secretsengine

package module
v0.4.2 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 15, 2024 License: MPL-2.0 Imports: 8 Imported by: 0

README

vault-plugin-secrets-hashicups

This secrets engine renews and revokes JSON Web Tokens (JWTs) for the HashiCorp demo application. It is shared here as supporting content for the Define Roles for the Secrets Engine tutorial.

Prerequisites

  1. Target API with CRUD capabilities for secrets.
  2. Golang 1.16+
  3. Docker & Docker Compose 20.10+
  4. Terraform 1.0+
  5. Google Cloud Platform

Install

  1. Run go mod init.

  2. Build the secrets engine into a plugin using Go.

    $ go build -o vault/plugins/vault-plugin-secrets-hashicups cmd/vault-plugin-secrets-hashicups/main.go
    
  3. You can find the binary in vault/plugins/.

    $ ls vault/plugins/
    
  4. Run a Vault server in dev mode to register and try out the plugin.

    $ vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins
    

Start the HashiCorp Demo Application

The HashiCorp Demo Application includes a set of services that run an online coffee store. In this demo, we use two of these services:

  • A products database, which stores information about coffee and user logins.
  • A products API, which returns information about coffee and ingredients, and handles user logins.

  1. Go to the terraform directory. It includes configuration files to create a Kubernetes cluster.

    $ cd terraform && terraform init && terraform apply
    
  2. Start the HashiCorp Demo Application in Kubernetes.

    $ kubectl apply -f kubernetes/
    
  3. You should have started two containers.

    $ kubectl get deployments
    
    NAME          READY   UP-TO-DATE   AVAILABLE   AGE
    postgres      1/1     1            1           91s
    product-api   1/1     1            1           90s
    

You can access the products API on http://$(kubectl get service product-api -o jsonpath="{.status.loadBalancer.ingress[*].ip}"):9090.

We'll be using specific API endpoints related to user logins in the products API.

| PATH | METHOD | DESCRIPTION | HEADER | REQUEST | RESPONSE |
|---|---|---|---|---|---|
| /signup | POST | Create a new user with a password. | | `{"username": "user", "password": "pass"}` | `{"UserID":1,"Username":"user","token":"<JWT>"}` |
| /signin | POST | Sign in an existing user and return an API token in the form of a JWT | | `{"username": "user", "password": "pass"}` | `{"UserID":1,"Username":"user","token":"<JWT>"}` |
| /signout | POST | Sign out a user based on their API token | `Authorization:<JWT>` | | Signed out user |
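
The /signin and /signout calls listed above, written as a small Go client of the kind a secrets engine needs in order to issue a token and later revoke it. This is an added example, not code from this repository; the function names `signIn` and `signOut`, the in-process stub server and the value `sample.jwt` are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// signIn exchanges credentials for a JWT via POST /signin.
func signIn(base, user, pass string) (string, error) {
	creds, _ := json.Marshal(map[string]string{"username": user, "password": pass})
	resp, err := http.Post(base+"/signin", "application/json", bytes.NewReader(creds))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Token string `json:"token"` }
	if json.NewDecoder(resp.Body).Decode(&out) != nil || resp.StatusCode != http.StatusOK || out.Token == "" {
		return "", fmt.Errorf("signin: status %s, no usable token returned", resp.Status)
	}
	return out.Token, nil
}

// signOut revokes a JWT via POST /signout; the header carries the bare token.
func signOut(base, token string) error {
	req, err := http.NewRequest(http.MethodPost, base+"/signout", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("signout: status %s", resp.Status)
	}
	return nil
}

func main() { // demo against a constructed in-process stub, not the real API
	h := func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `{"token":"sample.jwt"}`) }
	srv := httptest.NewServer(http.HandlerFunc(h))
	defer srv.Close()
	tok, err := signIn(srv.URL, "user", "pass")
	fmt.Println(tok, err, signOut(srv.URL, tok))
}
```

Treating any non-200 reply from /signout as an error matters for revocation: a caller that ignores it would record a token as revoked while the API still accepts it.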

Additional references:

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func Factory

func Factory(version string) logical.Factory

Factory returns a new backend as logical.Backend

Types

This section is empty.

Directories

Path Synopsis
cmd
