jonasvinther · badreddine2 · Dec 25, 2024 · Dec 29, 2024 · Jan 1, 2025 · Jan 1, 2025
diff --git a/README.md b/README.md
@@ -17,8 +17,11 @@
 - [How to use](#how-to-use)
   * [Setting up Medusa](#setting-up-medusa)
   * [Importing secrets](#importing-secrets)
+  * [Improved import secrets](#improved-import-secrets)
   * [Exporting secrets](#exporting-secrets)
   * [Deleting secrets](#deleting-secrets)
+  * [Copying secrets](#copying-secrets)
+  * [Moving secrets](#moving-secrets)
   * [Decrypt secrets](#decrypt-secrets)
   * [Kubernetes examples](docs/examples/kubernetes/cronjob/)
   * [Docker examples](docs/examples/docker/)
@@ -324,3 +327,131 @@ Flags:
 
 Use "medusa [command] --help" for more information about a command.
 ``` 
+### Copying secrets
+> Get help with `./medusa copy -h`
+
+The "copy" command allows users to export secrets from a source path in Vault and copy them to a target path.
+```
+Usage:
+  medusa copy [flags]
+
+Flags:
+  -m, --engine-type string   Specify the secret engine type [kv1|kv2] (default "kv2")
+  -h, --help                 help for copy
+
+Global Flags:
+  -a, --address string                Address of the Vault server
+  -k, --insecure                      Allow insecure server connections when using SSL
+      --kubernetes                    Authenticate using the Kubernetes JWT token
+      --kubernetes-auth-path string   Authentication mount point within Vault for Kubernetes
+  -n, --namespace string              Namespace within the Vault server (Enterprise only)
+  -r, --role string                   Vault role for Kubernetes JWT authentication
+  -t, --token string                  Vault authentication token
+```
+
+Example:
+```bash
+# Read from file
+./medusa copy secret/A/B A/C/B -a="http://vault:8201" -t="00000000-0000-0000-0000-000000000000" --insecure
+Extracted data has been saved to '/tmp/exported_secret.yaml'.
+Secret successfully written to Vault [http://vault:8201] using path [A/C/B/C/D]
+Secret successfully written to Vault [http://vault:8201] using path [A/C/B/C/D/Db]
+Secret successfully written to Vault [http://vault:8201] using path [A/C/B/E]
+Secrets from A/B have been successfully copied to A/C/B
+```
+The secrets on path secret/A/B are copied to secret/A/C/B
+
+### Moving secrets
+> Get help with `./medusa move -h`
+
+Move Vault secret from one path to another
+```
+Usage:
+  medusa move [flags]
+
+Flags:
+  -y, --auto-approve         Skip interactive approval of plan before deletion
+  -m, --engine-type string   Specify the secret engine type [kv1|kv2] (default "kv2")
+  -h, --help                 help for move
+
+Global Flags:
+  -a, --address string                Address of the Vault server
+  -k, --insecure                      Allow insecure server connections when using SSL
+      --kubernetes                    Authenticate using the Kubernetes JWT token
+      --kubernetes-auth-path string   Authentication mount point within Vault for Kubernetes
+  -n, --namespace string              Namespace within the Vault server (Enterprise only)
+  -r, --role string                   Vault role for Kubernetes JWT authentication
+  -t, --token string                  Vault authentication token
+```
+
+Example:
+```bash
+# Read from file
+./medusa move secret/A/B A/C/B -a="http://vault:8201" -t="00000000-0000-0000-0000-000000000000" --insecure
+
+Extracted data has been saved to '/tmp/exported_secret.yaml'.
+Secret successfully written to Vault [http://vault:8201] using path [A/C/B/C/D/Db]
+Secret successfully written to Vault [http://vault:8201] using path [A/C/B/E]
+Secret successfully written to Vault [http://vault:8201] using path [A/C/B/C/D]
+Deleting secret [secret/A/B/C/D]
+Deleting secret [secret/A/B/C/D/Db]
+Deleting secret [secret/A/B/E]
+Do you want to delete the 3 secrets listed above? Only 'y' will be accepted to approve.: y
+The secrets has now been deleted
+```
+The secrets on path secret/A/B are moved to secret/A/C/B
+
+### Improved import secrets
+Now it is possible to import one or multiple files with a single command. It is also possible to import an entire folder containing secret files. Medusa will first ensure that the files in the folder comply with the Vault secret format, then proceed to import them to the path specified in the command.
+
+> Get help with `./medusa import -h`
+
+Import yaml/json files or folder of secrets into a Vault instance
+```bash
+Usage:
+  medusa import [vault path] ['file1' 'file2' ... or '-' to read from stdin] [flags]
+
+Flags:
+  -d, --decrypt              Decrypt the Vault data before importing
+  -m, --engine-type string   Specify the secret engine type [kv1|kv2] (default "kv2")
+  -h, --help                 help for import
+  -p, --private-key string   Location of the RSA private key
+
+Global Flags:
+  -a, --address string                Address of the Vault server
+  -k, --insecure                      Allow insecure server connections when using SSL
+      --kubernetes                    Authenticate using the Kubernetes JWT token
+      --kubernetes-auth-path string   Authentication mount point within Vault for Kubernetes
+  -n, --namespace string              Namespace within the Vault server (Enterprise only)
+  -r, --role string                   Vault role for Kubernetes JWT authentication
+  -t, --token string                  Vault authentication token
+```
+Example for multiple files:
+```bash
+# Read from file
+./medusa import secret test/data/example-dev-prod-env.yaml test/data/example-different-datatypes.yaml -a="http://vault:8201" -t="00000000-0000-0000-0000-000000000000" --insecure
+
+Secret successfully written to Vault [http://vault:8201] using path [/production/env/platform/nats]
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/cart/database/users/writeuser]
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/user/database/users/readuser]
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/user/database]
+Secret successfully written to Vault [http://vault:8201] using path [/production/env/platform/vault]
+Secret successfully written to Vault [http://vault:8201] using path [/dev/users/root]
+Secret successfully written to Vault [http://vault:8201] using path [/dev/users/user/database/users/readuser]
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/cart/database/users/readuser]
+...
+```
+Example for secrets folder:
+```bash
+./medusa import secret test/data -a="http://vault:8201" -t="00000000-0000-0000-0000-000000000000" --insecure
+
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/root]
+Secret successfully written to Vault [http://vault:8201] using path [/dev/users/ui/database/users/readuser]
+Secret successfully written to Vault [http://vault:8201] using path [/production/env/platform/vault]
+Secret successfully written to Vault [http://vault:8201] using path [/dev/users/user/database]
+Secret successfully written to Vault [http://vault:8201] using path [/dev/users/cart/database/users/writeuser]
+Secret successfully written to Vault [http://vault:8201] using path [/dev/users/root]
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/cart/database/users/writeuser]
+Secret successfully written to Vault [http://vault:8201] using path [/production/users/user/database/users/readuser]
+...
+```
diff --git a/api/Dockerfile b/api/Dockerfile
@@ -0,0 +1,64 @@
+# Start with the Rocky Linux base image
+FROM rockylinux:8
+
+# Set environment variables for Go
+ENV GO_VERSION=1.21.0
+ENV GOPATH=/go
+ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
+
+# Set environment variables for Python
+ENV PYTHON_VERSION=3.9
+
+# Update the package list and install dependencies
+RUN dnf -y update && \
+    dnf -y install epel-release && \
+    dnf -y install wget git gcc make && \
+    dnf clean all
+
+RUN dnf -y groupinstall "Development Tools" && \
+    dnf -y install openssl-devel libffi-devel bzip2-devel sqlite-devel ncurses-devel readline-devel wget curl
+
+RUN wget https://www.python.org/ftp/python/3.9.10/Python-3.9.10.tgz && \
+    tar xvf Python-3.9.10.tgz && \
+    cd Python-3.9.10 && \
+    ./configure --enable-optimizations --enable-loadable-sqlite-extensions && \
+    make altinstall -j && \
+    cd .. && \
+    rm -rf Python-3.9.10*
+
+# Install Go
+RUN wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz && \
+    rm go${GO_VERSION}.linux-amd64.tar.gz
+
+# Set the working directory for the application
+WORKDIR /Medusa
+
+# Copy the local application files into the container
+COPY . /Medusa/
+
+# Install Poetry and set up virtual environment
+RUN curl -sSL https://install.python-poetry.org | python3.9 - && \
+    echo 'export PATH="/home/root/.dev/bin:$PATH"'
+
+# Install Python dependencies using Poetry
+RUN python3.9 -m venv /Medusa/venv && \
+    /Medusa/venv/bin/pip install --upgrade pip && \
+    /Medusa/venv/bin/pip install poetry && \
+    /Medusa/venv/bin/poetry install
+
+
+# Install FastAPI, Uvicorn, and python-multipart
+RUN /Medusa/venv/bin/pip install fastapi uvicorn python-multipart pyyaml
+
+# Download and tidy Go modules
+RUN go mod tidy
+
+# Build the Medusa binary
+RUN go build -o medusa .
+
+# Expose the necessary ports for FastAPI and Medusa
+EXPOSE 8080 8000
+
+# Set entrypoint to run Uvicorn with FastAPI app
+ENTRYPOINT ["/Medusa/venv/bin/uvicorn", "api.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]