feat: Add support for HCP Vault Secrets
Showing
12 changed files
with
226 additions
and
13 deletions.
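--- a/assets/chezmoi.io/docs/reference/templates/vlt-functions/hcpVaultSecrets.md
+++ b/assets/chezmoi.io/docs/reference/templates/vlt-functions/hcpVaultSecrets.md
@@ -0,0 +1,11 @@
+# `hcpVaultSecrets` *key* [*app-name* [*project* [*organization*]]]
+
+`hcpVaultSecrets` returns the plaintext secret from [HCP Vault
+Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) using the `vlt`
+CLI.
+
+!!! example
+
+```
+{{ hcpVaultSecrets "username" }}
+```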
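--- a/assets/chezmoi.io/docs/reference/templates/vlt-functions/hcpVaultSecretsJson.md
+++ b/assets/chezmoi.io/docs/reference/templates/vlt-functions/hcpVaultSecretsJson.md
@@ -0,0 +1,11 @@
+# `hcpVaultSecrets` *key* [*app-name* [*project* [*organization*]]]
+
+`hcpVaultSecrets` returns the secret from [HCP Vault
+Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) using the `vlt`
+CLI.
+
+!!! example
+
+```
+{{ (hcpVaultSecretsJson "username") }}
+```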
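--- a/assets/chezmoi.io/docs/reference/templates/vlt-functions/index.md
+++ b/assets/chezmoi.io/docs/reference/templates/vlt-functions/index.md
@@ -0,0 +1,10 @@
+# HCP Vault Secrets
+
+chezmoi includes support for [HCP Vault
+Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) using the `vlt`
+CLI to expose data through the `hcpVaultSecrets` and `hcpVaultSecretsJson`
+template functions.
+
+!!! warning
+
+HCP Vault Secrets is in beta and chezmoi's support for it may change at any time.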
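--- a/assets/chezmoi.io/docs/user-guide/password-managers/hcp-vault-secrets.md
+++ b/assets/chezmoi.io/docs/user-guide/password-managers/hcp-vault-secrets.md
@@ -0,0 +1,10 @@
+# HCP Vault Secrets
+
+chezmoi includes support for [HCP Vault
+Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets) using the `vlt`
+CLI to expose data through the `hcpVaultSecrets` and `hcpVaultSecretsJson`
+template functions.
+
+!!! warning
+
+HCP Vault Secrets is in beta and chezmoi's support for it may change at any time.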
@@ -0,0 +1,90 @@ | ||
package cmd | ||
|
||
import ( | ||
"encoding/json" | ||
"fmt" | ||
"os" | ||
"os/exec" | ||
"strings" | ||
|
||
"github.com/twpayne/chezmoi/v2/pkg/chezmoilog" | ||
) | ||
|
||
type hcpVaultSecretsConfig struct { | ||
Command string `json:"command" mapstructure:"command" yaml:"command"` | ||
outputCache map[string][]byte | ||
} | ||
|
||
func (c *Config) hcpVaultSecretsTemplateFunc(key string, additionalArgs ...string) string { | ||
args, err := appendHCPVaultSecretsAdditionalArgs( | ||
[]string{"secrets", "get", "--plaintext"}, | ||
additionalArgs, | ||
) | ||
if err != nil { | ||
panic(err) | ||
} | ||
output, err := c.vltOutput(append(args, key)) | ||
if err != nil { | ||
panic(err) | ||
} | ||
return string(output) | ||
} | ||
|
||
func (c *Config) hcpVaultSecretsJSONTemplateFunc(key string, additionalArgs ...string) any { | ||
args, err := appendHCPVaultSecretsAdditionalArgs( | ||
[]string{"secrets", "get", "--format", "json"}, | ||
additionalArgs, | ||
) | ||
if err != nil { | ||
panic(err) | ||
} | ||
data, err := c.vltOutput(append(args, key)) | ||
if err != nil { | ||
panic(err) | ||
} | ||
var value any | ||
if err := json.Unmarshal(data, &value); err != nil { | ||
panic(err) | ||
} | ||
return value | ||
} | ||
|
||
func appendHCPVaultSecretsAdditionalArgs(args, additionalArgs []string) ([]string, error) { | ||
if len(additionalArgs) > 0 && additionalArgs[0] != "" { | ||
args = append(args, "--app-name", additionalArgs[0]) | ||
} | ||
if len(additionalArgs) > 1 && additionalArgs[1] != "" { | ||
args = append(args, "--project", additionalArgs[1]) | ||
} | ||
if len(additionalArgs) > 2 && additionalArgs[2] != "" { | ||
args = append(args, "--organization", additionalArgs[2]) | ||
} | ||
if len(additionalArgs) > 3 { | ||
// Add one to the number of received arguments as the hcpVaultSecrets | ||
// and hcpVaultSecretsJson template functions report this error and take | ||
// the key as the first argument. | ||
return nil, fmt.Errorf("expected 1 to 4 arguments, got %d", len(additionalArgs)+1) | ||
} | ||
return args, nil | ||
} | ||
|
||
func (c *Config) vltOutput(args []string) ([]byte, error) { | ||
key := strings.Join(args, "\x00") | ||
if data, ok := c.HCPVaultSecrets.outputCache[key]; ok { | ||
return data, nil | ||
} | ||
|
||
cmd := exec.Command(c.HCPVaultSecrets.Command, args...) //nolint:gosec | ||
cmd.Stdin = os.Stdin | ||
cmd.Stderr = os.Stderr | ||
output, err := chezmoilog.LogCmdOutput(cmd) | ||
if err != nil { | ||
return nil, newCmdOutputError(cmd, output, err) | ||
} | ||
|
||
if c.HCPVaultSecrets.outputCache == nil { | ||
c.HCPVaultSecrets.outputCache = make(map[string][]byte) | ||
} | ||
c.HCPVaultSecrets.outputCache[key] = output | ||
return output, nil | ||
} |
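Review bot: hcpVaultSecretsTemplateFunc hands back `string(output)` untrimmed, so if `vlt secrets get --plaintext` terminates the value with a newline — as the `echo db-user` stub in this commit's test does — that newline is rendered verbatim into the target file, a recurring cause of silently broken credentials in dotfiles; consider `return strings.TrimSuffix(string(output), "\n")` (strings is already imported) with a comment stating that vlt's line terminator is not part of the secret, or else state on the hcpVaultSecrets doc page that the value is returned exactly as vlt prints it. In both template functions the key is appended after the option flags as the last positional argument, so a key beginning with `-` would be read by vlt as a flag; if vlt honours the conventional `--` terminator, `c.vltOutput(append(args, "--", key))` closes that off (the test stub's case patterns would need the same change). On documentation, the new hcpVaultSecretsJson.md page is headed with the name `hcpVaultSecrets` and its first sentence names `hcpVaultSecrets` too, where both should read `hcpVaultSecretsJson`. A doc comment on hcpVaultSecretsConfig noting that outputCache retains fetched plaintext for the life of the process, keyed on the exact vlt argv, would help reviewers reason about where secrets live in memory.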
@@ -0,0 +1,48 @@ | ||
[windows] skip 'UNIX only' | ||
[!windows] chmod 755 bin/vlt | ||
|
||
# test hcpVaultSecrets template function | ||
exec chezmoi execute-template '{{ hcpVaultSecrets "username" }}' | ||
stdout ^db-user$ | ||
|
||
# test hcpVaultSecrets template function with app name, project, and organization arguments | ||
exec chezmoi execute-template '{{ hcpVaultSecrets "password" "app-name" "project" "organization" }}' | ||
stdout ^password$ | ||
|
||
# test hcpVaultSecrets template function with empty app name, project, and organization arguments | ||
exec chezmoi execute-template '{{ hcpVaultSecrets "username" "" "" "" }}' | ||
stdout ^db-user$ | ||
|
||
# test hcpVaultSecretsJson template function | ||
exec chezmoi execute-template '{{ (hcpVaultSecretsJson "username").created_by.email }}' | ||
stdout ^username@example\.com$ | ||
|
||
-- bin/vlt -- | ||
#!/bin/sh | ||
|
||
case "$*" in | ||
"secrets get --format json username") | ||
cat <<EOF | ||
{ | ||
"created_at": "2023-06-09T13:14:28.140Z", | ||
"created_by": { | ||
"email": "[email protected]", | ||
"name": "example", | ||
"type": "TYPE_USER" | ||
}, | ||
"latest_version": "2", | ||
"name": "username" | ||
} | ||
EOF | ||
;; | ||
"secrets get --plaintext username") | ||
echo db-user | ||
;; | ||
"secrets get --plaintext --app-name app-name --project project --organization organization password") | ||
echo password | ||
;; | ||
*) | ||
echo "$*: unknown command" | ||
exit 1 | ||
;; | ||
esac |
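Review bot: The script exercises only successful lookups; the too-many-arguments error returned by appendHCPVaultSecretsAdditionalArgs is never hit, so a regression in that check would not be caught here. A negative case after the JSON test covers it: `! exec chezmoi execute-template '{{ hcpVaultSecrets "username" "a" "b" "c" "d" }}'` followed by `stderr 'expected 1 to 4 arguments, got 5'`. The stub compares the whole argument string with `case "$*"`, which is appropriately strict, but it means any future change to the argv built by vltOutput in package cmd lands in the `unknown command` branch with no hint as to what drifted; a comment above the case stating that each pattern must match the exact argv vltOutput assembles (flags before the key) would save the next maintainer a puzzled minute.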
@@ -0,0 +1,16 @@ | ||
# test that chezmoi apply does not say that a file in an external has changed when it has not | ||
exec chezmoi apply | ||
exec chezmoi apply -v | ||
! stdout . | ||
|
||
-- home/user/.local/share/chezmoi/.chezmoiexternal.toml -- | ||
["Library/Rime"] | ||
type = "archive" | ||
url = "https://github.com/iDvel/rime-ice/archive/refs/heads/main.zip" | ||
exact = true | ||
stripComponents = 1 | ||
refreshPeriod = "720h" | ||
-- home/user/.local/share/chezmoi/Library/exact_Rime/default.custom.yaml -- | ||
patch: | ||
menu: | ||
page_size: 7 |
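Review bot: This script fetches `https://github.com/iDvel/rime-ice/archive/refs/heads/main.zip` over the network and pins nothing, so the test is non-hermetic: it fails offline or in a sandboxed CI, and its outcome can change whenever that repository's main branch moves or the archive is repacked. If the test harness can serve a fixture archive locally, point `url` at that; otherwise at least pin the URL to a tag or commit instead of `refs/heads/main` and gate the script behind whatever network condition the harness provides so offline runs skip rather than fail. The file also appears unrelated to the HCP Vault Secrets feature named in the commit title, which suggests it belongs in its own commit with its own explanation of the regression it guards.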