This secrets engine renews and revokes JSON Web Tokens (JWTs) for the HashiCorp demo application. It is shared here as supporting content for the Define Roles for the Secrets Engine tutorial.
- Target API with CRUD capabilities for secrets.
- Golang 1.16+
- Docker & Docker Compose 20.10+
- Terraform 1.0+
- Google Cloud Platform
- Run `go mod init`.
- Build the secrets engine into a plugin using Go.

  ```shell
  $ go build -o vault/plugins/vault-plugin-secrets-hashicups cmd/vault-plugin-secrets-hashicups/main.go
  ```
- You can find the binary in `vault/plugins/`.

  ```shell
  $ ls vault/plugins/
  ```
- Run a Vault server in `dev` mode to register and try out the plugin.

  ```shell
  $ vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins
  ```
The HashiCorp Demo Application includes a set of services that run an online coffee store. In this demo, we use two of these services:
- A products database, which stores information about coffee and user logins.
- A products API, which returns information about coffee and ingredients, and handles user logins.
- Go to the `terraform` directory. It includes configuration files to create a Kubernetes cluster.

  ```shell
  $ cd terraform && terraform init && terraform apply
  ```
- Start the HashiCorp Demo Application in Kubernetes.

  ```shell
  $ kubectl apply -f kubernetes/
  ```
- You should have started two containers.

  ```shell
  $ kubectl get deployments
  NAME          READY   UP-TO-DATE   AVAILABLE   AGE
  postgres      1/1     1            1           91s
  product-api   1/1     1            1           90s
  ```

You can access the products API on `http://$(kubectl get service product-api -o jsonpath="{.status.loadBalancer.ingress[*].ip}"):9090`.
We'll be using specific API endpoints related to user logins in the products API.

| PATH | METHOD | DESCRIPTION | HEADER | REQUEST | RESPONSE |
|---|---|---|---|---|---|
| /signup | POST | Create a new user with a password. | | `{"username": "user", "password": "pass"}` | `{"UserID":1,"Username":"user","token":"<JWT>"}` |
| /signin | POST | Sign in an existing user and return an API token in the form of a JWT. | | `{"username": "user", "password": "pass"}` | `{"UserID":1,"Username":"user","token":"<JWT>"}` |
| /signout | POST | Sign out a user based on their API token. | `Authorization: <JWT>` | | Signed out user |
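The three endpoints in the table, exercised end to end in Go. This is an added example, not code from the vault-plugin-secrets-hashicups repository or from the HashiCups products API: `Authenticate` and `SignOut` send exactly the bodies and header shown above, and `newFakeAPI` is a constructed in-process stand-in for the products API (it issues opaque placeholder tokens, not real JWTs) so the example runs offline. The fake also enforces the property a revocation workflow relies on, namely that a token which has been signed out is refused afterwards; that behaviour is an assumption of the fake, not something the table states about the real API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Credentials and AuthResponse mirror the /signup and /signin bodies in the API table.
type Credentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}
type AuthResponse struct {
	UserID   int    `json:"UserID"`
	Username string `json:"Username"`
	Token    string `json:"token"`
}

// Authenticate posts credentials to path (/signup or /signin) under base; any status other than 200 is an error.
func Authenticate(base, path, user, pass string) (*AuthResponse, error) {
	body, _ := json.Marshal(Credentials{Username: user, Password: pass}) // two strings: cannot fail
	resp, err := http.Post(base+path, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: status %d", path, resp.StatusCode)
	}
	var out AuthResponse
	return &out, json.NewDecoder(resp.Body).Decode(&out)
}

// SignOut sends the bare JWT as the Authorization value (no "Bearer " prefix, as in the API table).
func SignOut(base, token string) error {
	req, err := http.NewRequest(http.MethodPost, base+"/signout", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("/signout: status %d", resp.StatusCode)
	}
	return nil
}

// newFakeAPI is a constructed in-process stand-in for the products API so the example
// runs offline: it issues opaque placeholder tokens (not real JWTs), checks passwords on
// sign-in, refuses a token once it has been signed out, and assumes one request at a time.
func newFakeAPI() *httptest.Server {
	ids, passwords, live, seq := map[string]int{}, map[string]string{}, map[string]bool{}, 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/signout" {
			tok := r.Header.Get("Authorization")
			if !live[tok] {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			delete(live, tok) // a signed-out token must never be accepted again
			fmt.Fprint(w, "Signed out user")
			return
		}
		var c Credentials
		if json.NewDecoder(r.Body).Decode(&c) != nil || c.Username == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if r.URL.Path == "/signup" && ids[c.Username] == 0 {
			ids[c.Username], passwords[c.Username] = len(ids)+1, c.Password
		} else if ids[c.Username] == 0 || passwords[c.Username] != c.Password {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		seq++
		tok := fmt.Sprintf("placeholder-jwt-%d", seq)
		live[tok] = true
		json.NewEncoder(w).Encode(AuthResponse{UserID: ids[c.Username], Username: c.Username, Token: tok})
	}))
}

func main() {
	srv := newFakeAPI()
	defer srv.Close()
	Authenticate(srv.URL, "/signup", "user", "pass")
	in, err := Authenticate(srv.URL, "/signin", "user", "pass")
	if err != nil {
		panic(err)
	}
	fmt.Println("sign-out:", SignOut(srv.URL, in.Token))          // <nil>
	fmt.Println("replayed sign-out:", SignOut(srv.URL, in.Token)) // /signout: status 401
}
```

To run the same client against a real deployment, pass the products API address from the `kubectl get service` command above as `base` instead of `srv.URL`; the request shapes do not change.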