FalcoSuessgott / vkv

vkv enables you to list, compare, move, import, document, backup & encrypt secrets from a HashiCorp Vault KV engine
https://falcosuessgott.github.io/vkv/
MIT License

feat(export): add --export-upper and --export-include-path options #271

Closed FalcoSuessgott closed 4 months ago

FalcoSuessgott commented 4 months ago

fixes #270

Adds the following options to vkv export:

--export-upper will upper-case all env var keys:

> vkv export -p secret/sub/demo -f export --export-upper
export DEMO='hello world'
export PASSWORD='s3cre5<'

--export-include-path will prefix the secrets path and use _ as the delimiter:

> vkv export -p secret/sub/demo -f export --export-upper --export-include-path
export SECRET_SUB_DEMO_DEMO='hello world'
export SECRET_SUB_DEMO_PASSWORD='s3cre5<'
export SECRET_SUB_DEMO_USER='admin'

FalcoSuessgott commented 4 months ago

@tonglil, you might want to have a look. I'm not 100% satisfied with the naming of the parameters, but the functionality is basically working. Maybe you have some feedback.

tonglil commented 4 months ago

Thanks for taking a stab at it.

FWIW, at the moment it wouldn't be of much value to me because the secrets are stored with just 1 key (value) per secret (instead of multi-key secrets), so this would print out something like:

> vkv export -p secret/sub/demo -f export --export-upper
export VALUE='hello world'

> vkv export -p secret/sub/demo -f export --export-upper --export-include-path
export SECRET_SUB_DEMO_VALUE='hello world'

E.g., the secrets are put into Vault like so:

vault kv put ${VAULT_NAMESPACE//\//_}_secret/sub/foo value=bar
vault kv put ${VAULT_NAMESPACE//\//_}_secret/sub/baz value=qux
vault kv put ${VAULT_NAMESPACE//\//_}_secret/sub/admin value=password
vault kv put ${VAULT_NAMESPACE//\//_}_secret/sub/creds value=@creds.json

Ideally, how I'd like to use this is:

> vkv export -e secret -p sub -f export --export-field=value --export-include-path
export SUB_FOO=bar
export SUB_BAZ=qux
export SUB_ADMIN=password
export SUB_CREDS='{
  "json": true
}'

Note that --export-field is akin to vault kv get --field=value and --export-include-path is only including the value passed to the -p flag, because the engine is actually quite a long path in my use case (-e something/team/kv1 or -e something/app/kv2) and I don't want that to be included in the env var name.

FalcoSuessgott commented 4 months ago

Okay, I see... I understand now. --export-flatten is indeed the correct wording for such an output format.

In #265 I'm working on a complete refactor of vkv, and adding a new output format would be much easier. Until then, I think I'm just going to add an export-flatten format which outputs the examples you've provided, even though I would argue it's a rather niche use case.

Will give you a heads-up once I'm done adding the format :)

tonglil commented 4 months ago

Sounds good to me! Thanks for considering this use case in the first place.

FalcoSuessgott commented 4 months ago

Superseded by #277
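
The naming scheme discussed in this thread, as an added Go example that is not vkv's own code: it derives the variable name from path and key (upper-casing, `_` delimiter) and single-quotes the value so that a secret containing `'` cannot end the quoting when the output is sourced. `EnvName`, `ShellQuote` and `ExportLine` are hypothetical names, and mapping characters that are invalid in a variable name to `_` is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var ( // hypothetical helpers, not part of vkv
	invalid   = regexp.MustCompile(`[^A-Za-z0-9_]`)
	validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
)

// EnvName builds the variable name; with includePath the secret path is prefixed.
func EnvName(path, key string, upper, includePath bool) (string, error) {
	name := key
	if includePath {
		name = strings.Trim(path, "/") + "_" + key
	}
	name = invalid.ReplaceAllString(name, "_") // assumption: "/", "-", "." become "_"
	if upper {
		name = strings.ToUpper(name)
	}
	if !validName.MatchString(name) {
		return "", fmt.Errorf("%q is not a valid shell variable name", name)
	}
	return name, nil
}

// ShellQuote single-quotes v; an embedded ' is emitted as '\'' so it stays data.
func ShellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// ExportLine renders one "export NAME='value'" statement.
func ExportLine(path, key, value string, upper, includePath bool) (string, error) {
	name, err := EnvName(path, key, upper, includePath)
	if err != nil {
		return "", err
	}
	return "export " + name + "=" + ShellQuote(value), nil
}

func main() {
	// Constructed sample secrets; the last value contains a single quote.
	for _, kv := range [][2]string{{"demo", "hello world"}, {"note", "it's"}} {
		fmt.Println(ExportLine("secret/sub/demo", kv[0], kv[1], true, true))
	}
}
```

Because several characters map to `_`, two distinct paths or keys (for example `api-key` and `api_key`) can yield the same variable name, so a caller should check for duplicates before emitting the lines.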