Skip to content

mywordpress-io/caddy-vault-storage

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

bin

bin

 
 

localdev

localdev

 
 

.gitignore

.gitignore

 
 

Caddyfile.example

Caddyfile.example

 
 

Caddyfile.json

Caddyfile.json

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

main_suite_test.go

main_suite_test.go

 
 

main_test.go

main_test.go

 
 

Repository files navigation

caddy-vault-storage

This is a Storage backend for Caddy (CertMagic) which allows storing of TLS certificates managed by Caddy in HashiCorp's Vault.

This plugin can be pulled in via Caddy's build system--to review the CertMagic Storage implementation, review the associated repo here: https://github.com/mywordpress-io/certmagic-vault-storage

Usage

Build

Build Caddy using xcaddy with the vault storage plugins:

  • xcaddy build --output bin/caddy --with github.com/mywordpress-io/caddy-vault-storage@<tag> --with github.com/mywordpress-io/certmagic-vault-storage@<tag>

Config

Once built, use the following config block to communicate with Vault:

vault <address> {
    token <value>

    approle_login_path <value>
    approle_logout_path <value>
    approle_role_id <value>
    approle_secret_id <value>

    secrets_path <value>
    path_prefix <value>

    insecure_skip_verify <value>

    lock_timeout <value>
    lock_polling_interval <value>
}

For more information, review Caddyfile.example and Caddyfile.json.

Either 'address' + 'token' -OR- 'address' + 'approle_role_id'+'approle_secret_id' settings are required:

  • If using 'approle' authentication, short-lived tokens are managed on the fly.
  • If using 'token' authentication, management of the token (renewal, revocation, etc.) is up to the caller.
Name Type Required? Description Default
address url yes Vault address URL -
token string conditionally Vault static Token to authenticate (this or approle_role_id+approle_secret_id are required) -
approle_login_path string no Login path for approle authentication auth/approle/login
approle_logout_path string no Logout path for approle authentication auth/token/revoke-self
approle_role_id string conditionally Approle RoleID value for authentication (required if 'token' empty) -
approle_secret_id string conditionally Approle SecretID value for authentication (required if 'token' empty) -
secrets_path string yes Base path to secrets (KV-V2) mount in Vault -
path_prefix string no Prefix path in the KV-V2 mount in Vault -
insecure_skip_verify bool no Disable verification of TLS certificate when communicating with Vault false
lock_timeout duration no Storage lock timeout duration 5m
lock_polling_interval duration no Storage lock polling interval 5s

Additional Help

Report any problems or questions with the plugin using a GitHub issue.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 2

v0.1.1 Latest
Dec 24, 2023
+ 1 release

Packages

No packages published

Languages