1
0
Fork 0
mirror of https://github.com/Luzifer/git-credential-vault.git synced 2024-12-22 18:51:16 +00:00
Implementation of the Git Credential Storage utilizing Vault as storage backend
Find a file
2022-01-22 03:15:36 +01:00
.gitignore Initial version 2020-04-01 14:19:29 +02:00
.repo-runner.yaml Add auto-build 2020-04-01 14:24:09 +02:00
go.mod upgrade vault api and support kv2 (#1) 2022-01-22 03:15:36 +01:00
go.sum upgrade vault api and support kv2 (#1) 2022-01-22 03:15:36 +01:00
History.md prepare release v0.1.0 2020-04-01 15:46:24 +02:00
LICENSE Add META files 2020-04-01 15:07:41 +02:00
main.go Handle missing credentials gracefully 2020-04-01 15:05:58 +02:00
main_test.go Initial version 2020-04-01 14:19:29 +02:00
Makefile Add auto-build 2020-04-01 14:24:09 +02:00
README.md Make it more obvious prefix is configurable 2020-04-01 16:08:08 +02:00
vault.go upgrade vault api and support kv2 (#1) 2022-01-22 03:15:36 +01:00

Go Report Card

Luzifer / git-credential-vault

git-credential-vault is an implementation of the Git Credential Storage utilizing Vault as storage backend.

The only supported action is get as storage is managed through Vault related tools / the web-UI. The tool expects to find Vault keys per host containing username / password fields in it. Those fields are then combined with the data received from git and sent back for authentication.

Expected Vault structure

secret/git-credentials (pass this to --vault-path-prefix)
 +- github.com
 |   +- username = api
 |   +- password = verysecrettoken
 +- gitlab.com
     +- username = user
     +- password = anothertoken

Usage

# export VAULT_ADDR=http://localhost:8200
# export VAULT_TOKEN=somesecretvaulttoken
# echo -e "protocol=https\nhost=github.com\n\n" | ./git-credential-vault --vault-path-prefix secret/git-credentials get
host=github.com
username=api
password=myverysecrettoken
protocol=https

Dockerfile example (git clone)

In this example the VAULT_TOKEN is passed in through a build-arg which means you MUST revoke the token before pushing the image, otherwise you will be leaking an active credential!

FROM alpine

ARG VAULT_ADDR
ARG VAULT_TOKEN

RUN set -ex \
 && apk --no-cache add curl git \
 && curl -sSfL "https://github.com/Luzifer/git-credential-vault/releases/download/v0.1.0/git-credential-vault_linux_amd64.tar.gz" | tar -xz -C /usr/bin \
 && mv /usr/bin/git-credential-vault_linux_amd64 /usr/bin/git-credential-vault \
 && git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'

RUN set -ex \
 && git clone https://github.com/myuser/secretrepo.git /src
# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache .

Dockerfile example (go get)

In this example the VAULT_TOKEN is passed in through a build-arg which means you MUST revoke the token before pushing the image, otherwise you will be leaking an active credential!

FROM golang:alpine

ARG VAULT_ADDR
ARG VAULT_TOKEN

RUN set -ex \
 && apk --no-cache add git \
 && go get -u -v github.com/Luzifer/git-credential-vault \
 && git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'

RUN set -ex \
 && go get -v github.com/myuser/secretrepo
# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache .