Example Packer with Vault integration

I’m using Packer for deploying Windows templates on VMware environments using “vsphere-iso”. This works great!

The usernames and passwords are in clear text, which causes a security issue.
Vault can solve this problem.

I have Vault installed on a Windows server and configured kv secrets. How do I configure Packer to interact with Vault? Does anybody have an example?

We don’t claim this is best practice, and we only use HTTP on localhost; for HTTPS you should just fill in the values for your setup.

# Vault listens on localhost only in this setup; for HTTPS fill in the
# CA / client certificate paths below instead of leaving them empty.
export VAULT_ADDR=http://127.0.0.100:18200/
export VAULT_API_ADDR=http://127.0.0.100:18200/
export VAULT_CACERT=
export VAULT_CLIENT_CERT=
export VAULT_CLIENT_KEY=
export VAULT_USER=${VAULT_USER}
# The personal (long-lived) token is read from the desktop keyring, not from a file.
export VAULT_USER_TOKEN="$(secret-tool lookup vault your policy user|head)"
# Mint a short-lived child token restricted to the packer policy; only this
# token, not the personal one, is exposed to the packer process.
export VAULT_TOKEN="$(VAULT_TOKEN=${VAULT_USER_TOKEN} vault token create \
                                      -format=json \
                                      -policy="yours/packer" \
                                      -period=2h | \
                                      jq -r ".auth.client_token")"
packer build .....

In your Packer template you would then use Packer’s vault function.

If you require that a secret be retrieved by some provisioning script, ansible, chef, puppet etc., then you have to make one of the following choices:

  • Retrieve the secret in your Packer template and pass it to your script as an env-var. Make sure to add this variable to Packer’s sensitive_variables list.
  • Make your Vault server accessible to the VM that your provisioning script runs on.
  • SSH tunnel your local Vault connection to the VM that your provisioning script runs on.

You could also set up your builds so that secrets only get added at the time the image runs, rather than at build time. However, we don’t use that approach and I’ll leave others to elaborate on that use case.

Hope that helps?

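As an added example, not code from the original answer or from the Packer project, here is a Packer HCL2 template that does what the answer describes: it reads the vCenter and guest credentials with Packer's built-in vault() function, marks them sensitive (the HCL equivalent of the JSON template's sensitive-variables list), and hands one of them to a PowerShell provisioner only as an environment variable (the first of the three choices above). It assumes VAULT_ADDR and VAULT_TOKEN are exported as in the shell snippet, a KV v2 mount at secret/ holding a secret at packer/windows with the keys vcenter_user, vcenter_pass, winrm_user and winrm_pass, and hypothetical vSphere object names (vCenter host, cluster, datastore, ISO path, autounattend template file) that you would replace with your own.

```hcl
# Added example; see the lead-in for what is assumed.
packer {
  required_plugins {
    vsphere = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/vsphere"
    }
  }
}

# vault(path, key) reads the secret at build time using VAULT_ADDR/VAULT_TOKEN.
# For a KV v2 mount the path must include "/data/". sensitive = true keeps the
# values out of Packer's own log output.
local "vcenter_user" {
  expression = vault("/secret/data/packer/windows", "vcenter_user")
  sensitive  = true
}
local "vcenter_pass" {
  expression = vault("/secret/data/packer/windows", "vcenter_pass")
  sensitive  = true
}
local "winrm_user" {
  expression = vault("/secret/data/packer/windows", "winrm_user")
  sensitive  = true
}
local "winrm_pass" {
  expression = vault("/secret/data/packer/windows", "winrm_pass")
  sensitive  = true
}

source "vsphere-iso" "windows" {
  vcenter_server      = "vcenter.example.internal" # hypothetical
  username            = local.vcenter_user
  password            = local.vcenter_pass
  insecure_connection = false

  cluster       = "Cluster01"    # hypothetical
  datastore     = "Datastore01"  # hypothetical
  vm_name       = "win2019-template"
  guest_os_type = "windows2019srv_64Guest"
  iso_paths     = ["[Datastore01] ISO/win2019.iso"] # hypothetical

  # The unattend file must set the same local admin password that WinRM will
  # use, so it is rendered from a template (hypothetical file) instead of being
  # checked in with the password inside it.
  floppy_content = {
    "autounattend.xml" = templatefile("autounattend.pkrtpl.hcl", {
      admin_password = local.winrm_pass
    })
  }

  communicator   = "winrm"
  winrm_username = local.winrm_user
  winrm_password = local.winrm_pass

  CPUs                 = 2
  RAM                  = 4096
  disk_controller_type = ["pvscsi"]
  storage {
    disk_size             = 61440
    disk_thin_provisioned = true
  }
  network_adapters {
    network      = "VM Network" # hypothetical
    network_card = "vmxnet3"
  }
}

build {
  sources = ["source.vsphere-iso.windows"]

  # The provisioning script receives the secret only as an environment
  # variable of the Packer-spawned shell; nothing is written to the template
  # or to a file on the guest.
  provisioner "powershell" {
    environment_vars = ["LOCAL_ADMIN_PASSWORD=${local.winrm_pass}"]
    inline = [
      "net user Administrator $env:LOCAL_ADMIN_PASSWORD",
    ]
  }
}
```

Two checks worth making with this layout: the policy bound to the child token ("yours/packer" in the shell snippet) needs only read on secret/data/packer/windows, nothing else, and the periodic 2h token should be revoked (vault token revoke) after the build rather than left to expire.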

Here’s a demo repo and README with a detailed tutorial: https://github.com/SwampDragons/cool_new_features_demos (demo files used in my HashiTalk about newish Packer features)

Thanks for the info!