Crates.io | vault_client |
lib.rs | vault_client |
version | 0.3.2 |
source | src |
created_at | 2018-05-09 16:44:02.465494 |
updated_at | 2018-08-28 12:51:53.069511 |
description | A client library for HashiCorp Vault |
homepage | |
repository | https://github.com/Metaswitch/vault-client |
max_upload_size | |
id | 64570 |
size | 73,978 |
vault-client is a native client library for HashiCorp Vault written in Rust. It is an alternative to hashicorp_vault, a less featured client that covers a broader range of the Vault API.
It uses an autogenerated client library for talking to the Vault API. vault-client then talks to the Vault server to keep its own authentication up to date, as well as keeping any secrets it has previously issued up to date. All secrets issued are cached, so that the vault-client can continue providing limited service if the Vault server goes down.
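The cache-and-renew behaviour this paragraph describes, as an added example that is not the crate's own code: a small lease cache in Rust with a scripted stand-in for the Vault server, showing how a client keeps serving a cached secret while Vault is unreachable and stops once the original lease has run out. The Lease, SecretCache, ScriptedBackend and Served types, and the rule of renewing at two thirds of the lease, are assumptions made for this example, not vault-client's API.

```rust
use std::collections::HashMap;

/// A secret issued by Vault together with its lease (constructed model,
/// not the crate's own types): when it was issued and how long it lasts.
#[derive(Clone, Debug, PartialEq)]
pub struct Lease {
    pub value: String,
    pub issued_at: u64, // seconds on a monotonic clock
    pub ttl: u64,       // lease duration in seconds
}

impl Lease {
    pub fn expires_at(&self) -> u64 {
        self.issued_at + self.ttl
    }

    /// Renewal policy (assumption): ask Vault again once two thirds of the
    /// lease has elapsed, so an outage still leaves a third of it to ride out.
    pub fn needs_renewal(&self, now: u64) -> bool {
        now >= self.issued_at + self.ttl * 2 / 3
    }

    pub fn is_expired(&self, now: u64) -> bool {
        now >= self.expires_at()
    }
}

/// What the Vault server answered when asked for a secret.
pub enum Fetch {
    Issued(Lease),
    Unavailable,
}

/// Abstraction over the HTTP call to the Vault API, so the caching logic
/// can be exercised without a server.
pub trait Backend {
    fn issue(&mut self, path: &str, now: u64) -> Fetch;
}

/// What the cache hands back to the application.
#[derive(Debug, PartialEq)]
pub enum Served {
    /// Within its lease and not yet due for renewal, or freshly issued.
    Fresh(String),
    /// Vault is unreachable; past the renewal point but not yet expired.
    Stale(String),
    /// Vault is unreachable and the cached value has expired (or never existed).
    Unavailable,
}

pub struct SecretCache<B: Backend> {
    pub backend: B,
    secrets: HashMap<String, Lease>,
}

impl<B: Backend> SecretCache<B> {
    pub fn new(backend: B) -> Self {
        SecretCache { backend, secrets: HashMap::new() }
    }

    pub fn get(&mut self, path: &str, now: u64) -> Served {
        // Not yet due for renewal: serve from cache without a network call.
        if let Some(lease) = self.secrets.get(path) {
            if !lease.needs_renewal(now) {
                return Served::Fresh(lease.value.clone());
            }
        }
        // Due for (re)issue: ask Vault, and fall back to the cached copy
        // only while it is still inside its original lease.
        match self.backend.issue(path, now) {
            Fetch::Issued(lease) => {
                let value = lease.value.clone();
                self.secrets.insert(path.to_string(), lease);
                Served::Fresh(value)
            }
            Fetch::Unavailable => match self.secrets.get(path) {
                Some(lease) if !lease.is_expired(now) => Served::Stale(lease.value.clone()),
                _ => Served::Unavailable,
            },
        }
    }
}

/// Stand-in for the Vault server (constructed for this example): issues
/// numbered certificates with a fixed TTL and can be switched off to
/// simulate an outage.
pub struct ScriptedBackend {
    pub down: bool,
    pub issued: u32,
    pub ttl: u64,
}

impl Backend for ScriptedBackend {
    fn issue(&mut self, _path: &str, now: u64) -> Fetch {
        if self.down {
            return Fetch::Unavailable;
        }
        self.issued += 1;
        Fetch::Issued(Lease { value: format!("cert-{}", self.issued), issued_at: now, ttl: self.ttl })
    }
}

fn main() {
    let mut cache = SecretCache::new(ScriptedBackend { down: false, issued: 0, ttl: 300 });
    let path = "pki/issue/metaswitch"; // role path from the README's PKI setup
    for &t in &[0u64, 100, 200] {
        println!("t={:>3}: {:?}", t, cache.get(path, t));
    }
    cache.backend.down = true; // Vault goes away
    for &t in &[300u64, 400, 500] {
        println!("t={:>3}: {:?}", t, cache.get(path, t));
    }
}
```

With a 300-second lease the run shows a fresh issue at t=0, a cache hit at t=100, a renewal to a second certificate at t=200, then, with the server down, a fresh hit at t=300, a stale copy at t=400 and nothing at t=500. The point of bounding stale service by the original lease is that the client never hands out a certificate past its own expiry, whatever the server's state.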
At the moment, the token authentication backend and PKI secret backend are the only back-ends supported. However, vault-client is designed to be readily extensible - contributions of support for other backends are very welcome.
This crate has vault-api as a dependency, which provides a thin autogenerated client for the Vault API.
To add support for a new section of the Vault API, update the swagger specification to include the new endpoints. Then run make, checking the results in.
The CI pipeline for this crate will attempt to perform rustfmt, and will fail if it finds any differences. To avoid this, make sure to run ./run-in-docker.sh make rustfmt before committing. (The reason for running in docker is to ensure that you use the same version of rustfmt as the CI pipeline.)
To run a local Vault server, follow these instructions:

1. Generate the necessary SSL certificates (see test/certificates). To use them, run echo 000a > certificates/serialfile, then touch certificates/certindex. Then run sudo update-ca-trust enable, copy certificates/root.cer to /etc/pki/ca-trust/source/anchors/ca.crt, and then run sudo update-ca-trust extract.

2. Run vault: vault server -config=vault.config. See the vault.config file in this directory for example configuration.
Now we're going to configure the Vault further. Set up some environment variables, which allow you to use the Vault CLI as a client of the Vault server. This can either be run from the Vault Server VM itself, or from elsewhere:
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_CACERT="certificates/root.cer"
Note that the address used must agree with the Common Name (CN) of the Vault's certificate. This may mean that you can't talk to the Vault server over 127.0.0.1, depending on the certificate.
Run vault init and:
export VAULT_TOKEN="<initial root token, or a new one that you created from that>"
Then run vault unseal three times (one for each key).
Mount the PKI backend. See docs or follow the instructions below.
vault mount pki
vault mount-tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal common_name=<this server's hostname/IP> ttl=87600h
vault write pki/config/urls issuing_certificates="https://<this server's IP>:8200/v1/pki/ca" crl_distribution_points="https://<this server's IP>:8200/v1/pki/crl"
vault write pki/roles/metaswitch allow_any_name="true" max_ttl="720h"
vault write pki/issue/metaswitch common_name=blah.example.com