atlas-hashicorp-vault
plugin lets you manage issue GlobalSign Atlas backed certificates in vault.
Before you can use the Plugin's API you will need to install the vault plugin:
(Note: We have automated most of these steps and user can directly navigate to atlas-hashicorp-vault
and run make
)
-
Create the directory where your Vault server will look for plugins
-
Download the latest
atlas-hashicorp-vault
plugin release package for your operating system. Note that the URL for the source binary file, referenced below, changes as new versions of the plugin are released.$ curl https://github.com/globalsign/atlas-hashicorp-vault/releases/latest/download/atlas-linux-amd64 -o /etc/vault/vault_plugins/atlas $ chmod +x /etc/vault/vault_plugins/atlas
note: the above binary works was built on an ubuntu base, if you want to are running in containers, you probably want to use this one https://github.com/globalsign/atlas-hashicorp-vault/releases/latest/download/atlas-linux-containers
These links above will get the latest binary, if you want to pin to a specific one, use a URL like to following
https://github.com/globalsign/atlas-hashicorp-vault/releases/download/v1.0/atlas-linux-amd64
-
Update the Vault server configuration to specify the plugin directory:
plugin_directory = "/etc/vault/vault_plugins"
-
Start your Vault using the server command.
-
Get the SHA-256 checksum of the
atlas-hashicorp-vault
plugin binary:$ PLUGIN_SHA256=$(sha256sum /etc/vault/vault_plugins/atlas-hashicorp-vault | cut -d' ' -f1)
-
Register the
atlas-hashicorp-vault
plugin in the Vault system catalog:$ vault write sys/plugins/catalog/secret/atlas \ sha_256="$PLUGIN_SHA256" command="atlas" Success! Data written to: sys/plugins/catalog/secret/atlas
To Configure the installed plugin refer to our Getting Started Guide
The Atlas secret engine plugin works with Kubernetes cert-manager. If you would like to try this locally, you can run ./scripts/test-cert-manager.sh
on an linux computer.
You can see it working here:
You can refer to our MicroK8s certificate manager tutorial if you would like to hookup GlobalSign Atlas to Kubernetes Certificate manager.
You can develop this plugin using the golang tool-chain and the provided Makefile.
By running make
your system will compile the current source, and start a vault server in dev mode.
For convince, we recommend running scripts/test-cli.sh
to actuate the plugins functionality. If you are doing this often we recommend setting development credentials as described below, it will reduce your iteration times.
If you are working with the Atlas Client library you will need to have development credentials configured, as it performs integration tests with the Atlas backend.
Integration test require GlobalSign Atlas credentials, by default these tests will prompt you for your credentials, it will additionally give you the option to persist them. You can manually engage this process by running the ./scripts/login.sh
in bash.
The development helpers will ask for plaintext API credentials and PEM formatted client mTLS credentials.
We expect changes to meet Hashicorp Vaults' style, to have tests, and to keep coverage above 70%.