Add an export command #38

Merged
merged 2 commits into from
Apr 23, 2018

archgrove
Contributor

We're currently deploying Credhub alongside Concourse as our primary CI credential store. It's been largely fantastic - thanks so much. There's one thing we've missed so far, which is export.

The ability to mass-export credentials from Credhub would solve two helpful use-cases for us.

  1. Backup; we can export the credentials, and store them in an additional encrypted location for backup purposes. As Concourse has a "disposable" setup philosophy (Pipelines and resources are all stored externally), we would like to not have a specific Postgres backup strategy in place (that, indeed, would not prove robust as the Credhub schema changes over time).
  2. Mass update; we have a fair number of credentials in Credhub, and did not always store them at the ideal keys. Mass-moving credentials between paths would be much easier if they could be exported, updated in the export, then re-imported.

To facilitate these scenarios, we've created an export command, that mirrors the extant import command. By default, it exports all credentials to stdout in YAML that is credhub import compatible. The CLI flag -p can restrict the paths being exported; the flag -f will redirect the output directly to a file.

It would be really useful to us if this could be upstreamed. If there are changes in style or approach that might help this, we're happy to make them. All suggestions and feedback are most welcome.
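
The backup use case above, sketched as an added example that is not part of this pull request or the CredHub CLI: it pipes `credhub export -p` straight into `gpg` so the plaintext YAML is never written to disk (unlike `-f`), and keeps the previous backup if either side fails. It assumes a logged-in `credhub` CLI and a trusted recipient key in the local keyring; the function name, recipient and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR). Assumptions: the credhub CLI is already
# logged in, gpg holds a trusted public key for the recipient, and the
# function name, recipient and output path are hypothetical.

# credhub_backup PATH_PREFIX RECIPIENT OUTFILE
credhub_backup() (
    prefix=$1; recipient=$2; out=$3
    umask 077                         # temp file and backup are owner-only
    tmp=$(mktemp "${out}.XXXXXX") || exit 1
    fail() { rm -f "$tmp"; echo "credhub_backup: $1" >&2; exit "$2"; }

    # Plaintext YAML only ever travels through the pipe into gpg.
    # POSIX sh has no pipefail, so fd 3 carries the exit status of
    # `credhub export` out of the pipeline; gpg's status is the pipeline's.
    export_rc=$( { { credhub export -p "$prefix"; echo "$?" >&3; } |
        gpg --batch --encrypt --recipient "$recipient" >"$tmp"; } 3>&1 ) \
        && gpg_rc=0 || gpg_rc=$?

    [ "$export_rc" = 0 ] || fail "export failed, previous backup kept" 2
    [ "$gpg_rc" -eq 0 ]  || fail "encryption failed" 3
    [ -s "$tmp" ]        || fail "empty output" 4

    mv "$tmp" "$out"                  # atomic replace within one directory
)
```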

@cfdreddbot

Hey archgrove!

Thanks for submitting this pull request!

All pull request submitters and commit authors must have a Contributor License Agreement (CLA) on-file with us. Please sign the appropriate CLA (individual or corporate).

When sending signed CLA please provide your github username in case of individual CLA or the list of github usernames that can make pull requests on behalf of your organization.

If you are confident that you're covered under a Corporate CLA, please make sure you've publicized your membership in the appropriate Github Org, per these instructions.

Once you've publicized your membership, one of the owners of this repository can close and reopen this pull request, and dreddbot will take another look.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/155883718

The labels on this github issue will be updated when the story is started.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/156696248

The labels on this github issue will be updated when the story is started.

@cfdreddbot

Hey archgrove!

Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/156720341

The labels on this github issue will be updated when the story is started.

We would like to be able to export credentials, both for backup and
mass-editing purposes.  These bulk export models provide a mechanism to turn
a slice of `credhub.credentials.Credential` into a YAML representation that
can be serialised or reimported by the bulk import process.

A test ensures that whatever is created remains importable as the code evolves.

Exporting credentials is useful both for backup and management purposes
(e.g. mass-moving a number of credentials to a different path). This
command enables exporting by path matching, utilising the bulk export
models to create an output that is reimportable.

By default, the command exports all credentials to `stdout` in import
compatible YAML. The `-p` flag can be used to restrict the paths
exported; the `-f` flag to write the output to a file. Note that the
credentials are held unencrypted in-memory during this process; as this
seems true of all the code, this should not be seen as a problem; just a
caveat.

@archgrove force-pushed the add_export_command branch from 2213191 to fd2ab34 on April 20, 2018 09:21

@benmoss merged commit f55ae36 into cloudfoundry:master on Apr 23, 2018

@benmoss

benmoss commented Apr 23, 2018

Thanks @archgrove! Looks good.

@archgrove
Contributor Author

@benmoss I probably need to provide the documentation linked to in the flag (https://credhub-api.cfapps.io/#export-credentials). Is that in a repo somewhere I can PR to?

@benmoss

benmoss commented Apr 23, 2018

@archgrove Nice catch. I think of those as being our API documentation, but we documented import there too, which also isn't really an API feature but just a CLI abstraction. If you want to you can send a PR to https://github.com/cloudfoundry-incubator/credhub-api-site

@archgrove
Contributor Author

@benmoss Done; see cloudfoundry/credhub-api-site#6. Thanks!
