Why Gemfury? Push, build, and install  RubyGems npm packages Python packages Maven artifacts PHP packages Go Modules Debian packages RPM packages NuGet packages

tmf / @doodle/vault js

Repository URL to install this package:

Version: 
1.0.1  ▾
Details    
  index.js
  kubernetesLogin.js
  mapData.js
  readToken.js
  package.json
  README.md
Size: Mime:
  README.md

@doodle/vault

Greenkeeper badge

Node.js library that exchanges a K8 service account token into a Vault token.

lib-vault-nodejs
Project ID @doodle/vault
JIRA project PLAT
Jenkins job Jenkins

Usage

  1. Add the doodle/vault package as a dependency
$ yarn add @doodle/vault
  1. In your express.js app, before anything that requires the secret value:
const { Vault, getToken, mapData } = require('@doodle/vault');

const secrets = {};
getToken({ role: 'myRole' }) // role only necessary in k8, equals to environment/namespace
  .then(token => Vault({ token }))
  .then(vault => vault.read('secrets/doodle/environment/service/something'))
  .then(mapData({ vaultKey: 'myKey', otherVaultKey: 'otherKey' }, secrets))
  .then(() => {
    // do something with secrets.myKey or secrets.otherKey, but don't just log it!
  })
  .catch(e => console.error(`could not reads secrets from vault: ${e}`));

Contributing

  • Clone repository 
    git clone https://github.com/DoodleScheduling/lib-vault-nodejs.git
cd lib-vault-nodejs
  • Contribute 
    git fetch
git checkout -b my-branch origin/master
# ... commit changes
git push origin my-branch
  • Successfully built branches are published as @doodle/vault
  • Create a pull request
  • Successfully built PRs are published as @doodle/vault but with the PR number suffix for the version -prN .

Documentation

This node.js library implements the Kubernetes login for vault: https://github.com/DoodleScheduling/documentation/blob/master/DevOps/vault/README.md#using-kubernetes-authentication.

It does so by:

  1. reading out the kubernetes service account token
  2. Logging in to vault's Kubernetes auth endpoint
  3. Initialize the vault client with that token
  4. Provide helper methods for reading secrets into data structures like process.env

In kubernetes clusters make sure that NODE_ENV is set to production. Otherwise it assumes local environment and does not use the kubernetes login method.

In theory, node-vault supports an external extension point, client.generateFunction, but it was decided not to use it: There is a major refactor on the way (see #78), and client.generateFunction does not actually retain the logged-in token when generating an authentication method.

Each Kubernetes pod should have a service account. For now, all pods on each Kubernetes environment (staging, preproduction and production) do get a token from a service account named vault-auth: this service account exists separately on each environment. This library exchanges the service account token for a vault token - logged in as a specific vault role - with which we can read Vault secrets from secrets/doodle/*.

Testing

$ yarn test

Products

About

Resources

Contact Gemfury