share secrets within teams to avoid plain-text secrets from day one
When looking at helm it becomes evident how many more filters would be needed to adjust YAML files effectively.
Handlebars was a nice try, yet it only shows that filters are what makes a templating language powerful. Fortunately there is still time to change, so let's swap handlebars for liquid.
Even though the main binary should be `sy` as before, the code should be structured to provide `cli` versions of the respective subcommands, e.g. `vault-cli`.
That way, people can also use special-purpose sub-programs directly without having a binary that contains all the other cruft.
This can be useful to make `pass` stand-ins more approachable, and also to build custom `sy` binaries with just a subset of the functionality (for example, without `pass` stand-in capability).
In order to get the project where it is supposed to be, it can't be in my user's space. We will have multiple repositories and hopefully some more contributors.
The new organization should have the following repositories:
Having spent some time reading up on the issue, and having realized that the 'Web of Trust' model as implemented by GPG/PGP is not particularly widespread for a reason, there should be a way, for the sake of adoption, to turn it off and delegate trust checking to external sources (like keybase.io).
Also, given the way the vault is typically used, we should disable it by default and make enabling it optional for more advanced teams.
`extract` subcommand
The `extract` capability makes it feasible to store secrets in structured files like YAML or JSON, as it allows extracting pieces of data in various ways.
Think basic `jq`, but with native support for YAML files.
`merge` subcommand
The `merge` subcommand allows combining JSON or YAML files.
This is useful to partition context and data according to your needs, yet use all of the values in combination for substitution.
It is particularly useful if some of that content was just decrypted from a vault.
The merge sub-command
- `a.b.c` or `a/b/c`
- `a.0.c.1` or `a/0/c/1`
control the escape characters to allow passwords to be escaped properly, as needed, depending on the output format. Otherwise there is the chance of producing invalid YAML.
improvements to substitute
- `--verify`: try to decode substituted values and fail on error
general improvements
Make it easy to generate property-sets by merging structured files together, and make said context available to a `handlebars` powered engine to perform substitutions.
This allows bringing together context owned by various entities into a single aggregated one, with the possibility for later contexts to override earlier ones.
With this capability, it's also possible to substitute secrets into files, for example like this: `sy sub base.json sub/ours.yaml <(sy vault show secret.yaml) < deployment.yml | kubectl apply -f -`.
Read more in the documentation.
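As an added illustration in Python (not sheesy's own Rust code) of the semantics described for `extract` and `merge` above: contexts are deep-merged so that later ones override earlier ones, values are addressed by `a.b.c` or `a/0/c/1` style paths, and substituted values are quoted so that a secret containing `:` or `#` cannot produce invalid YAML. The sample contexts and the `{{ ... }}` placeholder syntax are constructed assumptions.

```python
import json
import re
from typing import Any

# Constructed sample contexts standing in for base.json, sub/ours.yaml and the
# decrypted vault output of the pipeline above, already parsed into Python.
BASE = {"app": {"name": "shop", "replicas": 1},
        "db": {"host": "db.internal", "password": "CHANGEME"}}
OURS = {"app": {"replicas": 3},
        "services": [{"name": "web", "ports": [80, 443]}]}
SECRET = {"db": {"password": "s3cr3t: with # yaml-unfriendly chars"}}


def deep_merge(base: Any, override: Any) -> Any:
    """Recursively merge override into base; on conflict the override wins.
    Lists and scalars are replaced wholesale, only mappings are merged."""
    if isinstance(base, dict) and isinstance(override, dict):
        merged = dict(base)
        for key, value in override.items():
            merged[key] = deep_merge(merged[key], value) if key in merged else value
        return merged
    return override


def merge_contexts(*contexts: dict) -> dict:
    """Merge contexts in argument order, so the last one has the final say."""
    result: dict = {}
    for ctx in contexts:
        result = deep_merge(result, ctx)
    return result


def extract(data: Any, path: str) -> Any:
    """Resolve a path written as a.b.c or a/b/c; numeric segments index lists."""
    current = data
    for segment in re.split(r"[./]", path):
        current = current[int(segment)] if isinstance(current, list) else current[segment]
    return current


def substitute(template: str, context: dict) -> str:
    """Replace {{ a.b.c }} placeholders with values from the merged context.
    Values are JSON-quoted, which is also a valid YAML flow scalar, so a
    password containing ':' or '#' does not break the output document."""
    def render(match: re.Match) -> str:
        return json.dumps(extract(context, match.group(1)))
    return re.sub(r"\{\{\s*([\w./]+)\s*\}\}", render, template)
```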
Partitions are just another vault with individual config, but operations on vaults are aware of partitions. This allows sharing of keys for example, and alters the way vaults are displayed when showing them.
`sy vault` to operate anywhere with a `.gpg-id` file, like `pass`.
`vault --vault-id` is now `vault --select`.
Besides the many improvements, you will also find a complete book about the capabilities so far!
We also sign our binaries from here on, and make them available via homebrew.
- `vault list` now produces precise URLs.
- `vault remove` can remove resources from the vault.
- `vault recipient add` now signs and re-exports added fingerprints to make recipient verification part of adding them, and help build a Web of Trust.
- `vault recipients remove` removes recipients and re-encrypts the vault's content.
- `vault recipient add` also adds recipients which are only in your gpg keychain. Previously it would always require an exported public key in the right spot.
- `vault recipient add --verified` allows adding any recipient by name, but requires you to assure you are able to encrypt for that recipient.
- `vault add` now creates sub-directories automatically.
- `vault edit` now tries to encrypt before launching the editor.
- `vault add :something` with a tty as standard input will open an editor automatically.
The breaking change requiring a major version increment is changes to the `sy-vault.yml` file.
- The `at` field is now called `secrets`.
- `recipients` and `gpg-keys` paths are now relative to the `sy-vault.yml` file, not relative to the `secrets` directory.
- `sy vault` is now `--secrets-dir-dir/-s`.
- `recipients add` will now require fingerprints unless `--verified` is specified.
These improvements make handling paths consistent and less surprising.
`s3` now officially is `sy` on the command-line, and spelled `sheesy`. Crates were renamed accordingly, too.
This is the first usable version, providing only the minimal amount of features. A lot of the value contained is a fully automated system for quality assurance and deployment, which will help keeping the releases coming.