vaultify
Vaultify templates file from vault secrets and auto renews leases
Running vaultify
vaultify
has three commands, template
, renew-leases
, and run
Template
The template
command reads a template, renders the vault secrets into it, and stores the result in a file. In addition it also stores the secret lease information in a secrets file to be able to renew the leases.
template.yaml example:
credentials:
<{- $admin := vault "database/creds/maindb-admin" }>
username: <{ $admin.Data.username | quote }>
password: <{ $admin.Data.password | quote }>
Running vaultify template
:
vaultify template --vault https://vault.vault:8200 \
--role maindb-admin \
--template-file template.yaml \
--output-file /app/config.yaml \
--secrets-output-file /app/secrets.json \
-vv
Renew-leases
The renew-leases
command renews leases that for created by template
command and stored in a secrets file.
Running vaultify renew-leases
:
vaultify renew-leases --vault https://vault.vault:8200 \
--secrets-output-file /app/secrets.json \
--metrics-address ":9105" \
-vv
Run
Running vaultify and continuously renew leases:
vaultify run --vault https://vault.vault:8200 \
--role maindb-admin \
--template-file template.yaml \
--output-file /app/config.yaml \
--metrics-address ":9105" \
-vv
Note that running only this might not work for all work loads. If you run your application in kubernetes and your configuration needs to be rendered before the application starts, you should run the template
command in a initContainer and the renew-leases
command in a side-car.
Metrics
Vaultify run
and renew-leases
are exposing the following metrics:
metric |
type |
description |
vaultify_auth_lease_renewed |
counter |
renewed auth leases |
vaultify_auth_lease_renewal_failed |
counter |
failed auth lease renewals |
vaultify_secret_lease_renewed |
counter |
renewed secret leases |
vaultify_secret_lease_renewal_failed |
counter |
failed secret lease renewals |