Secrets Loading

Loading secrets in the vault is usually done by running ./pattern.sh make load-secrets from the Pattern’s repository. This runs ansible code that parses local yaml files containing the secrets to be uploaded to the Vault running on the Hub.

The secrets needed for the pattern are in the values-secret.yaml.template file in the pattern’s repository.

Copy values-secret.yaml.template to ~/values-secret-multicloud-gitops.yaml and edit it according to your needs.

You could also run ./pattern.sh make load-secrets to run it through a container without installing too many dependencies.

Please encrypt the file with ansible-vault encrypt ~/values-secret-multicloud-gitops.yaml (i.e. no clear-text secrets at rest).

make load-secrets will prompt for the decryption key if the file is encrypted.

It looks for files in the following order (and stops as soon as one is found):

  • ~/.config/validatedpatterns/values-secret-<patternname>.yaml

  • ~/values-secret-<patternname>.yaml (e.g. ~/values-secret-multicloud-gitops.yaml)

  • <patternrepository>/values-secret.yaml.template

An alternative yaml file path can be specified by setting the VALUES_SECRET environment variable:

export VALUES_SECRET=~/foo/bar.yaml; ./pattern.sh make load-secrets

Secrets Template in the Patterns

Two file format versions are understood by the loading mechanism: “version: 1.0” (default) and “version: 2.0”. Please specify and use “version: 2.0” when possible. Version 2.0 supports file uploading, prompting for secrets, base64 encoding, reading secrets from INI files (e.g. ~/.aws/credentials), uploading to multiple vault paths and generating secrets inside Vault directly using password policies. Version 1.0 is a lot more limited in terms of capabilities and is deprecated. Both versions have corresponding JSON schemas: V1 and V2. Complete examples can be found here.

version: "2.0"

secrets:
  - name: config-demo
    vaultPrefixes:
    - global
    fields:
    - name: secret
      onMissingValue: generate
      vaultPolicy: validatedPatternDefaultPolicy

  • The validatedPatternDefaultPolicy is a default password policy that is guaranteed to exist

  • It is defined here

  • The secret is 20 characters long (min 1 lowercase, min 1 uppercase, min 1 number, min 1 special char)

  • It is possible to create a custom policy and use that one to generate secrets randomly

Secret Examples

version: "2.0"
secrets:
  - name: config-demo
    vaultMount: secret
    vaultPrefixes:
    - region-one
    - snowflake
    fields:
    - name: secretfile
      path: /tmp/ca.crt
      onMissingValue: prompt
      base64: true
      prompt: "Insert path to Certificate Authority"

This will prompt the user with:

  • Insert path to Certificate Authority [/tmp/ca.crt]:

  • Pressing only Enter accepts the default shown in [] (the input is not echoed!). “/tmp/ca.crt” will then be read, base64 encoded and uploaded

  • It will be uploaded as an attribute called “secretfile” to two different vault keys:

    • secret/region-one/config-demo

    • secret/snowflake/config-demo

version: "2.0"

secrets:
  - name: aws
    fields:
    - name: aws_access_key_id
      ini_file: ~/.aws/credentials
      ini_section: default
      ini_key: aws_access_key_id
    - name: aws_secret_access_key
      ini_file: ~/.aws/credentials
      ini_section: default
      ini_key: aws_secret_access_key

This reads ~/.aws/credentials and uses the [default] section to look up aws_access_key_id and aws_secret_access_key in the file.

version: "2.0"
vaultPolicies:
  basicPolicy: |
    length=10
    rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
    rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
    rule "charset" { charset = "0123456789" min-chars = 1 }
secrets:
  - name: config-demo
    vaultPrefixes:
    - region-one
    fields:
    - name: secret
      onMissingValue: generate # One of: error,generate,prompt (generate is only valid for normal secrets)
      # This override attribute is false by default. The attribute is only valid with 'generate'. If the secret already exists in the
      # vault it won't be changed unless override is set to true
      override: true
      vaultPolicy: basicPolicy

This will use the basicPolicy to generate a random value as an attribute called secret in the secret/region-one/config-demo vault path.
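To make the field kinds above concrete, the following added example (not the pattern's own ansible code) resolves a version 2.0 spec into the Vault paths and attributes it would write: ini_file/ini_section/ini_key lookups, path + base64 file secrets, vaultMount/vaultPrefixes path construction, and onMissingValue: generate with its vaultPolicy and override flag. The default vaultPrefixes value ("hub") is an assumption the page does not state, and the credentials and CA files are constructed in a temporary directory.

```python
import base64
import configparser
import tempfile
from pathlib import Path

DEFAULT_PREFIX = "hub"  # assumption: the page does not state the default vaultPrefixes
DEFAULT_POLICY = "validatedPatternDefaultPolicy"  # guaranteed to exist per the page

def resolve_field(field, policies):
    """Value one v2 field uploads; a prompt's default path is used as if Enter were pressed."""
    mode = field.get("onMissingValue", "error")
    if "ini_file" in field:  # e.g. [default] aws_access_key_id in ~/.aws/credentials
        cp = configparser.ConfigParser()
        cp.read(Path(field["ini_file"]).expanduser())
        return cp[field["ini_section"]][field["ini_key"]]
    if "path" in field:
        if mode == "generate":  # generate is only valid for normal (non-file) secrets
            raise ValueError(f"{field['name']}: generate is not valid for file secrets")
        raw = Path(field["path"]).expanduser().read_bytes()
        return base64.b64encode(raw).decode() if field.get("base64") else raw.decode()
    if mode == "generate":
        policy = field.get("vaultPolicy", DEFAULT_POLICY)
        if policy != DEFAULT_POLICY and policy not in policies:
            raise ValueError(f"{field['name']}: unknown vaultPolicy {policy}")
        # Vault generates the value itself; an existing value is kept unless override is true
        return {"generate": policy, "override": bool(field.get("override", False))}
    raise ValueError(f"{field['name']}: no value source and onMissingValue={mode}")

def plan_uploads(spec):
    """Map each Vault path (vaultMount/prefix/name) to the attributes written there."""
    policies, plan = spec.get("vaultPolicies", {}), {}
    for secret in spec["secrets"]:
        mount = secret.get("vaultMount", "secret")
        attrs = {f["name"]: resolve_field(f, policies) for f in secret["fields"]}
        for prefix in secret.get("vaultPrefixes", [DEFAULT_PREFIX]):
            plan[f"{mount}/{prefix}/{secret['name']}"] = attrs
    return plan

def demo():
    """Constructed files and spec mirroring the page's examples; returns the plan."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "credentials").write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n")
    (tmp / "ca.crt").write_bytes(b"CA-DATA\n")
    spec = {"version": "2.0", "vaultPolicies": {"basicPolicy": "length=10"}, "secrets": [
        {"name": "config-demo", "vaultPrefixes": ["region-one", "snowflake"], "fields": [
            {"name": "secretfile", "path": str(tmp / "ca.crt"), "onMissingValue": "prompt", "base64": True},
            {"name": "secret", "onMissingValue": "generate", "override": True, "vaultPolicy": "basicPolicy"}]},
        {"name": "aws", "fields": [{"name": "aws_access_key_id", "ini_file": str(tmp / "credentials"),
                                    "ini_section": "default", "ini_key": "aws_access_key_id"}]}]}
    return plan_uploads(spec)
```

Running demo() shows the same attributes landing under both secret/region-one/config-demo and secret/snowflake/config-demo, while a generate field with a path is rejected before anything is read.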