vault-plugin-secrets-openstack

command module

v1.3.31 Latest Latest Go to latest Published: Oct 17, 2023 License: Apache-2.0 Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/opentelekomcloud/vault-plugin-secrets-openstack

README ¶

Vault Plugin: OpenStack Secrets Backend

This is a standalone backend plugin for use with Hashicorp Vault. This plugin generates revocable, time-limited Tokens and Users for OpenStack.

Quick Links

Getting Started

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to get started with Vault.

To learn specifically about how plugins work, see documentation on Vault plugins.

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

Download and decompress the latest plugin binary from the Releases tab on GitHub. Alternatively you can compile the plugin from source.

Move the compiled plugin into Vault's configured plugin_directory:

$ mv vault-plugin-secrets-openstack /etc/vault/plugins/vault-plugin-secrets-openstack

Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-plugin-secrets-openstack" | cut -d' ' -f1)

$ vault write sys/plugins/catalog/vault-plugin-secrets-openstack \
    sha_256="${SHA256}" \
    command="vault-plugin-secrets-openstack"

Success! Data written to: sys/plugins/catalog/vault-plugin-secrets-openstack

Mount secrets engine:

$ vault secrets enable \
    -path="openstack" \
    -plugin-name="vault-plugin-secrets-openstack" plugin

Success! Enabled the vault-plugin-secrets-openstack secrets engine at: openstack/

Usage Guideline.

Firstly you have to define an admin credentials in a cloud.
```
$ vault write /openstack/clouds/example-cloud auth_url=https://127.0.0.1/v3/ username=admin password=admin user_domain_name=mydomain
Success! Data written to: openstack/clouds/example-cloud
```
NOTE: In the cloud you can specify additional parameters such as username_template and password_policy in order to follow conventions and security policies defined in your OpenStack cloud.

After that you need to create a role for the cloud.

$ vault write /openstack/roles/example-role cloud=example-cloud project_name=myproject domain_name=mydomain user_roles="member" root=false
Success! Data written to: openstack/roles/example-role

Now you can easily create a temporary user/token pair.

$ vault read /openstack/creds/example-role

Key                Value
---                -----
lease_id           openstack/creds/example-role/v7I5mxix3iCpkdGYDelNmKdo
lease_duration     24h
lease_renewable    false
auth               map[auth_url:https://127.0.0.1/v3/ project_domain_name:mydomain project_name:myproject token:MIIF-QYJKoZIhvcNAQcCoIIF7jCCBeoCAQExDTALBglghkgBZQMEAgEwggOCBgkqhkiG9w0BBwGgggNzBIIDb3sidG
9rZW4iOnsiZXhwaXJlc19hdCI6IjIwMjItMDUtMjRUMTc6MTU6NDQuNTI4MDAwWiIsIm1ldGhvZHMiOlsicGFzc3dvcmQiXSwiY2F0YWxvZyI6W10sInJvbGVzIjpbeyJuYW1lIjoic2VydmVyX2FkbSIsImlkIjoiMCJ9LHsibmFtZSI6InRlX2FkbWluIiwiaWQiOiIwIn0seyJuYW1lIjoib3BfZ2F0ZWRfY2
NlX3N3aXRjaCIsImlkIjoiMCJ9LHsibmFtZSIwiaWQiOiIwIn1dLCJwcm9qZWN0Ijp7ImRvbWFpbiI6eyJ4ZG9tYWluX3R5cGUiOiJUU0kiLCJuYW1lIjoiT1RDMDAwMDAwMDAwMDEwMDAwMDA0NDciLCJpZCI6ImZhZjcyZTg1MWMxZTQ4MzE5Mjk2ZjE4MTgxOGYxNzZhIiwieGRvbWFpbl9pZCI6IjAwMD
AwMDAwMDAxMDAwMDAwNDQ3In0sIm5hbWUiOiJlCwYDVQQHDARCb25uMRwwGgYDVQQKDBNEZXV0c2NoZSBUZWxla29tIEFHMTcwNQYDVQQLDC5ULVN5c3RlbXMgUFUgUHVibGljIENsb3VkIC0gT3BlbiBUZWxla29tIENsb3VkMRMwEQYDVQQDDApjYS5pYW0ucGtpAg
kAi0NlULiz2iIwCwYJYIZIAWUDBAIBMA0GCSqGSIb3DQEBAQUABIIBgBtmvHm0ChAl0kppzoaVJgYSovI0ujP6Srk7sDrDVO7auks+dQ-D1yb4Xh398mn1VNs0i4e98Bp-AQnwb3N-uZcUnbNHAUg2uRUoWUBmVs8oXszkGJYRK6Kf+BgGE5GqS4KgE2e8ob96xPGRQ5WdKMjYzb9nAz37sUsvy-jz70anyhKoWW
B55kYVDyCn4JYh7-ivKrfaHdNY9GSebskw0zqAeMr2Lr4DZyZcr6mor88p1MnT+kz028qcxkrHBKiHQ0wt8YWUfAFD7RV-b97ZkBBSeEMs3ai1zMbYWXtIzztAWZLn52l+vstKiae8hXoE4HIpkMOD+fTyj2z6gN7X6xfvfBIZC2mSOQ2PAiTls2JTrcDVEo3eCI1vgvKrFdY52yDGmb3lHBITPPya0ztvjFrdNv59Gdx8-rxf1fr1htXRhyaMOBiaPDGVkUtjwqC9Zjm3fve5Z5A6UQurBm8xDjtRWjnFB5kAQ708adpCUHJAdxand3Mf-Md4UysLVSf4Ug==]
auth_type          token

Developing

If you wish to work on this plugin, you'll first need Go installed on your machine (version 1.17+ is required).

For local dev first make sure Go is properly installed, including setting up a GOPATH. Next, clone this repository into $GOPATH/src/github.com/opentelekomcloud/vault-plugin-secrets-openstack.

To compile a development version of this plugin, run make and make install commands. This will put the plugin binary in the bin and $GOPATH/bin folders accordingly.

$ make
$ make install

Put the plugin binary into a location of your choice. This directory should be specified as the plugin_directory in the Vault config used to start the server.

...
plugin_directory = "path/to/plugin/directory"
...

Start a Vault server with this config file:

$ vault server -dev -dev-root-token-id=root -config=path/to/config.json

Once the server is started, register the plugin in the Vault server's plugin catalog:

$ vault write sys/plugins/catalog/vault-plugin-secrets-openstack \
        sha256=<expected SHA256 Hex value of the plugin binary> \
        command="vault-plugin-secrets-openstack"

Success! Data written to: sys/plugins/catalog/vault-plugin-secrets-openstack

Note you should generate a new sha256 checksum if you have made changes to the plugin. Example using openssl:

openssl dgst -sha256 $GOPATH/vault-plugin-secrets-openstack
...
SHA256(.../go/bin/vault-plugin-secrets-openstack)=896c13c0f2305daed381912a128322e02bc28a57d0c862a78cbc2ea66e8c6fa1

Enable the secrets' plugin backend using the secrets enable plugin command:

$ vault secrets enable -path=openstack -plugin-name=vault-plugin-secrets-openstack plugin
...
Successfully enabled the plugin-secrets-openstack secrets engine at: openstack/!

Tests

If you are developing this plugin and want to verify it is still functioning (and you haven't broken anything else), we recommend running the tests.

To run the tests, invoke make test:

$ make test

Acceptance Tests

Acceptance tests requires admin privileges in an OpenStack cloud.

$ export OS_CLIENT_CONFIG_FILE=<clouds.yaml path>
$ export OS_CLOUD=<cloud name>
$ make functional

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
openstack
common
fixtures
vars Package vars contains variables defined during the build	Package vars contains variables defined during the build

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL