From 5ba459bc8740cce5f0fe16508af3ef8e465b59e8 Mon Sep 17 00:00:00 2001 From: Bence Csati Date: Fri, 23 Feb 2024 11:12:27 +0100 Subject: [PATCH 1/3] feat(examples): update readme, add examples Signed-off-by: Bence Csati --- README.md | 18 +++- examples/README.md | 3 + examples/secret-init-as-a-standalone-tool.md | 87 ++++++++++++++++++++ examples/secret-init-with-secrets-webhook.md | 3 + 4 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 examples/README.md create mode 100644 examples/secret-init-as-a-standalone-tool.md create mode 100644 examples/secret-init-with-secrets-webhook.md diff --git a/README.md b/README.md index 243798f..6976303 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,23 @@ **Minimalistic init system for containers injecting secrets from various secret stores.** -## Usage +## Features -TODO + +- `Multi-provider support`: No need to explicitly specify the secret provider; instead, secrets are loaded based on environment variable references. +- `Async loading`: Secrets are loaded asynchronously, enhancing speed and efficiency. +- `Load without modification`: `Secret-init` replaces environment variable values, with values from secret providers, without modification. +- `Renew secrets`: If `secret-init` is used in daemon mode, it will renew secrets in the background. + +| **Supported Providers** | **Status** | +|--------------------------------------------------------------|----------------| +| [HashiCorp Vault](https://www.vaultproject.io) | ✅ Implemented | +| [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)| Upcoming | + +## Getting started + +- `Secret-init` is designed for use with the [Kubernetes mutating webhook](https://bank-vaults.dev/docs/mutating-webhook/); however, it can also function as a standalone tool. +- Take a look at some of the [examples](examples) that showcase the use of `secret-init`. ## Development diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..b24398f 
--- /dev/null +++ b/examples/README.md @@ -0,0 +1,3 @@ +## Usage Examples + +Discover a range of examples that highlight the functionalities of **Secret-init**. diff --git a/examples/secret-init-as-a-standalone-tool.md b/examples/secret-init-as-a-standalone-tool.md new file mode 100644 index 0000000..36fcfcb --- /dev/null +++ b/examples/secret-init-as-a-standalone-tool.md 
@@ -0,0 +1,87 @@ +## Secret-init as a standalone tool +**Multi-provider setup** + +## Prerequisites + +- Golang `>= 1.21` +- Makefile +- Docker compose + +## Environment setup + +```bash +# Deploy a Vault instance +make up +``` + +```bash +# FILE PROVIDER SETUP + +# Create a folder for the example assets +mkdir -p example + +# Create secrets for the file provider +printf "secret-value" >> "example/secret-file" +printf "super-secret-value" >> "example/super-secret-value" + +#NOTE: Optionally you can set a mount path for the file provider by using the FILE_MOUNT_PATH environment variable. +``` + +```bash +# VAULT PROVIDER SETUP + +# Create a tokenfile +printf $VAULT_TOKEN > "example/token-file" +export VAULT_TOKEN_FILE=$PWD/example/token-file + +#NOTE: Secret-init can authenticate to Vault by supplying role/path credentials. + +# Create secrets for the vault provider +vault kv put secret/test/mysql MYSQL_PASSWORD=3xtr3ms3cr3t +vault kv put secret/test/aws AWS_ACCESS_KEY_ID=secretId AWS_SECRET_ACCESS_KEY=s3cr3t + +#NOTE: If you would like to use secret-init in daemon mode to renew secrets in the background. + +#Set daemon mode + +export SECRET_INIT_DAEMON="true" +``` + +```bash +# Export environment variables +export FILE_SECRET_1=file:$PWD/example/secret-file +export FILE_SECRET_2=file:$PWD/example/super-secret-value +export MYSQL_PASSWORD=vault:secret/data/test/mysql#MYSQL_PASSWORD +export AWS_SECRET_ACCESS_KEY=vault:secret/data/test/aws#AWS_SECRET_ACCESS_KEY +export AWS_ACCESS_KEY_ID=vault:secret/data/test/aws#AWS_ACCESS_KEY_ID +``` + +## Run secret-init + +```bash +# Build the secret-init binary +go build + +# Run secret-init with a command e.g. 
+./secret-init env | grep 'MYSQL_PASSWORD\|AWS_SECRET_ACCESS_KEY\|AWS_ACCESS_KEY_ID\|FILE_SECRET_1\|FILE_SECRET_2' +``` + +## Cleanup + +```bash +# Remove files and binary +rm -rd example/ +rm -rf secret-init + +# Remove the Vault instance +make down + +# Unset the environment variables +unset VAULT_TOKEN_FILE +unset SECRET_INIT_DAEMON +unset FILE_SECRET_1 +unset FILE_SECRET_2 +unset MYSQL_PASSWORD +unset AWS_SECRET_ACCESS_KEY +unset AWS_ACCESS_KEY_ID +``` diff --git a/examples/secret-init-with-secrets-webhook.md b/examples/secret-init-with-secrets-webhook.md new file mode 100644 index 0000000..b31be5d --- /dev/null +++ b/examples/secret-init-with-secrets-webhook.md @@ -0,0 +1,3 @@ +## secret-init in combination with the secret injection webhook + +Usage examples can be found in the webhooks [documentation](https://bank-vaults.dev/docs/mutating-webhook/). From d406e5f37ee78656c4be3c4de6d0302688e18ef4 Mon Sep 17 00:00:00 2001 From: Bence Csati Date: Fri, 23 Feb 2024 14:20:21 +0100 Subject: [PATCH 2/3] fix: minor fixes Signed-off-by: Bence Csati --- README.md | 12 ++++---- examples/README.md | 3 +- examples/secret-init-as-a-standalone-tool.md | 29 ++++++++++---------- examples/secret-init-with-secrets-webhook.md | 3 -- 4 files changed, 23 insertions(+), 24 deletions(-) delete mode 100644 examples/secret-init-with-secrets-webhook.md diff --git a/README.md b/README.md index 6976303..c835bcc 100644 --- a/README.md +++ b/README.md 
@@ -8,19 +8,19 @@ ## Features -- `Multi-provider support`: No need to explicitly specify the secret provider; instead, secrets are loaded based on environment variable references. -- `Async loading`: Secrets are loaded asynchronously, enhancing speed and efficiency. -- `Load without modification`: `Secret-init` replaces environment variable values, with values from secret providers, without modification. -- `Renew secrets`: If `secret-init` is used in daemon mode, it will renew secrets in the background. +- **Multi-provider support** - Automatically deduces and initializes required secret providers from environment variable references. +- **Async loading** - Secrets are loaded asynchronously to improve speed. +- **Renew secrets** - Use daemon mode to renew secrets in the background. | **Supported Providers** | **Status** | |--------------------------------------------------------------|----------------| -| [HashiCorp Vault](https://www.vaultproject.io) | ✅ Implemented | +| File proivder | ✅ Implemented | +| [HashiCorp Vault](https://www.vaultproject.io) | ✅ Implemented | | [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)| Upcoming | ## Getting started -- `Secret-init` is designed for use with the [Kubernetes mutating webhook](https://bank-vaults.dev/docs/mutating-webhook/); however, it can also function as a standalone tool. +- `secret-init` is designed for use with the [Kubernetes mutating webhook](https://bank-vaults.dev/docs/mutating-webhook/). It can also function as a standalone tool. - Take a look at some of the [examples](examples) that showcase the use of `secret-init`. ## Development diff --git a/examples/README.md b/examples/README.md index b24398f..c8c3716 100644 --- a/examples/README.md +++ b/examples/README.md 
@@ -1,3 +1,4 @@ ## Usage Examples -Discover a range of examples that highlight the functionalities of **Secret-init**. +Discover a range of examples that highlight the functionalities of **secret-init**: +- [Standalone tool](secret-init-as-a-standalone-tool) diff --git a/examples/secret-init-as-a-standalone-tool.md b/examples/secret-init-as-a-standalone-tool.md index 36fcfcb..c96b346 100644 --- a/examples/secret-init-as-a-standalone-tool.md +++ b/examples/secret-init-as-a-standalone-tool.md @@ -15,36 +15,33 @@ make up ``` ```bash -# FILE PROVIDER SETUP - # Create a folder for the example assets mkdir -p example +``` -# Create secrets for the file provider -printf "secret-value" >> "example/secret-file" -printf "super-secret-value" >> "example/super-secret-value" - +- Prepare File provider +```bash #NOTE: Optionally you can set a mount path for the file provider by using the FILE_MOUNT_PATH environment variable. ``` +- Prepare Vault provider ```bash -# VAULT PROVIDER SETUP - # Create a tokenfile printf $VAULT_TOKEN > "example/token-file" export VAULT_TOKEN_FILE=$PWD/example/token-file #NOTE: Secret-init can authenticate to Vault by supplying role/path credentials. +``` + +## Define secrets to inject +```bash +# Create secrets for the file provider +printf "secret-value" >> "example/secret-file" +printf "super-secret-value" >> "example/super-secret-value" # Create secrets for the vault provider vault kv put secret/test/mysql MYSQL_PASSWORD=3xtr3ms3cr3t vault kv put secret/test/aws AWS_ACCESS_KEY_ID=secretId AWS_SECRET_ACCESS_KEY=s3cr3t - -#NOTE: If you would like to use secret-init in daemon mode to renew secrets in the background. - -#Set daemon mode - -export SECRET_INIT_DAEMON="true" ``` ```bash 
@@ -62,6 +59,10 @@ export AWS_ACCESS_KEY_ID=vault:secret/data/test/aws#AWS_ACCESS_KEY_ID # Build the secret-init binary go build +# Use in daemon mode +SECRET_INIT_DAEMON="true" + + # Run secret-init with a command e.g. ./secret-init env | grep 'MYSQL_PASSWORD\|AWS_SECRET_ACCESS_KEY\|AWS_ACCESS_KEY_ID\|FILE_SECRET_1\|FILE_SECRET_2' ``` diff --git a/examples/secret-init-with-secrets-webhook.md b/examples/secret-init-with-secrets-webhook.md deleted file mode 100644 index b31be5d..0000000 --- a/examples/secret-init-with-secrets-webhook.md +++ /dev/null @@ -1,3 +0,0 @@ -## secret-init in combination with the secret injection webhook - -Usage examples can be found in the webhooks [documentation](https://bank-vaults.dev/docs/mutating-webhook/). From 8ba867c6e22e6c9de5ba28ff28c586c35fa7c715 Mon Sep 17 00:00:00 2001 From: Bence Csati Date: Fri, 23 Feb 2024 15:59:25 +0100 Subject: [PATCH 3/3] fix: minor fixes Signed-off-by: Bence Csati --- examples/secret-init-as-a-standalone-tool.md | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/examples/secret-init-as-a-standalone-tool.md b/examples/secret-init-as-a-standalone-tool.md index c96b346..0dd52da 100644 --- a/examples/secret-init-as-a-standalone-tool.md +++ b/examples/secret-init-as-a-standalone-tool.md 
@@ -19,31 +19,29 @@ make up mkdir -p example ``` -- Prepare File provider +### Prepare File provider ```bash +# Create secrets for the file provider +printf "secret-value" >> "example/secret-file" +printf "super-secret-value" >> "example/super-secret-value" + #NOTE: Optionally you can set a mount path for the file provider by using the FILE_MOUNT_PATH environment variable. ``` -- Prepare Vault provider +### Prepare Vault provider ```bash # Create a tokenfile printf $VAULT_TOKEN > "example/token-file" export VAULT_TOKEN_FILE=$PWD/example/token-file -#NOTE: Secret-init can authenticate to Vault by supplying role/path credentials. -``` - -## Define secrets to inject -```bash -# Create secrets for the file provider -printf "secret-value" >> "example/secret-file" -printf "super-secret-value" >> "example/super-secret-value" +#NOTE: Secret-init can authenticate to Vault by supplying role/path credentials. # Create secrets for the vault provider vault kv put secret/test/mysql MYSQL_PASSWORD=3xtr3ms3cr3t vault kv put secret/test/aws AWS_ACCESS_KEY_ID=secretId AWS_SECRET_ACCESS_KEY=s3cr3t ``` +## Define secrets to inject ```bash # Export environment variables export FILE_SECRET_1=file:$PWD/example/secret-file @@ -62,7 +60,6 @@ go build # Use in daemon mode SECRET_INIT_DAEMON="true" - # Run secret-init with a command e.g. ./secret-init env | grep 'MYSQL_PASSWORD\|AWS_SECRET_ACCESS_KEY\|AWS_ACCESS_KEY_ID\|FILE_SECRET_1\|FILE_SECRET_2' ```
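Review bot: In PATCH 1/3, the `examples/secret-init-as-a-standalone-tool.md` hunk writes the Vault token with `printf $VAULT_TOKEN > "example/token-file"`, which passes the unquoted token as printf's format string and creates the file with the default umask, so any `%` in the token is interpreted and the file is typically world-readable. Suggest `(umask 077; printf '%s' "$VAULT_TOKEN" > example/token-file)` or an explicit `chmod 600 example/token-file`. The same hunk never says where `VAULT_TOKEN` comes from (presumably `make up`); a line in Prerequisites or Environment setup would spare the reader a guess. Also, `printf "secret-value" >> "example/secret-file"` and the `super-secret-value` line use `>>`, so re-running the walkthrough appends a second copy and the injected value becomes `secret-valuesecret-value`; `>` is what the token-file line already uses and is what is meant here.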
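Review bot: In PATCH 2/3, the `README.md` hunk (`@@ -8,19 +8,19 @@`) adds the table row `| File proivder | ✅ Implemented |`; "proivder" is a typo for "provider". While touching it, the row could carry the same column padding as the Vault row so the table source stays aligned.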
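Review bot: In PATCH 2/3, the `examples/README.md` hunk links `[Standalone tool](secret-init-as-a-standalone-tool)` without the `.md` extension, but the file added in this series is `examples/secret-init-as-a-standalone-tool.md`; rendered on GitHub the relative link will not resolve. Use `(secret-init-as-a-standalone-tool.md)`.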
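Review bot: In PATCH 2/3, the `@@ -15,36 +15,33 @@` hunk of the standalone example leaves the "Prepare File provider" fence containing only the `#NOTE:` comment, because the two `printf` lines that actually create the files were moved down to "Define secrets to inject"; a reader following the steps in order prepares nothing for the file provider at that point. The bullet `- Prepare File provider` is also immediately followed by the opening fence with no blank line, which some Markdown renderers fold into the list item. PATCH 3/3 moves the `printf` lines back and turns the bullets into `###` headings, so it may be cleaner to squash that change into this patch rather than land the intermediate state.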
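Review bot: In PATCH 2/3, the `@@ -62,6 +59,10 @@` hunk replaces PATCH 1/3's `export SECRET_INIT_DAEMON="true"` with a bare `SECRET_INIT_DAEMON="true"`, which is a shell variable assignment only; it is not placed in the environment, so `./secret-init env ...` on the following line never sees it and daemon mode is not enabled, while the Cleanup block still runs `unset SECRET_INIT_DAEMON`. Either restore `export SECRET_INIT_DAEMON="true"` or prefix the command: `SECRET_INIT_DAEMON="true" ./secret-init env ...`. The comment `# Use in daemon mode` should also say this step is optional, as the removed NOTE did, since a reader of a walkthrough will otherwise run it unconditionally.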
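Review bot: In PATCH 3/3, the `@@ -62,7 +60,6 @@` hunk only drops a blank line and keeps `SECRET_INIT_DAEMON="true"` without `export`, so the daemon-mode step introduced in PATCH 2/3 still has no effect on the `./secret-init` invocation that follows; since this patch is already titled "minor fixes", restoring the `export` here would close the series in a working state.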
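Review bot: In PATCH 3/3, the `@@ -19,31 +19,29 @@` hunk leaves the heading `## Define secrets to inject` directly above the fence that only exports the `file:` and `vault:` references (`export FILE_SECRET_1=file:$PWD/example/secret-file` and following), while the secrets themselves are now created under `### Prepare File provider` and `### Prepare Vault provider`; a heading such as "Reference the secrets to inject" would match the content. Both `### Prepare ...` headings and `## Define secrets to inject` are also followed by the opening fence with no blank line between them, unlike the rest of the file. Finally, `#NOTE: Secret-init can authenticate to Vault by supplying role/path credentials.` names no setting at all; pointing at the variables or the docs section that configure that method would make the note actionable.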