{"id":24638062,"url":"https://github.com/upbound/configuration-vault","last_synced_at":"2025-03-20T09:26:11.664Z","repository":{"id":219794895,"uuid":"741599036","full_name":"upbound/configuration-vault","owner":"upbound","description":null,"archived":false,"fork":false,"pushed_at":"2024-04-09T16:51:50.000Z","size":120,"stargazers_count":1,"open_issues_count":6,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-04-10T12:38:15.325Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/upbound.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-01-10T18:17:12.000Z","updated_at":"2024-04-23T12:48:13.953Z","dependencies_parsed_at":"2024-04-23T12:58:19.533Z","dependency_job_id":null,"html_url":"https://github.com/upbound/configuration-vault","commit_stats":null,"previous_names":["upbound/configuration-vault"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/upbound%2Fconfiguration-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/upbound%2Fconfiguration-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/upbound%2Fconfiguration-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/upbound%2Fconfiguration-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/upbound","download_url":"https://codeload.github.com/upbound/configuration-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244584597,"owners_count":20476575,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-25T10:12:54.175Z","updated_at":"2025-03-20T09:26:11.626Z","avatar_url":"https://github.com/upbound.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# configuration-vault\nAutomate the management of Vault using Crossplane.\n\n## Personas\n\nThe scenario described in this reference configuration introduces the following personas:\n- admin is the organization-level administrator\n- student is a user allowed to write data to a path in vault\n\n## Scope\n\nA manual system administration can become a challenge as the scale of\ninfrastructure increases. Often, an organization must manage multiple\nVault environments (development, testing, staging, production, etc.).\nKeeping up with the increasing management demand soon becomes a\nchallenge without some sort of automation.\n\n## Solution\n\nCrossplane enables to automate the Vault configuration tasks such as the\ncreation of policies. Automation through codification allows operators\nto increase their productivity, move quicker, promote repeatable processes,\nand reduce human error.\n\nThis tutorial demonstrates techniques for creating Vault policies and configurations.\n\n## Prerequisites\n\n- A computer with a cloned copy of this git repository.\n- The Upbound CLI\n```\ncurl -sL https://cli.upbound.io | sh\n```\n- [kubectl and kind](https://kubernetes.io/docs/tasks/tools/)\n\n## Scenario\n\nVault administrators must manage multiple Vault environments.\nThe test servers get destroyed at the end of each test cycle\nand a new set of servers must be provisioned for the next test cycle.\nTo automate the Vault server configuration, we are going to use\nCrossplane to provision the following Vault resources.\n\n|Type         |Name       |Description\n|------------:|----------:|---------------------------------\n| ACL Policy  | admin     | Sets policies for the admin team\n| ACL Policy  | client    | Sets policies for clients to encrypt/decrypt data through transit secrets engine\n| auth method | userpass  | Enable and create a user, \"student\" with admins and eaas-client policies\n| secrets engine | transit | Enable transit secrets engine at transit\n| encryption key | payment | Encryption key to encrypt/decrypt data\n\nThe following steps are demonstrated:\n1. Examine Crossplane Compositions\n2. Run the Vault installation and configuration\n3. Verify the configuration\n4. Clean up\n\n## Examine Crossplane Compositions\n\n1. Clone or download the demo assets from the upbound/configuration-vault\nGithub repository to perform the steps described in this tutorial.\n```\ngit clone git@github.com:upbound/configuration-vault.git\n```\n\n2. Change the working directory to `configuration-vault`.\n```\ncd configuration-vault\n```\nThe directory contains the Crossplane compositions to setup and configure\nVault.\n```\ntree\n```\n\nThe Crossplane compositons are located in the `apis` directory.\nCrossplane compositions can be packaged up with information about\nthe package dependencies that are specified in `crossplane.yaml`.\nPlease take a look at the\n[Crossplane documentation](https://docs.crossplane.io/)\nfor concepts and a knowledge base if you are not yet familiar.\n\n3. Open the `apis/vault/composition.yaml` and examine its content.\nYou will notice that the composition implements an xvaults.sec.upbound.io\nAPI. It is layered and this file contains the top layer\ncreating the following composite resources:\n- XAuth\n- XPolicy\n- XSecret\n- XVaultInstall\n- XVaultUser\n\nEach of them composes next level resources within their respective\ncomposition files in the `apis/vault` subdirectories.\n\n4. Open the `apis/vault/definition.yaml`. It contains the API definition\nspecifying the parameters that the implementation in the composition can use.\nIndividual parameters may be required or optional. The API also known\nas composite resource definition uses the\n[openAPIV3Schema](https://swagger.io/specification/).\nAPI definitions can contain status fields that may be populated with\ninformation from the created resources by the composition(s) that\nimplement the API.\n\n5. Examine the next level of APIs and their implementation by opening\nthe following files:\n- XAuth composition: `apis/vault/auth/composition.yaml`\n- XAuth definition: `apis/vault/auth/definition.yaml`\n- XPolicy composition: `apis/vault/policy/composition.yaml`\n- XPolicy definition: `apis/vault/policy/definition.yaml`\n- XSecret composition: `apis/vault/secrets/composition.yaml`\n- XSecret definition: `apis/vault/secrets/definition.yaml`\n- XVaultInstall composition: `apis/vault/install/composition.yaml`\n- XVaultInstall definition: `apis/vault/install/definition.yaml`\n- XVaultUser composition: `apis/vault/user/composition.yaml`\n- XVaultUser definition: `apis/vault/user/definition.yaml`\n\n## Run the Vault installation and configuration\nUse either one of the following options to install and configure Vault.\n1. `make bootstrap` to create all the resources and validate the configuration.\n2. `make e2e` to create all the resources and run automated\n[KUTTL](https://kuttl.dev/) tests and then validating the configuration.\n\nResources can be seen using\n`crossplane beta trace vault.sec.upbound.io configuration-vault`.\nThis will produce an output like below. Note that there may be various\ninterim stages leading up to all resources being available.\n```\nNAME                                                                       SYNCED   READY   STATUS\nVault/configuration-vault (default)                                        True     True    Available\n└─ XVault/configuration-vault-r9xmg                                        True     True    Available\n   ├─ Usage/configuration-vault-r9xmg-77cpl                                -        True    Available\n   ├─ Usage/configuration-vault-r9xmg-qj2r2                                -        True    Available\n   ├─ Usage/configuration-vault-r9xmg-rxz68                                -        True    Available\n   ├─ Usage/configuration-vault-r9xmg-thxf7                                -        True    Available\n   ├─ Usage/configuration-vault-r9xmg-v8tf5                                -        True    Available\n   ├─ XAuth/configuration-vault-r9xmg-qswjv                                True     True    Available\n   │  ├─ Usage/configuration-vault-r9xmg-hh52k                             -        True    Available\n   │  ├─ Backend/configuration-vault-auth-backend-userpass                 True     True    Available\n   │  └─ Endpoint/configuration-vault-auth-generic-endpoint                True     True    Available\n   ├─ XPolicy/configuration-vault-r9xmg-ct8jb                              True     True    Available\n   │  ├─ Policy/configuration-vault-admin-policy                           True     True    Available\n   │  └─ Policy/configuration-vault-eaas-client-policy                     True     True    Available\n   ├─ XSecret/configuration-vault-r9xmg-f7tz2                              True     True    Available\n   │  ├─ SecretBackendKey/configuration-vault-transit-secret-backend-key   True     True    Available\n   │  ├─ Mount/configuration-vault-kv-v2-secret-mount                      True     True    Available\n   │  └─ Mount/configuration-vault-transit-secret-mount                    True     True    Available\n   ├─ XVaultInstall/configuration-vault-r9xmg-8x69p                        True     True    Available\n   │  ├─ Usage/configuration-vault-r9xmg-h9fbp                             -        True    Available\n   │  ├─ Release/configuration-vault-r9xmg-rptpw                           True     True    Available\n   │  ├─ Object/configuration-vault-r9xmg-kh4ss                            True     True    Available\n   │  ├─ Object/configuration-vault-r9xmg-kndvh                            True     True    Available\n   │  └─ Object/configuration-vault-r9xmg-t8qnp                            True     True    Available\n   └─ XVaultUser/configuration-vault-r9xmg-m8hlp                           True     True    Available\n      └─ Object/configuration-vault-r9xmg-xgkw2                            True     True    Available\n```\n\n## Verify the configuration\nThe Vault configuration may be verified using the following script.\n```\ntest/verify.sh\n```\nIt demonstrates how to list configured resources including\npolicies, secrets, and endpoints, and how the demo student\nuser can encrypt and decrypt information using a payment\nVault transit key.\n\n```\nexport VAULT_ADDR=\"http://127.0.0.1:8200\"\nexport VAULT_TOKEN=\"root\"\nvault login - \u003c\u003c\u003c $VAULT_TOKEN\n```\n```\nSuccess! You are now authenticated. The token information displayed below\nis already stored in the token helper. You do NOT need to run \"vault login\"\nagain. Future Vault requests will automatically use this token.\n\nKey                  Value\n---                  -----\ntoken                root\ntoken_accessor       s53hlBdiCUTMQn8WS6ECw4NP\ntoken_duration       ∞\ntoken_renewable      false\ntoken_policies       [\"root\"]\nidentity_policies    []\npolicies             [\"root\"]\n```\n\n```\nvault policy list\n```\n```\nadmin-policy\ndefault\neaas-client-policy\nroot\n```\n\n```\nvault secrets list\n```\n```\nPath          Type         Accessor              Description\n----          ----         --------              -----------\ncubbyhole/    cubbyhole    cubbyhole_769b3270    per-token private secret storage\nidentity/     identity     identity_d34ef982     identity store\nkv-v2/        kv           kv_fd07aac4           Crossplane created secret mount.\nsecret/       kv           kv_1771f5a7           key/value secret storage\nsys/          system       system_e90ffc6f       system endpoints used for control, policy and debugging\ntransit/      transit      transit_6ff2abac      Crossplane created secret mount.\n```\n\n```\nvault list transit/keys\n```\n```\nKeys\n----\npayment\n```\n\nLog in as student user, encrypt plain text with transit key, and decrypt.\nNote that the output shown, especially the tokens will be different for\nyou.\n```\nunset VAULT_TOKEN\n```\n\nBelow, use password: changeme\n```\nvault login -method=userpass username=student\n```\n\nSuccess! You are now authenticated. The token information displayed below\nis already stored in the token helper. You do NOT need to run \"vault login\"\nagain. Future Vault requests will automatically use this token.\n```\nKey                    Value\n---                    -----\ntoken                  hvs.CAESIBF-rSjSmFr43dZ8qgSK6U8FGJtKKGsk0O9Vv08zGG0SGh4KHGh2cy5Bbzduc2cwY0FON0hobzFnUzBaOUpFdUc\ntoken_accessor         39JtMXAEBKlqjAX0vd66QGC2\ntoken_duration         768h\ntoken_renewable        true\ntoken_policies         [\"admin-policy\" \"default\" \"eaas-client-policy\"]\nidentity_policies      []\npolicies               [\"admin-policy\" \"default\" \"eaas-client-policy\"]\ntoken_meta_username    student\n```\n\nEncrypt and store information.\n```\nvault write transit/encrypt/payment \\\n    plaintext=$(base64 \u003c\u003c\u003c \"1111-2222-3333-4444\")\n```\n```\nKey            Value\n---            -----\nciphertext     vault:v1:HmEcYSDI/dEHZgNQDC0EoQ58c/V2fNJUQIz3hfayywgriEpfhaqrtHLFqz7J/3Wt\nkey_version    1\n```\n\nDecrypt the information.\n```\nvault write transit/decrypt/payment \\\n    ciphertext=\"\u003cCOPY_THE_OUTPUT_CIPHER_FROM_ABOVE\u003e\"\n```\n```\nKey          Value\n---          -----\nplaintext    MTExMS0yMjIyLTMzMzMtNDQ0NAo=\n```\n\nDecode the base64 encoded plaintext.\n```\nbase64 --decode \u003c\u003c\u003c \"\u003cCOPY_THE_BASE64_ENCODED_PLAINTEXT_FROM_ABOVE\u003e\"\n```\n\n## Clean up\nUse the following command to delete the local demo cluster.\n```\nmake cleanup\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fupbound%2Fconfiguration-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fupbound%2Fconfiguration-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fupbound%2Fconfiguration-vault/lists"}