This script exists because having a proper system for handling secrets in a pipeline is apparently too hard to get. It is provided as is and will probably break if you push it a bit too far. I will probably never maintain it, so use it at your own risk.
This Bash script automates retrieving secrets from HashiCorp Vault and using them to generate configuration files from templates. It searches the current directory for files with the `.vaulttpl` extension, replaces the Vault placeholders with the actual secret values, and writes the processed files next to the templates without the `.vaulttpl` extension.
You can also have it generate a self-contained script that encapsulates all the secrets it found and encrypts them with AES. This is useful when the git forge does not provide a secure way to handle secrets for its users.
- Vault CLI: the HashiCorp Vault CLI must be installed and available on the system's PATH.
- Vault access: you need a reachable Vault instance and credentials to authenticate against it.
- OpenSSL: needed if you use the hydrator, since the generated script encrypts and decrypts with openssl.
- Environment variables:
  - `VAULT_ADDR`: the Vault server address.
  - `VAULT_TOKEN`: if not set, the script attempts to log in with LDAP authentication.
  - `VAULT_USER` and `VAULT_PASSWORD`: required for the LDAP login when `VAULT_TOKEN` is not provided.
  - `VAULT_TEMPLATE_KEY` (optional): password used to encrypt the generated `hydrate.sh` script, which encapsulates all the secrets in a single encrypted file.
  - `VAULT_TEMPLATE_HYDRATOR_PATH`: where the hydrator is written (default: `secrets/hydrate.sh`).
- Ensure the Vault CLI is installed and configured.
- Set the required environment variables for Vault authentication.
- Run the script:

```sh
vault-template
```

- The script will:
  - Authenticate to Vault (if `VAULT_TOKEN` is not already set).
  - Search for all `.vaulttpl` files in the current directory.
  - Replace the Vault placeholders with the actual secret values.
  - Generate the final configuration files without the `.vaulttpl` extension.
- `vget <path> <field>`: retrieves a specific field from a secret stored in Vault.
- `escape <char>`: escapes the given character in a string.
- `escape_dollar_sign`: escapes dollar signs (`$`) so they are not subject to shell variable substitution.
If you have a template file named `config.json.vaulttpl`:

```json
{
  "database_password": "$(vget secret/data/db password)"
}
```

After running the script, it generates `config.json` with the actual secret value from Vault. The value is inserted verbatim, so a secret containing characters that are special in the target format (a `"` or `\` in JSON, for example) produces a file that is not valid JSON; keep such characters out of secrets used in templates, or escape them.
- The script uses `set -e -o pipefail`, so it exits as soon as any command fails.
- Templates are processed with `eval`, which means a template is executed as shell code: any `$(...)`, backtick or `${...}` expression in it runs with the script's privileges and with its Vault token in the environment. Only render templates you trust, and treat a write to a `.vaulttpl` file in your repository as code execution in the pipeline.
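As an added example (not the vault-template script itself, which is not reproduced on this page), here is a minimal rendering loop in the style the helper list and the notes above describe. `vget` is a constructed stand-in that answers from fake values so the example runs offline; the real helper calls the Vault CLI. The missing-secret bookkeeping through `VGET_ERRORS` is my addition: the exit status of a command substitution inside a heredoc is not seen by `set -e`, so without it a failed lookup would silently render an empty value.

```bash
#!/usr/bin/env bash
# Added example, not the vault-template script itself: a minimal rendering
# loop for .vaulttpl files in the style the README describes (the template
# body goes through eval, $(vget path field) placeholders expand in place).
# vget is a constructed stand-in answering from a fixed list of fake values
# so the example runs offline; the real helper calls the Vault CLI.
set -e

# Stand-in for vget. A miss is also recorded in $VGET_ERRORS because a
# non-zero exit inside $(...) within a heredoc is invisible to set -e.
vget() {
  case "$1 $2" in
    'secret/data/db password') printf '%s' 'p4ss$word"with"quotes' ;;
    'secret/data/api key')     printf '%s' 'ABC123' ;;
    *)
      echo "vget: no value for field '$2' at '$1'" >&2
      [ -n "${VGET_ERRORS:-}" ] && echo "$1 $2" >> "$VGET_ERRORS"
      return 1 ;;
  esac
}

# render_template <file.vaulttpl>: writes <file> next to it and prints the
# output path. The body is handed to eval as an unquoted heredoc, so $(...)
# and $VARS expand while quotes stay literal. This is the command-injection
# point the README warns about: anything in the template runs as shell.
render_template() {
  tpl="$1"
  out="${tpl%.vaulttpl}"
  VGET_ERRORS=$(mktemp)
  eval "cat <<__VT_EOF__
$(cat "$tpl")
__VT_EOF__" > "$out.tmp"
  if [ -s "$VGET_ERRORS" ]; then
    echo "render_template: $tpl references missing secrets:" >&2
    cat "$VGET_ERRORS" >&2
    rm -f "$VGET_ERRORS" "$out.tmp"
    unset VGET_ERRORS
    return 1
  fi
  rm -f "$VGET_ERRORS"
  unset VGET_ERRORS
  mv "$out.tmp" "$out"
  printf '%s' "$out"
}

# render_all [dir]: process every *.vaulttpl in dir (default: current
# directory), stopping at the first template that fails to render.
render_all() {
  for f in "${1:-.}"/*.vaulttpl; do
    [ -e "$f" ] || continue
    render_template "$f"
    echo
  done
}
```

Rendering the `config.json.vaulttpl` shown earlier through `render_template` produces `config.json` with the fake password; a template line such as `x=$(echo INJECTED)` produces `x=INJECTED`, which is the injection risk in concrete form. To put a literal `$` into the output with this approach, write `\$` in the template.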
- Authentication issues: ensure `VAULT_USER` and `VAULT_PASSWORD` are set correctly if you rely on LDAP authentication.
- Permission denied: verify that your Vault token has access to the required secrets.
- Missing dependencies: ensure the Vault CLI is installed and accessible.
This script simplifies the management of secret-based configurations, making it easier to maintain secure applications.
- Ensure you have templates, as described above, in a folder named `secrets` at the root of your project.
- Ensure you have a repository variable accessible only to admins named `VAULT_TEMPLATE_KEY` that holds a random password. Both steps below need it: the first to encrypt the bundle, the second to decrypt it.
- Add a step to gather the secrets to your pipeline definition:
```yaml
- step:
    name: Gather secrets
    # the image must contain the Vault CLI and the vault-template script
    image: <your image>
    runs-on:
      - self.hosted
      - linux
      - docker
    artifacts:
      # the only thing handed to later steps is the encrypted bundle
      - secrets/hydrate.sh
    script:
      # LDAP_USER and LDAP_PASSWORD are assumed to be repository variables
      - export VAULT_USER=$LDAP_USER
      - export VAULT_PASSWORD=$LDAP_PASSWORD
      - vault-template
- step:
    name: test
    image: alpine
    script:
      - apk add openssl
      # decrypts with VAULT_TEMPLATE_KEY and restores the rendered files
      - ./secrets/hydrate.sh
```
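The following is an added example, not the script's own hydrator: it shows how a self-contained `hydrate.sh` of the kind described above can be built from an already rendered `secrets` directory, and how the consuming step restores the files. It assumes openssl 1.1.1 or newer (for `-pbkdf2`), a tar that accepts `--exclude`, and the same `VAULT_TEMPLATE_KEY` exported in both steps; the archive layout and the AES mode are my choices, not necessarily those of the real script.

```bash
#!/usr/bin/env bash
# Added example, not the vault-template script itself: how a self-contained
# hydrate.sh of the kind described above can be built from an already
# rendered secrets directory, and how the consuming step restores it.
# Assumptions: openssl 1.1.1+ (for -pbkdf2), a tar that accepts --exclude,
# and the same VAULT_TEMPLATE_KEY exported on both sides.
set -e

# build_hydrator <secrets_dir> <output_script>
# Archives every file under <secrets_dir> except the .vaulttpl templates and
# the output script itself, encrypts the archive with AES-256-CBC using a key
# derived (PBKDF2) from $VAULT_TEMPLATE_KEY, and appends it base64-encoded to
# a small shell stub that knows how to unpack it. Prints the output path.
build_hydrator() {
  secrets_dir="$1"
  out="$2"
  : "${VAULT_TEMPLATE_KEY:?VAULT_TEMPLATE_KEY must be set to encrypt}"
  {
    cat <<'STUB'
#!/bin/sh
# Generated secret bundle. Usage: VAULT_TEMPLATE_KEY=... ./hydrate.sh [dest_dir]
set -e
: "${VAULT_TEMPLATE_KEY:?VAULT_TEMPLATE_KEY must be set to decrypt}"
dest="${1:-.}"
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
# Everything after the marker line is the encrypted, base64-encoded archive.
# A wrong key makes openssl exit non-zero ("bad decrypt"), so nothing is
# extracted in that case.
sed '1,/^__PAYLOAD__$/d' "$0" | openssl base64 -d \
  | openssl enc -d -aes-256-cbc -pbkdf2 -pass env:VAULT_TEMPLATE_KEY -out "$tmp"
mkdir -p "$dest"
tar -xf "$tmp" -C "$dest"
exit 0
__PAYLOAD__
STUB
    tar -C "$secrets_dir" --exclude='*.vaulttpl' --exclude="$(basename "$out")" -cf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:VAULT_TEMPLATE_KEY \
      | openssl base64
  } > "$out"
  chmod 700 "$out"
  printf '%s' "$out"
}
```

In the pipeline above, the first step would call `build_hydrator secrets secrets/hydrate.sh` after `vault-template` has rendered the templates, and the second step runs `./secrets/hydrate.sh` with `VAULT_TEMPLATE_KEY` present in its environment. Decryption goes to a temporary file before extraction so that a wrong key fails cleanly instead of feeding garbage to tar, and the templates themselves are excluded from the bundle because they contain no secrets and the consuming image has no Vault access anyway.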