dockcmd is a tool providing a collection of BoxOps utility functions, which can be used standalone or to accelerate CI/CD with BoxBoat's dockhand.
dockhand-secrets-operator leverages this project to facilitate secrets management within Kubernetes.
AWS utilities are under the aws sub-command. For authentication, AWS commands make use of the standard AWS credentials providers and will check in order:
- Access Key/Secret Key
  - Environment: ${AWS_ACCESS_KEY_ID} and ${AWS_SECRET_ACCESS_KEY}
  - Args: --access-key-id <access-key> --secret-access-key <secret-key>
- AWS Profile: ~/.aws/config and ~/.aws/credentials
  - Environment: ${AWS_PROFILE}
  - Args: --profile <profile-name>
- EC2 Instance Profile
See dockcmd aws --help for more details on aws flags.
Retrieve secrets stored as JSON from AWS Secrets Manager. Input files are defined using go templating and dockcmd supports sprig functions, urlEncode, urlDecode, and the Helm toYaml function, as well as alternate template delimiters << >> using --use-alt-delims. External values can be passed in using --set key=value or with --values values.yaml.
Notes:
- the aws(secretName, secretKey) function is now aliased to awsJson(secretName, secretKey); aws will not be removed.
- secretName can be the Secret ARN, which is necessary in the case of cross-account retrieval.
dockcmd aws get-secrets --region us-east-1 --set TargetEnv=prod --input-file secret-values.yaml
secret-values.yaml:
---
foo:
  keyA: {{ (aws (printf "%s-%s" .TargetEnv "foo") "a") | squote }}
  keyB: {{ (aws (printf "%s-%s" .TargetEnv "foo") "b") | squote }}
charlie:
  keyC: {{ (aws "foo" "c") | squote }}
  keyD: {{ (awsText "root") | quote }}
output:
foo:
  keyA: '<value-of-secret/foo-prod-a-from-aws-secrets-manager>'
  keyB: '<value-of-secret/foo-prod-b-from-aws-secrets-manager>'
charlie:
  keyC: '<value-of-secret/foo-charlie-c-from-aws-secrets-manager>'
  keyD: "<value-of-secret/root-from-aws-secrets-manager>"
Optionally, to retrieve a specific version of a secret from AWS Secrets Manager, append ?version=UID or ?version=latest to the secret name above, for example:
---
foo:
  keyA: {{ (aws (printf "%s-%s?version=be70653b-f0d8-47ee-8785-8cbb5be463f8" .TargetEnv "foo") "a") | squote }}
  keyB: {{ (aws (printf "%s-%s?version=latest" .TargetEnv "foo") "b") | squote }}
charlie:
  keyC: {{ (aws "foo" "c") | squote }}
  keyD: {{ (awsText "root") | quote }}
Note: if you need to find the version UID you can use the AWS CLI: aws secretsmanager list-secret-version-ids --secret-id foo
Azure utilities are under the azure sub-command. For authentication, Azure commands make use of these flags and environment variables:
- Client Id/Client Secret
  - Environment: ${AZURE_CLIENT_ID} and ${AZURE_CLIENT_SECRET}
  - Args: --client-id <client-id> --client-secret <client-secret>
- Tenant
  - Environment: ${AZURE_TENANT_ID}
  - Args: --tenant <tenant-id>
Alternatively the azure cli can be used to authenticate in the current shell with az login.
See dockcmd azure --help for more details on azure flags.
Retrieve secrets stored as JSON from Azure Key Vaults. Input files are defined using go templating and dockcmd supports sprig functions, urlEncode, urlDecode, and the Helm toYaml function, as well as alternate template delimiters << >> using --use-alt-delims. External values can be passed in using --set key=value or with --values values.yaml.
Secrets can be stored in Azure Key Vault either as plain text or as a json payload. See example below:
dockcmd azure get-secrets --set TargetEnv=prod --input-file secret-values.yaml
secret-values.yaml:
---
foo:
  keyA: {{ (azureJson "foo" "a") | squote }}
  keyB: {{ (azureJson "foo" "b") | squote }}
charlie:
  keyC: {{ (azureJson "foo-charlie" "c") | squote }}
  keyD: {{ (azureText "root" ) | quote }}
output:
foo:
  keyA: '<value-of-secret/foo-a-from-azure-key-vault>'
  keyB: '<value-of-secret/foo-b-from-azure-key-vault>'
charlie:
  keyC: '<value-of-secret/foo-charlie-c-from-azure-key-vault>'
  keyD: "<value-of-secret/root-from-azure-key-vault>"
Optionally, to retrieve a specific version of a secret from Azure Key Vault, append ?version=ID or ?version=latest to the secret name above, for example:
---
foo:
  keyA: {{ (azureJson "foo?version=latest" "a") | squote }}
  keyB: {{ (azureJson "foo?version=d98097e7bbe04f67ba0846b511936d2d" "b") | squote }}
charlie:
  keyC: {{ (azureJson "foo-charlie" "c") | squote }}
  keyD: {{ (azureText "root" ) | quote }}
GCP utilities are under the gcp sub-command. For authentication, GCP commands make use of either Application Default Credentials or a credentials JSON file that you provide.
- GCP Credential JSON File
  - Args: --credentials-file <key.json>
For local usage, the gcloud CLI can be used to authenticate in the current shell with gcloud auth application-default login.
See dockcmd gcp --help for more details on gcp flags.
Retrieve secrets stored as JSON from GCP Secrets Manager. Input files are defined using go templating and dockcmd supports sprig functions, urlEncode, urlDecode, and the Helm toYaml function, as well as alternate template delimiters << >> using --use-alt-delims. External values can be passed in using --set key=value or with --values values.yaml.
Secrets can be stored in GCP Secrets Manager either as plain text or as a json payload. See example below:
dockcmd gcp get-secrets --project my-project --set TargetEnv=prod --input-file secret-values.yaml
secret-values.yaml:
---
foo:
  keyA: {{ (gcpJson "foo" "a") | squote }}
  keyB: {{ (gcpJson "foo" "b") | squote }}
charlie:
  keyC: {{ (gcpJson "foo-charlie" "c") | squote }}
  keyD: {{ (gcpText "root" ) | quote }}
output:
foo:
  keyA: '<value-of-secret/foo-a-from-gcp-secrets-manager>'
  keyB: '<value-of-secret/foo-b-from-gcp-secrets-manager>'
charlie:
  keyC: '<value-of-secret/foo-charlie-c-from-gcp-secrets-manager>'
  keyD: "<value-of-secret/root-from-gcp-secrets-manager>"
Optionally, to retrieve a specific version of a secret from GCP Secrets Manager, append ?version=X or ?version=latest to the secret name above, for example:
---
foo:
  keyA: {{ (gcpJson "foo?version=1" "a") | squote }}
  keyB: {{ (gcpJson "foo?version=latest" "b") | squote }}
charlie:
  keyC: {{ (gcpJson "foo-charlie?version=2" "c") | squote }}
  keyD: {{ (gcpText "root" ) | quote }}
Elasticsearch utilities are under the es sub-command. Currently supports Elasticsearch API major versions v6 and v7. For authentication, es commands will use the environment or credentials passed in as arguments:
--username <username> or ${ES_USERNAME}
--password <password> or ${ES_PASSWORD}
Note, if you set the api-key then it will override any Basic Auth parameters provided:
--api-key <base64-encoded-auth-token> or ${ES_API_KEY}
If authorization is not required, simply omit the above flags.
See dockcmd es --help for more details on es flags.
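As an added example (not dockcmd's own code), the following Go snippet shows the credential precedence the es sub-command describes: an explicit argument wins over its environment variable, and an API key, once present, replaces Basic Auth rather than being combined with it. The ApiKey and Basic header formats are those of the Elasticsearch HTTP API; the host name and credential values are constructed placeholders, and resolveESAuth and newESRequest are names chosen for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"os"
)

// esAuth holds the credential inputs the es sub-command accepts.
type esAuth struct {
	Username string
	Password string
	APIKey   string // already base64-encoded, as ES_API_KEY is documented above
}

// flagOrEnv prefers an explicit argument over the environment variable.
func flagOrEnv(flagValue, envName string) string {
	if flagValue != "" {
		return flagValue
	}
	return os.Getenv(envName)
}

// resolveESAuth merges --username/--password/--api-key style arguments with
// ES_USERNAME, ES_PASSWORD and ES_API_KEY.
func resolveESAuth(username, password, apiKey string) esAuth {
	return esAuth{
		Username: flagOrEnv(username, "ES_USERNAME"),
		Password: flagOrEnv(password, "ES_PASSWORD"),
		APIKey:   flagOrEnv(apiKey, "ES_API_KEY"),
	}
}

// authorizationHeader builds the Authorization value. An API key overrides
// Basic Auth entirely; with no credentials at all the request stays anonymous.
func (a esAuth) authorizationHeader() string {
	switch {
	case a.APIKey != "":
		return "ApiKey " + a.APIKey
	case a.Username != "" || a.Password != "":
		creds := base64.StdEncoding.EncodeToString([]byte(a.Username + ":" + a.Password))
		return "Basic " + creds
	default:
		return ""
	}
}

// newESRequest attaches the resolved header to a request for the ES API.
func newESRequest(method, url string, a esAuth) (*http.Request, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	if h := a.authorizationHeader(); h != "" {
		req.Header.Set("Authorization", h)
	}
	return req, nil
}

func main() {
	// Constructed placeholder values; the request is built but never sent.
	auth := resolveESAuth("elastic", "changeme", "")
	req, err := newESRequest(http.MethodGet, "https://es.example.internal:9200/_cat/indices?format=json", auth)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(req.Header.Get("Authorization"))
}
```

Because ES_API_KEY is documented as already base64-encoded, the code passes it through untouched; only the Basic Auth pair is encoded here.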
Retrieve indices from ES; the output is a JSON payload.
See dockcmd es get-indices --help for more details.
Delete indices from ES.
See dockcmd es delete-indices --help for more details.
dockcmd gotpl mirrors the capabilities of each of the get-secrets commands but does not connect to a secrets backend. Essentially this command is a Go template processor that supports sprig functions, urlEncode, urlDecode, and the Helm toYaml function, with Helm-like value passing.
Input files are defined using go templating and dockcmd supports sprig functions, urlEncode, urlDecode, and the Helm toYaml function, as well as alternate template delimiters << >> using --use-alt-delims. External values can be passed in using --set key=value or with --values values.yaml.
Vault utilities are under the vault sub-command. For authentication, vault commands will use the environment or credentials passed in as arguments:
--vault-token <vault-token> or ${VAULT_TOKEN}
or
--vault-role-id <vault-role-id> --vault-secret-id <vault-secret-id>
See dockcmd vault --help for more details on vault flags.
Retrieve secrets from Vault v1 or v2 KV Secrets Engines. Input files are defined using go templating and dockcmd supports sprig functions, urlEncode, urlDecode, and the Helm toYaml function, as well as alternate template delimiters << >> using --use-alt-delims. External values can be passed in using --set key=value or with --values values.yaml.
dockcmd vault get-secrets --vault-addr https://vault --set TargetEnv=prod --input-file secret-values.yaml
secret-values.yaml:
---
foo:
  keyA: {{ (vault "secret/foo" "a") | squote }}
  keyB: {{ (vault "secret/foo" "b") | squote }}
charlie:
  keyC: {{ (vault (printf "%s/%s/%s" "secret/foo" .TargetEnv "charlie") "c") | squote }}
  keyD: {{ (vault "secret/root" "d") | quote }}
output:
foo:
  keyA: '<value-of-secret/foo-a-from-vault>'
  keyB: '<value-of-secret/foo-b-from-vault>'
charlie:
  keyC: '<value-of-secret/foo/prod/charlie-c-from-vault>'
  keyD: "<value-of-secret/root-d-from-vault>"
Optionally, to retrieve a specific version of a secret from a Vault KV v2 secrets engine, append ?version=X or ?version=latest to the secret name above, for example:
---
foo:
  keyA: {{ (vault "foo?version=1" "a") | squote }}
  keyB: {{ (vault "foo?version=latest" "b") | squote }}
charlie:
  keyC: {{ (vault (printf "%s/%s/%s" "secret/foo" .TargetEnv "charlie") "c") | squote }}
  keyD: {{ (vault "secret/root" "d") | quote }}
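The get-secrets commands for AWS, Azure, GCP and Vault above all follow the same pattern: a template function takes a secret name with an optional ?version= suffix, fetches the payload, and either returns it as text or decodes it as JSON and picks one key. Here is an added Go example, written for this page and not dockcmd's own code, that shows that pattern end to end with Go's text/template. The template functions secretJson and secretText are hypothetical names standing in for the awsJson/azureJson/gcpJson/vault and *Text families; the backend is an in-memory store constructed for the example rather than a real cloud or Vault client; and squote and quote are minimal stand-ins for the sprig functions, so only the standard library is needed. The same shape, minus the store, is what gotpl does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// secretRef is a parsed secret name: "name" or "name?version=<id|latest>". Version "" is the current version.
type secretRef struct{ Name, Version string }

// parseSecretRef splits off the "?version=" suffix; anything else after "?" is rejected, not passed on.
func parseSecretRef(raw string) (secretRef, error) {
	name, query, hasQuery := strings.Cut(raw, "?")
	if !hasQuery {
		return secretRef{Name: name}, nil
	}
	key, value, ok := strings.Cut(query, "=")
	if !ok || key != "version" || value == "" {
		return secretRef{}, fmt.Errorf("secret %q: expected ?version=<id|latest>", raw)
	}
	if value == "latest" {
		value = "" // "latest" and no suffix both select the current version
	}
	return secretRef{Name: name, Version: value}, nil
}

// fakeStore stands in for a real backend (constructed for this example): secret -> version id -> payload.
type fakeStore map[string]map[string]string

// text returns the raw payload, like the *Text template functions.
func (s fakeStore) text(raw string) (string, error) {
	ref, err := parseSecretRef(raw)
	if err != nil {
		return "", err
	}
	payload, ok := s[ref.Name][ref.Version]
	if !ok {
		return "", fmt.Errorf("secret %q (version %q) not found", ref.Name, ref.Version)
	}
	return payload, nil
}

// jsonKey decodes the payload as a JSON object and returns one key, like the *Json functions.
// A missing key fails the render rather than silently emitting an empty value.
func (s fakeStore) jsonKey(raw, key string) (string, error) {
	payload, err := s.text(raw)
	if err != nil {
		return "", err
	}
	var obj map[string]any
	if err := json.Unmarshal([]byte(payload), &obj); err != nil {
		return "", fmt.Errorf("secret %q is not a JSON object: %w", raw, err)
	}
	v, ok := obj[key]
	if !ok {
		return "", fmt.Errorf("secret %q has no key %q", raw, key)
	}
	return fmt.Sprint(v), nil
}

// render executes a template with the secret functions plus stand-ins for sprig's squote and quote.
// A non-nil error from any template function aborts Execute, so the caller must check err.
func render(store fakeStore, tmpl string, values map[string]any) (string, error) {
	funcs := template.FuncMap{
		"secretJson": store.jsonKey,
		"secretText": store.text,
		"squote":     func(s string) string { return "'" + s + "'" },
		"quote":      strconv.Quote,
	}
	t, err := template.New("input").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, values); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Constructed sample data: a JSON secret with two versions and a plain-text secret.
var sampleStore = fakeStore{
	"prod-foo": {"": `{"a": "alpha-v2", "b": "bravo"}`, "v1": `{"a": "alpha-v1", "b": "bravo"}`},
	"root":     {"": "s3cr3t"},
}

const sampleTemplate = `foo:
  keyA: {{ (secretJson (printf "%s-%s" .TargetEnv "foo") "a") | squote }}
  keyB: {{ (secretJson (printf "%s-%s?version=v1" .TargetEnv "foo") "a") | squote }}
  keyD: {{ (secretText "root?version=latest") | quote }}
`

func main() {
	out, err := render(sampleStore, sampleTemplate, map[string]any{"TargetEnv": "prod"})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Run as is, it renders keyA from the current version and keyB from the pinned version v1 of the same secret. The failure cases are deliberate: an unknown version, a key missing from the JSON payload, or a plain-text secret read through secretJson all abort the render with an error rather than producing a file with empty values, which is the behaviour you want from a secrets step in CI.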