Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cli: Add 'agent generate-config' sub-command #20530

Merged
merged 21 commits into from
May 19, 2023
Merged

Conversation

averche
Copy link
Contributor

@averche averche commented May 5, 2023

Note: documentation will be added in a different PR

Background

This pull request implements a new sub-command agent generate-config. It is part of the larger effort to add environment variable support within Vault Agent (VLT-253).

The goal of this sub-command is to help new users with an easy on-boarding to Vault, specifically for integrating Vault into their applications. It will recurse through the Vault path tree for the given path(s) and produce an agent.hcl configuration file with token_file authentication method and default environment-variable-to-secret mappings. The file can then be used by Vault Agent in a process supervisor mode (will be implemented in future PRs).

For the first release of this template configuration helper, we will only support KV-V1 and KV-V2 secret types.

Example

$ vault agent generate-config \
       -type="env-template" \
       -exec="./my-app.sh" \
       -path="secret/test" \
       -path="secret/my-app/*"                                                           

Successfully generated "agent.hcl" configuration file!

agent.hcl:

auto_auth {

  method {
    type = "token_file"

    config {
      token_file_path = "/Users/avean/.vault-token"
    }
  }
}

template_config {
  static_secret_render_interval = "30s"
  exit_on_retry_failure         = true
}

vault {
  address = "http://localhost:8200"
}

env_template "TEST_PASSWORD" {
  contents             = "{{ with secret \"secret/data/test\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "TEST_USER" {
  contents             = "{{ with secret \"secret/data/test\" }}{{ .Data.data.user }}{{ end }}"
  error_on_missing_key = true
}
env_template "API_KEY_VAL1" {
  contents             = "{{ with secret \"secret/data/my-app/api-key\" }}{{ .Data.data.val1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "DATABASE_PASSWORD" {
  contents             = "{{ with secret \"secret/data/my-app/database\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "DATABASE_USER" {
  contents             = "{{ with secret \"secret/data/my-app/database\" }}{{ .Data.data.user }}{{ end }}"
  error_on_missing_key = true
}
env_template "BAR_VAL1" {
  contents             = "{{ with secret \"secret/data/my-app/nested/bar\" }}{{ .Data.data.val1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "BAR_VAL2" {
  contents             = "{{ with secret \"secret/data/my-app/nested/bar\" }}{{ .Data.data.val2 }}{{ end }}"
  error_on_missing_key = true
}
env_template "FOO_VAL1" {
  contents             = "{{ with secret \"secret/data/my-app/nested/foo\" }}{{ .Data.data.val1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "FOO_VAL2" {
  contents             = "{{ with secret \"secret/data/my-app/nested/foo\" }}{{ .Data.data.val2 }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["./my-app.sh"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}

Related pull requests

@averche averche added this to the 1.14 milestone May 5, 2023
@averche averche changed the title Add 'agent generate-config' command-line cli: Add 'agent generate-config' sub-command May 5, 2023
@averche averche marked this pull request as ready for review May 5, 2023 16:22
@averche averche requested review from VioletHynes and a team May 5, 2023 16:25
command/agent_generate_config.go Outdated Show resolved Hide resolved
command/agent_generate_config.go Outdated Show resolved Hide resolved
Comment on lines 156 to 161
var configPath string
if len(args) == 1 {
configPath = args[0]
} else {
configPath = "agent.hcl"
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should the default be stdout?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe 🤷 We kind of want to give a warning about the token auto-auth method so I'm slightly leaning towards writing to a file. We could also require a file to be specified.

)

// TestConstructTemplates tests the construcTemplates helper function
func TestConstructTemplates(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

after we add the config, should add tests that the generated config should be readable

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call, we definitely should

@VioletHynes
Copy link
Contributor

Looks great! Added some comments so far but broadly it looks fantastic. One thing I'm also interested in: we should add docs for this subcommand. I don't really mind if that's as part of a different PR or if it's part of this one, but we should make sure docs are added. I'm happy to review them all the same.

command/agent_generate_config_test.go Outdated Show resolved Hide resolved
)

// TestConstructTemplates tests the construcTemplates helper function
func TestConstructTemplates(t *testing.T) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call, we definitely should

command/agent_generate_config_test.go Outdated Show resolved Hide resolved
command/agent_generate_config.go Outdated Show resolved Hide resolved
@averche
Copy link
Contributor Author

averche commented May 5, 2023

Looks great! Added some comments so far but broadly it looks fantastic. One thing I'm also interested in: we should add docs for this subcommand. I don't really mind if that's as part of a different PR or if it's part of this one, but we should make sure docs are added. I'm happy to review them all the same.

Thanks! Yes, docs is definitely next 👍 I will probably hold off on merging this till the docs PR is ready.

@VioletHynes
Copy link
Contributor

Just to make sure we're not waiting on each other: I'm hoping to see the note about changing the auto_auth type and the additional tests for the other parts of generated config before I approve.

Once these are added, feel free to re-request me as a viewer to ping me!

@averche averche requested review from VioletHynes and dhuckins May 9, 2023 00:48
@averche
Copy link
Contributor Author

averche commented May 9, 2023

Just to make sure we're not waiting on each other: I'm hoping to see the note about changing the auto_auth type and the additional tests for the other parts of generated config before I approve.

Once these are added, feel free to re-request me as a viewer to ping me!

Thanks! I added both

Copy link
Contributor

@VioletHynes VioletHynes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Nice work.

@@ -0,0 +1,3 @@
```release-note:feature
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@averche could you please update this changelog file using the format for announcing a new feature? https://hashicorp.atlassian.net/wiki/spaces/VAULT/pages/1311244491/Changelog+Process#New-and-Major-Features

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mladlow should we also make that change for #20739 ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dhuckins Are these two PRs the same or different "features"? If you scroll through historical changelog sections for major releases, you can see what's been called out in the "features" section. For the features section, it's expected that features will have multiple PRs and it doesn't always make sense to have a changelog entry for every PR that composes a major new feature.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gotcha, same feature (at least they are related). so just one should be fine. thanks!

Copy link
Collaborator

@mladlow mladlow Jun 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like in the RC changelog this line is still showing up in the Features section - https://github.com/hashicorp/vault/pull/21077/files#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR43. Could someone update the file on the 1.14 release branch OR delete it on that branch please?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants