hashicorp-vault-proxy

README

hashicorp-vault-proxy

A small proxy server which implements the Nuts Storage API, forwarding calls to a Hashicorp Vault Server.

Running

To build the application and start it with a Vault server, run:

$ make build start

The proxy will be available on port 8210. The Vault server will run in development mode.

To stop the services, run:

$ make stop

To reset the services, effectively removing the Docker containers and volumes (including the stored private keys), run:

$ make reset

Configuring

You can configure the backing Vault by setting environment variables (e.g. VAULT_ADDR) for the Vault client. See https://github.com/hashicorp/vault/blob/main/api/client.go for the available options.

In addition, the following environment variables can be set:

• VAULT_PATHPREFIX: the path prefix to use for the Vault keys, which generally matches the secret store name (defaults to kv).
• VAULT_PATHNAME: the path name to use for the Vault keys, which generally matches the secret store name (defaults to nuts-private-keys).
• LOG_FORMAT: the log format to use, either json or text (defaults to text).

Backwards compatibility

The Vault proxy can be used as a drop-in replacement for the embedded Nuts node Vault secret storage engine. If you already have your keys in Hashicorp Vault and want to use the proxy, make sure to set the VAULT_PATHPREFIX to your nodes crypto.vault.pathprefix value of leave it empty for default and leave VAULT_PATHNAME empty.

Test suite

To run the test suite that tests compliance of the proxy with the Nuts Storage API, run:

$ make api-test

It starts the proxy, Vault and Postman in Docker and runs the test suite. If the process exits with a non-zero exit code, the test suite failed. See the Postman output for more information on the failure.

Note: to build the proxy before running the test suite, run:

$ make build api-test

Code Generation

Generating code:

To regenerate all code run the run-generators target:

$ make run-generators