vault-plugin-secrets-tendermint

This secrets engine renews and revokes JSON Web Tokens (JWTs) for the HashiCorp demo application.

Prerequisites

  1. Target API with CRUD capabilities for secrets.
  2. Golang 1.16+
  3. Docker & Docker Compose 20.10+
  4. Terraform 1.0+
  5. Google Cloud Platform

Install

  1. Run go mod init.

  2. Build the secrets engine into a plugin using Go.

    $ go build -o vault/plugins/vault-plugin-secrets-hashicups cmd/vault-plugin-secrets-hashicups/main.go
  3. You can find the binary in vault/plugins/.

    $ ls vault/plugins/
  4. Run a Vault server in dev mode to register and try out the plugin. Dev mode keeps all state in memory, starts unsealed, and uses the fixed root token given on the command line, so use it for local experiments only, never for a real deployment.

    $ vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins

Start the HashiCorp Demo Application

The HashiCorp Demo Application includes a set of services that run an online coffee store. In this demo, we use two of these services:

  • A products database, which stores information about coffee and user logins.
  • A products API, which returns information about coffee and ingredients, and handles user logins.

  1. Go to the terraform directory. It includes configuration files to create a Kubernetes cluster.

    cd terraform && terraform init && terraform apply
  2. Start the HashiCorp Demo Application in Kubernetes.

    kubectl apply -f kubernetes/
  3. You should now have two deployments, each with one pod ready.

    $ kubectl get deployments
    
    NAME          READY   UP-TO-DATE   AVAILABLE   AGE
    postgres      1/1     1            1           91s
    product-api   1/1     1            1           90s

You can access the products API on http://$(kubectl get service product-api -o jsonpath="{.status.loadBalancer.ingress[*].ip}"):9090.

We will be using the endpoints of the products API that deal with user logins. All three are POST requests; /signup and /signin take a JSON body, while /signout takes the JWT in the Authorization header.

  POST /signup
    Description: Create a new user with a password.
    Request:     {"username": "user", "password": "pass"}
    Response:    {"UserID":1,"Username":"user","token":"<JWT>"}

  POST /signin
    Description: Sign in an existing user and return an API token in the form of a JWT.
    Request:     {"username": "user", "password": "pass"}
    Response:    {"UserID":1,"Username":"user","token":"<JWT>"}

  POST /signout
    Description: Sign out a user based on their API token.
    Header:      Authorization: <JWT>
    Response:    Signed out user
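The three endpoints above driven from Go, as an added example that is not code from this repository or from the HashiCorp demo application: a small client that posts the credentials, refuses a 200 reply that carries no token, and sends the bare JWT in the Authorization header for /signout exactly as the table shows (no "Bearer " prefix). So that it runs offline, the block also contains a constructed stand-in for the products API (NewFakeProductsAPI, an assumption of this example rather than the real service) that hands out opaque tokens instead of JWTs and forgets a token on /signout, which is the behaviour the secrets engine's revoke path depends on: a token that has been signed out must be rejected if it is presented again.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Client drives the /signup, /signin and /signout endpoints of the products API.
type Client struct{ BaseURL string }
// AuthResponse mirrors the {"UserID":..,"Username":..,"token":..} reply.
type AuthResponse struct {
	UserID   int    `json:"UserID"`
	Username string `json:"Username"`
	Token    string `json:"token"`
}
// Auth covers /signup and /signin: both take the same body and return the same reply.
func (c *Client) Auth(path, user, pass string) (*AuthResponse, error) {
	var out AuthResponse
	body, _ := json.Marshal(map[string]string{"username": user, "password": pass})
	resp, err := http.Post(c.BaseURL+path, "application/json", bytes.NewReader(body))
	if err != nil {
		return &out, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return &out, fmt.Errorf("%s: status %d", path, resp.StatusCode)
	} else if err = json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return &out, err
	} else if out.Token == "" { // a 200 without a token is useless to a secrets engine
		return &out, fmt.Errorf("%s: reply carried no token", path)
	}
	return &out, nil
}

// SignOut revokes the token server-side; the API answers "Signed out user".
func (c *Client) SignOut(token string) error {
	req, _ := http.NewRequest(http.MethodPost, c.BaseURL+"/signout", nil)
	req.Header.Set("Authorization", token) // bare JWT, no "Bearer " prefix, per the table
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	reply, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK || string(bytes.TrimSpace(reply)) != "Signed out user" {
		return fmt.Errorf("/signout: status %d, body %q", resp.StatusCode, reply)
	}
	return nil
}

// NewFakeProductsAPI is a constructed stand-in for the products API so the client
// runs offline. It issues opaque tokens instead of JWTs and forgets a token on
// /signout, so a revoked token presented again gets a 401.
func NewFakeProductsAPI() *httptest.Server {
	var mu sync.Mutex
	passwords, ids, live, seq := map[string]string{}, map[string]int{}, map[string]bool{}, 0
	login := func(w http.ResponseWriter, r *http.Request) {
		var c struct{ Username, Password string } // encoding/json matches keys case-insensitively
		json.NewDecoder(r.Body).Decode(&c)
		mu.Lock()
		defer mu.Unlock()
		pw, known := passwords[c.Username]
		if r.URL.Path == "/signup" && !known && c.Username != "" {
			passwords[c.Username], ids[c.Username] = c.Password, len(ids)+1
		} else if r.URL.Path == "/signup" || !known || pw != c.Password { // plaintext compare: fake only
			http.Error(w, "rejected", http.StatusUnauthorized)
			return
		}
		seq++
		tok := fmt.Sprintf("tok-%d-%s", seq, c.Username) // opaque stand-in for a JWT
		live[tok] = true
		json.NewEncoder(w).Encode(AuthResponse{ids[c.Username], c.Username, tok})
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/signup", login)
	mux.HandleFunc("/signin", login)
	mux.HandleFunc("/signout", func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		if tok := r.Header.Get("Authorization"); live[tok] {
			delete(live, tok) // revoke: the same token cannot sign out twice
			fmt.Fprint(w, "Signed out user")
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeProductsAPI()
	c := &Client{BaseURL: srv.URL}
	in, err := c.Auth("/signup", "user", "pass")
	fmt.Println(in, err, c.SignOut(in.Token), c.SignOut(in.Token))
}
```

Running it prints the signup reply, a nil error for the first SignOut and a "/signout: status 401" error for the second, which is the check a secrets engine should make before treating a revoke as done. To point the client at the real demo application instead, set BaseURL to the http://<load balancer ip>:9090 address from the previous section and skip NewFakeProductsAPI.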
