### **Vault Side Kick**
**Summary:**
Vault Sidekick is an add-on container which can be used as a generic entry point for interacting with the Hashicorp [Vault](https://vaultproject.io) service, retrieving secrets (both static and dynamic) and PKI certs. The sidekick takes care of renewals and extension of leases for you and rewrites the credentials in the specified format.
**Usage:**
```shell
[jest@starfury vault-sidekick]$ bin/vault-sidekick --help
Usage of bin/vault-sidekick:
-alsologtostderr=false: log to standard error as well as files
-auth="": a configuration file in a json or yaml containing authentication arguments
-cn=: a resource to retrieve and monitor from vault (e.g. pki:name:cert.name, secret:db_password, aws:s3_backup)
-ca-cert="": a CA certificate to use in order to validate the vault service certificate
-delete-token=false: once the we have connected to vault, delete the token file from disk
-dryrun=false: perform a dry run, printing the content to screen
-log_backtrace_at=:0: when logging hits line file:N, emit a stack trace
-log_dir="": If non-empty, write log files in this directory
-logtostderr=false: log to standard error instead of files
-output="/etc/secrets": the full path to write the protected resources (VAULT_OUTPUT if available)
-stats=5m0s: the interval to produce statistics on the accessed resources
-stderrthreshold=0: logs at or above this threshold go to stderr
-tls-skip-verify=false: skip verifying the vault certificate
-token="": the token used to authenticate to teh vault service (VAULT_TOKEN if available)
-v=0: log level for V logs
-vault="https://127.0.0.1:8200": the url the vault service is running behind (VAULT_ADDR if available)
-vmodule=: comma-separated list of pattern=N settings for file-filtered logging
```
**Building**
There is a Makefile in the base repository, so assuming you have make and go:
```shell
# make
```
**Example Usage**
The below is taken from a [Kubernetes](https://github.com/kubernetes/kubernetes) pod specification:
```yaml
spec:
  containers:
    - name: vault-side-kick
      image: gambol99/vault-sidekick:latest
      args:
        - -output=/etc/secrets
        - -cn=pki:project1/certs/example.com:common_name=commons.example.com,revoke=true,update=2h
        - -cn=secret:secret/db/prod/username:file=.credentials
        - -cn=secret:secret/db/prod/password
        - -cn=aws:aws/creds/s3_backup_policy:file=.s3_creds
      volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
```
The above says:
- Write all the secrets to the /etc/secrets directory
- Retrieve a dynamic certificate pair for me, with the common name 'commons.example.com', and renew the cert automatically when it expires
- Retrieve the two static secrets /db/prod/{username,password} and write them to .credentials and password.secret respectively
- Apply the IAM policy, renew the policy when required and write the API tokens to .s3_creds in the /etc/secrets directory
- Read the template at /etc/templates/db.tmpl, produce the content from Vault and write it to the /etc/credentials file
**Authentication**
An authentication file can be specified in either YAML or JSON format. It contains a method field indicating one of the authentication methods provided by Vault (i.e. userpass, token, github etc.), followed by the required arguments for that plugin.
**Secret Renewals**
The default behaviour of vault-sidekick is **not** to renew a lease, but to retrieve a new secret and allow the previous one to
expire, in order to ensure the rotation of secrets. If you don't want this behaviour on a resource you can override it using resource options. For example,
if you are using the MySQL dynamic secrets and want to renew the secret rather than replace it:
```shell
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=mysql:mysql/creds/my_database:fmt=yaml,renew=true
```
or an IAM policy renewed every hour:
```shell
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:aws/creds/policy:fmt=yaml,renew=true,update=1h
```
Or if you want to rotate the secret every **1h** and **revoke** the previous one:
```shell
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=aws:project/creds/my_s3_bucket:fmt=yaml,update=1h,revoke=true
```
The format is:
```
-cn=RESOURCE_TYPE:PATH:OPTIONS
```
The sidekick supports the following resource types: mysql, postgres, pki, aws, secret, cubbyhole, raw, cassandra and transit.
**Output Formatting**
The following output formats are supported: json, yaml, ini, txt, cert, csv, bundle, env.
Using the following as the demo secret:
```shell
[jest@starfury vault-sidekick]$ vault write secret/password this=is demo=value nothing=more
Success! Data written to: secret/password
[jest@starfury vault-sidekick]$ vault read secret/password
Key Value
lease_id secret/password/7908eceb-9bde-e7de-23da-96131505214a
lease_duration 2592000
lease_renewable false
demo value
nothing more
this is
```
In order to change the output format:
```shell
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=ini -logtostderr=true -dry-run
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=json -logtostderr=true -dry-run
[jest@starfury vault-sidekick]$ build/vault-sidekick -cn=secret:secret/password:fmt=yaml -logtostderr=true -dry-run
```
The 'cert' format is less a format than a file scheme: it extracts the 'certificate', 'issuing_ca' and 'private_key' fields and creates the three files FILE.{ca,key,crt}. The
bundle format is very similar, except that it takes the private key and certificate and places them into a single file.
**Resource Options**
- **file**: (filename) by default all files are relative to the output directory specified and have the name NAME.RESOURCE; this option allows you to change the name and path the file is written to
- **create**: (create) create the resource
- **update**: (update) override the lease time of this resource and get/renew a secret on the specified duration, e.g. 1m, 2d, 5m10s
- **renew**: (renewal) override the default behaviour on this resource and renew the resource when it comes close to expiration, e.g. true, TRUE
- **delay**: (renewal-delay) delay revoking the old lease of a resource by the given period, e.g. 1m, 1h20s
- **revoke**: (revoke) revoke the old lease when a new one is retrieved, e.g. true, TRUE (the default is to allow the lease to expire and be revoked naturally)
- **fmt**: (format) allows you to specify the output format of the resource / secret, e.g. json, yaml, ini, txt
- **exec**: (execute) executes a command when the resource is updated or changed
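As an added example (not the project's own code), the following Go parser takes a `-cn=RESOURCE_TYPE:PATH:OPTIONS` value as described under Secret Renewals, splits it into type, path and the comma-separated `key=value` options listed above, and validates the options whose shape the README fixes: `update` and `delay` must be durations (a trailing `d` for days is handled explicitly, since Go's `time.ParseDuration` does not accept it), `renew` and `revoke` must be `true`/`false` (case-insensitive), and the type must be one of the listed resource types. The `Resource` type, `ParseResource` and `parseDuration` are assumptions for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Resource is one parsed -cn=RESOURCE_TYPE:PATH:OPTIONS argument (a hypothetical type, not the project's own).
type Resource struct {
	Type, Path string
	Options    map[string]string
}
var supportedTypes = map[string]bool{"mysql": true, "postgres": true, "pki": true, "aws": true,
	"secret": true, "cubbyhole": true, "raw": true, "cassandra": true, "transit": true}
// parseDuration accepts Go durations (1h, 5m10s) plus a trailing "d" for days, as in the README's "2d".
func parseDuration(s string) (time.Duration, error) {
	if days, err := strconv.Atoi(strings.TrimSuffix(s, "d")); err == nil && strings.HasSuffix(s, "d") {
		return time.Duration(days) * 24 * time.Hour, nil
	}
	return time.ParseDuration(s)
}
// ParseResource splits a -cn value into type, path and key=value options, validating the ones whose shape is known.
func ParseResource(spec string) (*Resource, error) {
	typ, rest, _ := strings.Cut(spec, ":")
	path, opts, _ := strings.Cut(rest, ":")
	if typ == "" || path == "" || !supportedTypes[typ] {
		return nil, fmt.Errorf("%q: expected a supported RESOURCE_TYPE:PATH[:OPTIONS]", spec)
	}
	r := &Resource{Type: typ, Path: path, Options: map[string]string{}}
	for _, kv := range strings.FieldsFunc(opts, func(c rune) bool { return c == ',' }) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("%q: option %q is not key=value", spec, kv)
		}
		switch k {
		case "update", "delay": // durations, e.g. 1m, 2d, 5m10s
			if _, err := parseDuration(v); err != nil {
				return nil, fmt.Errorf("%q: option %s: %v", spec, k, err)
			}
		case "renew", "revoke": // booleans, e.g. true, TRUE
			if !strings.EqualFold(v, "true") && !strings.EqualFold(v, "false") {
				return nil, fmt.Errorf("%q: option %s must be true or false, got %q", spec, k, v)
			}
		}
		r.Options[k] = v
	}
	return r, nil
}
```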