diff --git a/README.md b/README.md
index 298ac0f..7abd3d0 100644
--- a/README.md
+++ b/README.md
@@ -61,10 +61,11 @@ $ vault-init --help
 Configuration options can also be passed in as environment variables, using the uppercased snake-case version of the respective flag name (eg. `VAULT_ADDR` for `--vault-addr`).
-Most commands require you to specify the encryption and storage backend to use via the `--encryption` and `--storage` flag, respectively. Each backend has its own set of configuration options, with their names typically following the given pattern:
+Most commands require you to specify the encryption and storage backend to use via the `--encryption` and `--storage` flag, respectively. Each backend has its own set of configuration options, with their names typically following the given patterns:
 ```
---[backend-name]-[encryption|storage]-[flag-name]
+--encryption-[backend-name]-[flag-name]
+--storage-[backend-name]-[flag-name]
 ```
 You will need to specify the appropriate flags depending on the backends you have chosen. Full documentation on configuration options for each backend can be found in [`docs/encryption.md`](docs/encryption.md) and [`docs/storage.md`](docs/storage.md).
diff --git a/cmd/vault-init/show.go b/cmd/vault-init/show.go
index ed2ac89..c44fefc 100644
--- a/cmd/vault-init/show.go
+++ b/cmd/vault-init/show.go
@@ -34,8 +34,8 @@ func attachShowCommand(cmd *kingpin.CmdClause) *ShowCommand {
 Default("local").
 EnumVar(&show.Encryption.Name, "local")
- cmd.Flag("local-encryption-secret-key", "The 32-byte secret key to use for encrypting root tokens and unseal keys.").
- Envar("LOCAL_ENCRYPTION_SECRET_KEY").
+ cmd.Flag("encryption-local-secret-key", "The 32-byte secret key to use for encrypting root tokens and unseal keys.").
+ Envar("ENCRYPTION_LOCAL_SECRET_KEY").
 PlaceHolder("SECRET-KEY").
 StringVar(&show.Encryption.Local.SecretKey)
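Review bot: The old names `--local-encryption-secret-key` / `LOCAL_ENCRYPTION_SECRET_KEY` are dropped in cmd/vault-init/show.go with no alias or deprecation path, so a deployment that still sets the old variable will run with `show.Encryption.Local.SecretKey` left empty. Nothing in this hunk marks the flag as required or checks the value's length, so whether that fails at startup or only at the first decrypt depends on validation outside the hunk (attachShowCommand continues beyond it). I would refuse to start when the old variable is set and the new one is not, wherever the command validates its options, e.g. `if os.Getenv("LOCAL_ENCRYPTION_SECRET_KEY") != "" && show.Encryption.Local.SecretKey == "" { /* return an error naming ENCRYPTION_LOCAL_SECRET_KEY */ }`. The same applies to the `storage-postgres-connection-url` rename in this file and to both hunks in cmd/vault-init/start.go.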
@@ -44,8 +44,8 @@ func attachShowCommand(cmd *kingpin.CmdClause) *ShowCommand {
 Default("postgres").
 EnumVar(&show.Storage.Name, "postgres")
- cmd.Flag("postgres-storage-connection-url", "The URL to use for connecting to the Postgres server.").
- Envar("POSTGRES_STORAGE_CONNECTION_URL").
+ cmd.Flag("storage-postgres-connection-url", "The URL to use for connecting to the Postgres server.").
+ Envar("STORAGE_POSTGRES_CONNECTION_URL").
 PlaceHolder("CONNECTION-URL").
 URLVar(&show.Storage.Postgres.ConnectionURL)
diff --git a/cmd/vault-init/start.go b/cmd/vault-init/start.go
index 429eb76..b1e844c 100644
--- a/cmd/vault-init/start.go
+++ b/cmd/vault-init/start.go
@@ -51,8 +51,8 @@ func attachStartCommand(cmd *kingpin.CmdClause) *StartCommand {
 Default("local").
 EnumVar(&start.Encryption.Name, "local")
- cmd.Flag("local-encryption-secret-key", "The 32-byte secret key to use for encrypting root tokens and unseal keys.").
- Envar("LOCAL_ENCRYPTION_SECRET_KEY").
+ cmd.Flag("encryption-local-secret-key", "The 32-byte secret key to use for encrypting root tokens and unseal keys.").
+ Envar("ENCRYPTION_LOCAL_SECRET_KEY").
 PlaceHolder("SECRET-KEY").
 StringVar(&start.Encryption.Local.SecretKey)
@@ -61,8 +61,8 @@ func attachStartCommand(cmd *kingpin.CmdClause) *StartCommand {
 Default("postgres").
 EnumVar(&start.Storage.Name, "postgres")
- cmd.Flag("postgres-storage-connection-url", "The URL to use for connecting to the Postgres server.").
- Envar("POSTGRES_STORAGE_CONNECTION_URL").
+ cmd.Flag("storage-postgres-connection-url", "The URL to use for connecting to the Postgres server.").
+ Envar("STORAGE_POSTGRES_CONNECTION_URL").
 PlaceHolder("CONNECTION-URL").
 URLVar(&start.Storage.Postgres.ConnectionURL)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index acf941e..ef301b7 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
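Review bot: The flag is registered in cmd/vault-init/show.go (second hunk) as `storage-postgres-connection-url`, but docs/storage.md in this same commit documents it as `--storage-postgres-connection-URL`; the upper-case `URL` was carried over from the old docs line. As far as I know long flag names are matched exactly, so a reader copying the documented spelling would most likely get an unknown-flag error, and the docs line should use `--storage-postgres-connection-url`. Separately, the examples in this commit put the database password inside this URL, so the help text could say that `STORAGE_POSTGRES_CONNECTION_URL` is preferable to the flag, whose value is visible in the process list. attachShowCommand starts and ends outside the hunk.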
@@ -31,5 +31,5 @@ services:
 - vault
 environment:
 VAULT_ADDR: http://vault:8200
- LOCAL_ENCRYPTION_SECRET_KEY: FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo
- POSTGRES_STORAGE_CONNECTION_URL: postgres://vault:vault@postgres:5432/vault?sslmode=disable
+ ENCRYPTION_LOCAL_SECRET_KEY: FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo
+ STORAGE_POSTGRES_CONNECTION_URL: postgres://vault:vault@postgres:5432/vault?sslmode=disable
diff --git a/docs/encryption.md b/docs/encryption.md
index dce11b0..a2ba772 100644
--- a/docs/encryption.md
+++ b/docs/encryption.md
@@ -10,7 +10,7 @@ The `local` encryption backend uses the [AES-GCM encryption algorithm](https://w
 #### Configuration
-- `--local-encryption-secret-key`: The 32-byte secret key to use for encrypting root tokens and unseal keys.
+- `--encryption-local-secret-key`: The 32-byte secret key to use for encrypting root tokens and unseal keys.
 You can use [OpenSSL](https://www.openssl.org/) to generate a secure 32-byte secret key:
diff --git a/docs/examples.md b/docs/examples.md
index 51f3518..a191e85 100644
--- a/docs/examples.md
+++ b/docs/examples.md
@@ -9,8 +9,8 @@ Run the `start` command to launch the daemon process that automatically initiali
 ```shell
 $ vault-init start \
 --vault-addr "http://127.0.0.1:8200" \
- --local-encryption-secret-key "FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo" \
- --postgres-storage-connection-url "postgres://vault:vault@127.0.0.1:5432/vault?sslmode=disable"
+ --encryption-local-secret-key "FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo" \
+ --storage-postgres-connection-url "postgres://vault:vault@127.0.0.1:5432/vault?sslmode=disable"
 ```
 ### `show`
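Review bot: In docker-compose.yaml the renamed `ENCRYPTION_LOCAL_SECRET_KEY` still carries a literal key committed to the repository, and the same string is used in docs/examples.md; the Secret in docs/kubernetes/example.yaml decodes to it as well. Anyone who brings this stack up unchanged encrypts root tokens and unseal keys under a publicly known key. Since the line is being touched anyway, I would make the value come from the caller's environment, `ENCRYPTION_LOCAL_SECRET_KEY: ${ENCRYPTION_LOCAL_SECRET_KEY:?set a 32-byte key}`. If the file is meant only for local development, a comment saying so next to the value would be enough.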
@@ -19,8 +19,8 @@ Run the `show` command to fetch and decrypt the root token and unseal keys gener
 ```shell
 $ vault-init show \
- --local-encryption-secret-key "FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo" \
- --postgres-storage-connection-url "postgres://vault:vault@127.0.0.1:5432/vault?sslmode=disable"
+ --encryption-local-secret-key "FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo" \
+ --storage-postgres-connection-url "postgres://vault:vault@127.0.0.1:5432/vault?sslmode=disable"
 ```
 ## Docker
diff --git a/docs/kubernetes/example.yaml b/docs/kubernetes/example.yaml
index 806ec5e..91dfa23 100644
--- a/docs/kubernetes/example.yaml
+++ b/docs/kubernetes/example.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 app: example
 data:
- local-encryption-secret-key: RmphVUNxcVRJb3JHVGUxWjg2cnMyWWZrUmdRNmlJZ28=
+ encryption-local-secret-key: RmphVUNxcVRJb3JHVGUxWjg2cnMyWWZrUmdRNmlJZ28=
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -79,10 +79,10 @@ spec:
 env:
 - name: VAULT_ADDR
 value: http://127.0.0.1:8200
- - name: POSTGRES_STORAGE_CONNECTION_URL
+ - name: STORAGE_POSTGRES_CONNECTION_URL
 value: postgres://example:example@example-postgres.default.svc.cluster.local:5432/example?sslmode=disable
- - name: LOCAL_ENCRYPTION_SECRET_KEY
+ - name: ENCRYPTION_LOCAL_SECRET_KEY
 valueFrom:
 secretKeyRef:
 name: example-secret
- key: local-encryption-secret-key
+ key: encryption-local-secret-key
diff --git a/docs/storage.md b/docs/storage.md
index a33dfcc..c11dae1 100644
--- a/docs/storage.md
+++ b/docs/storage.md
@@ -20,4 +20,4 @@ CREATE TABLE vault_init_data (
 #### Configuration
-- `--postgres-storage-connection-URL`: The URL to use for connecting to the Postgres server.
+- `--storage-postgres-connection-URL`: The URL to use for connecting to the Postgres server.