--- menu: workshop: parent: Secrets Management title: Secrets Loading weight: 62 --- :toc: include::modules/comm-attributes.adoc[] [#secretLoading] == Secrets Loading Loading secrets in the vault is usually done by running `./pattern.sh make load-secrets` from the Pattern's repository. This runs ansible code that parses local yaml files containing the secrets to be uploaded to the Vault running on the Hub The secrets needed for the pattern are in the `values-secret.yaml.template` file in the pattern's repository. Copy `values-secret.yaml.template` to `~/values-secret-multicloud-gitops.yaml` and edit it according to your needs TIP: You could also run `./pattern.sh make load-secrets` to run it through a container without installing too many dependencies Please encrypt the file with `ansible-vault encrypt ~/values-secret-multicloud-gitops.yaml` (i.e. no clear-text secrets at rest) NOTE: `make load-secrets` will prompt for the decryption key if it is encrypted It looks for files in the following order (and stops as soon as one is found): * ~/.config/validatedpatterns/values-secret-.yaml * ~/values-secret-.yaml (e.g. ~/values-secret-multicloud-gitops.yaml) * /values-secret.yaml.template [.TIP] ==== An alternative yaml file path can be specified by setting the **VALUES_SECRET** environment variable: export VALUES_SECRET=~/foo/bar.yaml; ./pattern.sh make load-secrets ==== [#valuesecret] == Secrets Template in the Patterns Two file format versions are understood by the loading mechanism: "version: 1.0" (default) and "version: 2.0". **Please specify and use "version: 2.0" when possible** Version 2.0 supports file-uploading, prompting for secrets, base64-encoding, reading secrets from INI-files (e.g. ~/.aws/credentials), uploading to multiple vault paths and generating secrets inside Vault directly using password policies Version 1.0 is a lot more limited in terms of capabilities and deprecated Both versions have corresponding JSON schemas: link:https://github.com/validatedpatterns/common/blob/main/ansible/roles/vault_utils/values-secrets.v1.schema.json[V1] and link:https://github.com/validatedpatterns/common/blob/main/ansible/roles/vault_utils/values-secrets.v2.schema.json[V2] Complete examples can be found link:https://github.com/validatedpatterns/common/blob/main/ansible/roles/vault_utils/README.md[here] [#policy] [source,yaml] ---- version: "2.0" secrets: - name: config-demo vaultPrefixes: - global fields: - name: secret onMissingValue: generate vaultPolicy: validatedPatternDefaultPolicy ---- [.IMPORTANT] ==== * The validatedPatternDefaultPolicy is a default password policy that is guaranteed to exist * It is defined link:https://github.com/validatedpatterns/common/blob/main/ansible/plugins/module_utils/load_secrets_v2.py#L28[here] * The secret is 20 character longs (min 1 lowercase, min 1 uppercase, min 1 number, min 1 special char) * It is possible to create a custom policy and use that one to generate secrets randomly ==== [#secretexamples] === Secret Examples [#certificate] [source,yaml] ---- version: "2.0" secrets: - name: config-demo vaultMount: secret vaultPrefixes: - region-one - snowflake fields: - name: secretfile path: /tmp/ca.crt onMissingValue: prompt base64: true prompt: "Insert path to Certificate Authority" ---- This Will prompt the user with: * Insert path to Certificate Authority [/tmp/ca.crt]: * Pressing only enter will accept the default in [] (no echo on input!!) "/tmp/ca.crt" will be read, base64 encoded and uploaded * It will be uploaded as an attribute called "secretfile" to two different vault keys: ** secret/region-one/config-demo ** secret/snowflake/config-demo [#awscreds] [source,yaml] ---- version: "2.0" secrets: - name: aws fields: - name: aws_access_key_id ini_file: ~/.aws/credentials ini_section: default ini_key: aws_access_key_id - name: aws_secret_access_key ini_file: ~/.aws/credentials ini_section: default ini_key: aws_secret_access_key ---- This reads `~/.aws/credentials` and uses the `[default]` section to look for the `aws_access_key_id` and `aws_secret_access_key` in the file [#custompolicy] [source,yaml] ---- version: "2.0" vaultPolicies: basicPolicy: | length=10 rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } rule "charset" { charset = "0123456789" min-chars = 1 } secrets: - name: config-demo vaultPrefixes: - region-one fields: - name: secret onMissingValue: generate override: true vaultPolicy: basicPolicy ---- This will use the `basicPolicy` to generate a random value as an attribute called `secret` in the `secret/region-one/config-demo` vault path