app-sre / vault-manager

an automation tool for managing HashiCorp vault configurations based on Vault GO API Client
Apache License 2.0

vault-manager

vault-manager is an automation tool for managing HashiCorp Vault configurations, built on the Vault Go API client.

how to use

docker run --rm -t \
           -v <PATH_TO_FILE_WITH_GRAPHQL_QUERY>:/query.graphql \
           -e GRAPHQL_QUERY_FILE=/query.graphql \
           -e GRAPHQL_SERVER=<GRAPHQL_SERVER_URL> \
           -e GRAPHQL_USERNAME=<GRAPHQL_USERNAME> \
           -e GRAPHQL_PASSWORD=<GRAPHQL_PASSWORD> \
           -e VAULT_ADDR=<VAULT_INSTANCE_URL> \
           -e VAULT_AUTHTYPE=approle \
           -e VAULT_ROLE_ID=<APPROLE_ROLE_ID> \
           -e VAULT_SECRET_ID=<APPROLE_SECRET_ID> \
           quay.io/app-sre/vault-manager:latest -dry-run

Note that running vault-manager with the -dry-run flag only prints the planned actions; remove this flag for the changes to take effect.
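As an added example (not vault-manager's own code), the following Go program shows what the VAULT_AUTHTYPE, VAULT_TOKEN, VAULT_ROLE_ID and VAULT_SECRET_ID settings above amount to on the Vault side: a token is either taken as given or obtained through an AppRole login against Vault's HTTP API, here done with the standard library rather than the Vault Go client. The function name ResolveToken and the injectable getenv parameter are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// ResolveToken maps the VAULT_* variables vault-manager is configured with onto a
// client token: VAULT_AUTHTYPE=token uses VAULT_TOKEN as-is, VAULT_AUTHTYPE=approle
// posts VAULT_ROLE_ID/VAULT_SECRET_ID to Vault's auth/approle/login endpoint and
// returns the short-lived token Vault issues. getenv is injectable for testing.
func ResolveToken(getenv func(string) string, client *http.Client) (string, error) {
	switch authType := getenv("VAULT_AUTHTYPE"); authType {
	case "token":
		if tok := getenv("VAULT_TOKEN"); tok != "" {
			return tok, nil
		}
		return "", fmt.Errorf("VAULT_AUTHTYPE=token requires VAULT_TOKEN")
	case "approle":
		roleID, secretID := getenv("VAULT_ROLE_ID"), getenv("VAULT_SECRET_ID")
		if roleID == "" || secretID == "" {
			return "", fmt.Errorf("VAULT_AUTHTYPE=approle requires VAULT_ROLE_ID and VAULT_SECRET_ID")
		}
		body, _ := json.Marshal(map[string]string{"role_id": roleID, "secret_id": secretID})
		resp, err := client.Post(getenv("VAULT_ADDR")+"/v1/auth/approle/login", "application/json", bytes.NewReader(body))
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return "", fmt.Errorf("approle login failed: HTTP %d", resp.StatusCode)
		}
		// Vault answers {"auth":{"client_token":"...", ...}}; anything else is a failed login.
		var out struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
		if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
			return "", fmt.Errorf("approle login response carried no client_token")
		}
		return out.Auth.ClientToken, nil
	default:
		return "", fmt.Errorf("unsupported VAULT_AUTHTYPE %q (want token or approle)", authType)
	}
}

func main() {
	tok, err := ResolveToken(os.Getenv, http.DefaultClient)
	fmt.Println("token length:", len(tok), "error:", err) // never print the token itself
}
```

The AppRole path means the reconciler only ever holds a token scoped and TTL-limited by the role, which is why the docker invocation above passes a role_id/secret_id pair rather than a root token.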

Flags

Changing data.json used for testing

data.json within tests/app-interface is used by the qontract-server that is started for testing. If schema or query changes are made, this data bundle must be re-generated and committed with the PR. To re-generate it, update SCHEMAS_IMAGE_TAG within .env (make sure to commit this change as well) and run make data within /tests/app-interface.

Local Development

For local development, the script /local-dev.sh can be run to configure the resources necessary to mirror the testing performed within PR check builds.

Once the script completes, the following containers will be running:

From the root of the repo, run source dev-env

You can now run vault-manager against the local vault instances. Note that after a run without -dry-run, the resources will have been added to the vault instances. To reset, simply rerun local-dev.sh.

Note: --net=host isn't supported on Mac (doc). If you are developing on a Mac, remove the flag from local-dev.sh and also remove the Keycloak-related docker run command.

Example launch.json for VS Code:

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "auto",
      "program": "${workspaceFolder}/cmd/vault-manager/main.go",
      "args": ["--dry-run"],
      "env": {
        "VAULT_ADDR": "http://127.0.0.1:8200",
        "VAULT_TOKEN": "root",
        "VAULT_AUTHTYPE": "token",
        "GRAPHQL_SERVER": "http://localhost:4000/graphql",
        "GRAPHQL_QUERY_FILE": "/Users/olivia/SourceCode/app-sre/vault-manager/query.graphql"
      }
    }
  ]
}

Testing:

This project uses BATS for integration tests, run against the primary and secondary vault instances mentioned above. You can debug them by pointing the environment variable GRAPHQL_QUERY_FILE at the .graphql file under /fixtures.

Gotchas

Approle output_path

You will notice that the first -dry-run execution after spinning up the environment fails, stating that a specified output path does not match existing KV engines. This is due to how the tests within /tests/run-tests.sh are executed.
To resolve this you can either:

a) manually create the app-interface secret engine in both vault instances

b) remove output_path from the following files:

Vault audit device

Depending on the local container runtime, you may encounter permission issues when reconciling the vault audit devices. If your development does not affect the logic within /toplevel/audit.go, you can remove the files within /tests/app-interface/data/services/vault/config/audit-backends and re-generate data.json. Do not commit data.json with these attributes missing.