This secrets engine renews and revokes JSON Web Tokens (JWTs)
for the HashiCorp demo application. It is shared here as
supporting content for the Define Roles for the Secrets Engine tutorial.
Prerequisites
Target API with CRUD capabilities for secrets.
Golang 1.16+
Docker & Docker Compose 20.10+
Terraform 1.0+
Google Cloud Platform
Install
Run go mod init.
Build the secrets engine into a plugin using Go.
$ go build -o vault/plugins/vault-plugin-secrets-hashicups cmd/vault-plugin-secrets-hashicups/main.go
You can find the binary in vault/plugins/.
$ ls vault/plugins/
Run a Vault server in dev mode to register and try out the plugin.
$ vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins
Start the HashiCorp Demo Application
The HashiCorp Demo Application
includes a set of services that run
an online coffee store. In this demo, we use two of these services:
A products database, which stores information about coffee and
user logins.
A products API, which returns information about coffee and ingredients,
and handles user logins.
Go to the terraform directory. It includes configuration files
to create a Kubernetes cluster.
cd terraform && terraform init && terraform apply
Start the HashiCorp Demo Application in Kubernetes.
kubectl apply -f kubernetes/
You should see two deployments running.
$ kubectl get deployments
NAME READY UP-TO-DATE AVAILABLE AGE
postgres 1/1 1 1 91s
product-api 1/1 1 1 90s
You can access the products API
on http://$(kubectl get service product-api -o jsonpath="{.status.loadBalancer.ingress[*].ip}"):9090.
We'll be using specific API endpoints related to user
logins in the products API.
| PATH | METHOD | DESCRIPTION | HEADER | REQUEST | RESPONSE |
|---|---|---|---|---|---|
| /signup | POST | Create a new user with a password. | | `{"username": "user", "password": "pass"}` | `{"UserID":1,"Username":"user","token":"<JWT>"}` |
| /signin | POST | Sign in an existing user and return an API token in the form of a JWT | | | |
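The `/signin` response above hands the caller a JWT, and this secrets engine exists to renew and revoke such tokens. As an added example (not code from the HashiCups plugin or the demo application), the Go program below shows the checks a consumer should run before trusting one of these tokens: a pinned algorithm (which also rejects `alg=none`), a constant-time HMAC comparison, and an `exp` check, in that order. The product API's real signing algorithm, key and claim set are not documented on this page; HS256, a `sub`/`exp` payload and the secret value are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// joseHeader is the JWT header shape assumed for the product API's tokens.
type joseHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// claims is the payload shape assumed here; the page does not document the
// demo API's real claim set.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// JWT segments use base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// sign computes the HS256 tag over the "header.payload" signing input.
func sign(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// mintJWT issues an HS256 token; it stands in for what /signin returns.
func mintJWT(secret []byte, sub string, exp time.Time) string {
	h, _ := json.Marshal(joseHeader{Alg: "HS256", Typ: "JWT"})
	p, _ := json.Marshal(claims{Sub: sub, Exp: exp.Unix()})
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return signingInput + "." + b64.EncodeToString(sign(secret, signingInput))
}

// verifyJWT returns the claims only after the token has passed, in order,
// the structure, pinned-algorithm, signature and expiry checks.
func verifyJWT(secret []byte, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three dot-separated segments")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jwt: header: %w", err)
	}
	var h joseHeader
	if err := json.Unmarshal(rawHeader, &h); err != nil {
		return nil, fmt.Errorf("jwt: header: %w", err)
	}
	// The verifier, not the token, decides the algorithm; this rejects alg=none too.
	if h.Alg != "HS256" {
		return nil, fmt.Errorf("jwt: unsupported alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jwt: signature: %w", err)
	}
	// hmac.Equal compares in constant time, so the check leaks no timing.
	if !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("jwt: signature mismatch")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, fmt.Errorf("jwt: payload: %w", err)
	}
	// A token without exp would never expire; treat that as invalid as well.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("jwt: token expired or missing exp")
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // placeholder, not the demo app's key
	now := time.Date(2021, 6, 1, 12, 0, 0, 0, time.UTC)
	tok := mintJWT(secret, "user", now.Add(time.Hour))
	if c, err := verifyJWT(secret, tok, now); err == nil {
		fmt.Printf("valid token for %s, expires at %d\n", c.Sub, c.Exp)
	}
	// Same payload, header rewritten to alg=none and signature dropped.
	forged := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(tok, ".")[1] + "."
	_, err := verifyJWT(secret, forged, now)
	fmt.Println("forged token:", err)
}
```

Run it with `go run .`; the first token verifies and the forged one is rejected at the algorithm check before its claims are ever decoded. Checking the signature before parsing the payload matters: nothing inside an unverified token, including its `exp`, should influence the verifier.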