This is a Porter plugin that injects credentials into Porter bundles from HashiCorp Vault.

    porter plugin install hashicorp --version v1.0.0 --url https://github.com/getporter/hashicorp-plugins/releases/download

Until the upstream plugin is updated to work with Porter v1, this is a fork with compatibility fixes. For older versions of Porter, use version v0.1.0 of the original hashicorp plugin. We only support the KV Version 2 secret engine. Please raise an issue if you're looking for support for other secret engines.
To use the Vault plugin, add the following configuration to Porter's config file (default location: ~/.porter/config.yaml). Replace vault_addr, vault_token and path_prefix with the values for your environment.
The example below retrieves the vault_token from the VAULT_TOKEN environment variable. Do not store sensitive data in the Porter configuration file.

    default-secrets: "porter-secrets"
    secrets:
      - name: "porter-secrets"
        plugin: "hashicorp.vault"
        config:
          vault_addr: "http://vault.example.com:7500"
          path_prefix: "organization/team/project"
          vault_token: "${env.VAULT_TOKEN}"

path_prefix allows you to specify a prefix for your secret path.
If you have a secret (myawesomeproject) at the path organization/team/project/myawesomeproject, you can set path_prefix to organization/team/project.
You can optionally change where Porter saves secrets by setting porter_secret.
By default, Porter-generated secrets are saved to PATH_PREFIX/SECRET_KEY/porter.
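
The rule above, that vault_token comes from the environment and is never written into the config file, can be checked before Porter runs. The script below is an added example, not part of the plugin: the function name, the "legacy" entry and the token literal in the sample are constructed for illustration, and it assumes the `${env.NAME}` reference form shown in the configuration above.

```python
import os
import re

# Porter template that reads an environment variable, in the form the
# configuration above uses: ${env.VAULT_TOKEN}
ENV_REF = re.compile(r"^\$\{\s*env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}$")
TOKEN_LINE = re.compile(r"^\s*(?:-\s*)?vault_token\s*:\s*(.*?)\s*$")
NOT_A_REF = "value is not an ${env.NAME} reference"

# Constructed sample: the first entry follows the README, the second
# ("legacy", hypothetical) embeds a made-up token literal.
SAMPLE_CONFIG = '''\
secrets:
  - name: "porter-secrets"
    plugin: "hashicorp.vault"
    config:
      vault_token: "${env.VAULT_TOKEN}"
  - name: "legacy"
    plugin: "hashicorp.vault"
    config:
      vault_token: "hvs.CONSTRUCTED-NOT-A-REAL-TOKEN"
'''


def audit_vault_token(config_text, environ):
    """Return (line_number, problem) for each vault_token that breaks the rule."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = TOKEN_LINE.match(line)
        if not match:
            continue  # other keys and commented-out lines are ignored
        value = match.group(1).strip("\"'")
        ref = ENV_REF.match(value)
        if ref is None:
            # Never echo the value itself: it may be a live token.
            findings.append((lineno, NOT_A_REF))
        elif not environ.get(ref.group(1)):
            findings.append((lineno, ref.group(1) + " is not set in the environment"))
    return findings


if __name__ == "__main__":
    for lineno, problem in audit_vault_token(SAMPLE_CONFIG, os.environ):
        print("line %d: vault_token: %s" % (lineno, problem))
```

To check a real file, pass the contents of ~/.porter/config.yaml as config_text instead of the sample.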
The plugin resolves a secret from the secret value set in the parameter set or credential set, relative to the path prefix defined in the Porter configuration file.

    name: myparameterset
    parameters:
      - name: mysql-connection-string
        source:
          secret: myapp/v1/connstr

The secret value can use sub-paths to further select the correct secret. In the example above, the mysql-connection-string parameter resolves to the secret at PATH_PREFIX/myapp/v1/connstr.