Project

settings_reader-vault_resolver

0.0
The project is in a healthy, maintained state
settings_reader-vault_resolvermatic-insurance/settings_reader-vault_resolverHomepageDocumentationSource CodeBug Tracker
This gem works as a resolver for `settings_reader` gem. \ Any value with matching format will be resolved using Vault \ with support of dynamic secrets and lease renewal.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
18,552
Stars
2
Forks
0
Watchers
10
 Releases
Current version
0.5.0
Total releases
19
First release
2022-01-19
Latest release
2024-01-22
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
23
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2022-11-26
Reverse Dependencies
0

 Dependencies

Runtime

concurrent-ruby
~> 1.1
vault
~> 0.16
settings_reader
~> 0.1
 Project Readme

SettingsReader::VaultResolver

Build Status Test Coverage

Settings Reader plugin to resolve values using in Hashicorp Vault

This gem works as a plugin for Settings Reader

Installation

Add this line to your application's Gemfile:

gem 'settings_reader'
gem 'settings_reader-vault_resolver'

Usage

Initialization

At the load of application when initializing settings_reader:

#Init vault
Vault.address = 'http://127.0.0.1:8200'
Vault.token = 'MY_SUPER_SECRET_TOKEN'

#Load Settings Reader and configure resolver
AppSettings = SettingsReader.load do |config|
  # ... SettingReader configurations
  
  # Configure vault resolver
  SettingsReader::VaultResolver.configure do |vault_resolver_config|
    vault_resolver_config.logger = Rails.logger
    vault_resolver_config.vault_initializer = -> { authenticate_vault }
    # ... other VaultResolver configurations
  end
  
  # Add vault resolver as one of resolvers
  config.resolvers << SettingsReader::VaultResolver.resolver
end

Usage

If one of the values provided will begin with vault:// scheme - VaultResolver gem will kick in and will try to resolve path in Vault

Assuming your settings has following structure:

app:
  name: 'MyCoolApp'
  hostname: 'http://localhost:3001'
  static_secret: 'vault://secret/apps/my_cool_app#app_secret'
  dynamic_secret: 'vault://database/creds/app-db#username'

When requesting app/secret from SettingsReader it will resolve in Vault as:

secret = AppSettings.get('app/static_secret') 
# Gem will read `vault://secret/app#secret` from YAML
# Gem will resolve value in Vault using Vault.kv('secret').read('apps/my_cool_app')
# Gem will return `app_secret` attribute from the secret resolved above

db_user = AppSettings.get('app/dynamic_secret')
# Gem will request dynamic credentials from `vault://database/creds/app-db` and cache them
# Gem will renew lease on retrieved credentials 3 minutes prior lease expiration from vault
# Gem will return `username` attribute from dynamic secret

Development

  1. Run bin/setup to install dependencies
  2. Run docker-compose up to spin up dependencies (Vault)
  3. Run tests rspec
  4. Add new test
  5. Add new code
  6. Go to step 3
  7. Create PR

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/matic-insurance/settings_reader-vault_resolver. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the SettingsReader::VaultResolver project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.