cli: Add 'agent generate-config' sub-command

[averche]

Note: documentation will be added in a different PR

Background

This pull request implements a new sub-command agent generate-config. It is part of the larger effort to add environment variable support within Vault Agent (VLT-253).

The goal of this sub-command is to help new users with an easy on-boarding to Vault, specifically for integrating Vault into their applications. It will recurse through the Vault path tree for the given path(s) and produce an agent.hcl configuration file with token_file authentication method and default environment-variable-to-secret mappings. The file can then be used by Vault Agent in a process supervisor mode (will be implemented in future PRs).

For the first release of this template configuration helper, we will only support KV-V1 and KV-V2 secret types.

Example

$ vault agent generate-config \
       -type="env-template" \
       -exec="./my-app.sh" \
       -path="secret/test" \
       -path="secret/my-app/*"                                                           

Successfully generated "agent.hcl" configuration file!

agent.hcl:

auto_auth {

  method {
    type = "token_file"

    config {
      token_file_path = "/Users/avean/.vault-token"
    }
  }
}

template_config {
  static_secret_render_interval = "30s"
  exit_on_retry_failure         = true
}

vault {
  address = "http://localhost:8200"
}

env_template "TEST_PASSWORD" {
  contents             = "{{ with secret \"secret/data/test\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "TEST_USER" {
  contents             = "{{ with secret \"secret/data/test\" }}{{ .Data.data.user }}{{ end }}"
  error_on_missing_key = true
}
env_template "API_KEY_VAL1" {
  contents             = "{{ with secret \"secret/data/my-app/api-key\" }}{{ .Data.data.val1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "DATABASE_PASSWORD" {
  contents             = "{{ with secret \"secret/data/my-app/database\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}
env_template "DATABASE_USER" {
  contents             = "{{ with secret \"secret/data/my-app/database\" }}{{ .Data.data.user }}{{ end }}"
  error_on_missing_key = true
}
env_template "BAR_VAL1" {
  contents             = "{{ with secret \"secret/data/my-app/nested/bar\" }}{{ .Data.data.val1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "BAR_VAL2" {
  contents             = "{{ with secret \"secret/data/my-app/nested/bar\" }}{{ .Data.data.val2 }}{{ end }}"
  error_on_missing_key = true
}
env_template "FOO_VAL1" {
  contents             = "{{ with secret \"secret/data/my-app/nested/foo\" }}{{ .Data.data.val1 }}{{ end }}"
  error_on_missing_key = true
}
env_template "FOO_VAL2" {
  contents             = "{{ with secret \"secret/data/my-app/nested/foo\" }}{{ .Data.data.val2 }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["./my-app.sh"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}

Related pull requests

• Add walkSecretsTree helper function #20464
• Improve addPrefixToKVPath helper #20488

[dhuckins]

should the default be stdout?

[averche]

Maybe 🤷 We kind of want to give a warning about the token auto-auth method so I'm slightly leaning towards writing to a file. We could also require a file to be specified.

[dhuckins]

after we add the config, should add tests that the generated config should be readable

[averche]

Good call, we definitely should

[VioletHynes]

Looks great! Added some comments so far but broadly it looks fantastic. One thing I'm also interested in: we should add docs for this subcommand. I don't really mind if that's as part of a different PR or if it's part of this one, but we should make sure docs are added. I'm happy to review them all the same.

[averche]

Good call, we definitely should

[averche]

Looks great! Added some comments so far but broadly it looks fantastic. One thing I'm also interested in: we should add docs for this subcommand. I don't really mind if that's as part of a different PR or if it's part of this one, but we should make sure docs are added. I'm happy to review them all the same.

Thanks! Yes, docs is definitely next 👍 I will probably hold off on merging this till the docs PR is ready.

[VioletHynes]

Just to make sure we're not waiting on each other: I'm hoping to see the note about changing the auto_auth type and the additional tests for the other parts of generated config before I approve.

Once these are added, feel free to re-request me as a viewer to ping me!

[averche]

Just to make sure we're not waiting on each other: I'm hoping to see the note about changing the auto_auth type and the additional tests for the other parts of generated config before I approve.

Once these are added, feel free to re-request me as a viewer to ping me!

Thanks! I added both

[VioletHynes]

Looks great! Nice work.

[mladlow]

@averche could you please update this changelog file using the format for announcing a new feature? https://hashicorp.atlassian.net/wiki/spaces/VAULT/pages/1311244491/Changelog+Process#New-and-Major-Features

[dhuckins]

@mladlow should we also make that change for #20739 ?

[mladlow]

@dhuckins Are these two PRs the same or different "features"? If you scroll through historical changelog sections for major releases, you can see what's been called out in the "features" section. For the features section, it's expected that features will have multiple PRs and it doesn't always make sense to have a changelog entry for every PR that composes a major new feature.

[dhuckins]

gotcha, same feature (at least they are related). so just one should be fine. thanks!

[mladlow]

It looks like in the RC changelog this line is still showing up in the Features section - https://github.com/hashicorp/vault/pull/21077/files#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR43. Could someone update the file on the 1.14 release branch OR delete it on that branch please?