vault_env_secrets 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a239afd0a1d9d133166b8c3f88f15162d9b4537437b5eee5ac602f99246ba196
-  data.tar.gz: 07ad320f88de1b735c9f5be34a95be6b6897fe71ae8943e5e36cd8e141c685ee
+  metadata.gz: a342ebc246007f7a1157b228efb4b7f10f711ee425e08e951596f7490b608661
+  data.tar.gz: 7846c31b5eb2c8feaddb213e7e2c8ebb66f66343d34169cbe496d322ae9cd798
 SHA512:
-  metadata.gz: 10feaf9ceffbb1892c20702623cbcec3c07b62bfbdcef60e216d4b1b9063ce3e68e70afbe1ec28710d0640be1f412b59ab9025322c841fd149c4c625770916dc
-  data.tar.gz: 475a66ab45ef7e558a1c7c09f919af52207695ec1d9691918df9087b4efb3388d0c35e1e45b0a4d47fc52488bae233f45c4425b6a71d33afac1e9088f7ff7aa1
+  metadata.gz: 2d4b22ad4bb0828eaed9224e87f451026e8949504951f5ba08f1251eef4c871042f37c541c83b4559a1123eae7fad65c57c0c7da4f1cc27147bcb0bbb582a2eb
+  data.tar.gz: 8bfb66cbe3dba8f773b23c7ff21cdd5831928257faf0f3e9292c3eb855c4f8b5ad6bb4dfd2763ca29d1cb6d89aff3ea91fe88fd298f30f3b43793b9fb8fb6bcc

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # VaultEnvSecrets Change Log
 
+## [2.0.0] - 2024-07-19
+
+### Changed
+
+- Switch from `consul-template` to `gomplate` for template rendering via Vault. This eliminates the need for writing to a temp file in plain text.
+
 ## [1.0.0] - 2023-08-19
 
 - Initial release

data/Gemfile.lock

@@ -1,57 +1,57 @@
 PATH
   remote: .
   specs:
-    vault_env_secrets (1.0.0)
+    vault_env_secrets (2.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.2)
-    base64 (0.1.1)
-    json (2.6.3)
+    json (2.7.2)
     language_server-protocol (3.17.0.3)
     lint_roller (1.1.0)
-    minitest (5.19.0)
-    parallel (1.23.0)
-    parser (3.2.2.3)
+    minitest (5.24.1)
+    parallel (1.25.1)
+    parser (3.3.4.0)
       ast (~> 2.4.1)
       racc
-    racc (1.7.1)
+    racc (1.8.0)
     rainbow (3.1.1)
-    rake (13.0.6)
-    regexp_parser (2.8.1)
-    rexml (3.2.6)
-    rubocop (1.56.0)
-      base64 (~> 0.1.1)
+    rake (13.2.1)
+    regexp_parser (2.9.2)
+    rexml (3.3.2)
+      strscan
+    rubocop (1.64.1)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
-      parser (>= 3.2.1.0)
-    rubocop-performance (1.19.0)
-      rubocop (>= 1.7.0, < 2.0)
-      rubocop-ast (>= 0.4.0)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
+    rubocop-performance (1.21.1)
+      rubocop (>= 1.48.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
     ruby-progressbar (1.13.0)
-    standard (1.31.0)
+    standard (1.39.2)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
-      rubocop (~> 1.56.0)
+      rubocop (~> 1.64.0)
       standard-custom (~> 1.0.0)
-      standard-performance (~> 1.2)
+      standard-performance (~> 1.4)
     standard-custom (1.0.2)
       lint_roller (~> 1.0)
       rubocop (~> 1.50)
-    standard-performance (1.2.0)
+    standard-performance (1.4.0)
       lint_roller (~> 1.1)
-      rubocop-performance (~> 1.19.0)
-    unicode-display_width (2.4.2)
+      rubocop-performance (~> 1.21.0)
+    strscan (3.1.0)
+    unicode-display_width (2.5.0)
 
 PLATFORMS
   arm64-darwin-21

data/README.md

@@ -1,10 +1,10 @@
 # VaultEnvSecrets
 
-A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [consul-template](https://github.com/hashicorp/consul-template) YAML template. Automatic integration with Rails is supported.
+A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [gomplate](https://gomplate.ca) JSON template. Automatic integration with Rails is supported.
 
 ## Requirements/Assumptions
 
-- By default, a `consul-template` config file needs to be present in `config/vault.hcl` that defines a `template` that will render secrets in a YAML output file to `tmp/vault/secrets.yml`.
+- By default, a `gomplate` template needs to be present in `config/vault_secrets.json.tmpl` that defines a template that will render secrets to JSON output.
 - You must be authenticate to Vault in some fashion outside of this library (eg, `vault login` is used before startup and `~/.vault-token` is present, or `VAULT_TOKEN` is set, etc).
 - For Rails integration, secrets will only be read once on application startup (so to pick up changes in development, you must restart the Rails server).
 
@@ -24,7 +24,7 @@ gem install vault_env_secrets
 
 ## Example Usage
 
-This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/consul-template), with the assumption that there will be a YAML output file that can be read in. There are a variety of ways to use this, but as an example:
+This gem mostly defers to to [`gomplate`](https://gomplate.ca), with the assumption that there will be a JSON output file that can be read in. There are a variety of ways to use this, but as an example:
 
 1. Authenticate against Vault:
 
@@ -32,43 +32,34 @@ This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/co
     vault login
     ```
 
-2. Define a `consul-template` [configuration file](https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file) in the default `config/vault.hcl` location:
+2. Define a `gomplate` [configuration file](https://docs.gomplate.ca/config/) in `.gomplate.yaml` to declare your Vault datasource:
 
     ```hcl
-    vault {
-      address = "https://vault.example.com/"
-      renew_token = true
-
-      retry {
-        enabled = false
-      }
-    }
-
-    template {
-      source = "./config/vault/secrets.yml.ctmpl"
-      destination = "./tmp/vault/secrets.yml"
-      error_on_missing_key = true
-      perms = 0600
-    }
+    datasources:
+      vault:
+        url: "vault://vault.example.com/secret/data"
     ```
 
-3. Define the template that the `config/vault.hcl` config file references (which should be configured to output to `tmp/vault/secrets.yml` by default). In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
+3. Define the template in the default `config/vault_secrets.json.tmpl` location. In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
 
     ```ctmpl
-    {{ $rails_env := (envOrDefault "RAILS_ENV" "development") }}
-
-    {{ with secret (printf "secret/my-app/%s/web" $deploy_env) }}
-      {{ scratch.MapSet "secrets" "SECRET_KEY_BASE" .Data.data.secret_key_base }}
-      {{ scratch.MapSet "secrets" "SECRET_DB_HOST" .Data.data.db_host }}
-      {{ scratch.MapSet "secrets" "SECRET_DB_NAME" .Data.data.db_name }}
-      {{ scratch.MapSet "secrets" "SECRET_DB_USERNAME" .Data.data.db_username }}
-      {{ scratch.MapSet "secrets" "SECRET_DB_PASSWORD" .Data.data.db_password }}
+    {{ $rails_env := (env.Getenv "RAILS_ENV" "development") }}
+    {{ $secrets := coll.Dict }}
+
+    {{ with (datasource "vault" (printf "my-app/%s/web" $rails_env)).data }}
+      {{ $secrets = coll.Merge $secrets (coll.Dict
+        "SECRET_KEY_BASE" .secret_key_base
+        "SECRET_DB_HOST" .db_host
+        "SECRET_DB_NAME" .db_name
+        "SECRET_DB_USERNAME" .db_username
+        "SECRET_DB_PASSWORD" .db_password
+      )}}
     {{ end }}
 
-    {{ scratch.Get "secrets" | toYAML }}
+    {{ $secrets | data.ToJSON }}
     ```
 
-4. With the gem installed, any variables defined in the output YAML from the `consul-template` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the YAML output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
+4. With the gem installed, any variables defined in the output JSON from the `gomplate` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the JSON output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
 
 ## Configuration
 
@@ -82,20 +73,12 @@ Optionally disable loading VaultEnvSecrets (for example, if this gem only needs
 VaultEnvSecrets.enabled = false # Defaults to `true`
 ```
 
-#### `VaultEnvSecrets.consul_template_config`
+#### `VaultEnvSecrets.template_path`
 
-Set a custom path to the `consul-template` config file.
+Set a custom path to the `gomplate` JSON template file.
 
 ```ruby
-VaultEnvSecrets.consul_template_config = "config/my_config.hcl" # Defaults to `config/vault.hcl`
-```
-
-#### `VaultEnvSecrets.consul_template_output`
-
-Set a custom path to the YAML output file generated from the `consul-template` template.
-
-```ruby
-VaultEnvSecrets.consul_template_output = "tmp/my_secrets.yml" # Defaults to `tmp/vault/secrets.yml`
+VaultEnvSecrets.template_path = "config/my_secrets.json.tmpl" # Defaults to `config/vault_secrets.json.tmpl`
 ```
 
 ## Development

data/lib/vault_env_secrets/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module VaultEnvSecrets
-  VERSION = "1.0.0"
+  VERSION = "2.0.0"
 end

data/lib/vault_env_secrets.rb

@@ -1,58 +1,51 @@
 # frozen_string_literal: true
 
+require "json"
+require "open3"
 require "pathname"
-require "yaml"
 
 require_relative "vault_env_secrets/errors"
 require_relative "vault_env_secrets/version"
 
 module VaultEnvSecrets
   @enabled = true
-  @consul_template_config = "config/vault.hcl"
-  @consul_template_output = "tmp/vault/secrets.yml"
+  @template_path = "config/vault_secrets.json.tmpl"
 
   class << self
     attr_accessor :enabled
-    attr_accessor :consul_template_config
-    attr_accessor :consul_template_output
+    attr_accessor :template_path
 
     def load(env: {})
       if enabled
-        # Check that the expected consul-template config file exists.
-        config_path = Pathname.new(consul_template_config)
-        if defined?(::Rails) && config_path.relative?
-          config_path = Rails.root.join(consul_template_config)
+        # Check that the expected template file exists.
+        path = Pathname.new(template_path)
+        if defined?(::Rails) && path.relative?
+          path = Rails.root.join(template_path)
         end
-        unless config_path.exist?
-          raise Error.new("consul-template config path (#{config_path.to_s.inspect}) does not exist")
+        unless path.exist?
+          raise Error.new("vault template path (#{path.to_s.inspect}) does not exist")
         end
 
-        # Run consul-template to render any template files.
-        system(env, "consul-template", "-config", config_path.to_s, "-once", exception: true)
-
-        # Check that the expected output file exists.
-        output_path = Pathname.new(consul_template_output)
-        if defined?(::Rails) && output_path.relative?
-          output_path = Rails.root.join(consul_template_output)
-        end
-        unless output_path.exist?
-          raise Error.new("consul-template rendered output path (#{output_path.to_s.inspect}) does not exist")
+        # Run gomplate to render any template files.
+        output, status = Open3.capture2(env, "gomplate", "--file", path.to_s)
+        unless status.success?
+          raise Error.new("vault template gomplate render failed: #{status}")
         end
 
-        # Read the output YAML file and set any of the variables as environment
+        # Read the output JSON and set any of the variables as environment
         # variables.
-        secrets = YAML.safe_load_file(output_path)
+        secrets = JSON.parse(output)
         if secrets
-          # Make sure the YAML output is an expected hash.
+          # Make sure the JSON output is an expected hash.
           unless secrets.is_a?(Hash)
-            raise Error.new("YAML in consul-template output file does not of expected Hash type (#{output_path.to_s.inspect})")
+            raise Error.new("JSON in vault template output does not of expected Hash type (#{path.to_s.inspect})")
           end
 
           secrets.each do |key, value|
             # Reject nested values that can't be set as simple string values
             # for environment variable purposes.
             if value.is_a?(Array) || value.is_a?(Hash)
-              raise Error.new("YAML in consul-template output file has nested data that cannot be set as environment variables (#{output_path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
+              raise Error.new("JSON in vault template output has nested data that cannot be set as environment variables (#{path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
             end
 
             ENV[key] = value.to_s

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault_env_secrets
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Nick Muerdter
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-08-19 00:00:00.000000000 Z
+date: 2024-07-19 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -34,8 +34,8 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/GUI/vault_env_secrets
-  source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v1.0.0
-  changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v1.0.0/CHANGELOG.md
+  source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v2.0.0
+  changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v2.0.0/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -51,7 +51,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.14
 signing_key:
 specification_version: 4
 summary: Load secrets from Vault into environment variables (via consul-template config