FalcoSuessgott / vkv

vkv enables you to list, compare, move, import, document, backup & encrypt secrets from a HashiCorp Vault KV engine
https://falcosuessgott.github.io/vkv/
MIT License

Allow writing data into the same KV engine path to another sub-path #283

Closed challouf-omar closed 3 months ago

challouf-omar commented 3 months ago

Can we use the sub-command vkv import to write data into an existing engine path and not overwrite the existing data?

FalcoSuessgott commented 3 months ago

I actually thought that's possible, at least it was at one point. But reproducing your use case, I found out that vkv disables and then enables the KV engine, so there is no way to import secrets into an existing engine.

284 should fix it:

# existing KV secrets:
$> vkv export -p secret
secret/ [desc=key/value secret storage] [type=kv2]
├── admin [v=1] [key=value]
│   └── sub=********
│   
├── demo [v=1]
│   └── foo=***
│   
└── sub
    ├── demo [v=1]
    │   ├── demo=***********
    │   ├── password=*******
    │   └── user=*****
    │   
    └── sub2
        └── demo [v=2] [admin=false key=value]
            ├── foo=***
            ├── password=********
            └── user=****

# dry run of importing secrets to the existing engine
$> vkv export -p secret/admin -f=yaml | vkv import - -p secret/new6 --show-values -d     
reading secrets from STDIN
parsing secrets from YAML
fetching any existing KV secrets from "secret/" (if any)
deep merging provided secrets with existing secrets read from "secret/"

preview:

secret/ [desc=key/value secret storage] [type=kv2]
├── admin [v=1] [key=value]
│   └── sub=password
│   
├── demo [v=1]
│   └── foo=bar
│   
├── new6
│   └── admin
│       └── sub=password
│       
│   
└── sub
    ├── demo [v=1]
    │   ├── demo=hello world
    │   ├── password=s3cre5<
    │   └── user=admin
    │   
    └── sub2
        └── demo [v=2] [admin=false key=value]
            ├── foo=bar
            ├── password=password
            └── user=user

apply changes by using the --force flag

# actually writing the secrets
$> vkv export -p secret/admin -f=yaml | vkv import - -p secret/new6 --show-values --force
reading secrets from STDIN
parsing secrets from YAML
writing secret "secret/new6/admin" 
successfully imported all secrets

result:

secret/ [desc=key/value secret storage] [type=kv2]
├── admin [v=1] [key=value]
│   └── sub=password
│   
├── demo [v=1]
│   └── foo=bar
│   
├── new6
│   └── admin [v=1]
│       └── sub=password
│       
│   
└── sub
    ├── demo [v=1]
    │   ├── demo=hello world
    │   ├── password=s3cre5<
    │   └── user=admin
    │   
    └── sub2
        └── demo [v=2] [key=value admin=false]
            ├── foo=bar
            ├── password=password
            └── user=user

I will try to get a solid set of unit tests for these scenarios, similar to Export/Import with Engine Paths (https://github.com/FalcoSuessgott/vkv/blob/master/cmd/export_test.go#L44), once I've figured out how to unit test STDIN input ...
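The dry run above reports "deep merging provided secrets with existing secrets" instead of re-creating the engine. A sketch of such a merge follows as an added example; it is not vkv's code and not part of the thread. The `Secret` and `Tree` types and the `Nest` and `Merge` functions are hypothetical names, the data is constructed, and keeping the existing value on a conflict is an assumed policy.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Secret is one KV entry; Tree is a directory of secrets and sub-directories.
type Secret map[string]string
type Tree map[string]interface{}

// Nest wraps t under subPath, e.g. "new6" gives {"new6": t}.
func Nest(subPath string, t Tree) Tree {
	parts := strings.FieldsFunc(subPath, func(r rune) bool { return r == '/' })
	for i := len(parts) - 1; i >= 0; i-- {
		t = Tree{parts[i]: t}
	}
	return t
}

// Merge adds src to dst without replacing existing entries (assumed policy).
func Merge(dst, src Tree, prefix string) (added, skipped []string) {
	for k := range src {
		path := prefix + "/" + k
		srcDir, srcIsDir := src[k].(Tree)
		if _, exists := dst[k]; !exists && srcIsDir {
			dst[k] = Tree{} // create the missing directory, filled below
		}
		curDir, curIsDir := dst[k].(Tree)
		if _, exists := dst[k]; !exists {
			dst[k] = src[k] // new secret
			added = append(added, path)
		} else if srcIsDir && curIsDir {
			a, s := Merge(curDir, srcDir, path)
			added, skipped = append(added, a...), append(skipped, s...)
		} else {
			skipped = append(skipped, path) // existing secret or type clash
		}
	}
	sort.Strings(added) // map iteration is random; sort for a stable report
	sort.Strings(skipped)
	return added, skipped
}

func main() { // constructed sample shaped like the thread's tree
	engine := Tree{"admin": Secret{"sub": "password"}}
	incoming := Nest("new6", Tree{"admin": Secret{"sub": "password"}})
	fmt.Println(Merge(engine, incoming, "secret")) // first import: one path added
	fmt.Println(Merge(engine, incoming, "secret")) // re-import: same path skipped
}
```

A non-empty `skipped` list is the signal that an import would have collided with secrets already in the engine.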

challouf-omar commented 3 months ago

I appreciate your effort, it will save me a lot of time. Thank you so much. I tested it and it works.