HashiCorp Vault: injecting a whole directory

Posted 2025-01-21 19:23:56, 225 characters, 1 view, 0 comments


I want to inject a whole directory using the agent injector.

I would, firstly, like to know if this is even possible.

I will explain myself:

I have this secrets directory: /secret/dev/app/ and under app, I have aws/some_secrets, db/some_secrets, etc...

Is it possible to inject the app directory without having the full secret name?


Comments (1)

难得心□动 2025-01-28 19:23:56


I would say take a look at Agent Templates.

If you take a look at step 7 of the tutorial:

{{ with secret "secret/data/customers/acme" }}
Organization: {{ .Data.data.organization }}
ID: {{ .Data.data.customer_id }}
Contact: {{ .Data.data.contact_email }}
{{ end }}

You could simply template this template file with a script then run the agent. But your script that generates the dynamic template file would have to do some heavy lifting...

List all secrets under a KV v2 basepath (if the engine mount path has no / characters in it):

#!/usr/bin/env bash
# Recursively list every secret path under a KV basepath.
# Usage: listall [-kv1|-kv2] <engine>/<path>   (default: KV v2)
# Needs VAULT_ADDR and VAULT_TOKEN in the environment, plus curl and jq.
listall() {
  local mode="-kv2" kv2opt="/metadata" sarg engine vpath li
  if [ "${1}" = "-kv2" ]; then
    mode="-kv2"; kv2opt="/metadata"
    shift
  elif [ "${1}" = "-kv1" ]; then
    mode="-kv1"; kv2opt=""
    shift
  fi
  # Strip leading/trailing slashes; the first path component is the engine mount
  sarg=$(printf '%s' "${1}" | sed -E 's~/*$~~g' | sed -E 's~^/*~~g')
  engine=$(printf '%s' "${sarg}" | cut -d/ -f1 )
  if [ "$(printf '%s' "${sarg}" | cut -d/ -f2)" = "metadata" ]; then
    vpath=$(printf '%s' "${sarg}" | sed -E "s~^${engine}/metadata/?~~g" )
  else
    vpath=$(printf '%s' "${sarg}" | sed -E "s~^${engine}/?~~g" )
  fi
  # KV v2 is listed through the /metadata/ endpoint; KV v1 lists the path directly
  curl -s -H "X-Vault-Request: true" -H "X-Vault-Token: ${VAULT_TOKEN}" --request LIST \
    "${VAULT_ADDR}/v1/${engine}${kv2opt}/${vpath}" | jq -rc '.data.keys[]' | while IFS= read -r li; do
    if [ "${li: -1}" != "/" ]; then
      printf "%s/%s\n" "${sarg}" "${li}"
    else
      # A trailing "/" marks a folder: recurse, keeping the same KV version
      # (the original lost the -kv1/-kv2 flag on recursion)
      listall "${mode}" "${sarg}/${li}"
    fi
  done
}
# Emit one template stanza per secret found under secret/dev/app
listall -kv2 "secret/dev/app" | while IFS= read -r path; do
  cat << EOF >> template.tpl
{{ with secret "${path}" }}
${path}: {{ .Data.data }}
{{ end }}
EOF
done

...and then maybe run the resultant template.tpl file through the Vault Agent using the template process. But that's pretty useless if things have to be read by a machine after the template finishes, so you may need to have a new loop read each secret to figure out what the keys are on each secret. And then do some advanced formatting. However, the way you structured your question, this technically answers it, and you can figure out how to do the rest (or reframe your question, or ask a new question).
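As an added example, not part of the answer above and not Vault project code: a few shell helpers that take the paths listall prints and write the template so that what the agent renders is machine-readable (one JSON object per secret), which is the gap the last paragraph points out. It assumes the KV v2 mount name is passed explicitly (so mounts containing / also work), spells out the data/ read path the way step 7 of the tutorial does, relies on the toJSON function Vault Agent templates get from consul-template, and uses constructed sample paths.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above): build the dynamic template so that
# the rendered output is one JSON object per secret, with the explicit KV v2
# "data/" read path. Mount name "secret" and the paths in comments are constructed.

# kv2_read_path <mount> <listed-path>
#   secret  secret/dev/app/aws/some_secrets -> secret/data/dev/app/aws/some_secrets
kv2_read_path() {
  local mount="${1%/}" full="${2#/}"
  printf '%s/data/%s\n' "${mount}" "${full#"${mount}/"}"
}

# stanza <mount> <listed-path>
#   Prints a template block rendering {"path":"...","data":{...}} on one line.
#   "with" skips the block if the secret cannot be read; "-}}" trims the
#   trailing newline so skipped secrets leave no blank line behind.
stanza() {
  local rp
  rp=$(kv2_read_path "$1" "$2")
  printf '{{ with secret "%s" }}{"path":"%s","data":{{ .Data.data | toJSON }}}\n{{ end -}}\n' \
    "${rp}" "$2"
}

# build_template <mount> <outfile>
#   Reads listed secret paths (e.g. the output of listall) from stdin, writes
#   the complete template to <outfile> and prints the number of stanzas written.
build_template() {
  local mount="$1" out="$2" p n=0
  : > "${out}"
  while IFS= read -r p; do
    [ -n "${p}" ] || continue
    stanza "${mount}" "${p}" >> "${out}"
    n=$((n + 1))
  done
  printf '%s\n' "${n}"
}

# Typical use:  listall -kv2 "secret/dev/app" | build_template secret template.tpl
# The resulting file is what goes into the injector annotation
# vault.hashicorp.com/agent-inject-template-<name> (or the agent's template block).
```

Each rendered line is self-describing JSON, so whatever reads the file afterwards does not need to know the key names in advance.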
