-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HashiCorp Vault feature #613
Conversation
great feature, looking forward to see this PR reviewed and merged |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a fantastic addition. Well done.
It looks like this is pulling in an old version of It also looks like there's a PR open to update Is the |
let's see if I get PR merged |
"hashicorp_vault" dependency is replaced with "ureq" - A simple, safe HTTP client. |
@soleinik-figment thanks, that eliminates the concern with the unmaintained dependency. I'll try to look at this in-depth soon. |
@tony-iqlusion is there anything that I can help with to get this PR merged? |
@soleinik-figment would be great to have TLS support for production systems. |
@helder-moreira configuring api_endpoint configuration property with https |
But a CA certificate is required. I have done it here. |
#[derive(Clone, Deserialize, Debug)] | ||
#[serde(deny_unknown_fields)] | ||
/// Hashicorp Vault signer configuration | ||
pub struct HashiCorpConfig { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to let the access_token
to be read from the file, for instance:
tmkms/src/config/provider/yubihsm.rs
Line 57 in ed24642
pub enum AuthConfig { |
@soleinik-figment are you still interested in landing this, and if so, can you rebase? |
(if no one is interested I am willing to rebase this) I think this is great feature |
Go ahead Mateusz... I wont be able to work on this |
I also think this is a great feature. I tried to do it myself but I don't know Rust enough. This was actually my first contact with Rust. I have a variation of this branch here if it helps somehow. Its the one we are using. It adds the option to specify a CA certificate, and replaces There are two additional things that I think would be a plus:
@mkaczanowski let me know if I can be of any help. |
okay, I'll rebase and add the feature to read access token from disk later this week |
thanks @helder-moreira I will definitely take a look |
(fyi) I have a rebased, cleaned up branch with integration tests here: (still WIP, as I am testing it out to address the connection issues) |
Closing in favor of #840 |
In brief
This change adds support for HashiCorp Vault, Transit Engine.
Currently there are few signing providers available - HSMs, SaaS and softsign. This change will add support for HashiCorp Vault - an identity-based secrets and encryption management system
What's the usecase?
Vault provides Encryption as a Service (EaaS) to enable security teams to fortify data during transit and at rest. So even if an intrusion occurs, your data is encrypted and the attacker would never get a hold of the raw data. In addition, Vault provides networked access, software based general purpose secure storage for any sensitive information, such as keys, password or certificates.