spf13 / viper

Go configuration with fangs
MIT License

Vault Support #306

Open fcantournet opened 7 years ago

fcantournet commented 7 years ago

Viper can load config directly from Consul / etcd.

I think it would be really cool if it could get secrets from Vault in the same fashion. Would that be of interest?

leandro-lugaresi commented 7 years ago

:+1: I think this will be a better solution for sensible configs.

akutz commented 7 years ago

Hi @fcantournet / @leandro-lugaresi,

I'm happy to work on this, but it would be useful to me if you'd explain the basics of how you think Vault integration would work? Imagine I know nothing about Vault (you don't have to imagine it) :)

fcantournet commented 7 years ago

The point is that you need a way for authentication with Vault. Generally it's a token, maybe passed as a flag. Then Vault can be seen as a KV store similar to Consul. There are other modes of auth that could be addressed later on. There is also the problem of renewing leases in Vault. I'll do a write-up tomorrow.

dolfelt commented 7 years ago

Any additional thoughts on this @fcantournet?

netik commented 6 years ago

I'm working on a project right now and really need this functionality.

It seems that viper gets its etcd and consul abilities by piggybacking those features off of https://github.com/xordataexchange/crypt. There's no Vault support in that package, but we could write a package that provides an interface similar to NewConsulConfigManager and provides Vault support.

Option B would be to fork and patch xordataexchange's crypt to have a NewVaultConfigManager interface.

I'm going to see what I can do this weekend.

netik commented 6 years ago

This diff provides support for Vault, Vault Role (approle) authentication, and Vault Token based authentication. It is very similar to consul in usage.

Set VAULT_TOKEN (or set VAULT_ROLE_ID and VAULT_SECRET_ID) in the environment and then you can do...

viper.AddRemoteProvider("vault", "https://127.0.0.1:8443", "/secret/whatever/config.json")
viper.SetConfigType("json")
err := viper.ReadRemoteConfig()
 ...

The expectation is that at the vault location /secret/whatever/config.json there will be a blob with the key 'value' containing your config.

To put json config files into vault:

% vault write /secret/whatever/config.json value=- < yourjsonfile.json

% vault read /secret/whatever/config.json
Key                 Value
---                 -----
refresh_interval    768h
value               { "Test": "test" }

The code should handle expiry and renewal of tokens just fine. It does not currently support the per-secret refresh_interval. You can handle that with Watches in viper.

I will attempt to get a pull request together.

vault.zip

cc: @fcantournet
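The token-based read described above, as an added example that is not the attached diff, PR #497 or viper's own code: it talks to Vault's KV v1 HTTP API with the Go standard library only, returning the JSON blob stored under the secret's `value` key as an io.Reader the way a remote provider would. The endpoint, token and path are caller-supplied assumptions; no AppRole login or lease renewal is shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// configFromSecret decodes a Vault KV v1 read response (GET /v1/<path>), whose
// secret keys sit under "data", and returns the JSON config stored under the
// "value" key; other keys such as refresh_interval are ignored.
func configFromSecret(r io.Reader) (string, error) {
	var out struct {
		Data map[string]interface{} `json:"data"`
	}
	if err := json.NewDecoder(r).Decode(&out); err != nil {
		return "", fmt.Errorf("decode vault response: %w", err)
	}
	v, ok := out.Data["value"].(string)
	if !ok {
		return "", fmt.Errorf("secret has no string 'value' key")
	}
	return v, nil
}

// readConfigValue reads the secret at path with the given token and returns the
// config blob for a JSON parser. The token travels only in X-Vault-Token and is
// never echoed into error messages.
func readConfigValue(client *http.Client, endpoint, token, path string) (io.Reader, error) {
	url := strings.TrimRight(endpoint, "/") + "/v1/" + strings.TrimLeft(path, "/")
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 403 on a bad or expired token
		return nil, fmt.Errorf("vault read %s: status %d", path, resp.StatusCode)
	}
	v, err := configFromSecret(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	return strings.NewReader(v), nil
}
```

A caller would hand the returned reader to its JSON config loader; a missing `value` key or a rejected token surfaces as an error instead of an empty config.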

bweston92 commented 6 years ago

@netik sounds good.

denouche commented 5 years ago

Hello, what about this pull request @netik ? This could be a great feature! Thanks

denouche commented 5 years ago

I just saw the corresponding pull request is #497