diff --git a/README.md b/README.md index 7cc31af..333f147 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ # vault-to-docker-secret +Allows to read secrets from [HashiCorp Vault](https://www.vaultproject.io/) and +store them as [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). + ## Installation Download a @@ -11,7 +14,7 @@ platform and you are ready to go. Reads a secret from Vault and stores it as a Docker secret: ``` -vault-to-docker-secret --approle-file=FILE --vault-endpoint=ENDPOINT --secret-path=PATH --secret-key=KEY +vault-to-docker-secret --approle-file=FILE --vault-endpoint=ENDPOINT --vault-path=PATH --vault-key=KEY --secret-name=NAME ``` ## Help diff --git a/bin.js b/bin.js index 3f82d50..c245b4f 100644 --- a/bin.js +++ b/bin.js @@ -13,28 +13,36 @@ const argv = require("yargs") requiresArg: true, type: "string" }) - .option("secret-path", { - alias: "s", + .option("vault-path", { + alias: "p", demandOption: true, description: "Vault secret path", requiresArg: true, type: "string" }) - .option("secret-key", { + .option("vault-key", { alias: "k", demandOption: true, description: "Vault secret key", requiresArg: true, type: "string" }) + .option("secret-name", { + alias: "n", + demandOption: true, + description: "Docker secret name", + requiresArg: true, + type: "string" + }) .usage( - "$0 --approle-file=FILE --vault-endpoint=ENDPOINT --secret-path=PATH --secret-key=KEY" + "$0 --approle-file=FILE --vault-endpoint=ENDPOINT --vault-path=PATH --vault-key=KEY --secret-name=NAME" ) .help().argv; require(".")( argv.approleFile, argv.vaultEndpoint, - argv.secretPath, - argv.secretKey + argv.vaultPath, + argv.vaultKey, + argv.secretName ); diff --git a/main.js b/main.js index 945558e..5ba4e64 100644 --- a/main.js +++ b/main.js 
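Review bot: The description of the new `vault-path` option, "Vault secret path", does not say what form the path has to take, and that is the thing users will get wrong. The main.js side of this commit reads the value from `vaultSecret.data.data[...]`, which is the KV version 2 response shape, so for a v2 mount the path passed here presumably has to include the `data/` segment (e.g. `secret/data/myapp`) and a KV v1 path would fail with an unhelpful error deep in `createDockerSecretFromValue`; worth confirming against node-vault's `read`. I would make the description carry that: `description: "Vault KV v2 secret path, including the data/ segment (e.g. secret/data/myapp)",`. The same applies to the `--help` usage string, which shows only `PATH`. The `const argv = require("yargs")` chain this hunk edits begins before the hunk.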
@@ -1,15 +1,21 @@ const DOCKER = new require("dockerode")(); let vault; -module.exports = async (approleFile, vaultEndpoint, secretPath, secretKey) => { +module.exports = async ( + approleFile, + vaultEndpoint, + vaultPath, + vaultKey, + secretName +) => { const OPTIONS = { endpoint: vaultEndpoint }; vault = require("node-vault")(OPTIONS); try { const jsonString = await require("fs").promises.readFile(approleFile); const approleJson = JSON.parse(jsonString); const loginResponse = await vaultApproleLogin(approleJson); - const vaultSecret = await readVaultSecret(secretPath, loginResponse); - await createDockerSecretFromValue(secretKey, vaultSecret); + const vaultSecret = await readVaultSecret(vaultPath, loginResponse); + await createDockerSecretFromValue(vaultKey, vaultSecret, secretName); } catch (error) { console.error(error); } @@ -23,15 +29,15 @@ async function vaultApproleLogin(approleJson) { return vault.approleLogin(APPROLE); } -async function readVaultSecret(path, loginResponse) { +async function readVaultSecret(vaultPath, loginResponse) { vault.token = loginResponse.auth.client_token; - return vault.read(path); + return vault.read(vaultPath); } -async function createDockerSecretFromValue(key, vaultSecret) { - const VALUE = Buffer.from(vaultSecret.data.data[key]).toString("base64"); +async function createDockerSecretFromValue(vaultKey, vaultSecret, secretName) { + const VALUE = Buffer.from(vaultSecret.data.data[vaultKey]).toString("base64"); const DOCKER_SECRET = { - name: key, + name: secretName, data: VALUE }; return DOCKER.createSecret(DOCKER_SECRET); diff --git a/package-lock.json b/package-lock.json index dbbf9b5..8a35514 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "vault-to-docker-secret", - "version": "0.1.0", + "version": "0.2.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index 9f9e118..c70e17d 100644 --- a/package.json +++ b/package.json 
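Review bot: The `catch (error) { console.error(error); }` at the end of the exported function swallows every failure, so after this change the promise still resolves when the AppRole login fails, the path or key is wrong, or `DOCKER.createSecret` rejects, and `bin.js` exits with status 0 having created no secret. A deployment script calling this tool cannot tell success from failure, which for a secret-provisioning step is the one thing it needs to know. I would rethrow after logging so the caller sees the rejection and Node sets a non-zero exit: `console.error(error); throw error;`, or at minimum `process.exitCode = 1;` in the catch. Also note that printing the raw error object from node-vault may include request details from the failed login call; if that is the case here, logging `error.message` rather than the whole object would be safer, though I cannot confirm the error shape from this hunk.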
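Review bot: In `createDockerSecretFromValue`, `Buffer.from(vaultSecret.data.data[vaultKey])` gives no useful diagnostic when `vaultKey` is not present in the secret: `Buffer.from(undefined)` throws a TypeError about argument types that says nothing about which key was missing, and a non-string value fails the same opaque way. Since the key is now a separate CLI option from the Docker secret name, a typo in either is easy, so check the value first and name the key (never the value) in the error: `const value = vaultSecret.data.data[vaultKey];` then `if (typeof value !== "string") throw new Error(\`Vault key "${vaultKey}" is missing or not a string\`);` and `const VALUE = Buffer.from(value).toString("base64");`. Separately, `readVaultSecret` stores the AppRole login token on the shared client and nothing revokes it; for a one-shot CLI it may be worth revoking the token after the read (node-vault exposes a token self-revoke call, to be confirmed) so a live token does not outlive the process by its full TTL.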
@@ -1,6 +1,6 @@ { "name": "vault-to-docker-secret", - "version": "0.1.0", + "version": "0.2.0", "main": "main.js", "bin": "bin.js", "dependencies": {