Merge pull request #28 from bank-vaults/feat/update-api
Showing 32 changed files with 1,114 additions and 628 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,71 +1,135 @@ | ||
## Secret Sync | ||
|
||
Enables secret synchronization between two secret store services (e.g. between Vault and AWS) in a configurable manner. | ||
Enables secret synchronization between two secret store services (e.g. between Hashicorp Vault and AWS) in a configurable and explicit manner. | ||
|
||
> [!WARNING] | ||
> This is an early alpha version and there will be changes made to the API. You can support us with your feedback. | ||
### Supported secret stores | ||
- Vault | ||
- FileDir (regular system directory) | ||
- Hashicorp Vault | ||
- FileDir (store is a folder, secrets are plain unencrypted files) | ||
|
||
### Quick usage | ||
Synchronize secrets every hour from Vault-A to Vault-B instance. | ||
### Examples | ||
|
||
#### Define stores and sync job strategy | ||
<details> | ||
<summary>Synchronize specific secrets every hour between two Hashicorp Vault instance</summary> | ||
|
||
#### Define stores | ||
```yaml | ||
### Vault-A - Source | ||
### SecretStore: path/to/vault-source.yaml | ||
permissions: Read | ||
provider: | ||
vault: | ||
vault: | ||
address: "http://0.0.0.0:8200" | ||
unseal-keys-path: "secret" | ||
storePath: "secret" | ||
role: "" | ||
auth-path: "userpass" | ||
token-path: "" | ||
authPath: "userpass" | ||
tokenPath: "" | ||
token: "root" | ||
``` | ||
```yaml | ||
### Vault-B - Dest | ||
### SecretStore: path/to/vault-dest.yaml | ||
permissions: Write | ||
provider: | ||
vault: | ||
### Vault-B - Target | ||
### SecretStore: path/to/vault-target.yaml | ||
vault: | ||
address: "http://0.0.0.0:8201" | ||
unseal-keys-path: "secret" | ||
storePath: "secret" | ||
role: "" | ||
auth-path: "userpass" | ||
token-path: "" | ||
authPath: "userpass" | ||
tokenPath: "" | ||
token: "root" | ||
``` | ||
#### Define sync strategy | ||
```yaml | ||
### SyncJob: path/to/sync-job.yaml | ||
schedule: "@every 1h" | ||
plan: | ||
- secret: | ||
key: "a" | ||
- secret: | ||
key: "b/b" | ||
- secret: | ||
key: "c/c/c" | ||
- query: | ||
path: "d/d/d" | ||
## Defines how the secrets will be synced | ||
sync: | ||
## 1. Usage: Sync key from ref | ||
- secretRef: | ||
key: /source/credentials/username | ||
target: # If not specified, will be synced under the same key | ||
key: /target/example-1 | ||
|
||
## 2. Usage: Sync all keys from query | ||
- secretQuery: | ||
path: /source/credentials | ||
key: | ||
regexp: .* | ||
target: # If not specified, all keys will be synced under the same path | ||
keyPrefix: /target/example-2/ | ||
|
||
## 3. Usage: Sync key from ref with templating | ||
- secretRef: | ||
key: /source/credentials/password | ||
target: | ||
key: /target/example-3 | ||
|
||
# Template defines how the secret will be synced to target store. | ||
# Either "rawData" or "data" should be specified, not both. | ||
template: | ||
rawData: '{{ .Data }}' # Save as raw (accepts multiline string) | ||
data: # Save as map (accepts nested values) | ||
example: '{{ .Data }}' | ||
|
||
## 4. Usage: Sync all keys from query with templating | ||
- secretQuery: | ||
path: /source/credentials | ||
key: | ||
regexp: ".*" | ||
key-transform: | ||
- regexp: | ||
source: "d/d/d/(.*)" | ||
target: "d/d/d/$1-final" | ||
regexp: .* | ||
target: | ||
keyPrefix: /target/example-4/ | ||
template: | ||
rawData: 'SECRET-PREFIX-{{ .Data }}' | ||
|
||
## 5. Usage: Sync single key from query with templating | ||
- secretQuery: | ||
path: /source/credentials/query-data/ | ||
key: | ||
regexp: (username|password) | ||
flatten: true | ||
target: | ||
key: /target/example-5 | ||
|
||
template: | ||
data: | ||
user: '{{ .Data.username }}' | ||
pass: '{{ .Data.password }}' | ||
|
||
## 6. Usage: Sync single key from multiple sources with templating | ||
- secretSources: | ||
- name: username # Username mapping, available as ".Data.username" | ||
secretRef: | ||
key: /source/credentials/username | ||
|
||
- name: password # Password mapping, available as ".Data.password" | ||
secretRef: | ||
key: /source/credentials/password | ||
|
||
- name: dynamic_query # Query mapping, available as "Data.dynamic_query.<key>" | ||
secretQuery: | ||
path: /source/credentials | ||
key: | ||
regexp: .* | ||
|
||
target: | ||
key: /target/example-6 | ||
|
||
template: | ||
data: | ||
username: '{{ .Data.username }}' | ||
password: '{{ .Data.password }}' | ||
userpass: '{{ .Data.dynamic_query.username }}/{{ .Data.dynamic_query.password }}' | ||
``` | ||
#### Perform sync | ||
```bash | ||
secret-sync --source path/to/vault-source.yaml \ | ||
--dest path/to/vault-dest.yaml \ | ||
--target path/to/vault-target.yaml \ | ||
--sync path/to/sync-job.yaml | ||
# Use --schedule "@every 1m" to override sync job file config. | ||
``` | ||
|
||
</details> | ||
|
||
### Docs | ||
Check documentation and example usage at [PROPOSAL](docs/proposal.md). | ||
Check documentation and example usage at [DOCS](docs/). |
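Review bot: the `## 3. Usage` block sets both `rawData` and `data` under one `template:` while the comment directly above it says either `rawData` or `data` should be specified, not both, so a reader who copies the example gets whatever the loader does with the forbidden combination (a validation error or one key silently winning). Split it into two examples or comment one key out, e.g. `# data:` / `#   example: '{{ .Data }}'`, and say which key wins if validation does not reject both. Separately, both store examples dial `http://0.0.0.0:8200` with `token: "root"`; 0.0.0.0 is a listen address rather than something a client should connect to, and an inline root token in the README is what ends up in real configs, so prefer `127.0.0.1`, an `https://` address and `tokenPath` (or an environment variable) with a one-line note that the values are for a throwaway local dev Vault only.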
@@ -0,0 +1 @@ | ||
this-is-password |
@@ -0,0 +1 @@ | ||
this-is-username |
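Review bot: this fixture and the preceding `this-is-password` one are single-line files (`@@ -0,0 +1 @@`), and whether each carries a trailing newline decides whether the FileDir store yields `this-is-username` or `this-is-username\n` on the target side; the test that compares synced values should pin that behaviour explicitly (trim or not) rather than depend on how the file was saved. Since git tracks only the executable bit, the test setup should also copy these fixtures into the store directory with a restrictive mode instead of relying on the checked-out file mode.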
@@ -1,4 +1,2 @@ | ||
permissions: ReadWrite | ||
provider: | ||
file: | ||
dir-path: "/tmp/dest" | ||
file: | ||
dirPath: "/tmp/target" |
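Review bot: dropping `permissions: ReadWrite` (together with the `provider:` wrapper) removes the only per-store access declaration, and the README change in this same PR drops `permissions: Read`/`Write` from the Vault examples as well, so nothing in a store config now marks a source as read-only. If the intent is that the sync job alone decides direction, document that and make sure the source store is opened without write access; otherwise keep a read-only flag on the store. Also, `dirPath: "/tmp/target"` puts a store the README describes as plain unencrypted files into a world-writable directory, which is acceptable for an example only if the tests create it with mode 0700 (or use a per-run temp dir) first.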
@@ -1,4 +1,2 @@ | ||
permissions: ReadWrite | ||
provider: | ||
file: | ||
dir-path: "/tmp/source" | ||
file: | ||
dirPath: "/tmp/source" |
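Review bot: same shape as the target config: the source file store loses `permissions: ReadWrite` and now has nothing restricting it to reads, and `dirPath: "/tmp/source"` is a shared tmp directory. Since this is the store the `this-is-username`/`this-is-password` fixtures are read from, the test setup should create `/tmp/source` with mode 0700 (or a per-run temp dir) before copying the fixtures in, so another local user cannot pre-create the path and substitute their own secret files.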