{ "info": { "author": "Robert Vojcik", "author_email": "robert@vojcik.net", "bugtrack_url": null, "classifiers": [ "License :: OSI Approved :: GNU General Public License v3 (GPLv3)", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", "Operating System :: Unix", "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Topic :: Database", "Topic :: Security", "Topic :: Security :: Cryptography" ], "description": "# vault-cert-deploy\n\nDeploy SSL/TLS certificates from HashiCorp's Vault secret server.\nThe script deploys certificates stored in Vault's KV secrets engine.\n\nAuthentication uses [AppRole](https://www.vaultproject.io/docs/auth/approle.html \"Vault Approle Doc\"), so you need a role ID and a secret ID\ndelivered to the server from different systems/locations. More\nabout this in the use case section.\n\nAt first glance the combination of config file and CLI options may\nlook a little strange. You can combine them in different ways to\nsupport various types of deployment while keeping the role ID and\nsecret ID apart.\n\n## Why do I need a Vault server?\n\nWe use Let's Encrypt for almost all of our SSL/TLS certificates.\nWe also have a complex infrastructure, so we retrieve the\ncertificates in one central place and then distribute them to\ndatacenters, clouds or any other applications.\n\n## How does deploy work?\n\nIt deploys certificates into the specified directory, creating\ntwo subdirectories, `certs` and `private`.\n\n* certificates are written to `certs` with mode 0644\n* private keys are written to `private` with mode 0640\n* every key of the Vault secret is deployed as a file with a suitable extension\n\n## Installation\n\n### Python PyPI\n```\npip install vault-certificate-deploy\n```\n\n### Manual\nManual installation\n\n```\ngit clone https://github.com/rvojcik/vault-certificate-deploy\ncd vault-certificate-deploy\nsudo python ./setup.py install\n```\n\nFinally, check the installed command:\n```\nvault-cert-deploy --help\n```\n\n## Example configuration\nAn example can be found in `config.example`.
\n\nThe role ID and secret ID can also be passed as script arguments.\nThe `-n` and `--cert-list` parameters can be combined.\n\nIn the `vault` section of the configuration you can set the\n`mount_point` of the secrets engine in Vault.\nBy default it is `cert`.\nThis option can also be overridden on the command line.\n\n# Vault Configuration\n\nThe script uses [AppRole](https://www.vaultproject.io/docs/auth/approle.html \"Vault Approle Doc\") auth.\n\nFirst enable the AppRole auth method if it is not enabled yet:\n```\nvault auth enable approle\n```\n\nNext create a policy for the role.\nRead the Vault [documentation](https://www.vaultproject.io/docs/concepts/policies.html) on policies, then continue here.\n\nAn example policy with basic, medium security:\n```\n# Cert Deploy Policy\n# Give the ability to\n# - read all certificates\n# - but not to list them\n#\npath \"certs/*\" {\n capabilities = [\"read\"]\n}\n```\n\nThe path prefix must match the mount point the script uses (`cert` by default,\nsee `mount_point` above). If the KV secrets engine is version 2, secrets are\nread under `<mount>/data/*`, so the policy path must include the `data/` segment.\n\nConfigure your role:\n```\nvault write auth/approle/role/my-role \\\nsecret_id_ttl=0 \\\ntoken_num_uses=0 \\\ntoken_ttl=20m \\\ntoken_max_ttl=30m \\\npolicies=\"my-policy,default\"\n```\n\n`secret_id_ttl=0` means the secret ID never expires and `token_num_uses=0` means\nthe issued token has no use limit. The short `token_ttl` keeps a leaked token\nshort-lived, but a leaked secret ID stays valid until you destroy it.\n\nRetrieve your role ID:\n```\nvault read auth/approle/role/my-role/role-id\n```\n\nGenerate a secret ID (done once per deployment, repeated when you rotate):\n```\nvault write -f auth/approle/role/my-role/secret-id\n```\n\nGenerating a new secret ID does not invalidate the old one. After a rotation,\ndestroy the old secret ID with\n`vault write auth/approle/role/my-role/secret-id/destroy secret_id=<old-secret-id>`.\n\n# Use Cases\nIt is important not to keep the role-id and secret-id together\nin one repository or configuration management system.\n\n## Puppet\nI deploy my servers with an installer that creates the file `/etc/vault_role_id`,\nwhich contains the `role-id` of the AppRole.\n\nPuppet configuration management then deploys the rest of the system, including\nall files and the `secret-id` in the configuration file (`/etc/vault-deploy/config.conf`).
\n\nPuppet also creates the file with the certificate/secret names, `/etc/ssl-deploy-certs.conf`.\n\nThen you can run the deployment like this:\n```\nvault-certificate-deploy.py -c /etc/vault-deploy/config.conf \\\n --cert-list /etc/ssl-deploy-certs.conf \\\n --role-id $(cat /etc/vault_role_id)\n```\n\n### Why?\nI keep the Puppet configuration in Git, so the role-id and secret-id\nare never together in my repository.\nI chose to deploy the `secret-id` with Puppet because when it needs to be\nrotated, Puppet automatically pushes the new value to the whole infrastructure.\n\n# Security Best Practices\n* Never store the role-id and secret-id together in one repository\n* Deploy the secret-id in a way that makes it quick and easy to rotate\n* In production always use `verify_tls=yes`\n* When the secret-id and role-id live in files/config, set strict permissions (e.g. `0400`, `0600`)\n* In Vault, give the AppRole policy only the `read` capability; it is enough\n* For the highest security, create an individual AppRole and policy for every server and certificate\n* Consider `secret_id_bound_cidrs` / `token_bound_cidrs` on the role so a leaked secret-id is only usable from the intended hosts\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/rvojcik/vault-certificate-deploy", "keywords": "vault_certificate_deploy,vault_cert_deploy,certificate,vault-certificate-deploy,vault-cert-deploy,hashicorp,certificates", "license": "GPLv3", "maintainer": "", "maintainer_email": "", "name": "vault-certificate-deploy", "package_url": "https://pypi.org/project/vault-certificate-deploy/", "platform": "", "project_url": "https://pypi.org/project/vault-certificate-deploy/", "project_urls": { "Homepage": "https://github.com/rvojcik/vault-certificate-deploy" }, "release_url": "https://pypi.org/project/vault-certificate-deploy/1.0.3/", "requires_dist": [ "urllib3", "hvac (>=0.9.2)", "requests (>=2.1)", "configparser", "pyOpenSSL (>=17.0)" ], "requires_python": "", "summary": "System for 
deploying certificates from Hashicorp Vault server", "version": "1.0.3" }, "last_serial": 5462200, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "bd62d015d5e63e5ea42504629ab3628b", "sha256": "ff1c80a41db954eaa186c50ab6af4463a4db81eeb05320940eb82d26b194ff14" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.0-py2.7.egg", "has_sig": false, "md5_digest": "bd62d015d5e63e5ea42504629ab3628b", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 7252, "upload_time": "2019-06-28T11:50:23", "url": "https://files.pythonhosted.org/packages/4e/79/abefa906cd6d2eac7c1b727082fce20205b029f4d71198dd0aae96057f51/vault_certificate_deploy-1.0.0-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "06b4df60f2bdad97975b02b0ea8313cd", "sha256": "b5863b1b1cdb57d78fbfeb4e94d32af4df793c6161ab181d16ca927889e1f1c3" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.0-py3.6.egg", "has_sig": false, "md5_digest": "06b4df60f2bdad97975b02b0ea8313cd", "packagetype": "bdist_egg", "python_version": "3.6", "requires_python": null, "size": 7290, "upload_time": "2019-06-28T11:50:24", "url": "https://files.pythonhosted.org/packages/3e/8a/48c6ca4f614773c82fddb4597c0025306c58376a3c97b05546cc68f65729/vault_certificate_deploy-1.0.0-py3.6.egg" }, { "comment_text": "", "digests": { "md5": "170a8e1a5e929732d3a3a052095ebca6", "sha256": "a07134ae87896332f1fb48eb60532a2c9d4fac6355afe1f6b8a9a9b23654e753" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.0-py3-none-any.whl", "has_sig": false, "md5_digest": "170a8e1a5e929732d3a3a052095ebca6", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 19534, "upload_time": "2019-06-28T11:50:21", "url": "https://files.pythonhosted.org/packages/ad/57/a269e703a0434b3b56e61c495e86c44658dfd99c204067123bacbaa891df/vault_certificate_deploy-1.0.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "27dc6416520fca0888f3d881ee8261e6", "sha256": 
"5cadeec6f47dbfe90a293e40044237fbb99732597a1fcf05b3cd6678f44133e6" }, "downloads": -1, "filename": "vault-certificate-deploy-1.0.0.tar.gz", "has_sig": false, "md5_digest": "27dc6416520fca0888f3d881ee8261e6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6912, "upload_time": "2019-06-28T11:50:25", "url": "https://files.pythonhosted.org/packages/36/82/4547c625e1a00ca97e7bce755110e8c1ccd146c4701daf69c9c9b7779be9/vault-certificate-deploy-1.0.0.tar.gz" } ], "1.0.1": [ { "comment_text": "", "digests": { "md5": "1da6e07e03e97979ab20e48f94dddf63", "sha256": "4fbb586513ccc15400e279edf2840f223073bbc90ffe48dc809ff72b0098c636" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.1-py2-none-any.whl", "has_sig": false, "md5_digest": "1da6e07e03e97979ab20e48f94dddf63", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 9311, "upload_time": "2019-06-28T13:49:20", "url": "https://files.pythonhosted.org/packages/d0/00/58d570635e2a9856910896e58db1cb041eac322b031bf98d2cc3bf0735ff/vault_certificate_deploy-1.0.1-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "d8edf96e73096717027b8e6e6ef83f96", "sha256": "f60f2b3a9c36e88737e52b7cba319b840f9a541832d18b2855223183915d65f4" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.1-py3-none-any.whl", "has_sig": false, "md5_digest": "d8edf96e73096717027b8e6e6ef83f96", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21629, "upload_time": "2019-06-28T13:28:54", "url": "https://files.pythonhosted.org/packages/eb/af/c5d2e0f5f65fb575c54ea1eae2646954f6296cae2319b2f9e864a2f3a393/vault_certificate_deploy-1.0.1-py3-none-any.whl" } ], "1.0.2": [ { "comment_text": "", "digests": { "md5": "8a2571a0b12e1fcb8d1189352265952b", "sha256": "1b13f18a64bac097bd5c6e921b6c3d84f259493624453fe2dcf668acd6da1b69" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.2-py2-none-any.whl", "has_sig": false, 
"md5_digest": "8a2571a0b12e1fcb8d1189352265952b", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 9312, "upload_time": "2019-06-28T14:05:59", "url": "https://files.pythonhosted.org/packages/76/96/3fd38671807c3495e5c898ccd30fc40b07ca75f94d3103ac2cf868b79eb2/vault_certificate_deploy-1.0.2-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "554fb3732b989a1279d3357cd4bc86a9", "sha256": "e976a3eb5cd1d7558a9f943867f83f4846b964e150c37d86f8bd2219fc061b4e" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.2-py3-none-any.whl", "has_sig": false, "md5_digest": "554fb3732b989a1279d3357cd4bc86a9", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21631, "upload_time": "2019-06-28T14:06:01", "url": "https://files.pythonhosted.org/packages/a2/63/88def7fc166d215257265f5ae0192eb0995a156a3d9d993be519ab72057c/vault_certificate_deploy-1.0.2-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "a07a876d9930b2bf5555d65fb17cbfb3", "sha256": "4f37f4a0c37cfc141a0c4f032a04ede6303188d3f1e7a0f0e3551f137897f93d" }, "downloads": -1, "filename": "vault-certificate-deploy-1.0.2.tar.gz", "has_sig": false, "md5_digest": "a07a876d9930b2bf5555d65fb17cbfb3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8752, "upload_time": "2019-06-28T14:06:02", "url": "https://files.pythonhosted.org/packages/21/54/ca3851d92aca12dd9a0806aa8530d5df50970c0971be3dbc6cc263e6e64e/vault-certificate-deploy-1.0.2.tar.gz" } ], "1.0.3": [ { "comment_text": "", "digests": { "md5": "a9b63d8eeeb22618f94f6e06982a4243", "sha256": "ff741365a99a99dd678b760d028f3f53701de23149fa97a00122d61874f245ba" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.3-py2-none-any.whl", "has_sig": false, "md5_digest": "a9b63d8eeeb22618f94f6e06982a4243", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 9329, "upload_time": "2019-06-28T15:18:33", "url": 
"https://files.pythonhosted.org/packages/f1/08/625a467493aafec5ed2d2154ce07e938ca644bdd06908fd33191762f67c4/vault_certificate_deploy-1.0.3-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "85eaa8b9003ea769b5954dffb6e3a6c9", "sha256": "b61330b10bee178b0d5dcdab82c97d05e29a8dc2444d99d604fe6f569875247c" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.3-py3-none-any.whl", "has_sig": false, "md5_digest": "85eaa8b9003ea769b5954dffb6e3a6c9", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21652, "upload_time": "2019-06-28T15:18:34", "url": "https://files.pythonhosted.org/packages/b6/c7/09bb649a21ec5356b7dd00c9c9d9ca95dd444b1050cfdb280d4372c1ae80/vault_certificate_deploy-1.0.3-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "acc526aa14b3cb20e15a6249ec268e39", "sha256": "61be020cce06dcc2a75f8d0c8ed128f31a245999cd41dd22b2f5f9e8f3a0a671" }, "downloads": -1, "filename": "vault-certificate-deploy-1.0.3.tar.gz", "has_sig": false, "md5_digest": "acc526aa14b3cb20e15a6249ec268e39", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8766, "upload_time": "2019-06-28T15:18:36", "url": "https://files.pythonhosted.org/packages/e4/a5/0d450df06bbcac3fbc9f8896d934d1b6d930ebd5ac2694f63be27bc65b12/vault-certificate-deploy-1.0.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "a9b63d8eeeb22618f94f6e06982a4243", "sha256": "ff741365a99a99dd678b760d028f3f53701de23149fa97a00122d61874f245ba" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.3-py2-none-any.whl", "has_sig": false, "md5_digest": "a9b63d8eeeb22618f94f6e06982a4243", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 9329, "upload_time": "2019-06-28T15:18:33", "url": "https://files.pythonhosted.org/packages/f1/08/625a467493aafec5ed2d2154ce07e938ca644bdd06908fd33191762f67c4/vault_certificate_deploy-1.0.3-py2-none-any.whl" }, { "comment_text": "", "digests": 
{ "md5": "85eaa8b9003ea769b5954dffb6e3a6c9", "sha256": "b61330b10bee178b0d5dcdab82c97d05e29a8dc2444d99d604fe6f569875247c" }, "downloads": -1, "filename": "vault_certificate_deploy-1.0.3-py3-none-any.whl", "has_sig": false, "md5_digest": "85eaa8b9003ea769b5954dffb6e3a6c9", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21652, "upload_time": "2019-06-28T15:18:34", "url": "https://files.pythonhosted.org/packages/b6/c7/09bb649a21ec5356b7dd00c9c9d9ca95dd444b1050cfdb280d4372c1ae80/vault_certificate_deploy-1.0.3-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "acc526aa14b3cb20e15a6249ec268e39", "sha256": "61be020cce06dcc2a75f8d0c8ed128f31a245999cd41dd22b2f5f9e8f3a0a671" }, "downloads": -1, "filename": "vault-certificate-deploy-1.0.3.tar.gz", "has_sig": false, "md5_digest": "acc526aa14b3cb20e15a6249ec268e39", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8766, "upload_time": "2019-06-28T15:18:36", "url": "https://files.pythonhosted.org/packages/e4/a5/0d450df06bbcac3fbc9f8896d934d1b6d930ebd5ac2694f63be27bc65b12/vault-certificate-deploy-1.0.3.tar.gz" } ] }
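The "How deploy work" section of the README embedded in the metadata above states the on-disk layout: a `certs` directory with mode 0644 files and a `private` directory with mode 0640 files, one file per key of the Vault secret. The following is an added example, not code from the vault-certificate-deploy project, showing how to write that layout so the modes hold regardless of the caller's umask and a reader never sees a half-written key. The mapping from KV key names (`cert`, `chain`, `fullchain`, `key`) to subdirectory and extension, the directory modes, and the temp-file-plus-rename write are assumptions of this example; the README only says "keys as files with suitable extension".

```python
"""Write one Vault KV secret to disk in the certs/ and private/ layout.

Added example, not the project's own code. It follows the README: certificate
files get mode 0644 under certs/, private keys get mode 0640 under private/,
and every key of the secret becomes a file with a suitable extension. The
key-name-to-file mapping, the directory modes and the atomic tmp+rename write
are assumptions of this example, not documented behaviour of the tool.
"""
import os
import stat
import tempfile

CERT_FILE_MODE = 0o644   # README: certs has mode 0644
KEY_FILE_MODE = 0o640    # README: private keys has mode 0640
DIR_MODES = {"certs": 0o755, "private": 0o750}   # assumed; README does not state them

# Assumed mapping: KV key name -> (subdirectory, extension, file mode).
LAYOUT = {
    "cert":      ("certs",   ".crt",           CERT_FILE_MODE),
    "chain":     ("certs",   ".chain.crt",     CERT_FILE_MODE),
    "fullchain": ("certs",   ".fullchain.crt", CERT_FILE_MODE),
    "key":       ("private", ".key",           KEY_FILE_MODE),
}


def write_with_mode(path, data, mode):
    """Create `path` with exactly `mode`, independent of the caller's umask.

    open(2) applies the umask to the requested mode, so the mode is forced with
    fchmod before any bytes are written; the file is then renamed into place so
    a reader never sees a half-written key or a too-open file.
    """
    tmp = path + ".tmp"
    if os.path.lexists(tmp):
        os.unlink(tmp)           # stale leftover from an interrupted run
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, data.encode() if isinstance(data, str) else data)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.replace(tmp, path)
    return path


def deploy_secret(base_dir, name, secret):
    """Write every key of `secret` (the dict read from KV) below `base_dir`.

    Returns {path: mode} for the files written. Unknown keys are refused
    instead of guessed, so an unexpected key in Vault can never land private
    material in the world-readable certs/ directory.
    """
    for subdir, dmode in DIR_MODES.items():
        d = os.path.join(base_dir, subdir)
        os.makedirs(d, exist_ok=True)
        os.chmod(d, dmode)        # makedirs' mode is umask-filtered too
    written = {}
    for key, value in secret.items():
        if key not in LAYOUT:
            raise ValueError("unexpected key %r in secret %r" % (key, name))
        subdir, ext, mode = LAYOUT[key]
        path = os.path.join(base_dir, subdir, name + ext)
        write_with_mode(path, value, mode)
        written[path] = mode
    return written


def file_mode(path):
    """Permission bits of `path`, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Deploy a constructed secret under a restrictive umask; return actual modes."""
    # Constructed placeholder PEM blobs, not real key material.
    secret = {
        "cert":  "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "chain": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
        "key":   "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    }
    base = tempfile.mkdtemp()
    old_umask = os.umask(0o077)   # a strict umask must not change the result
    try:
        written = deploy_secret(base, "www.example.com", secret)
    finally:
        os.umask(old_umask)
    return {os.path.relpath(p, base): file_mode(p) for p in written}


if __name__ == "__main__":
    for rel, mode in sorted(demo().items()):
        print("%-36s %o" % (rel, mode))
```

The umask in `demo()` is set to 077 on purpose: a naive `open(path, "w")` followed by nothing else would leave the certificate at 0600 and the web server unable to read it, while a permissive umask with no explicit mode could leave the private key group- or world-readable. Forcing the mode on the descriptor before writing closes both gaps.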
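The README's Puppet use case and its Security Best Practices put the role-id in a file created by the installer (`/etc/vault_role_id`) and the secret-id in the Puppet-managed config (`/etc/vault-deploy/config.conf`), require `0400`/`0600` permissions on both, and insist on `verify_tls=yes` in production. The following added example, not code from the vault-certificate-deploy project, loads the two credentials from those separate places and refuses to proceed when a file is too open or TLS verification is switched off. Assumptions: the config is INI-style (the package depends on `configparser`) with a `vault` section as the README says; `mount_point` and `verify_tls` are the README's names, while `url` and `secret_id` are assumed key names; the `approle_login` function uses the hvac >= 0.10 `client.auth.approle.login` call and is not exercised offline.

```python
"""Load the AppRole credentials the way the README's Puppet use case splits them.

Added example, not the project's own code. The role-id comes from a one-line
file and the secret-id from the INI config deployed by Puppet. Section name
``vault`` and the keys ``mount_point`` / ``verify_tls`` are from the README;
``url`` and ``secret_id`` are assumed key names. Both files are refused unless
their mode is one of the README's 0400/0600, and verify_tls=no is refused.
"""
import configparser
import os
import stat
import tempfile

ALLOWED_CRED_MODES = {0o400, 0o600}   # README: "set correct permissions (eg. 0400, 0600)"


class CredentialError(Exception):
    pass


def check_secret_file(path):
    """Return the mode of `path`; raise if anyone but the owner could read it."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise CredentialError("%s is a symlink; refusing to follow it" % path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode not in ALLOWED_CRED_MODES:
        raise CredentialError("%s has mode %o, expected 0400 or 0600" % (path, mode))
    return mode


def load_role_id(path):
    """Read the role-id from its own file (the installer-created one in the README)."""
    check_secret_file(path)
    with open(path) as fh:
        role_id = fh.read().strip()
    if not role_id:
        raise CredentialError("%s is empty" % path)
    return role_id


def load_config(path):
    """Parse the deploy config and return the settings the login needs."""
    check_secret_file(path)   # it carries the secret-id, so it is a secret too
    cp = configparser.ConfigParser()
    with open(path) as fh:
        cp.read_file(fh)
    vault = cp["vault"]
    if not vault.getboolean("verify_tls", fallback=True):
        # README: "In production always use verify_tls=yes". Without it the
        # secret-id is handed to whoever answers for the Vault hostname.
        raise CredentialError("verify_tls is disabled in %s" % path)
    return {
        "url": vault["url"],                              # assumed key name
        "secret_id": vault["secret_id"],                  # assumed key name
        "mount_point": vault.get("mount_point", "cert"),  # README default
        "verify_tls": True,
    }


def approle_login(settings, role_id):
    """Exchange role-id + secret-id for a Vault token (hvac >= 0.10 API).

    Not exercised offline; shown to make the split of the two credentials concrete.
    """
    import hvac   # imported lazily so the rest of the example runs without it
    client = hvac.Client(url=settings["url"], verify=settings["verify_tls"])
    client.auth.approle.login(role_id=role_id, secret_id=settings["secret_id"])
    return client


def write_fixture(dirname, name, content, mode):
    """Create a constructed file with the given mode (fixture for the demo)."""
    path = os.path.join(dirname, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)   # force the mode regardless of umask
    return path


def demo():
    """Build constructed credential files; show what is accepted and refused."""
    d = tempfile.mkdtemp()
    # Constructed values, not real identifiers.
    role_path = write_fixture(d, "vault_role_id",
                              "11111111-2222-3333-4444-555555555555\n", 0o400)
    good_cfg = write_fixture(d, "config.conf",
                             "[vault]\nurl = https://vault.example.internal:8200\n"
                             "secret_id = 66666666-7777-8888-9999-000000000000\n"
                             "mount_point = cert\nverify_tls = yes\n", 0o600)
    loose_cfg = write_fixture(d, "loose.conf", "[vault]\nverify_tls = yes\n", 0o644)
    notls_cfg = write_fixture(d, "notls.conf",
                              "[vault]\nurl = https://vault.example.internal:8200\n"
                              "secret_id = x\nverify_tls = no\n", 0o600)
    results = {"role_id": load_role_id(role_path), "config": load_config(good_cfg)}
    for label, path in (("loose", loose_cfg), ("notls", notls_cfg)):
        try:
            load_config(path)
            results[label] = "accepted"
        except CredentialError as exc:
            results[label] = "refused: %s" % exc
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The permission check is deliberately an allow-list of two exact modes rather than a "not world-readable" test: the README names `0400` and `0600`, and a group-readable secret-id (`0640`) is exactly the kind of drift a configuration management run can introduce without anyone noticing.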