in the default `config/vault_secrets.json.tmpl` location. In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
56
44
 
57
45
  ```ctmpl
58
- {{ $rails_env := (envOrDefault "RAILS_ENV" "development") }}
59
-
60
- {{ with secret (printf "secret/my-app/%s/web" $deploy_env) }}
61
- {{ scratch.MapSet "secrets" "SECRET_KEY_BASE" .Data.data.secret_key_base }}
62
- {{ scratch.MapSet "secrets" "SECRET_DB_HOST" .Data.data.db_host }}
63
- {{ scratch.MapSet "secrets" "SECRET_DB_NAME" .Data.data.db_name }}
64
- {{ scratch.MapSet "secrets" "SECRET_DB_USERNAME" .Data.data.db_username }}
65
- {{ scratch.MapSet "secrets" "SECRET_DB_PASSWORD" .Data.data.db_password }}
46
+ {{ $rails_env := (env.Getenv "RAILS_ENV" "development") }}
47
+ {{ $secrets := coll.Dict }}
48
+
49
+ {{ with (datasource "vault" (printf "my-app/%s/web" $rails_env)).data }}
50
+ {{ $secrets = coll.Merge $secrets (coll.Dict
51
+ "SECRET_KEY_BASE" .secret_key_base
52
+ "SECRET_DB_HOST" .db_host
53
+ "SECRET_DB_NAME" .db_name
54
+ "SECRET_DB_USERNAME" .db_username
55
+ "SECRET_DB_PASSWORD" .db_password
56
+ )}}
66
57
  {{ end }}
67
58
 
68
- {{ scratch.Get "secrets" | toYAML }}
59
+ {{ $secrets | data.ToJSON }}
69
60
  ```
70
61
 
71
- 4. With the gem installed, any variables defined in the output YAML from the `consul-template` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the YAML output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
62
+ 4. With the gem installed, any variables defined in the output JSON from the `gomplate` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the JSON output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
72
63
 
73
64
  ## Configuration
74
65
 
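Review bot: the `.gomplate.yaml` snippet in step 2 is still fenced as ```hcl although its content is now YAML, and the step 3 template is fenced as ```ctmpl (consul-template) although it is a gomplate/Go template; retag them (`yaml`, and `gotemplate` or a plain fence) so highlighting and readers are not misled. Step 3 also quietly fixes a bug in the old template, which defined `$rails_env` but then used an undefined `$deploy_env` in the `secret` lookup; the new `env.Getenv "RAILS_ENV" "development"` plus `printf "my-app/%s/web" $rails_env` is correct and the fix deserves a changelog line.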
@@ -82,20 +73,12 @@ Optionally disable loading VaultEnvSecrets (for example, if this gem only needs
82
73
  VaultEnvSecrets.enabled = false # Defaults to `true`
83
74
  ```
84
75
 
85
- #### `VaultEnvSecrets.consul_template_config`
76
+ #### `VaultEnvSecrets.template_path`
86
77
 
87
- Set a custom path to the `consul-template` config file.
78
+ Set a custom path to the `gomplate` JSON template file.
88
79
 
89
80
  ```ruby
90
- VaultEnvSecrets.consul_template_config = "config/my_config.hcl" # Defaults to `config/vault.hcl`
91
- ```
92
-
93
- #### `VaultEnvSecrets.consul_template_output`
94
-
95
- Set a custom path to the YAML output file generated from the `consul-template` template.
96
-
97
- ```ruby
98
- VaultEnvSecrets.consul_template_output = "tmp/my_secrets.yml" # Defaults to `tmp/vault/secrets.yml`
81
+ VaultEnvSecrets.template_path = "config/my_secrets.json.tmpl" # Defaults to `config/vault_secrets.json.tmpl`
99
82
  ```
100
83
 
101
84
  ## Development
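Review bot: the removed `consul_template_output` setting has no replacement here, and the reason is not stated: there is no longer an output file at all, the rendered JSON is read from gomplate's stdout and never touches disk. One sentence saying so under `VaultEnvSecrets.template_path` would tell operators that the old `tmp/vault/secrets.yml` and its `perms = 0600` handling can be dropped, and that the template file itself now only needs to be readable by the app.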
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module VaultEnvSecrets
4
- VERSION = "1.0.0"
4
+ VERSION = "2.0.0"
5
5
  end
@@ -1,58 +1,51 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "json"
4
+ require "open3"
3
5
  require "pathname"
4
- require "yaml"
5
6
 
6
7
  require_relative "vault_env_secrets/errors"
7
8
  require_relative "vault_env_secrets/version"
8
9
 
9
10
  module VaultEnvSecrets
10
11
  @enabled = true
11
- @consul_template_config = "config/vault.hcl"
12
- @consul_template_output = "tmp/vault/secrets.yml"
12
+ @template_path = "config/vault_secrets.json.tmpl"
13
13
 
14
14
  class << self
15
15
  attr_accessor :enabled
16
- attr_accessor :consul_template_config
17
- attr_accessor :consul_template_output
16
+ attr_accessor :template_path
18
17
 
19
18
  def load(env: {})
20
19
  if enabled
21
- # Check that the expected consul-template config file exists.
22
- config_path = Pathname.new(consul_template_config)
23
- if defined?(::Rails) && config_path.relative?
24
- config_path = Rails.root.join(consul_template_config)
20
+ # Check that the expected template file exists.
21
+ path = Pathname.new(template_path)
22
+ if defined?(::Rails) && path.relative?
23
+ path = Rails.root.join(template_path)
25
24
  end
26
- unless config_path.exist?
27
- raise Error.new("consul-template config path (#{config_path.to_s.inspect}) does not exist")
25
+ unless path.exist?
26
+ raise Error.new("vault template path (#{path.to_s.inspect}) does not exist")
28
27
  end
29
28
 
30
- # Run consul-template to render any template files.
31
- system(env, "consul-template", "-config", config_path.to_s, "-once", exception: true)
32
-
33
- # Check that the expected output file exists.
34
- output_path = Pathname.new(consul_template_output)
35
- if defined?(::Rails) && output_path.relative?
36
- output_path = Rails.root.join(consul_template_output)
37
- end
38
- unless output_path.exist?
39
- raise Error.new("consul-template rendered output path (#{output_path.to_s.inspect}) does not exist")
29
+ # Run gomplate to render any template files.
30
+ output, status = Open3.capture2(env, "gomplate", "--file", path.to_s)
31
+ unless status.success?
32
+ raise Error.new("vault template gomplate render failed: #{status}")
40
33
  end
41
34
 
42
- # Read the output YAML file and set any of the variables as environment
35
+ # Read the output JSON and set any of the variables as environment
43
36
  # variables.
44
- secrets = YAML.safe_load_file(output_path)
37
+ secrets = JSON.parse(output)
45
38
  if secrets
46
- # Make sure the YAML output is an expected hash.
39
+ # Make sure the JSON output is an expected hash.
47
40
  unless secrets.is_a?(Hash)
48
- raise Error.new("YAML in consul-template output file does not of expected Hash type (#{output_path.to_s.inspect})")
41
+ raise Error.new("JSON in vault template output does not of expected Hash type (#{path.to_s.inspect})")
49
42
  end
50
43
 
51
44
  secrets.each do |key, value|
52
45
  # Reject nested values that can't be set as simple string values
53
46
  # for environment variable purposes.
54
47
  if value.is_a?(Array) || value.is_a?(Hash)
55
- raise Error.new("YAML in consul-template output file has nested data that cannot be set as environment variables (#{output_path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
48
+ raise Error.new("JSON in vault template output has nested data that cannot be set as environment variables (#{path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
56
49
  end
57
50
 
58
51
  ENV[key] = value.to_s
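Review bot: `Open3.capture2` on line 30 leaves gomplate's stderr attached to the parent process, so the `Error` raised on line 32 carries only the `Process::Status` string and none of the actual reason (datasource unreachable, permission denied on the Vault path, template parse error). Switch to `Open3.capture3` and put the captured stderr in the message, e.g. `output, err, status = Open3.capture3(env, "gomplate", "--file", path.to_s)` followed by `raise Error.new("vault template gomplate render failed (#{status}): #{err}")`. Separately, when `gomplate` is not on `PATH`, `capture2` raises `Errno::ENOENT` rather than returning a failed status, so that case bypasses the `status.success?` branch; rescue it and raise the library's own `Error` with a hint that gomplate must be installed. Minor: the inherited wording on lines 41 and 48, "does not of expected Hash type", should read "is not of the expected Hash type", and since the `path` printed there is now the template path rather than an output file, label it as such.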
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: vault_env_secrets
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 2.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nick Muerdter
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-08-19 00:00:00.000000000 Z
11
+ date: 2024-07-19 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description:
14
14
  email:
@@ -34,8 +34,8 @@ licenses:
34
34
  - MIT
35
35
  metadata:
36
36
  homepage_uri: https://github.com/GUI/vault_env_secrets
37
- source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v1.0.0
38
- changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v1.0.0/CHANGELOG.md
37
+ source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v2.0.0
38
+ changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v2.0.0/CHANGELOG.md
39
39
  post_install_message:
40
40
  rdoc_options: []
41
41
  require_paths:
@@ -51,7 +51,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
51
51
  - !ruby/object:Gem::Version
52
52
  version: '0'
53
53
  requirements: []
54
- rubygems_version: 3.4.10
54
+ rubygems_version: 3.5.14
55
55
  signing_key:
56
56
  specification_version: 4
57
57
  summary: Load secrets from Vault into environment variables (via consul-template config
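Review bot: the gemspec `summary` on line 57 (it continues past this hunk) still describes loading secrets "via consul-template config"; update it to mention gomplate so the RubyGems listing for 2.0.0 matches the rewritten README.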