Version: 1.0.3-rc.0
# @doodle/vault

Node.js library that exchanges a Kubernetes (K8s) service account token for a Vault token.
| lib-vault-nodejs | |
|---|---|
| Project ID | @doodle/vault |
| JIRA project | PLAT |
| Jenkins job | Jenkins |
Add the `@doodle/vault` package as a dependency:

```sh
$ yarn add @doodle/vault
```

```js
const { Vault, getToken, mapData } = require('@doodle/vault');

const secrets = {};

getToken({ role: 'myRole' }) // role only necessary in k8s, equals the environment/namespace
  .then(token => Vault({ token }))
  .then(vault => vault.read('secrets/doodle/environment/service/something'))
  .then(mapData({ vaultKey: 'myKey', otherVaultKey: 'otherKey' }, secrets))
  .then(() => {
    // do something with secrets.myKey or secrets.otherKey, but don't just log it!
  })
  .catch(e => console.error(`could not read secrets from vault: ${e}`));
```
:warning: If you have installed (and enabled) the vault-token-helper (which is recommended for Doodle devs), then reading the token locally (more specifically, running this lib anywhere outside of CI) will likely fail: this lib assumes that the Vault token is stored in the `~/.vault-token` file (the default location for the vault CLI), but the vault-token-helper overrides this behaviour and stores the token in the macOS keychain (or its equivalent on other operating systems). To work around this for now, run commands similar to these before running this lib locally:
```sh
$ vaultlogin staging
$ echo $(vault-token-helper get) > ~/.vault-token
```
:bulb: Remember to securely delete this file when you are done if you prefer not to keep the token in plaintext (the vault-token-helper does not use this file anyway).
```sh
git clone https://github.com/DoodleScheduling/lib-vault-nodejs.git
cd lib-vault-nodejs
git fetch
git checkout -b my-branch origin/master
# ... commit changes
git push origin my-branch
```
Pull requests publish `@doodle/vault` with the PR number as a version suffix (`-prN`).

This Node.js library implements the Kubernetes login for Vault: https://github.com/DoodleScheduling/documentation/blob/master/DevOps/vault/README.md#using-kubernetes-authentication.

It does so by:

- inspecting `process.env`: in Kubernetes clusters make sure that `NODE_ENV` is set to `production`; otherwise the library assumes a local environment and does not use the Kubernetes login method.
In theory, node-vault supports an external extension point, `client.generateFunction`, but it was decided not to use it: there is a major refactor on the way (see #78), and `client.generateFunction` does not actually retain the logged-in token when generating an authentication method.
Each Kubernetes pod should have a service account. For now, all pods on each Kubernetes environment (staging, preproduction and production) do get a token from a service account named vault-auth: this service account exists separately on each environment. This library exchanges the service account token for a vault token - logged in as a specific vault role - with which we can read Vault secrets from secrets/doodle/*.
```sh
$ yarn test
```