updated for 016 of secrets bridge (#293)

2016-09-22 17:25:26 -07:00 · 2016-09-22 17:25:26 -07:00 · f8bb75fe05
commit f8bb75fe05
parent 2d4a62d559
3 changed files with 4 additions and 52 deletions
--- a/templates/secrets-bridge-agents/0/docker-compose.yml
+++ b/templates/secrets-bridge-agents/0/docker-compose.yml
@ -1,5 +1,5 @@
 secrets-bridge:
-    image: rancher/secrets-bridge:v0.1.5
+    image: rancher/secrets-bridge:v0.1.6
    command: agent --bridge-url ${BRIDGE_URL}
    volumes:
        - /var/run/docker.sock:/var/run/docker.sock
--- a/templates/secrets-bridge-server/0/README.md
+++ b/templates/secrets-bridge-server/0/README.md
@ -1,59 +1,11 @@
-## Secrets Bridge Server (Experimental)
---
-###Status: Experimental POC (Read: Do NOT use for production) 
-Only works with Hashicorp Vault server in dev mode currently.
-
+## Secrets Bridge Server (Beta)
 ---
 #### Description: 
  This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher.
  
  The reason this uses a temporary Cubbyhole token to start the service is that ENV variables do show up in the Rancher API and Docker inspect commands. That said, if this service fails, the issuing token will expire and all app tokens will also expire.
-
+  
 #### Setup

 See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md)
  
-#### Pre-reqs:
-
-A Vault server in Dev mode.
-
-Create Vault Policies and Roles for at least the Issuing token. 
-Something like:
-
-```
-  vault policy-write grantor-Default ./policies/grantor-Default
-  vault policy-write test1 ./policies/test1
-  vault policy-write test2 ./policies/test2
-```
-
-
-```
-curl -s -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"allowed_policies": "default,grantor,test1,test2"}' http://vault/v1/auth/token/roles/grantor-Default
-```
-
-#### Configure and Launch:
- 1. Create a token to be used to issue new tokens in the environment. As part of the "meta" on the token add a field called `configPath` and set that equal to a path in the secrets folder in Vault. (like `/secrets/secrets-bridge/Default`)
-
-
-  ```
-curl -s -X POST -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create/grantor-Default -d '{"policies": ["default", "grantor", "test1", "test2"], "ttl": "72h", "meta": {"configPath": "secret/secrets-bridge/Default"}}' | jq -r '.auth.client_token'
-  ```
-
- 
- 2. Create a temporary token with (2) uses.
-
-  ```
-  curl -s -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create -d '{"policies": ["default"], "ttl": "15m", "num_uses": 2}'|jq -r '.auth.client_token'
-  ```
- 
- 3. Use the temporary token to put the issuing token into the Vault cubbyhole.
-
-    ```
- curl -X POST -H "X-Vault-Token: ${TEMP_TOKEN}" ${VAULT_URL}/v1/cubbyhole/Default -d "{\"permKey\": \"${PERM_TOKEN}\"}"
-    ```
- 
- 4. Create Cattle API keys for the environment this server will be handling. (Would recommend 1 server per environment)
- 
- 5. Launch this app with all of the configs.
- 
-
--- a/templates/secrets-bridge-server/0/docker-compose.yml
+++ b/templates/secrets-bridge-server/0/docker-compose.yml
@ -1,5 +1,5 @@
 secrets-bridge:
-    image: rancher/secrets-bridge:v0.1.5
+    image: rancher/secrets-bridge:v0.1.6
    environment:
        CATTLE_ACCESS_KEY: ${CATTLE_ACCESS_KEY}
        CATTLE_SECRET_KEY: ${CATTLE_SECRET_KEY}