cf plugin to push cf app with vault
From CF-Community
$ cf install-plugin -r CF-Community "push-with-vault"
From GitHub Release
Download the tar.gz file from the release page.
$ tar -zxvf cf-push-with-vault_*.tar.gz
$ cf install-plugin -f ./cf-push-with-vault
$ cf push-with-vault -h
NAME:
push-with-vault - This enable to use (( )) place holders in manifest files. (( )) are evaluated by vault
USAGE:
$ cf push-with-vault [APP_NAME]
OPTIONS:
--domain, -d Specify a custom domain (e.g. private-domain.example.com, apps.internal.com) to use instead of the default domain
--file, -f Path to manifest (default: ./manifest.yml)
--hostname, -n Hostname (e.g. my-subdomain)
--path-prefix, -pp Path under which to namespace credential lookup
--vault-addr, -va Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/. (default: "VAULT_ADDR" env)
--vault-token, -vt Vault authentication token. (default: "VAULT_TOKEN" env)
Suppose you want to push a cf app that has the following manifest, with vault.
---
applications:
- name: APP-ONE
  path: ./APP-ONE-DIRECTORY
  env:
    bar: ((/foo/bar))
You must set /foo/bar in vault with a value field (inspired by Credential lookup rules).
$ vault write /foo/bar value="cred"
This plugin supports only the KV Secrets Engine - Version 1.
$ export VAULT_ADDR=https://your.vault.address
$ export VAULT_TOKEN=xxxxxxxxxxxx
$ cf push-with-vault --path-prefix=/foo -f manifest.yml
This command has the same effect as the one below.
$ export VAULT_ADDR=https://your.vault.address
$ export VAULT_TOKEN=xxxxxxxxxxxx
$ cf push -f manifest.yml --var foo/bar="$(vault read -field=value /foo/bar)"
If your Cloud Foundry server version is old, this command is unavailable.
But this plugin is still available, because it parses the manifest file itself and sets the credentials from vault.
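A pre-flight check for the manifest shown above, as an added example that is not part of this plugin: it lists every (( )) placeholder in a manifest and confirms each one has a non-empty value field in vault, printing only paths and never the secret itself. The function names and the VAULT_READ override are hypothetical; it assumes placeholders are absolute vault paths without whitespace and does not model --path-prefix.

```shell
#!/bin/sh
# Added example, not the plugin's own code.

# Print the unique ((...)) placeholders found in a manifest, one per line.
manifest_placeholders() {
    grep -o '(([^()]*))' "$1" | sed -e 's/^((//' -e 's/))$//' | sort -u
}

# Read the "value" field of a KV v1 secret.
# VAULT_READ is a hypothetical override so the lookup can be stubbed offline.
read_secret() {
    ${VAULT_READ:-vault read -field=value} "$1"
}

# Return 0 only if every placeholder resolves to a non-empty value.
# Secret values are captured and discarded; only missing paths are reported.
check_manifest_secrets() {
    manifest=$1
    missing=0
    # Assumption: vault paths contain no whitespace, so word splitting is safe.
    for path in $(manifest_placeholders "$manifest"); do
        if [ -z "$(read_secret "$path" 2>/dev/null)" ]; then
            echo "missing: $path" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage (requires VAULT_ADDR and VAULT_TOKEN to be exported):
#   check_manifest_secrets manifest.yml && cf push-with-vault -f manifest.yml
```

Running the check first keeps a push from starting when a credential is absent or was written under a field other than value.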