cloudfoundry/credhub-cli

add a key-value pair format for `credhub export`

Closed this issue · 5 comments

What version of the credhub server you are using?

master

What version of the credhub cli you are using?

2.0.0

If you were attempting to accomplish a task, what was it you were attempting to do?

After discussing with @athornton2012 and @TisVictress, we'd like to propose an additional format for credhub export.

The current export has a structure made for easy importing into another Credhub.

We'd like to have a format that makes it easier to consume the variables for YAML interpolation. This interpolation would not happen via a bosh director / concourse atc. This is for another CLI.

For example, the current output of a credhub export:

type: user
name: /example-user
value:
  username: FQnwWoxgSrDuqDLmeLpU
  password: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL
  password_hash: $6$h3b3JsG5$MnrPIrF6T3zAWk9uaun64vWY.vaBQ5nTRFZjjVqKuDWccxWXn8n6vstQykXEReamb4GYh2q1HC7vFy11wflXd0

The output format that we'd like to add, perhaps as credhub export --format simple:

example-user_username: FQnwWoxgSrDuqDLmeLpU
example-user_password: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL

NOTE: The pattern is useful because it prevents object collision when using YAML interpolation.

The above format allows YAML interpolation in a config file like:

some-config: value
username: ((/example-user_username))
password: ((/example-user_password))

We'd like to add this capability to credhub CLI because we don't want our CLI to have a direct dependency on a credhub server.

What did you expect to happen?

N/A

What was the actual behavior?

N/A

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/160299276

The labels on this github issue will be updated when the story is started.

To follow up on the vision of this story.

This is the proposed implementation and "sort-of" story in our backlog.

I set some credentials in credhub.

creds.yml, an example creds file to be imported:

credentials:
- name: /some-path/password
  type: password
  value: test-password-value
- name: /some-path/value
  type: value
  value: test-value
- name: /some-path/certificate
  type: certificate
  value:
    ca: ca-certificate
    certificate: certificate
    private_key: private-key
- name: /some-path/rsa
  type: rsa
  value:
    public_key: public-key
    private_key: private-key
- name: /some-path/ssh
  type: ssh
  value:
    public_key: ssh-public-key
    private_key: private-key
- name: /some-path/user
  type: user
  value:
    username: covfefe
    password: test-user-password
- name: /some-path/json
  type: json
  value:
    arbitrary_object:
      nested_array:
      - array_val1
      - array_object_subvalue: covfefe
    1: key is not a string
    3.14: pi
    true: key is a bool
$ credhub login
$ credhub import -f creds.yml

In a concourse pipeline far away, which is what we are trying to implement:

- task: get credentials
  file: tasks/credhub-lookup.yml
  params:
    # these are stored in concourse's credhub -- path /concourse/team-name/pipeline-name
    CREDHUB_SERVER: ((credhub-url))
    CREDHUB_USERNAME: ((credhub-username))
    CREDHUB_PASSWORD: ((credhub-password))
    CREDHUB_PATH: /some-path # this is the prefix path of the cred set above

This task would call the proposed credhub export --format simple.

This task produces an output (vars.yml) that would look like:

password: test-password-value
value: test-value
certificate_ca: ca-certificate
certificate_certificate: certificate
certificate_private_key: private-key
rsa_public_key: public-key
rsa_private_key: private-key
ssh_public_key: ssh-public-key
ssh_private_key: private-key
user_username: covfefe
user_password: test-user-password
json: |
	{
		"arbitrary_object": {
			"nested_array": [
				"array_val1",
				{
					"array_object_subvalue": "covfefe"
				}
			]
		},
		"1": "key is not a string",
		"3.14": "pi",
		"true": "key is a bool"
	}
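As an added example (not code from the credhub CLI and not written by the issue's author), the following Go program implements the flattening both proposals above describe: the /example-user to example-user_username mapping from the opening post, and the prefix-stripped vars.yml from this comment. The Credential struct, the use of CREDHUB_PATH as the prefix to strip, and the rule that any slash left in a nested name becomes "_" are assumptions of this example; the issue does not specify them. It also refuses two credentials that collapse onto the same flat key instead of letting one silently overwrite the other, which is the ambiguity a prefix-stripped key space creates.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Credential is one entry of a `credhub export` document, reduced to what the
// flattener needs. The struct is an assumption of this example, not a type
// from the credhub CLI.
type Credential struct {
	Name  string      // full CredHub path, e.g. /some-path/certificate
	Type  string      // password, value, certificate, rsa, ssh, user, json
	Value interface{} // string, or map[string]interface{} for structured types
}

// Pair is one line of the proposed `--format simple` output.
type Pair struct{ Key, Value string }

// simpleKey strips the export prefix and the leading slash: /some-path/certificate
// under prefix /some-path becomes "certificate", /example-user under an empty
// prefix becomes "example-user". Slashes left in nested names become "_" (assumed).
func simpleKey(name, prefix string) (string, error) {
	prefix = strings.TrimSuffix(prefix, "/")
	if prefix != "" && !strings.HasPrefix(name, prefix+"/") {
		return "", fmt.Errorf("credential %q is outside prefix %q", name, prefix)
	}
	rest := strings.TrimPrefix(strings.TrimPrefix(name, prefix), "/")
	if rest == "" {
		return "", fmt.Errorf("credential %q has no name below prefix %q", name, prefix)
	}
	return strings.ReplaceAll(rest, "/", "_"), nil
}

// SimpleFormat flattens creds into ordered pairs: scalar types give <name>,
// structured types give <name>_<field>, json types give one serialised JSON
// document. A flat key produced twice is an error, not an overwrite.
func SimpleFormat(creds []Credential, prefix string) ([]Pair, error) {
	var out []Pair
	origin := map[string]string{} // flat key -> credential that produced it
	add := func(key, val, from string) error {
		if prev, dup := origin[key]; dup {
			return fmt.Errorf("key %q produced by both %q and %q", key, prev, from)
		}
		origin[key] = from
		out = append(out, Pair{key, val})
		return nil
	}
	for _, c := range creds {
		base, err := simpleKey(c.Name, prefix)
		if err != nil {
			return nil, err
		}
		if c.Type == "json" {
			b, err := json.MarshalIndent(c.Value, "", "  ")
			if err != nil {
				return nil, err
			}
			if err := add(base, string(b), c.Name); err != nil {
				return nil, err
			}
			continue
		}
		switch v := c.Value.(type) {
		case string:
			if err := add(base, v, c.Name); err != nil {
				return nil, err
			}
		case map[string]interface{}:
			fields := make([]string, 0, len(v))
			for f := range v {
				fields = append(fields, f)
			}
			sort.Strings(fields) // deterministic output regardless of map order
			for _, f := range fields {
				if err := add(base+"_"+f, fmt.Sprint(v[f]), c.Name); err != nil {
					return nil, err
				}
			}
		default:
			return nil, fmt.Errorf("credential %q: unsupported value type %T", c.Name, c.Value)
		}
	}
	return out, nil
}

// RenderYAML emits pairs as the vars.yml shown in the issue: single-line values
// inline and unquoted, multi-line values (the json type) as a literal block.
func RenderYAML(pairs []Pair) string {
	var sb strings.Builder
	for _, p := range pairs {
		if strings.Contains(p.Value, "\n") {
			sb.WriteString(p.Key + ": |\n")
			for _, line := range strings.Split(p.Value, "\n") {
				sb.WriteString("  " + line + "\n")
			}
			continue
		}
		sb.WriteString(p.Key + ": " + p.Value + "\n")
	}
	return sb.String()
}

func main() {
	// Constructed input mirroring part of the creds.yml in the issue.
	creds := []Credential{
		{"/some-path/password", "password", "test-password-value"},
		{"/some-path/certificate", "certificate", map[string]interface{}{
			"ca": "ca-certificate", "certificate": "certificate", "private_key": "private-key"}},
		{"/some-path/json", "json", map[string]interface{}{
			"arbitrary_object": map[string]interface{}{"nested_array": []interface{}{
				"array_val1", map[string]interface{}{"array_object_subvalue": "covfefe"}}},
			"1": "key is not a string", "3.14": "pi", "true": "key is a bool"}},
	}
	pairs, err := SimpleFormat(creds, "/some-path")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(RenderYAML(pairs))
}
```

RenderYAML writes values plain, exactly like the sample vars.yml; a real implementation should go through a YAML emitter so that a secret containing ":", "#" or a leading special character, or a value such as "true" or "3.14", is quoted and round-trips as a string. The collision check is the part to keep: with the prefix stripped, a value credential named /some-path/certificate_ca and the ca field of the certificate credential /some-path/certificate produce the same key, and the error names both so the operator can see which two names clash.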

@jtarchie looks good! I noticed that in the output vars.yml file you had the keys be the credential names appended to the value key, but you did not include the full path of the credential name. For example you had certificate_ca: ca-certificate instead of /some-path/certificate_ca: ca-certificate. I could see this being a problem if you are trying to export two credentials that have the same name, but different paths.

@jtarchie bumping on this

Following the discussion with @crawsible, we are investigating with the team to do credhub interpolation. We can close this in favor of your Tracker story.