feat: Added sbx mixins for the secrets providers so users can also bootstrap those as well.
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
schemaVersion: "1"
|
||||
kind: mixin
|
||||
name: vault-aws-secrets-manager
|
||||
description: >
|
||||
Installs the AWS CLI v2 so the Coyote vault can read secrets from AWS
|
||||
Secrets Manager inside the sandbox. The AWS Rust SDK does not strictly
|
||||
require the CLI, but most users authenticate via `aws sso login` or
|
||||
`aws configure`, which need the CLI to be installed. After install, run
|
||||
the appropriate auth command in the sandbox; cached credentials persist
|
||||
for the lifetime of the sandbox.
|
||||
|
||||
network:
|
||||
allowedDomains:
|
||||
- "awscli.amazonaws.com:443"
|
||||
- "sts.amazonaws.com:443"
|
||||
- "*.sts.amazonaws.com:443"
|
||||
- "*.secretsmanager.amazonaws.com:443"
|
||||
- "*.amazonaws.com:443"
|
||||
- "*.awsapps.com:443"
|
||||
|
||||
commands:
|
||||
install:
|
||||
- command: |
|
||||
set -euo pipefail
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y unzip
|
||||
ARCH=$(uname -m)
|
||||
curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-${ARCH}.zip" -o /tmp/awscliv2.zip
|
||||
unzip -q /tmp/awscliv2.zip -d /tmp
|
||||
sudo /tmp/aws/install
|
||||
rm -rf /tmp/awscliv2.zip /tmp/aws
|
||||
user: "1000"
|
||||
description: Install AWS CLI v2 from the official installer
|
||||
@@ -0,0 +1,24 @@
|
||||
schemaVersion: "1"
|
||||
kind: mixin
|
||||
name: vault-azure-key-vault
|
||||
description: >
|
||||
Installs the Azure CLI (`az`) so the Coyote vault can read secrets from
|
||||
Azure Key Vault inside the sandbox. After install, run `az login` in the
|
||||
sandbox to authenticate; the session token persists for the lifetime of
|
||||
the sandbox.
|
||||
|
||||
network:
|
||||
allowedDomains:
|
||||
- "aka.ms:443"
|
||||
- "packages.microsoft.com:443"
|
||||
- "azurecliprod.blob.core.windows.net:443"
|
||||
- "login.microsoftonline.com:443"
|
||||
- "graph.microsoft.com:443"
|
||||
- "management.azure.com:443"
|
||||
- "*.vault.azure.net:443"
|
||||
|
||||
commands:
|
||||
install:
|
||||
- command: "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"
|
||||
user: "1000"
|
||||
description: Install Azure CLI via Microsoft's official install script
|
||||
@@ -0,0 +1,34 @@
|
||||
schemaVersion: "1"
|
||||
kind: mixin
|
||||
name: vault-gcp-secret-manager
|
||||
description: >
|
||||
Installs the Google Cloud CLI (`gcloud`) so the Coyote vault can read
|
||||
secrets from GCP Secret Manager inside the sandbox. The GCP Rust SDK does
|
||||
not strictly require the CLI, but most users authenticate via
|
||||
`gcloud auth application-default login`, which needs the CLI to be
|
||||
installed. After install, run that command in the sandbox; the ADC file
|
||||
persists for the lifetime of the sandbox.
|
||||
|
||||
network:
|
||||
allowedDomains:
|
||||
- "packages.cloud.google.com:443"
|
||||
- "accounts.google.com:443"
|
||||
- "oauth2.googleapis.com:443"
|
||||
- "secretmanager.googleapis.com:443"
|
||||
- "cloudresourcemanager.googleapis.com:443"
|
||||
- "*.googleapis.com:443"
|
||||
|
||||
commands:
|
||||
install:
|
||||
- command: |
|
||||
set -euo pipefail
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y apt-transport-https ca-certificates gnupg
|
||||
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
|
||||
| sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list >/dev/null
|
||||
curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
|
||||
| sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y google-cloud-cli
|
||||
user: "1000"
|
||||
description: Install gcloud CLI from Google's official apt repository
|
||||
@@ -0,0 +1,30 @@
|
||||
schemaVersion: "1"
|
||||
kind: mixin
|
||||
name: vault-gopass
|
||||
description: >
|
||||
Installs `gopass` and `gpg` so the Coyote vault can read secrets from a
|
||||
gopass store inside the sandbox. The store must be cloned manually
|
||||
(gopass walks a user-specific git remote, so v1 only allowlists github.com
|
||||
and gitlab.com; add other hosts via a user mixin if needed). After install,
|
||||
run `gopass setup` or `gopass clone <remote>` in the sandbox.
|
||||
|
||||
network:
|
||||
allowedDomains:
|
||||
- "github.com:443"
|
||||
- "api.github.com:443"
|
||||
- "objects.githubusercontent.com:443"
|
||||
- "gitlab.com:443"
|
||||
|
||||
commands:
|
||||
install:
|
||||
- command: |
|
||||
set -euo pipefail
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y gnupg2 git
|
||||
GOPASS_VERSION="1.15.13"
|
||||
ARCH=$(dpkg --print-architecture)
|
||||
curl -sSL "https://github.com/gopasspw/gopass/releases/download/v${GOPASS_VERSION}/gopass_${GOPASS_VERSION}_linux_${ARCH}.deb" -o /tmp/gopass.deb
|
||||
sudo dpkg -i /tmp/gopass.deb
|
||||
rm -f /tmp/gopass.deb
|
||||
user: "1000"
|
||||
description: Install gnupg2, git, and gopass from the official .deb release
|
||||
@@ -0,0 +1,31 @@
|
||||
schemaVersion: "1"
|
||||
kind: mixin
|
||||
name: vault-one-password
|
||||
description: >
|
||||
Installs the 1Password CLI (`op`) so the Coyote vault can decrypt secrets
|
||||
inside the sandbox. After install, run `op signin` in the sandbox to
|
||||
authenticate; credentials persist for the lifetime of the sandbox.
|
||||
|
||||
network:
|
||||
allowedDomains:
|
||||
- "downloads.1password.com:443"
|
||||
- "cache.agilebits.com:443"
|
||||
- "my.1password.com:443"
|
||||
- "my.1password.eu:443"
|
||||
- "my.1password.ca:443"
|
||||
- "events.1password.com:443"
|
||||
|
||||
commands:
|
||||
install:
|
||||
- command: |
|
||||
set -euo pipefail
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y unzip
|
||||
OP_VERSION="v2.30.3"
|
||||
ARCH=$(dpkg --print-architecture)
|
||||
curl -sSL "https://cache.agilebits.com/dist/1P/op2/pkg/${OP_VERSION}/op_linux_${ARCH}_${OP_VERSION}.zip" -o /tmp/op.zip
|
||||
sudo unzip -od /usr/local/bin /tmp/op.zip op
|
||||
sudo chmod +x /usr/local/bin/op
|
||||
rm -f /tmp/op.zip
|
||||
user: "1000"
|
||||
description: Install 1Password CLI from the official archive
|
||||
Reference in New Issue
Block a user