cruise-automation / daytona

A Vault client, but for containers and servers.
Apache License 2.0

Introducing secret Unmarshal function #73

Closed broamski closed 2 years ago

broamski commented 3 years ago

Introducing a way to populate go structs with secret data from Vault.

SecretUnmarshler reads data from Vault and stores the result(s) in a provided struct. This can be useful to inject sensitive configuration items directly into config structs.

The following field types are currently supported:

Secret Data Example 1: Consider the design of the following secret path, secret/application, which contains several sub-keys:

Reading the path secret/application/api_key returns the data:

{
  "data": {
    "value": "anapikey"
  }
}

Reading the path secret/application/db_password returns the data:

{
  "data": {
    "value": "adbpassword"
  }
}

Secret Data Example 2: Consider the design of the following secret path, secret/application/configs, which contains several data keys:

Reading the path secret/application/configs returns the data:

{
  "data": {
    "api_key": "anapikey",
    "db_password": "adbpassword"
  }
}

Usage Example 1

A field tagged with vault_path_key implies that the apex is a top-level secret path, and the value provided by vault_path_key is the suffix key in the path. The full final path will be a combination of the apex and the path key. e.g. Using example #1 above, an apex of secret/application with a vault_path_key of db_password will attempt to read the data stored in secret/application/db_password and store the returned value in the field DBPassword. By default a data key of 'value' is used. The data key can be customized via the tag vault_path_data_key.

// Each field is read from <apex>/<vault_path_key>, using the data key "value".
type Config struct {
    APIKey     string `vault_path_key:"api_key"`
    DBPassword string `vault_path_key:"db_password"`
}

secret, err := daytona.NewSecretUnmarshler()
if err != nil {
    panic(err)
}

c := Config{}

err = secret.Unmarshal("secret/application", &c)
if err != nil {
    panic(err)
}

Usage Example 2

A field tagged with vault_data_key implies that the apex is a full, final secret path and the value provided by vault_data_key is the name of the data key. e.g. Using example #2 above, an apex of secret/application/configs with a vault_data_key of db_password will attempt to read the data stored in secret/application/configs, referencing the db_password data key and storing the returned value in the field DBPassword.

// Each field is read from the apex path itself, using <vault_data_key> as the data key.
type Config struct {
    APIKey     string `vault_data_key:"api_key"`
    DBPassword string `vault_data_key:"db_password"`
}

secret, err := daytona.NewSecretUnmarshler()
if err != nil {
    panic(err)
}

c := Config{}

err = secret.Unmarshal("secret/application/configs", &c)
if err != nil {
    panic(err)
}
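As an added illustration (not code from this PR or from daytona), the tag rules described in both usage examples implemented with reflection over an in-memory stand-in for Vault; fakeVault, unmarshalSecrets and the one-field struct in main are constructed for this example, and only exported string fields are handled:

```go
package main

import (
	"fmt"
	"reflect"
)

// fakeVault is a constructed in-memory stand-in for Vault reads (path -> "data" object), holding the PR's two layouts.
var fakeVault = map[string]map[string]interface{}{
	"secret/application/api_key":     {"value": "anapikey"},
	"secret/application/db_password": {"value": "adbpassword"},
	"secret/application/configs":     {"api_key": "anapikey", "db_password": "adbpassword"},
}

// unmarshalSecrets fills exported string fields of out (pointer to struct) by the PR's tag rules: vault_path_key
// appends the key to the apex and reads data key "value" (or vault_path_data_key); vault_data_key treats the
// apex as the final path and names the data key. Hypothetical illustration, not daytona's own implementation.
func unmarshalSecrets(vault map[string]map[string]interface{}, apex string, out interface{}) error {
	rv := reflect.Indirect(reflect.ValueOf(out))
	if rv.Kind() != reflect.Struct || !rv.CanSet() {
		return fmt.Errorf("want pointer to struct, got %T", out)
	}
	for i := 0; i < rv.NumField(); i++ {
		fv, f := rv.Field(i), rv.Type().Field(i)
		if !fv.CanSet() || f.Type.Kind() != reflect.String {
			continue // unexported or non-string fields are skipped in this illustration
		}
		path, dataKey := apex, f.Tag.Get("vault_data_key")
		if k, ok := f.Tag.Lookup("vault_path_key"); ok {
			path, dataKey = apex+"/"+k, "value"
			if dk, ok := f.Tag.Lookup("vault_path_data_key"); ok {
				dataKey = dk
			}
		}
		if dataKey == "" {
			continue // untagged fields are left untouched
		}
		s, ok := vault[path][dataKey].(string)
		if !ok { // also fails when the path itself is missing: indexing a nil map yields nil
			return fmt.Errorf("%s: no string data key %q at %s", f.Name, dataKey, path)
		}
		fv.SetString(s)
	}
	return nil
}

func main() {
	var c struct{ APIKey string `vault_path_key:"api_key"` }
	fmt.Println(unmarshalSecrets(fakeVault, "secret/application", &c), c.APIKey) // <nil> anapikey
}
```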