An alternative yaml file path can be specified by setting the VALUES_SECRET environment variable:
export VALUES_SECRET=~/foo/bar.yaml; ./pattern.sh make load-secrets
Secrets Loading
Loading secrets in the vault is usually done by running ./pattern.sh make load-secrets from the Pattern’s repository. This runs ansible code that parses local yaml files containing the secrets to be uploaded to the Vault running on the Hub
The secrets needed for the pattern are in the values-secret.yaml.template file in the pattern’s repository.
Copy values-secret.yaml.template to ~/values-secret-multicloud-gitops.yaml and edit it according to your needs
You could also run ./pattern.sh make load-secrets to run it through a container without installing too many dependencies |
Please encrypt the file with ansible-vault encrypt ~/values-secret-multicloud-gitops.yaml (i.e. no clear-text secrets at rest)
make load-secrets will prompt for the decryption key if it is encrypted |
It looks for files in the following order (and stops as soon as one is found):
~/.config/validatedpatterns/values-secret-<patternname>.yaml
~/values-secret-<patternname>.yaml (e.g. ~/values-secret-multicloud-gitops.yaml)
<patternrepository>/values-secret.yaml.template
Secrets Template in the Patterns
Two file format versions are understood by the loading mechanism: "version: 1.0" (default) and "version: 2.0". Please specify and use "version: 2.0" when possible Version 2.0 supports file-uploading, prompting for secrets, base64-encoding, reading secrets from INI-files (e.g. ~/.aws/credentials), uploading to multiple vault paths and generating secrets inside Vault directly using password policies Version 1.0 is a lot more limited in terms of capabilities and deprecated Both versions have corresponding JSON schemas: V1 and V2 Complete examples can be found here
version: "2.0"
secrets:
- name: config-demo
vaultPrefixes:
- global
fields:
- name: secret
onMissingValue: generate
vaultPolicy: validatedPatternDefaultPolicyThe validatedPatternDefaultPolicy is a default password policy that is guaranteed to exist
It is defined here
The secret is 20 character longs (min 1 lowercase, min 1 uppercase, min 1 number, min 1 special char)
It is possible to create a custom policy and use that one to generate secrets randomly
Secret Examples
version: "2.0"
secrets:
- name: config-demo
vaultMount: secret
vaultPrefixes:
- region-one
- snowflake
fields:
- name: secretfile
path: /tmp/ca.crt
onMissingValue: prompt
base64: true
prompt: "Insert path to Certificate Authority"This Will prompt the user with:
Insert path to Certificate Authority [/tmp/ca.crt]:
Pressing only enter will accept the default in [] (no echo on input!!) "/tmp/ca.crt" will be read, base64 encoded and uploaded
It will be uploaded as an attribute called "secretfile" to two different vault keys:
secret/region-one/config-demo
secret/snowflake/config-demo
version: "2.0"
secrets:
- name: aws
fields:
- name: aws_access_key_id
ini_file: ~/.aws/credentials
ini_section: default
ini_key: aws_access_key_id
- name: aws_secret_access_key
ini_file: ~/.aws/credentials
ini_section: default
ini_key: aws_secret_access_keyThis reads ~/.aws/credentials and uses the [default] section to look for the aws_access_key_id and aws_secret_access_key in the file
version: "2.0"
vaultPolicies:
basicPolicy: |
length=10
rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
rule "charset" { charset = "0123456789" min-chars = 1 }
secrets:
- name: config-demo
vaultPrefixes:
- region-one
fields:
- name: secret
onMissingValue: generate
override: true
vaultPolicy: basicPolicyThis will use the basicPolicy to generate a random value as an attribute called secret in the secret/region-one/config-demo vault path
