Secure Templates

Secure Templates is a tool that renders templates using Go templates and loads the data values from a secrets engine.

Installation for Linux and Mac

Install on /usr/local/bin with sudo

curl -s https://raw.githubusercontent.com/zcloud-ws/secure-templates/main/scripts/install.sh | sudo sh -

Install on work directory without sudo

curl -s https://raw.githubusercontent.com/zcloud-ws/secure-templates/main/scripts/install.sh | sh -

Manual installation and Windows users

Go to the releases page and download the file that matches your system.

Samples

Supported Secrets engines

  • Vault: the free Vault solution by HashiCorp
    • During development you can run Vault in Docker. See
  • Local file: a local file, using an RSA key pair to encrypt the data

Config file

{
  "secret_engine": "local-file",
  "vault_config": {
    "address": "http://localhost:8200",
    "token": "token",
    "secret_engine": "kv",
    "ns": "dev"
  },
  "local_file_config": {
    "filename": "test/configs/local-file-secret.json",
    "enc_priv_key": "LS0tLS...."
  },
  "options": {
    "secretShowNameAsValueIfEmpty": false,
    "secretIgnoreNotFoundKey": false,
    "envShowNameAsValueIfEmpty": false,
    "envAllowAccessToSecureTemplateEnvs": false,
    "envRestrictedNameRegex": "SC_.+"
  }
}

Commands

init-config

Initialize a sample config with local-file as the secret engine

secure-templates init-config -o local-file-cfg.json

Options

NAME:
   secure-templates init-config - Init a sample config

USAGE:
   secure-templates init-config [command options] [arguments...]

OPTIONS:
   --output value, -o value, --out value   [$SEC_TPL_OUTPUT]
   --secret-file value                    (default: "./test/configs/local-file-secret.json")
   --private-key-passphrase value         [$LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE]
   --help, -h                             show help
2024/03/03 00:46:34 ERROR Required flag "config" not set

Environment variables

  • SEC_TPL_OUTPUT: Path to output config file.
  • LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE: Passphrase to encrypt private key.

manage-secret

Manage the secret engine

Create or update the key app_passwd in the secret core with the value abc123

secure-templates manage-secret put core app_passwd abc123

Subcommands arguments

  • put: SECRET KEY VALUE
  • import: SECRET ENV FILE

Options

NAME:
   secure-templates manage-secret - Manage secret

USAGE:
   secure-templates manage-secret command [command options] 

COMMANDS:
   put      Add or update key value
   import   Add or update key value using env file
   help, h  Shows a list of commands or help for one command

OPTIONS:
   --config value, -c value, --cfg value   [$SEC_TPL_CONFIG]
   --help, -h                             show help

Environment variables

  • LOCAL_SECRET_PRIVATE_KEY: Private key encoded with base64.
  • LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE: Passphrase to decrypt private key.

Template Render

Render a template using values from the configured secret engine

Render a template file

secure-templates FILEPATH

Arguments

  • FILEPATH: Path of the template file to render.

Options

NAME:
   secure-templates - A template render tool

USAGE:
   secure-templates [global options] command [command options] 

VERSION:
   dev

DESCRIPTION:
   Secure Templates is a tool to render templates using go-templates and load data values from secrets engine.

COMMANDS:
   init-config    Init a sample config
   manage-secret  Manage secret
   help, h        Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value, -c value, --cfg value   [$SEC_TPL_CONFIG]
   --output value, -o value, --out value   [$SEC_TPL_OUTPUT]
   --print-keys, -p                       (default: false)
   --help, -h                             show help
   --version, -v                          print the version

Environment variables

  • SEC_TPL_CONFIG: Path to config file.
  • SEC_TPL_OUTPUT: Path to output template file.
  • VAULT_TOKEN: Vault token to call the Vault API.
  • LOCAL_SECRET_PRIVATE_KEY: Private key encoded with base64. Used only for local-secret engine.
  • LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE: Passphrase to decrypt private key. Used only for local-secret engine.

Template Functions

  • env: Get environment variable.
  • secret: Get the Key value of a secret engine. If the key name is not provided, it returns a key and value map that can be iterated.
  • sprig functions: Visit the docs for a complete list of functions.

Configuration options

These are the configuration options of the Secure Templates tool (the "options" block of the config file). A brief explanation of each:

  • secretShowNameAsValueIfEmpty: If set to true, when a secret key's value is empty, the key's name will be shown as the value.
  • secretIgnoreNotFoundKey: If set to true, the tool will ignore if a secret key is not found in the secrets engine.
  • envShowNameAsValueIfEmpty: Similar to secretShowNameAsValueIfEmpty, but for environment variables. If set to true, when an environment variable's value is empty, the variable's name will be shown as the value.
  • envAllowAccessToSecureTemplateEnvs: If set to true, the tool will allow access to secure template environment variables.
  • envRestrictedNameRegex: This is a regular expression that defines the naming convention for restricted environment variables. In the provided example, any environment variable starting with "SC_" would be considered restricted.
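The following Go program is an added example, not code from the Secure Templates project, showing how the env and secret template functions described above can be wired into Go's text/template together with the four rendering options from this list. It stands in an in-memory map for the secrets engine and a fake environment (both constructed sample data), and it assumes that envRestrictedNameRegex must match the whole variable name; the real tool's matching rules and error messages may differ.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Options mirrors the "options" block of the secure-templates config file.
// The names come from the README; the semantics below are this example's
// reading of the README, not the tool's own implementation.
type Options struct {
	SecretShowNameAsValueIfEmpty bool
	SecretIgnoreNotFoundKey      bool
	EnvShowNameAsValueIfEmpty    bool
	EnvRestrictedNameRegex       string
}

// Renderer wires an in-memory secret store (standing in for the Vault or
// local-file engine) and an environment lookup into a text/template FuncMap.
type Renderer struct {
	opts    Options
	secrets map[string]map[string]string // secret name -> key -> value
	getenv  func(string) string
	deny    *regexp.Regexp // compiled envRestrictedNameRegex, nil if unset
}

func NewRenderer(opts Options, secrets map[string]map[string]string, getenv func(string) string) (*Renderer, error) {
	r := &Renderer{opts: opts, secrets: secrets, getenv: getenv}
	if opts.EnvRestrictedNameRegex != "" {
		// Assumption: the pattern has to match the whole variable name.
		re, err := regexp.Compile("^(?:" + opts.EnvRestrictedNameRegex + ")$")
		if err != nil {
			return nil, fmt.Errorf("envRestrictedNameRegex: %w", err)
		}
		r.deny = re
	}
	return r, nil
}

// secret implements the template function of the same name: `secret NAME KEY`
// returns one value, `secret NAME` returns the whole key/value map for range.
func (r *Renderer) secret(name string, key ...string) (interface{}, error) {
	kv, ok := r.secrets[name]
	if !ok {
		return nil, fmt.Errorf("secret %q not found", name)
	}
	if len(key) == 0 {
		return kv, nil
	}
	v, ok := kv[key[0]]
	if !ok {
		if r.opts.SecretIgnoreNotFoundKey {
			return "", nil // secretIgnoreNotFoundKey: render empty instead of failing
		}
		return nil, fmt.Errorf("key %q not found in secret %q", key[0], name)
	}
	if v == "" && r.opts.SecretShowNameAsValueIfEmpty {
		return key[0], nil // secretShowNameAsValueIfEmpty
	}
	return v, nil
}

// env implements the "env" template function and refuses names matching
// envRestrictedNameRegex, so a template cannot read the tool's own variables.
func (r *Renderer) env(name string) (string, error) {
	if r.deny != nil && r.deny.MatchString(name) {
		return "", fmt.Errorf("environment variable %q is restricted", name)
	}
	v := r.getenv(name)
	if v == "" && r.opts.EnvShowNameAsValueIfEmpty {
		return name, nil // envShowNameAsValueIfEmpty
	}
	return v, nil
}

// Render parses and executes a template string with the env/secret functions;
// an error returned by either function aborts the render.
func (r *Renderer) Render(tpl string) (string, error) {
	t, err := template.New("tpl").Funcs(template.FuncMap{"secret": r.secret, "env": r.env}).Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleRenderer builds a renderer over constructed sample data: one secret
// named "core" (as in the manage-secret example) and a fake environment.
func SampleRenderer(opts Options) (*Renderer, error) {
	secrets := map[string]map[string]string{"core": {"app_passwd": "abc123", "empty_key": ""}}
	fakeEnv := map[string]string{"HOME": "/home/app", "SC_TOKEN": "should-not-leak"}
	return NewRenderer(opts, secrets, func(k string) string { return fakeEnv[k] })
}

func main() {
	r, err := SampleRenderer(Options{EnvRestrictedNameRegex: "SC_.+"})
	if err != nil {
		panic(err)
	}
	out, err := r.Render(`password={{ secret "core" "app_passwd" }} home={{ env "HOME" }}`)
	fmt.Println(out, err)
	_, err = r.Render(`{{ env "SC_TOKEN" }}`) // blocked by envRestrictedNameRegex
	fmt.Println("restricted lookup:", err)
}
```

With the default options a missing key or a restricted variable fails the whole render, which is the safer default for files such as service configs; enabling secretIgnoreNotFoundKey or the ShowNameAsValueIfEmpty options trades that hard failure for a visible placeholder in the output.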

Author

Edimar Cardoso

Emails:

Website: www.zcloud.ws

License

MIT