Synchronizer of Dex clients with secrets in Vault
Project description
DEXUS VAULT
Synchronizer of Dex clients with secrets in Vault
Intro
Dexus Vault is utility designed to synchronize Dex client configurations with secrets stored in Hashicorp Vault. This tool simplifies the management of Dex clients by automating the process of keeping them in sync with Vault secrets.
How it works
when you run dexus_vault, it will connects to provided Vault via hvac library and collets secrets by provided path, then dexus_vault conncets to Dex Idp over GRPC and create/update clients.
Currently Dex don't have native "Update" method, so dexus_vault will recreate client(keep in mind)
How to install
from source
For VMs or local running recommended to create isolated env using python-venv or whatever you use
- Clone the project
git clone https://github.com/ifurs/dexus-vault.git
- Install package
python -m pip install --upgrade setuptools wheel
python3 -m pip install .
from PyPi
Not this time:)
Run dexus_vault
simply run
python3 -m dexus_vault
and it will start worker that syncs Dex clients with Vault secrets
Configuration
General
| variable | required | default | description |
|---|---|---|---|
| SYNC_INTERVAL | false | 60 | interval in seconds, dexus_vault will refresh in |
Dex client configuration
| variable | required | default | description |
|---|---|---|---|
| DEX_GRPC_URL | false | 127.0.0.1:5557 | url, with your dex grpc |
| CLIENT_CRT | false | - | path to Dex GRPC client certificate |
| CLIENT_KEY | false | - | path to Dex GRPC client certificate key |
| CA_CRT | false | - | path to Dex GRPC client certificate autority |
About Dex auth
if you not specified in dex certificates, simply skip them, and client will start insecure connection, also it is not required to use certificate authority when you specify client crt and client key.
Vault client configuration
| variable | required | default | description |
|---|---|---|---|
| VAULT_ADDR | false | http://127.0.0.1:8200 | vault adress |
| VAULT_CLIENTS_PATHS | true | - | path in vault where clients could be found |
| VAULT_MOUNT_POINT | false | - | vault mount point |
| VAULT_TOKEN | false | - | used to auth to Vault via token |
| VAULT_CERT | false | - | Vault client certificate path |
| VAULT_CERT_KEY | false | - | Vault client certificate key path |
| VAULT_CERT_CA | false | - | Vault certficate authority path or bool, false - do not validate, true - validate with internal trustore |
| VAULT_LDAP_USERNAME | false | - | LDAP username used to auth to Vault |
| VAULT_LDAP_PASSWORD | false | - | LDAP password used to auth to Vault |
| VAULT_APPROLE | false | - | bool value, used to identify to use APPROLE auth |
| VAULT_APPROLE_ROLE_ID | false | - | Vault approle role id |
| VAULT_APPROLE_SECRET_ID | false | - | Vault approle secret id |
| VAULT_APPROLE_PATH | false | - | Vault approle path, use it if agent mount approle file in other than default directory |
| VAULT_MAX_RETRIES | false | 20 | How many retries need to mark Vault unreacheble |
| VAULT_RETRY_WAIT | false | 3 | How many seconds need to wait before next retry |
About Vault auth
You can choose any of:
- token based
- ldap
- with cert
- using approle, for that you need simply set
VAULT_APPROLEto true, and when start, hvac will login to Vault via default maunted file by vault agent
Vault secret structure
This example shows all available params for client(same as proto message)
{
"id": "my-first-client",
"secret": "", // put here your client secret
"logo_url": "https://picsum.photos/200/300", // example logo, not recommended
"name": "My First Client",
"public": false,
"redirect_uris": ["http://127.0.0.1:5000/callback"],
"trusted_peers": ["my-second-client"]
}
In Vault config id and secret are required, and public has default value False that enforced on dexus_vault level.
Also you may ask, how to define lists for redirect_uris and trusted_peers, you can do it in 2 ways:
- native json list
["value1", "value2"]but this will disale in Vault UI non-json view for that secret - using string with comma as delimeter
"value1,value2"but it's not recommended and would be removed in future iterations
Local Testing
The docker/tests directory contains a docker-compose.yaml file. This file is configured to run Vault and Dex locally for testing purposes. Please note that this setup is not intended for production use.
For additional information, refer to the README in the docker/tests directory.
About Dex GRPC
All GRPC API methods dexus_vault use, defined in api.proto
and compiled with grpc_tools.protoc
Other notes
This projects uses pre-commit: https://pre-commit.com/
THANKS
- Hurlenko for references copied from your repos
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for dexus_vault-0.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 3de3c0cc894cdd39aaa26061323978ea64c021583901510aa435ee5e6181384e |
|
| MD5 | 1bcd3992adfa4d79bf6bbd9902efad91 |
|
| BLAKE2b-256 | 689f1b9bb2b409785757d96591473b5e014f7c5ba82b6d0525c5c1cc96254679 |
