- it's necessary to depend on
gpgmeinstead of justgnupgfor the tool to work on MacOS by default
You can now pass partial templates for use in liquid and handlebars directly using the '--partials=templatepath...' flag in the 'substitute' subcommand.
- Assure writes to a single unique output file will overwrite its complete content during substitution.
- Previously, if you would write less than the original file size, parts of the previous content may still be present.
- upgrade all dependencies to the latest version
- upgrade all dependencies to the latest version
- upgrade all dependencies to the latest version
- add the '--no-stdin' flag to
sy process. It allows to prevent it from blocking on reading from stdin in certain situations. Previously, one would have to provide some stdin likeecho '{}' | sy process ....
This release contains some minor fixes and improvements, as well as a lot more documentation.
- Documentation for
- getting-started - a repository with all you need to start using a sheesy vault in teams.
When looking at helm it becomes evident how much more filters would be needed to effectively adjust yaml files.
Handlebars was a nice try, yet it only shows that filters are what makes a language powerful. Fortunately it's still time to change, so let's swap handlebars with liquid.
- add liquid
- add handlebars
- add base64 filter to liquid
Even though the main binary should by sy as before, the code should be structured to
provide cli versions of the respective subcommand, e.g. vault-cli.
That way, people can also use special-purpose sub-programs directly without having
a binary that contains all the other cruft.
This can be useful to make pass standins more approachable, and also build custom
sy binaries with just a sub-set of the functionality (for example, without pass
stand-in capability).
- binary for sheesy-
- hub
- vault
- process
- substitute
- extract
In order to get the project where it is supposed to be, it can't be in my user's space. We will have multiple repositories and hopefully some more contributors.
The new organization should have the following repositories:
- CLI - the 'sheesy' command-line interface
Having spend some time reading up on the issue, and having realized that there is a reason the 'Web of Trust' model as implemented by GPG/PGP are not particularly wide-spread for a reason, for adoption, there should be a way to turn it off and delegate trust checking to external sources (like keybase.io).
Also given the way the vault is typically used, we should disable it by default, and make enabling it optional to more advanced teams.
- Configure web-of-trust options on per-partition basis and use that when encrypting.
- Option to auto-import keys when encrypting resources, which is enabled by default.
- Don't fail when listing recipients whose keys are not in the keychain.
The extract capability makes it feasible to store secrets in structured files
like YAML or JSON, as it allows to extract pieces of data in various ways.
Think basic jq but with native support for YAML files.
The merge subcommand allows to combine JSON or YAML files.
This is useful to partition context and data according to your needs, yet use
all of the values in combination for substitution.
It is particularly useful if some of that content was just decrypted from a vault.
-
The merge sub-command
- with conflicts
- with overwrite rules
- move keys to root level before merging
- insert keys at given value while merging for
- object paths, e.g
a.b.cora/b/c - for array paths e.g.
a.0.c.1ora/0/c/1
- object paths, e.g
- merge complete environment into data, or whatever matches the given glob
- set individual values, simpy via 'a/b/c=42' or 'a.b.0=30'
-
control the escape characters to allow passwords to be escaped properly, as needed, depending on the output format. Otherwise there is the chance of producing invalid YAML.
-
improvements to substitute
-
--verify- try to decode substituted values and fail on error
-
-
general improvements
- Unify naming scheme of all deployables to make curling code easier
- find a better name for merge, given that merging is just a side-effect. With the action driven interface, it can do pretty much everything on the data it has so far. Some commands effect the merging, some pull out and/or print data. That way, extract is not a separate subcommand.
Make it easy to generate property-sets by merging structured files together, and
make said context available to a handlebars powered engine to perform substitutions.
This allows to bring together context owned by various entities into a single aggregated one, with the possibility for later contexts to override earlier ones.
With this capability, it's also possible to substitute secrets into files, for example
like this: sy sub base.json sub/ours.yaml <(sy vault show secret.yaml) < deployment.yml | kubectl apply -f -.
Read more in the documentation.
Partitions are just another vault with individual config, but operations on vaults are aware of partitions. This allows sharing of keys for example, and alters the way vaults are displayed when showing them.
- add partitions and remove them
- initialize new vaults with partitions in mind
- show recipients per partition
- Allow
sy vaultto operate anywhere with a.gpg-idfile, like pass. - Strong validation of the vault configuration to assure consistency
vault --vault-idis nowvault --select
Besides the many improvements, you will also find a complete book about the capabilities so far!
We also sign our binaries from here on, and make them available via homebrew.
vault listnow produces precise URLs.vault removecan remove resources from the vault.vault recipient addnow signs and re-exports added fingerprints to make recipient verification part of adding them, and help build a Web of Trust.vault recipients removeremoves recipients and re-encrypts the vaults content.vault recipient addalso adds recipients which are only in your gpg keychain. Previously it would always require an exported public key in the right spot.vault recipient add --verifiedallows to add any recipient by name, but requires you to assure you are able to encrypt for that recipient.vault addnow creates sub-directories automatically.vault editnow tries to encrypt before launching the editor.vault add :somethingwith a tty as standard input will open an editor automatically.
The breaking change requiring a major version increment is changes to the sy-vault.yml file.
- The
atfield is now calledsecrets recipientsandgpg-keyspaths are no relative to thesy-vault.ymlfile, not relative to thesecretsdirectory.- The '--at/-a' flag of
sy vaultis now--secrets-dir-dir/-s recipients addwill now require fingerprints unless--verifiedis specified.
These improvements make handling paths consistent and less suprising.
s3 now officially is sy on the command-line, and spelled sheesy. Crates
were renamed accordingly, too.
This is the first usable version, providing only the minimal amount of features. A lot of the value contained is a fully automated system for quality assurance and deployment, which will help keeping the releases coming.
- setup rust workspace for clear dependency separation
- setup CI for linux and OSX
- standalone deployables without additional dependencies for
- OSX (static binary) - just gettext is still dynamically linked :(
- MUSL Linux
- shell completions
- complete a happy journey with
- initialize a new vault
- add contents
- support for multiple vaults
- list vault contents
- decrypt vault contents
- edit vault contents
- add another user and re-encrypt vault content
- installable from crates.io
- release binaries generated by travis for tags