From 11de83f4712d6ff52f88f37535fd45d6eeee5083 Mon Sep 17 00:00:00 2001
From: Julian Lengelsen
Date: Thu, 5 Mar 2020 17:52:28 +0100
Subject: [PATCH] Add option for Docker secret name

Previously the name of the Docker secret was derived from the key of the Vault secret. Since Vault allows for secrets on different paths to share the same key this was problematic in some cases.
---
 README.md | 5 ++++-
 bin.js | 20 ++++++++++++++------
 main.js | 22 ++++++++++++++--------
 package-lock.json | 2 +-
 package.json | 2 +-
 5 files changed, 34 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 7cc31af..333f147 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@
 # vault-to-docker-secret
 
+Allows to read secrets from [HashiCorp Vault](https://www.vaultproject.io/) and
+store them as [Docker secrets](https://docs.docker.com/engine/swarm/secrets/).
+
 ## Installation
 
 Download a
@@ -11,7 +14,7 @@ platform and you are ready to go.
 Reads a secret from Vault and stores it as a Docker secret:
 
 ```
-vault-to-docker-secret --approle-file=FILE --vault-endpoint=ENDPOINT --secret-path=PATH --secret-key=KEY
+vault-to-docker-secret --approle-file=FILE --vault-endpoint=ENDPOINT --vault-path=PATH --vault-key=KEY --secret-name=NAME
 ```
 
 ## Help
diff --git a/bin.js b/bin.js
index 3f82d50..c245b4f 100644
--- a/bin.js
+++ b/bin.js
@@ -13,28 +13,36 @@ const argv = require("yargs")
 requiresArg: true,
 type: "string"
 })
- .option("secret-path", {
- alias: "s",
+ .option("vault-path", {
+ alias: "p",
 demandOption: true,
 description: "Vault secret path",
 requiresArg: true,
 type: "string"
 })
- .option("secret-key", {
+ .option("vault-key", {
 alias: "k",
 demandOption: true,
 description: "Vault secret key",
 requiresArg: true,
 type: "string"
 })
+ .option("secret-name", {
+ alias: "n",
+ demandOption: true,
+ description: "Docker secret name",
+ requiresArg: true,
+ type: "string"
+ })
 .usage(
- "$0 --approle-file=FILE --vault-endpoint=ENDPOINT --secret-path=PATH --secret-key=KEY"
+ "$0 --approle-file=FILE --vault-endpoint=ENDPOINT --vault-path=PATH --vault-key=KEY --secret-name=NAME"
 )
 .help().argv;
 
 require(".")(
 argv.approleFile,
 argv.vaultEndpoint,
- argv.secretPath,
- argv.secretKey
+ argv.vaultPath,
+ argv.vaultKey,
+ argv.secretName
 );
diff --git a/main.js b/main.js
index 945558e..5ba4e64 100644
--- a/main.js
+++ b/main.js
@@ -1,15 +1,21 @@
 const DOCKER = new require("dockerode")();
 let vault;
 
-module.exports = async (approleFile, vaultEndpoint, secretPath, secretKey) => {
+module.exports = async (
+ approleFile,
+ vaultEndpoint,
+ vaultPath,
+ vaultKey,
+ secretName
+) => {
 const OPTIONS = { endpoint: vaultEndpoint };
 vault = require("node-vault")(OPTIONS);
 try {
 const jsonString = await require("fs").promises.readFile(approleFile);
 const approleJson = JSON.parse(jsonString);
 const loginResponse = await vaultApproleLogin(approleJson);
- const vaultSecret = await readVaultSecret(secretPath, loginResponse);
- await createDockerSecretFromValue(secretKey, vaultSecret);
+ const vaultSecret = await readVaultSecret(vaultPath, loginResponse);
+ await createDockerSecretFromValue(vaultKey, vaultSecret, secretName);
 } catch (error) {
 console.error(error);
 }
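Review bot: Unrecognized flags are still accepted silently, because the yargs chain that the new `.option("secret-name", …)` block extends is never closed with `.strict()`; a caller that keeps passing the old `--secret-path`/`-s` next to the new flags, or misspells one of them, gets no error as long as the three `demandOption` names happen to be present. For a tool that provisions secrets it is safer to reject unknown options outright: add `.strict()` immediately before `.usage(`. It would also help to extend the `--secret-name` description so that it tells the user the value must be an acceptable Docker secret name, since this commit makes it the first user-supplied name that reaches the Docker API unmodified. The `require("yargs")` chain this hunk belongs to starts outside the hunk.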
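Review bot: A failed secret creation still ends in a successful exit status: the `catch (error)` at the end of the hunk only logs, the exported function then resolves normally, and bin.js invokes it without using the result, so a `secretName` that Docker rejects or that already exists (now a user-supplied value rather than the Vault key) is reported on stderr while a calling deployment script observes exit code 0. Setting `process.exitCode = 1;` inside the catch block, after `console.error(error);`, would make the failure visible to callers without changing the function's shape. The exported arrow function's closing line is outside the hunk.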
@@ -23,15 +29,15 @@ async function vaultApproleLogin(approleJson) {
 return vault.approleLogin(APPROLE);
 }
 
-async function readVaultSecret(path, loginResponse) {
+async function readVaultSecret(vaultPath, loginResponse) {
 vault.token = loginResponse.auth.client_token;
- return vault.read(path);
+ return vault.read(vaultPath);
 }
 
-async function createDockerSecretFromValue(key, vaultSecret) {
- const VALUE = Buffer.from(vaultSecret.data.data[key]).toString("base64");
+async function createDockerSecretFromValue(vaultKey, vaultSecret, secretName) {
+ const VALUE = Buffer.from(vaultSecret.data.data[vaultKey]).toString("base64");
 const DOCKER_SECRET = {
- name: key,
+ name: secretName,
 data: VALUE
 };
 return DOCKER.createSecret(DOCKER_SECRET);
diff --git a/package-lock.json b/package-lock.json
index dbbf9b5..8a35514 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "vault-to-docker-secret",
- "version": "0.1.0",
+ "version": "0.2.0",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 9f9e118..c70e17d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "vault-to-docker-secret",
- "version": "0.1.0",
+ "version": "0.2.0",
 "main": "main.js",
 "bin": "bin.js",
 "dependencies": {
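Review bot: `createDockerSecretFromValue` still reads `vaultSecret.data.data[vaultKey]` without checking that the key is present; when it is missing the lookup yields `undefined` and `Buffer.from(undefined)` throws a TypeError that names neither the key nor the path, which is harder to diagnose now that the Docker secret name no longer has to match the Vault key. A guard before the `Buffer.from` line, `const fields = vaultSecret.data.data;` followed by `if (!fields || !(vaultKey in fields)) throw new Error(`Vault secret has no key "${vaultKey}"`);`, fails with a clear message while keeping the secret value itself out of the error text. The function's closing brace is outside the hunk.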