Releases: elastic/harp
v0.1.19
cmd/harp/v0.1.19
Dependency updates
v0.1.18
cmd/harp/v0.1.18
Golang 1.16.6
v0.1.17
cmd/harp/v0.1.17
Golang 1.16.5
v0.1.16
cmd/harp/v0.1.16
Golang 1.16.4
v0.1.15
Changes
share command:
- put: to use Vault CubbyHole backend as ephemeral storage to share a secret bundle and return a burn-after-read wrapped token;
- get: to retrieve the secret bundle addressed by the wrapped token.
Samples
Share simple secret between 2 users
User-A:
# Login to your Vault
$ export VAULT_ADDR="...."
$ export VAULT_TOKEN="..."
$ echo -n "my-secret-value" | harp share put
Token : s.MEc2fYXrzDkUCBzLOcGbIGbK (Expires in 30 seconds)
Send <token> to User-B via untrusted communication channels (email, slack, ...)
$ harp share get --token=s.MEc2fYXrzDkUCBzLOcGbIGbK
my-secret-value
Share a container
Create a bundle from a template and push it in Vault CubbyHole for 15 minutes.
$ harp from bundle-template \
--in samples/customer-bundle/spec.yaml \
--values samples/customer-bundle/values.yaml \
--set quality=production \
| harp share put --ttl 15m --json | jq -r ".token"
s.UHd8E1h5UELiqjwC4CzaQ3l3
On the consumer side
$ harp share get --token=s.UHd8E1h5UELiqjwC4CzaQ3l3 | harp bundle dump --path-only
app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key
app/production/customer1/ece/v1.0.0/adminconsole/database/usage_credentials
...
platform/production/customer1/us-east-1/zookeeper/accounts/admin_credentials
product/ece/v1.0.0/artifact/signature/key
Prepare a secret bundle for an ephemeral worker
Prepare a list of the secret paths required by the job (AdminConsole API Key Rotator) in list.txt
app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key
app/production/customer1/ece/v1.0.0/adminconsole/mailing/sender/mailgun_api_key
Prepare the content to share
$ harp from vault --paths-from list.txt | harp bundle dump --content-only | jq
{
"app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key": {
"API_KEY": "okta-foo-api-123456789"
},
"app/production/customer1/ece/v1.0.0/adminconsole/mailing/sender/mailgun_api_key": {
"API_KEY": "mg-admin-9875s-sa"
}
}
(OPTION) Encrypt the bundle before sharing it via Vault CubbyHole
Asymmetric encryption would be better suited to this use case, but it is not available yet.
$ export PSK=$(harp keygen chacha)
$ harp from vault --paths-from list.txt \
| harp bundle encrypt --key=$PSK \
| harp share put --ttl 15m
Token : s.R8SizZuS2oqCVKPGra2UieiG (Expires in 900 seconds)
On the consumer side
$ harp share get --token=s.R8SizZuS2oqCVKPGra2UieiG \
| harp bundle decrypt --key=$PSK \
| harp bundle dump --content-only \
| jq
{
"app/production/customer1/ece/v1.0.0/adminconsole/authentication/otp/okta_api_key": {
"API_KEY": "okta-foo-api-123456789"
},
"app/production/customer1/ece/v1.0.0/adminconsole/mailing/sender/mailgun_api_key": {
"API_KEY": "mg-admin-9875s-sa"
}
}
This can be used to provision an EC2 bootstrap bundle that is pulled at start time via the wrapped token.
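A consumer-side wrapper for the `harp share get` step shown above, as an added example that is not part of the harp release notes or code base. It turns a failed read of the burn-after-read token into an explicit signal. The function name, exit codes and messages are hypothetical, and it assumes `harp share get` exits non-zero when the token has expired or was already read.

```shell
#!/bin/sh
# Added example (not harp project code): consumer-side wrapper for `harp share get`.
# Assumption: `harp share get` exits non-zero when the wrapped token has expired
# or has already been read once (burn-after-read).

# receive_shared_bundle TOKEN OUTFILE
# Exit status: 0 = bundle written to OUTFILE
#              1 = usage error or temp file could not be created
#              2 = token could not be read (expired, or consumed by someone else)
#              3 = harp succeeded but returned no data
receive_shared_bundle() (
    token=$1
    out=$2
    if [ -z "$token" ] || [ -z "$out" ]; then
        echo "usage: receive_shared_bundle TOKEN OUTFILE" >&2
        exit 1
    fi

    umask 077                        # bundle readable by the current user only
    tmp=$(mktemp "${out}.XXXXXX") || exit 1

    if ! harp share get --token="$token" > "$tmp"; then
        rm -f "$tmp"
        echo "share get failed: token expired or already read." >&2
        echo "If Vault is reachable and the TTL has not elapsed, someone else" >&2
        echo "read the token first: treat the shared secrets as exposed and" >&2
        echo "ask the sender to rotate them." >&2
        exit 2
    fi

    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "share get returned an empty bundle" >&2
        exit 3
    fi

    mv "$tmp" "$out"                 # publish only a complete bundle
)

# Usage (token value is a placeholder):
#   receive_shared_bundle "s.<wrapped-token>" ./bootstrap.bundle
```
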
cmd/harp/v0.1.15
Vault CubbyHole based secret sharing