Discovers and opens a TCP tunnel to a Vault primary instance

oboukili/vault-discovery

Vault-Discovery

Discovers and opens a local TCP tunnel to a Vault cluster's primary instance. Useful as a "sidecar"/"companion app" when using the Terraform Vault provider.

All resources are available as Go library imports.


Usage

GCE

Roles required

  • roles/compute.viewer

Basic

```shell
# This is enough when running vault-discovery from within GCP
export GOOGLE_PROJECT=some-gcp-project
export TAG_INSTANCE_FILTER=vault
vault-discovery
```

Advanced

```shell
export GOOGLE_PROJECT=some-gcp-project
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/gcp/serviceaccount/token
export NAME_INSTANCE_FILTER=vault-
vault-discovery
```

Features

  • Vault cluster GCE discovery by:
    • instance labels
    • instance tags
    • instance name (glob expression prefix)

Configuration

Environment variables

| provider | variable name | required | default | description |
|---|---|---|---|---|
| | DISCOVERY_PROVIDER | no | GCE | For now, only the "GCE" provider is available. |
| | TLS_SKIP_VERIFY | no | false | Whether to skip verification of the Vault endpoint certificate. |
| gce | GCE_DEBUG | no | false | Whether to enable gcloud stdout/stderr output. |
| gce | GOOGLE_PROJECT | yes | | Name of the GCP project in which to look for instances. |
| gce | GOOGLE_APPLICATION_CREDENTIALS | no | | Should not be needed when running from GCP. |
| gce | NAME_INSTANCE_FILTER | no | | Glob expression prefix to filter instances (example: 'vault-' == 'vault-*'). |
| gce | LABEL_INSTANCE_FILTER | no | | Single instance label value to filter instances. |
| gce | TAG_INSTANCE_FILTER | no | | Single instance tag value to filter instances. |
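To show how the variables above fit together, here is an added Go example (not vault-discovery's own loader) that applies the documented defaults, rejects a missing GOOGLE_PROJECT or a non-boolean TLS_SKIP_VERIFY, and evaluates the three instance filters; reading from a map instead of the process environment and combining the filters with AND are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
)

// Config mirrors the environment variables in the table above (added example, not
// the project's own loader). NameFilter is a glob prefix: "vault-" means "vault-*".
type Config struct {
	Provider, Project, NameFilter, LabelFilter, TagFilter string
	TLSSkipVerify                                         bool
}
// LoadConfig reads from a map instead of os.Environ so it can run offline.
func LoadConfig(env map[string]string) (Config, error) {
	cfg := Config{Provider: "GCE"} // documented default, the only provider for now
	if v := env["DISCOVERY_PROVIDER"]; v != "" && v != "GCE" {
		return cfg, fmt.Errorf("unsupported DISCOVERY_PROVIDER %q", v)
	}
	if v := env["TLS_SKIP_VERIFY"]; v != "" { // default false: keep verifying the cert
		b, err := strconv.ParseBool(v)
		if err != nil {
			return cfg, fmt.Errorf("TLS_SKIP_VERIFY must be a boolean, got %q", v)
		}
		cfg.TLSSkipVerify = b
	}
	if cfg.Project = env["GOOGLE_PROJECT"]; cfg.Project == "" {
		return cfg, fmt.Errorf("GOOGLE_PROJECT is required")
	}
	cfg.NameFilter, cfg.LabelFilter, cfg.TagFilter =
		env["NAME_INSTANCE_FILTER"], env["LABEL_INSTANCE_FILTER"], env["TAG_INSTANCE_FILTER"]
	return cfg, nil
}
// Matches reports whether an instance (name, labels, network tags) passes every
// configured filter. Combining the filters with AND is an assumption of this example.
func (c Config) Matches(name string, labels map[string]string, tags []string) bool {
	if c.NameFilter != "" {
		if ok, _ := path.Match(c.NameFilter+"*", name); !ok {
			return false
		}
	}
	labelOK, tagOK := c.LabelFilter == "", c.TagFilter == "" // unset filter always passes
	for _, v := range labels {
		labelOK = labelOK || v == c.LabelFilter
	}
	for _, t := range tags {
		tagOK = tagOK || t == c.TagFilter
	}
	return labelOK && tagOK
}
```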

Roadmap

  • Vault CA import
  • Kubernetes discovery
  • CLI configuration flags
  • Unit tests
  • Acceptance tests
  • Exposing an interface{} API contract for new discovery providers
  • Get rid of the 'gcloud' tool dependency for the GCE provider (publish a library for creating GCP IAP tunnels?)

Build

Requires Go 1.13+

```shell
GOOS=linux go build -mod=readonly -ldflags="-s -w" -o vault-discovery
```

Contributing

New providers

Implementing a new provider (Kubernetes?) would only require introducing a new Go package that exposes a public getter function returning a (types.VaultTunnelCon, error) tuple (pending an interface{} API contract).
