vvauth 0.3.0 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +45 -0
- package/index.js +14 -24
- package/package.json +1 -1
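--- a/package/README.md
+++ b/package/README.md
@@ -4,3 +4,48 @@ This projects helps you log yourself in a HCL vault and retrieve VAULT_TOKEN thr
 * jwt login
 * ssh (with agent) login
 
+
+# Vauth configuration
+## Vauth configuration file location
+vauth configuration file lies on a `.vauthrc` file (this name can be controlled by the VAUTHRC env var).
+vauth will try to find
+* if specified, the VAUTHRC file
+* fallback to a .vauthrc file in the current directory
+* fallback to a .vauthrc file in the current user home directory
+
+## Vauth configuration format
+vauth configuration file is a simple yaml file with a specific macro expansion syntax for dynamic parts.
+The configuration file should abide the following schema
+
+### configuration macro expansion set
+* $${profile.XXX} expand to vault entity metadata/custom_metadata vars
+* $${env.XXX} expand to local environement vars
+* $${secrets.XXX} expand to remote scrapped secrets (see the env.paths)
+
+```
+# vauth URL
+vault_addr: https://vauth.myserver.org
+
+# for vauth-auth-plugin-ssh, configure the binding role here
+ssh_auth:
+role: $${env.VAUTH_USER_LOGIN}
+env:
+map:
+TF_HTTP_USERNAME: $${profile.VAUTH_USER_LOGIN}
+TF_HTTP_PASSWORD: $${profile.GITLAB_API_TOKEN}
+AWS_ACCESS_KEY_ID: $${secrets.AWS_ACCESS_KEY_ID}
+AWS_SECRET_ACCESS_KEY: $${secrets.AWS_SECRET_ACCESS_KEY}
+
+# remote secrets mecanism
+# set the secrets mount point - default to secrets
+[path: secrets]
+# list extra secrets to be reached and populated into the $${secrets.XXX} macro
+paths:
+- /some/pa4-backend.creds
+
+```
+
+
+# Credits
+* [Francois Leurent](https://github.com/131)
+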
package/index.js
|
@@ -52,7 +52,7 @@ class vvauth {
|
|
|
52
52
|
let vauth_rc = VAUTH_RC.filter(path => path && fs.existsSync(path))[0];
|
|
53
53
|
if(vauth_rc) {
|
|
54
54
|
let body = fs.readFileSync(vauth_rc, 'utf8');
|
|
55
|
-
this.rc = walk(parse(body), v => replaceEnv(v, process.env));
|
|
55
|
+
this.rc = walk(parse(body), v => replaceEnv(v, {env : process.env}));
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
58
|
|
|
@@ -66,7 +66,7 @@ class vvauth {
|
|
|
66
66
|
}
|
|
67
67
|
|
|
68
68
|
async connect() {
|
|
69
|
-
let
|
|
69
|
+
let VAULT_TOKEN, {rc : {ssh_auth, jwt_auth}} = this;
|
|
70
70
|
|
|
71
71
|
if(!VAULT_TOKEN && ssh_auth && process.env.SSH_AUTH_SOCK)
|
|
72
72
|
VAULT_TOKEN = await this._login_vault_ssh({...ssh_auth});
|
|
@@ -136,37 +136,27 @@ class vvauth {
|
|
|
136
136
|
async env(source = false) {
|
|
137
137
|
let {profile} = await this._get_profile();
|
|
138
138
|
|
|
139
|
-
let env = {VAULT_TOKEN : this.VAULT_TOKEN},
|
|
140
|
-
{git, map =
|
|
141
|
-
|
|
142
|
-
if(!Array.isArray(map))
|
|
143
|
-
map = [map];
|
|
139
|
+
let env = {VAULT_TOKEN : this.VAULT_TOKEN}, secrets = {},
|
|
140
|
+
{git, map = {}, paths, path : mount = "secrets"} = this.rc.env || {};
|
|
144
141
|
|
|
145
142
|
if(git) {
|
|
146
|
-
map
|
|
147
|
-
"GIT_COMMITTER_NAME" :
|
|
148
|
-
"GIT_COMMITTER_EMAIL" :
|
|
149
|
-
"GIT_AUTHOR_EMAIL" :
|
|
150
|
-
"GIT_AUTHOR_NAME" :
|
|
151
|
-
"GIT_USER_LOGIN" :
|
|
152
|
-
}
|
|
143
|
+
map = {...map,
|
|
144
|
+
"GIT_COMMITTER_NAME" : profile.VAUTH_USER_NAME,
|
|
145
|
+
"GIT_COMMITTER_EMAIL" : profile.VAUTH_USER_MAIL,
|
|
146
|
+
"GIT_AUTHOR_EMAIL" : profile.VAUTH_USER_MAIL,
|
|
147
|
+
"GIT_AUTHOR_NAME" : profile.VAUTH_USER_NAME,
|
|
148
|
+
"GIT_USER_LOGIN" : profile.VAUTH_USER_LOGIN,
|
|
149
|
+
};
|
|
153
150
|
}
|
|
154
151
|
if(paths) {
|
|
155
152
|
for(let secret_path of paths) {
|
|
156
153
|
console.error("reaching paths", secret_path);
|
|
157
154
|
let data = await this._read(mount, secret_path);
|
|
158
|
-
|
|
159
|
-
}
|
|
160
|
-
}
|
|
161
|
-
|
|
162
|
-
for(let entry of map) {
|
|
163
|
-
if(typeof entry == "string")
|
|
164
|
-
entry = {[entry] : entry};
|
|
165
|
-
for(let [k, v] of Object.entries(entry)) {
|
|
166
|
-
if(profile[v])
|
|
167
|
-
env[k] = profile[v];
|
|
155
|
+
secrets = {...secrets, ...data};
|
|
168
156
|
}
|
|
169
157
|
}
|
|
158
|
+
for(let [k, v] of Object.entries(map))
|
|
159
|
+
env[k] = replaceEnv(v, {env : process.env, profile, secrets});
|
|
170
160
|
|
|
171
161
|
if(source) {
|
|
172
162
|
this._publish_env(env);
|