vault-config
an insanely simple way to back your app's config with vault, and make it committable
node-config inspired config that is backed by hashicorp vault, using the vault-get data interface
install
npm install vault-config
usage
set up your .vaultrc
(you can commit this to your repo)
"VAULT_CONFIG_ENDPOINT": "..." // or use env var (required) "VAULT_CONFIG_ROOT_PATH": "..." // or use env var (default "secret") "VAULT_CONFIG_SECRET_SHARES": "..." // or use env var (default 1) "NODE_ENV=.*": // default config (every other match extends this) "vault": // vault-get interface "database": "host": "website.com/databases/mysql/master/host" "username": "website.com/databases/mysql/master/username" "password": "website.com/databases/mysql/master/password" "NODE_ENV=development": "local": // local temp overrides "database": "host": "localhost" "username": "root" "password": "" "NODE_ENV=production": "vault": // vault-get interface "gmail": "username": "prod.website.com/accounts/gmail/username" "password": "prod.website.com/accounts/gmail/password"
set up your .vaultsecrets
(do not commit to repo)
"VAULT_CONFIG_TOKEN": "..." // or use env var (required) "VAULT_CONFIG_KEYS": "..." "..." // or use env var (optional) "VAULT_CONFIG_KEY": "..." // or use env var (optional)
if everything is correct you should be able to do the following
    // blocks on first module load if vault keys are requested
    var config = require('vault-config');
    console.log(config);
which would log out the following
    // in development
    {
      database: {
        host: 'localhost',
        username: 'root',
        password: ''
      }
    }

    // in production
    {
      database: {
        host: 'VALUE OBTAINED FROM VAULT',
        username: 'VALUE OBTAINED FROM VAULT',
        password: 'VALUE OBTAINED FROM VAULT'
      },
      gmail: {
        username: 'VALUE OBTAINED FROM VAULT',
        password: 'VALUE OBTAINED FROM VAULT'
      }
    }
You can also specify the location of the .vaultrc / .vaultsecret files via env variables
VAULT_CONFIG_RCPATH=/path/to/.vaultrc
VAULT_CONFIG_SECRETSPATH=/path/to/.vaultsecret
autorenew (token renewal)
by default tokens will be autorenewed; you can disable this by specifying VAULT_AUTORENEW_DISABLED=1, and you can override the increment by setting VAULT_AUTORENEW_INCREMENT=86400
localoverrides
you can create a .vaultlocalrc next to your .vaultrc and it will merge into .vaultrc (a .vaultlocalrc is not intended to be committed)
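A pre-commit style audit for the file split described above (committable .vaultrc, uncommitted .vaultsecrets and .vaultlocalrc). This is an added example, not part of vault-config; the audit rules, function names and sample values are assumptions.

```javascript
// Added example: audit a parsed .vaultrc and a .gitignore before committing.
// Key names come from the README; the audit rules themselves are assumptions.
const SECRET_KEYS = ['VAULT_CONFIG_TOKEN', 'VAULT_CONFIG_KEYS', 'VAULT_CONFIG_KEY'];
// The README spells the secrets file both ways, so require both to be ignored.
const MUST_IGNORE = ['.vaultsecrets', '.vaultsecret', '.vaultlocalrc'];
const SENSITIVE_NAME = /pass(word)?|secret|token|key/i;

// Walk a "local" subtree and report non-empty literals under sensitive names.
function findLiteralSecrets(node, path, findings) {
  for (const [name, value] of Object.entries(node)) {
    const here = `${path}.${name}`;
    if (value !== null && typeof value === 'object') {
      findLiteralSecrets(value, here, findings);
    } else if (SENSITIVE_NAME.test(name) && String(value) !== '') {
      findings.push(`literal credential at ${here}`);
    }
  }
}

function auditVaultrc(rc, gitignoreText) {
  const findings = [];
  for (const key of SECRET_KEYS) {
    if (key in rc) findings.push(`${key} belongs in the secrets file, not .vaultrc`);
  }
  for (const [section, body] of Object.entries(rc)) {
    if (section.startsWith('NODE_ENV=') && body && body.local && typeof body.local === 'object') {
      findLiteralSecrets(body.local, `${section}.local`, findings);
    }
  }
  // Assumption: only exact .gitignore lines are matched, no glob evaluation.
  const ignored = new Set(gitignoreText.split(/\r?\n/).map((line) => line.trim()));
  for (const file of MUST_IGNORE) {
    if (!ignored.has(file) && !ignored.has('/' + file)) findings.push(`${file} is not in .gitignore`);
  }
  return findings;
}

// Constructed sample input (not taken from a real repository).
const sampleRc = {
  VAULT_CONFIG_ENDPOINT: 'https://vault.example.invalid:8200',
  VAULT_CONFIG_TOKEN: 'constructed-token-value',
  'NODE_ENV=.*': { vault: { database: { password: 'website.com/databases/mysql/master/password' } } },
  'NODE_ENV=development': { local: { database: { host: 'localhost', username: 'root', password: 'constructed-password' } } },
};
const sampleGitignore = 'node_modules\n.vaultsecrets\n';

console.log(auditVaultrc(sampleRc, sampleGitignore).join('\n'));
```

Vault paths under "vault" are not flagged because they are references, not secret values; only literals under "local" are inspected.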
debugging
DEBUG=vault ...