Vault write support #183
Vault write support #183
Conversation
stuart-c
force-pushed
the
vault-write-support
branch
from
83a4573 to
8c49d24
Compare
stuart-c
force-pushed
the
vault-write-support
branch
10 times, most recently
from
9c6980f to
13d5b16
Compare
|
I've been a little uneasy about the design and I just put my finger on it this morning. $ gomplate -d vault=vault:/// -i 'otp={{(datasource "vault" "ssh/creds/test" "ip=10.1.2.3" "username=user").key}}'
otp=604a4bd5-7afd-30a2-d2d8-80c4aebc6183The trouble with this is that this particular template can only be used with a I think using the URL might be the key here, and maybe we can use query parameters to specify the $ gomplate -d 'vault=vault:///?ip=10.1.2.3&username=user' -i 'otp={{ (ds "vault" "ssh/creds/test").key }}'@stuart-c what do you think? |
|
The problem then is you'd end up with hundreds of -d entries on the command line with the resultant multiple Vault connections/authentications [would also break AWS EC2 auth unless we have nonce saving]. In terms of when I'd be looking to use this:
|
stuart-c
force-pushed
the
vault-write-support
branch
from
13d5b16 to
a0c6c1e
Compare
|
Thinking about it a bit more, in general I don't think you can swap a Vault datasource for a HTTP or file based one - only Vault & Consul use args, which are an important part of the request. The only situation it would work is if you were to have only a single Vault/Consul template entry for a specific key. For example if you had the following template: If you use Vault you'd get two different values (assuming the two secrets are different in Vault), but switching to HTTP or file they would be identical. |
Right - like the following: It's important to me that datasources be more-or-less interchangeable in general. I have situations where I use the same template in one environment where Vault is used to store secrets, and another environment where we store them as Docker Swarm secrets - in which case they show up as files inside a container. That being said, the latter use-case doesn't make too much sense for dynamic secrets because generally they're populated at deploy-time. In the near future, Swarm secrets will support pluggable back-ends (including Vault), so using gomplate to populate dynamic secrets will be less of a thing in that scenario. 🤔 There's no reason we couldn't simply support both methods of providing the additional arguments though, so why don't we start with what's in this PR and then I could add URL query-based args later on if and when the need arises. 🙂 |
|
One thing I would ask, though, is that instead of multiple args can we use a single arg, and specify multiple args as a comma-separated list? Like this: Does this make sense? |
|
Sounds good. I'll update the PR shortly |
|
@stuart-c another way to approach this would be to only support URL query parameters, but allow them to be provided in the path to {{ datasource "vault" "ssh/creds/test?ip=10.1.2.3&username=user" }}This way there'd be no need to special-case based on number of args, and it'd allow specifying params both inside and outside the template. IMO it's a little cleaner this way (at least, implementation-wise). |
stuart-c
force-pushed
the
vault-write-support
branch
from
a0c6c1e to
9c6210f
Compare
|
How's this @hairyhenderson? |
stuart-c
force-pushed
the
vault-write-support
branch
from
607d33f to
724752d
Compare
stuart-c
force-pushed
the
vault-write-support
branch
from
724752d to
5509a09
Compare
|
Thanks - I'm good with this! 🎉 |
This requires #177 to be merged first.
This PR adds write support to the Vault datasource, enabling use of dynamic secrets (such as database credentials).