harp

Secret management by contract toolchain

APACHE-2.0 License

Stars
145
Committers
4


harp -

Published by Zenithar about 3 years ago

Toolchain

  • Use go 1.17.1
harp -

Published by Zenithar about 3 years ago

Toolchain

  • Go 1.17 as default compiler
  • windows/arm64 target added
harp -

Published by Zenithar about 3 years ago

  • Go 1.17 compiled artifacts
  • windows/arm64 target added
harp -

Published by Zenithar about 3 years ago

Fixes

BundlePatch

  • Support data.template property to replace a SecretData content
harp -

Published by Zenithar about 3 years ago

Changes

CLI

  • harp from object - import hierarchically structured data from JSON or YAML as a secret bundle
  • harp to object - export a secret bundle as hierarchically structured data to JSON or YAML
harp -

Published by Zenithar over 3 years ago

Golang 1.16.5

harp -

Published by Zenithar over 3 years ago

Golang 1.16.4

SDK

  • The Golang compiler version is now restricted using a semver constraint, which allows a more permissive restriction than an exact version.
harp -

Published by Zenithar over 3 years ago

Golang 1.16.4

harp -

Published by Zenithar over 3 years ago

Changes

  • share command
    • put uses the Vault CubbyHole backend as ephemeral storage to share a secret bundle and returns a burn-after-read wrapped token;
    • get retrieves the secret bundle addressed by the wrapped token

Samples

Share simple secret between 2 users

User-A:

# Login to your Vault
$ export VAULT_ADDR="...."
$ export VAULT_TOKEN="..."
$ echo -n "my-secret-value" | harp share put
Token : s.MEc2fYXrzDkUCBzLOcGbIGbK (Expires in 30 seconds)

Send <token> to User-B via untrusted communication channels (email, slack, ...)

$ harp share get --token=s.MEc2fYXrzDkUCBzLOcGbIGbK
my-secret-value

Share a container

Create a bundle from a template and push it in Vault CubbyHole for 15 minutes.

$ harp from bundle-template \
     --in samples/customer-bundle/spec.yaml \
     --values samples/customer-bundle/values.yaml \
     --set quality=production \
     | harp share put --ttl 15m --json | jq -r ".token"
s.UHd8E1h5UELiqjwC4CzaQ3l3

On consumer side

$ harp share get --token=s.UHd8E1h5UELiqjwC4CzaQ3l3 | harp bundle dump --path-only
app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key
app/production/customer1/ece/v1.0.0/adminconsole/database/usage_credentials
...
platform/production/customer1/us-east-1/zookeeper/accounts/admin_credentials
product/ece/v1.0.0/artifact/signature/key

Prepare a secret bundle for an ephemeral worker

Prepare a list of secret paths required by the job (AdminConsole API Key Rotator)

app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key
app/production/customer1/ece/v1.0.0/adminconsole/mailing/sender/mailgun_api_key

Prepare the content to share

$ harp from vault --paths-from list.txt | harp bundle dump --content-only | jq
{
  "app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key": {
    "API_KEY": "okta-foo-api-123456789"
  },
  "app/production/customer1/ece/v1.0.0/adminconsole/mailing/sender/mailgun_api_key": {
    "API_KEY": "mg-admin-9875s-sa"
  }
}

(OPTION) Encrypt the bundle before sharing it via Vault CubbyHole

Asymmetric encryption would be better suited for this use case, but it is not available yet.

$ export PSK=$(harp keygen chacha)
$ harp from vault --paths-from list.txt \
   | harp bundle encrypt --key=$PSK \
   | harp share put --ttl 15m
Token : s.R8SizZuS2oqCVKPGra2UieiG (Expires in 900 seconds)

On consumer side

$ harp share get --token=s.R8SizZuS2oqCVKPGra2UieiG \
   | harp bundle decrypt --key=$PSK \
   | harp bundle dump --content-only \
   | jq
{
  "app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key": {
    "API_KEY": "okta-foo-api-123456789"
  },
  "app/production/customer1/ece/v1.0.0/adminconsole/mailing/sender/mailgun_api_key": {
    "API_KEY": "mg-admin-9875s-sa"
  }
}

This can be used to provision an EC2 bootstrap bundle that is pulled at start time via the wrapped token.
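The share semantics described above (a single-use wrapped token with a TTL, payload destroyed on first read) modelled as an added Python example; this is constructed illustration code, not harp's or Vault's implementation, and the class names, the injectable clock and the "s." token format are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class ShareError(Exception):
    """Raised when a wrapped token is unknown, already consumed, or expired."""


@dataclass
class _Entry:
    secret: bytes
    expires_at: float


@dataclass
class CubbyholeShare:
    """In-memory model of `harp share put` / `harp share get`: put returns an
    opaque wrapped token with a TTL; the first get returns the payload and
    destroys it, so a second get, or a get after expiry, fails.
    Constructed for illustration only (assumption: not Vault's code)."""
    default_ttl: float = 30.0                      # harp's default expiry is 30 seconds
    clock: Callable[[], float] = time.time         # injectable for deterministic tests
    _store: Dict[str, _Entry] = field(default_factory=dict)

    def put(self, secret: bytes, ttl: Optional[float] = None) -> str:
        ttl = self.default_ttl if ttl is None else ttl
        token = "s." + secrets.token_urlsafe(18)   # unguessable handle (constructed format)
        self._store[token] = _Entry(secret, self.clock() + ttl)
        return token

    def get(self, token: str) -> bytes:
        entry = self._store.pop(token, None)       # burn-after-read: gone on first access
        if entry is None:
            raise ShareError("unknown or already consumed token")
        if self.clock() > entry.expires_at:
            raise ShareError("token expired")
        return entry.secret

    def purge_expired(self) -> int:
        """Drop entries past their TTL; returns how many were removed."""
        now = self.clock()
        dead = [t for t, e in self._store.items() if now > e.expires_at]
        for t in dead:
            del self._store[t]
        return len(dead)
```

A consumer that receives "unknown or already consumed token" on its first read has a signal that someone else read the token from the untrusted channel first, which is the property that makes sending the handle over email or Slack acceptable.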