vault-discovery

command module

v0.0.0-...-d8490d7 Latest Latest Go to latest Published: Nov 25, 2019 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/oboukili/vault-discovery

Links

Open Source Insights

README ¶

Vault-Discovery

Discovers and opens a local TCP tunnel to a Vault cluster's primary instance. Useful as a "sidecar"/"companion app" when using the Terraform Vault provider.

All resources are available as Go library imports.

Usage

GCE

Roles required

roles/compute.viewer

Basic

# This is enough when running vault-discover from GCP
export GOOGLE_PROJECT=some-gcp-project
export TAG_INSTANCE_FILTER=vault
vault-discovery

Advanced

export GOOGLE_PROJECT=some-gcp-project
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/gcp/serviceaccount/token
export NAME_INSTANCE_FILTER=vault-
vault-discovery

Features

Vault cluster GCE discovery:
- instances labels
- instances tags
- instances name (blob expression prefix)

Configuration

Environment variables

provider	variable name	required	default	description
	DISCOVERY_PROVIDER	no	GCE	For now, only the "GCE" provider is available.
	TLS_SKIP_VERIFY	no	false	Whether to skip or not Vault endpoint certificate.
gce	GCE_DEBUG	no	false	Whether to enable gcloud stdout/stderr
gce	GOOGLE_PROJECT	yes		Name of the GCP project to look for instances.
gce	GOOGLE_APPLICATION_CREDENTIALS	no		Should not be needed when running from GCP.
gce	NAME_INSTANCE_FILTER	no		Blob expression prefix to filter instances (example: 'vault-' == 'vault-*').
gce	LABEL_INSTANCE_FILTER	no		Single instance label value to filter instances.
gce	TAG_INSTANCE_FILTER	no		Single instance tag value to filter instances.

Roadmap

Vault CA import
Kubernetes discovery
CLI configuration flags
Unit tests
Acceptance tests
Exposing an interface{} API contract for new discovery providers
Get rid of the 'gcloud' tool dependency for the GCE provider (publish a library for creating GCP IAP tunnels?)

Build

Requires go 1.13+

GOOS=linux go build -mod=readonly -ldflags="-s -w" -o vault-discovery

Contributing

New providers

Implementing new providers (kubernetes?) would only require to introduce a new Go package exposing a public getter function returning a (types.VaultTunnelCon, error) tuple (pending an interface{} API contract).

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
gce
helpers
types

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL