Is it possible to create just one template and generate files based on dynamic targets?
What I mean is: I only want to configure a /path and one template file, then run it automatically so that it reads all the secrets under that path and generates a file named after each secret.
The solution I found is:
{
  "auto_auth": [
    {
      "method": [
        {
          "config": [
            {
              "role_id_file_path": "roleIDFile",
              "secret_id_file_path": "secretIDFile",
              "remove_secret_id_file_after_reading": "false"
            }
          ],
          "type": "approle"
        }
      ]
    }
  ],
  "exit_after_auth": true,
  "template": [
    {
      "source": "dynamic-secrets.tmpl",
      "destination": "agent-dynamic-secrets.json"
    }
  ],
  "vault": [
    {
      "address": "https://127.0.0.1:8200/",
      "tls_skip_verify": "true"
    }
  ]
}
This is the content of dynamic-secrets.tmpl:
{
  "auto_auth": [
    {
      "method": [
        {
          "config": [
            {
              "role_id_file_path": "roleIDFile",
              "secret_id_file_path": "secretIDFile",
              "remove_secret_id_file_after_reading": "false"
            }
          ],
          "type": "approle"
        }
      ]
    }
  ],
  "exit_after_auth": true,
  "template": [{{ with secret "APP/SECRETS/SECURE-FOLDER" }}{{ range $k, $v := .Data.data }}
    {
      "contents": "[[ with secret \"APP/SECRETS/SECURE-FOLDER\" ]][[ index .Data.data \"{{ $k }}\" | base64Decode ]][[ end ]]",
      "destination": "SECURE-FOLDER/{{ $k }}",
      "left_delimiter": "[[",
      "right_delimiter": "]]"
    },{{ end }}{{ end }}
  ],
  "vault": [
    {
      "address": "https://127.0.0.1:8200/",
      "tls_skip_verify": "true"
    }
  ]
}
This uses the agent to dynamically generate the configuration for Vault Agent, and that generated configuration contains all the template entries needed to fetch the secrets and write the files.
The dynamically generated configuration file looks like this:
{
  "auto_auth": [...],
  "exit_after_auth": true,
  "template": [
    {
      "contents": "[[ with secret \"APP/SECRETS/SECURE-FOLDER\" ]][[ index .Data.data \"api_shiro-session-management.ini\" | base64Decode ]][[ end ]]",
      "destination": "SECURE-FOLDER/api_shiro-session-management.ini",
      "left_delimiter": "[[",
      "right_delimiter": "]]"
    },
    {
      "contents": "[[ with secret \"APP/SECRETS/SECURE-FOLDER\" ]][[ index .Data.data \"bdk/test.bdk\" | base64Decode ]][[ end ]]",
      "destination": "SECURE-FOLDER/bdk/test.bdk",
      "left_delimiter": "[[",
      "right_delimiter": "]]"
    },
    {
      "contents": "[[ with secret \"APP/SECRETS/SECURE-FOLDER\" ]][[ index .Data.data \"connection/connection - new microsoft - jdbc.xml\" | base64Decode ]][[ end ]]",
      "destination": "SECURE-FOLDER/connection/connection - new microsoft - jdbc.xml",
      "left_delimiter": "[[",
      "right_delimiter": "]]"
    },
    {
      "contents": "[[ with secret \"APP/SECRETS/SECURE-FOLDER\" ]][[ index .Data.data \"connection/connection - old - jtds.xml\" | base64Decode ]][[ end ]]",
      "destination": "SECURE-FOLDER/connection/connection - old - jtds.xml",
      "left_delimiter": "[[",
      "right_delimiter": "]]"
    },
    {
      "contents": "[[ with secret \"APP/SECRETS/SECURE-FOLDER\" ]][[ index .Data.data \"connection/connection.xml\" | base64Decode ]][[ end ]]",
      "destination": "SECURE-FOLDER/connection/connection.xml",
      "left_delimiter": "[[",
      "right_delimiter": "]]"
    },...
  ],
  "vault": [...]
}
In this case, all the secrets are base64-encoded files. But leaving that part aside, I want to read /path and generate the files dynamically, without writing an entry for each file. Is this a better approach?
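The two-pass trick in the question (an outer template that emits one `template` stanza per key of the KV secret, which a second Vault Agent pass then renders) can be reasoned about offline. The script below is an added example, not code from the question or from Vault, that does the same per-key expansion in Python so the generated config can be inspected before an agent ever runs it. The secret data is a constructed sample shaped like the `.Data.data` map of a KV v2 secret; the names `SAMPLE_SECRET_DATA`, `safe_destination`, `template_entry`, `build_agent_config` and `render_files` are this example's own. Two things the example adds that the Go template does not: key names are JSON-escaped before being pasted into `contents`/`destination` (a key containing a quote would otherwise break the generated config), and a key is rejected if `SECURE-FOLDER/<key>` would resolve outside `SECURE-FOLDER`, since whoever can write keys into the secret is effectively choosing file paths on the host that runs the agent.

```python
import base64
import json
import posixpath

# Constructed sample: what `.Data.data` of the KV v2 secret might contain once
# `{{ with secret "APP/SECRETS/SECURE-FOLDER" }}` has fetched it. Key names mirror
# the ones in the question; values are made-up base64 payloads.
SAMPLE_SECRET_DATA = {
    "api_shiro-session-management.ini": base64.b64encode(b"[main]\nsessionManager = x\n").decode(),
    "bdk/test.bdk": base64.b64encode(b"test-bdk-bytes").decode(),
    "connection/connection.xml": base64.b64encode(b"<connection/>").decode(),
}

SECRET_PATH = "APP/SECRETS/SECURE-FOLDER"
DEST_ROOT = "SECURE-FOLDER"


def safe_destination(root, key):
    """Return root/key, or None if the key would place the file outside root.

    The secret key becomes a file path in the generated agent config, so a key
    such as '../x' or an absolute path must not be accepted blindly.
    """
    if not key or key.startswith("/") or "\\" in key:
        return None
    joined = posixpath.normpath(posixpath.join(root, key))
    # Must be strictly inside root ('SECURE-FOLDER' itself, '.', '' are rejected).
    if not joined.startswith(root + "/"):
        return None
    return joined


def template_entry(key):
    """One `template` stanza, equivalent to what the outer template in the
    question emits per key, with the key JSON-escaped rather than pasted raw."""
    dest = safe_destination(DEST_ROOT, key)
    if dest is None:
        raise ValueError(f"refusing key that escapes {DEST_ROOT}: {key!r}")
    # Inner consul-template source; json.dumps yields a double-quoted, escaped
    # Go string literal for the path and the key.
    contents = (
        "[[ with secret " + json.dumps(SECRET_PATH) + " ]]"
        "[[ index .Data.data " + json.dumps(key) + " | base64Decode ]]"
        "[[ end ]]"
    )
    return {
        "contents": contents,
        "destination": dest,
        "left_delimiter": "[[",
        "right_delimiter": "]]",
    }


def build_agent_config(secret_data, auto_auth, vault_address):
    """Assemble the second-pass agent config as a dict; json.dumps() of this
    has no trailing comma, whatever the number of keys."""
    return {
        "auto_auth": auto_auth,
        "exit_after_auth": True,
        "template": [template_entry(k) for k in sorted(secret_data)],
        "vault": [{"address": vault_address}],
    }


def render_files(secret_data):
    """Simulate the second pass offline: base64Decode each value into the file
    the matching template stanza would write. Returns {destination: bytes}."""
    return {
        safe_destination(DEST_ROOT, k): base64.b64decode(v)
        for k, v in secret_data.items()
        if safe_destination(DEST_ROOT, k) is not None
    }


if __name__ == "__main__":
    cfg = build_agent_config(SAMPLE_SECRET_DATA, [], "https://127.0.0.1:8200/")
    print(json.dumps(cfg, indent=2))
    for path, data in render_files(SAMPLE_SECRET_DATA).items():
        print(path, "->", data)
```

Run it as-is to see the generated `template` list for the sample keys; to reuse the check against a real agent config, feed `safe_destination` every `destination` the outer template produced and reject the run if any returns `None`.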