Harp is for Harpocrates (Ancient Greek: Ἁρποκράτης), the god of silence, secrets and confidentiality in the Hellenistic religion. - Wikipedia
This tool was initially developed while I was at Elastic. To be able to continue maintaining Harp without the upstream dependency, I decided to do a hard fork of the Elastic repository.
I'm going to introduce breaking changes from the Elastic original version.
Harp is a tool set to operate secret management by contract. The objective is to move away from value-centric management by handling secret data in a reproducible way: Harp provides a technical stack to describe how your values are managed by contracts and pipelines. Furthermore, since naming things is hard, a secret is consistently associated with a predictable secret identifier, which is used as the key to refer to the secret value. Finally, a secret can hold additional metadata (ownership, rotation period, leak severity, etc.) which can be consumed during pipeline execution.
These key/value associations (path ⇒ value) form a Bundle stored in an immutable file named a Container. This Container acts as a pivot format that lets Harp commands communicate with each other and compose data management pipelines.
In addition, Harp provides a template engine used to generate various confidential values (passwords, passphrases, crypto keys, etc.) and to allow more sophisticated rendering operations (configuration files, etc.).
Finally, it provides an SDK so that developers can integrate Harp features in their products and/or extend the Harp pipeline features by creating new plugins.
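To make the contract idea above concrete, here is an added example in Go. It is not code from the Harp project and it does not use Harp's packages: a developer declares a Contract (a predictable path plus a value specification) and receives a value drawn from crypto/rand that satisfies it, without ever choosing the value, while the operator side attaches metadata that later pipeline steps can consume. The type names, the 12-character floor, the character classes and the sample path are assumptions made for the example, not Harp's API or its CSO naming convention.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Metadata is consumed by pipeline steps (rotation, leak triage), never by the consumer.
type Metadata struct {
	Owner, RotationPeriod, LeakSeverity string
}

// Secret is one value plus its metadata; a Bundle maps path => Secret.
type Secret struct {
	Value string
	Meta  Metadata
}
type Bundle map[string]Secret

// Contract is what a developer negotiates: a predictable path and a value
// specification. The deployed value itself is never part of the contract.
type Contract struct {
	Path                  string
	MinLength             int
	NeedDigit, NeedSymbol bool
}

const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*()-_=+[]{}:,.?"
)

// randIndex: uniform index in [0, n) from crypto/rand (rand.Int has no modulo
// bias); a failing CSPRNG is unrecoverable, so it panics instead of degrading.
func randIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// Generate produces a value satisfying the contract: one byte from every
// required class, the rest from the allowed alphabet, then a Fisher-Yates
// shuffle so the position of each class is not predictable.
func Generate(c Contract) (string, error) {
	if c.MinLength < 12 {
		return "", fmt.Errorf("contract too weak: minimum length %d below 12", c.MinLength)
	}
	classes := []string{lower, upper}
	if c.NeedDigit {
		classes = append(classes, digits)
	}
	if c.NeedSymbol {
		classes = append(classes, symbols)
	}
	alphabet := strings.Join(classes, "")
	out := make([]byte, c.MinLength)
	for i := range out {
		set := alphabet
		if i < len(classes) {
			set = classes[i] // guarantee at least one byte per class
		}
		out[i] = set[randIndex(len(set))]
	}
	for i := len(out) - 1; i > 0; i-- {
		j := randIndex(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

// Satisfies is the consumer-side check of a value against its contract.
func Satisfies(c Contract, v string) bool {
	return len(v) >= c.MinLength && (!c.NeedDigit || strings.ContainsAny(v, digits)) && (!c.NeedSymbol || strings.ContainsAny(v, symbols))
}

// Fulfil provisions the contract into the bundle; a duplicate path is an
// error rather than a silent overwrite of an existing secret.
func Fulfil(b Bundle, c Contract, m Metadata) error {
	if _, dup := b[c.Path]; dup {
		return fmt.Errorf("path %q already provisioned", c.Path)
	}
	v, err := Generate(c)
	if err != nil {
		return err
	}
	b[c.Path] = Secret{Value: v, Meta: m}
	return nil
}

func main() {
	b := Bundle{}
	c := Contract{Path: "/infra/billing/postgres/admin", MinLength: 32, NeedDigit: true, NeedSymbol: true} // constructed contract
	if err := Fulfil(b, c, Metadata{Owner: "billing-team", RotationPeriod: "90d", LeakSeverity: "critical"}); err != nil {
		panic(err)
	}
	fmt.Println(c.Path, "provisioned; contract satisfied:", Satisfies(c, b[c.Path].Value))
}
```

The consumer only ever holds the Contract and calls Satisfies on whatever value is delivered at deployment; the value itself is produced on the operator side and travels with its metadata in the bundle. Using rand.Int for every index avoids the modulo bias of reducing a random byte with `%`, and the shuffle prevents the "first character is always lowercase" pattern that placing required classes up front would otherwise leak.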

- Developers should negotiate the secret value for the secret consumer they are currently developing through a contract, based on a path (a reference to the secret) and a value specification (the code contract), without knowledge of the final deployed value;
- Secret operators use different sets of tools to achieve secret management operations, which increases the probability of error or secret exposure because of the number of tools involved in the process (incompatibility, changes, etc.).
Use cases:
- You use Terraform for secret management, so the cleartext value is stored in the state, and protecting the state requires deploying a complex infrastructure. To simplify this, use Harp for secret provisioning and only reference the secret in the Terraform topology.
- You have a single secret value and are asking yourself how to generate a strong password: Harp has a template engine with secret value generation functions to produce such values.
- You have thousands of secrets to handle to deploy your platform/customers on multiple cloud providers with different secret storages: Harp helps you define consistent secret provisioning bundles and pipelines.
- You need an ephemeral secret storage to bootstrap your long-term cloud secret storage: Harp helps you create secret containers that can be consumed on deployment.
- You want to massively migrate your secrets from one secret storage to another: Harp provides a secret container to hold these secrets while they are distributed to other secret storage implementations.
- You need to alter/modify a secret (rotation/deprecation/renewal): Harp provides a GitOps-able, storage-agnostic operation set, so that you can write a specification describing how your secret operation is applied offline on the secret container.
harp lets you handle secrets using deterministic pipelines expressed as an atomic series of CLI operations applied to a commonly shared container: an immutable, standalone file used to store a secret collection (Bundle), generated from a template engine according to a user specification, or populated from external secret values coming from files or external secret storage.

These pipelines use the immutable container file as a data exchange protocol and can be extended with new inputs, intermediary operations or outputs via plugins created with the harp SDK.
Each applied transformation creates a new container holding the transformed data. This enforces container reproducibility by eliminating cumulative side effects on the same container.
The container handles the confidentiality and integrity protection of the secret collection stored inside it; the collection is manipulated by copy during pipeline execution.
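The following added Go example shows what "confidentiality and integrity protection", "manipulated by copy" and "applied offline on the secret container" look like in practice. It is not the project's own code and it is not Harp's container format: a bundle is sealed with AES-256-GCM, a pipeline step unseals it, works on a freshly decoded bundle and seals a new container, and a rotation step refuses unknown paths. The magic header, the JSON encoding, the raw 32-byte key, the function names and the sample path are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// magic tags a sealed container so a step never parses arbitrary bytes as one.
// The whole format here is hypothetical; it is not Harp's container encoding.
var magic = []byte("XCTR1")

// Bundle is the secret collection stored inside a container.
type Bundle map[string]string

// newAEAD refuses anything but a 32-byte key so the cipher is really AES-256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("container key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the bundle and protects it with AES-256-GCM under a fresh
// random nonce: ciphertext for confidentiality, tag for integrity, and the
// magic header bound as associated data so it cannot be swapped.
func Seal(key []byte, b Bundle) ([]byte, error) {
	plain, err := json.Marshal(b)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, magic...), nonce...)
	return aead.Seal(out, nonce, plain, magic), nil
}

// Unseal verifies the tag before a single byte of the payload is parsed and
// returns a new Bundle decoded from the plaintext (the input bytes are untouched).
func Unseal(key, container []byte) (Bundle, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(container) < len(magic)+n || string(container[:len(magic)]) != string(magic) {
		return nil, fmt.Errorf("not a sealed container")
	}
	rest := container[len(magic):]
	plain, err := aead.Open(nil, rest[:n], rest[n:], magic)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	var b Bundle
	if err := json.Unmarshal(plain, &b); err != nil {
		return nil, err
	}
	return b, nil
}

// Apply runs one pipeline step on the bundle decoded from the input container
// and seals the result into a new container; the input is never modified.
func Apply(key, in []byte, step func(Bundle) error) ([]byte, error) {
	work, err := Unseal(key, in)
	if err != nil {
		return nil, err
	}
	if err := step(work); err != nil {
		return nil, err
	}
	return Seal(key, work)
}

// Rotate expresses a rotation as a step; an unknown path is an error, not a
// silently created secret.
func Rotate(path, newValue string) func(Bundle) error {
	return func(b Bundle) error {
		if _, ok := b[path]; !ok {
			return fmt.Errorf("rotate: unknown path %q", path)
		}
		b[path] = newValue
		return nil
	}
}
```

Because Apply never writes to its input, re-running the same step against the same input container always yields the same bundle content (the ciphertext differs only by the fresh nonce), which is the reproducibility property the text describes. Two caveats a practitioner would keep in mind: the raw key passed here stands in for a key derived per container or wrapped by a KMS, and random 96-bit GCM nonces are fine for the handful of seals a pipeline performs but not for reusing one key across billions of containers.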
New to harp? Start with the onboarding tutorial.
TL;DR - Features overview
Harp provides:
- zntr.io/harp/v2/pkg/container;
- zntr.io/harp/v2/pkg/bundle;
- an on-steroid template engine exposed as zntr.io/harp/v2/pkg/template;
- zntr.io/harp/v2/pkg/cso.
And allows:
- a specification (BundleTemplate) to describe secrets and their usages;
Is it used internally at zntrio? - Yes. It is used to generate the bootstrap secrets needed to bring up new region infrastructure components. #ChickenEggProblem
Does Harp only support Vault? - No. It has been published with only Vault support built in, but it supports many other secret storage implementations via plugins.
What's the difference with Vault? - HashiCorp Vault is an encrypted, highly available K/V store with an advanced authorization engine; it doesn't handle secret provisioning for you. You can't ask Vault to generate secrets for your application and store them following a defined logic. Harp fills this gap.
harp artifacts and source code are released under the Apache 2.0 Software License.
Download a release or build from source.
$ git clone git@github.com:zntrio/harp.git
$ export HARP_REPOSITORY=$(pwd)/harp
Install nix on your system, if not already installed.
$ sudo install -d -m755 -o $(id -u) -g $(id -g) /nix
$ curl -L https://nixos.org/nix/install | sh
As with any installer piped from curl into a shell, download the script first and read it before running it.
More information? - https://nixos.wiki/wiki/Nix_Installation_Guide
$ cd $HARP_REPOSITORY
$ nix develop
Only the last two minor versions of a Go major release are supported.
Harp is compiled with :
$ go version
go version go1.21 linux/amd64
Simple go version manager - https://github.com/stefanmaric/g
Mage is an alternative to Make whose build files are written in Go. You can install it using two different methods.
# Install mage
git clone https://github.com/magefile/mage
cd mage
go run bootstrap.go
# Go to tools submodule
cd $HARP_REPOSITORY/tools
# Resolve dependencies
go mod tidy
go mod vendor
# Pull tools sources, compile them and install executable in tools/bin
mage
❯ mage -l
Targets:
api:generate protobuf objects from proto definitions.
build* harp executable.
code:format source code and process imports.
code:generate SDK code (mocks, tests, etc.)
code:licenser apply copyright banner to source code.
code:lint code using golangci-lint.
compile harp code to create an executable.
docker:harp build harp docker image
docker:tools prepares docker images with go toolchain and project tools.
homebrew generates homebrew formula from compiled artifacts.
release harp version and cross-compile code to produce all artifacts.
releaser:harp releases harp artifacts using docker pipeline.
test:cli Test harp application.
test:unit Test harp application.
* default target
You can find more Harp feature extensions - https://github.com/zntrio/harp-plugins
Here is the list of external projects used as inspiration: