# README

HashiCorp Vault Secrets Engine - Qdrant plugin

vault-plugin-secrets-qdrant is a HashiCorp Vault plugin that extends Vault with a secrets engine issuing JWTs for Qdrant authentication.

It is capable of generating Qdrant credentials/JWT signed tokens with granular access control.

The roles are stored in Vault and can be revoked at any time.

The generated JWT tokens are ephemeral and stateless: they are not stored in Vault, but they can be bound to roles and are invalidated when the role is deleted.

The plugin can also push role data (create/update/delete) to Qdrant servers.

Features

  • Support multi-instance configurations
  • Allow management of Token TTL per instance and/or role
  • Push role changes (create/update/delete) to Qdrant server
  • Generate and sign JWT tokens based on instance and role parameters
  • Allow provision of custom claims (access and filters) for roles
  • Support TLS and custom CA to connect to Qdrant server

Getting Started

The Qdrant secrets engine generates JWT credentials dynamically.

The plugin exposes three resource types: config, role and jwt.

Please read the official Qdrant documentation to understand the concepts of token and access as well as the authentication process.

A handful of resources can be defined within the Vault plugin:

Config

A resource of type config represents the configuration of one Qdrant instance.

| Entity path | Description | Operations |
|---|---|---|
| qdrant/config | List instances | list |
| qdrant/config/ | Manage instance config | write, read, delete |

Role

A resource of type role represents the role configuration for an instance.

| Entity path | Description | Operations |
|---|---|---|
| qdrant/role/ | List roles for | list |
| qdrant/role// | Manage instance role config | write, read, delete |

JWT

A resource of type jwt represents a generated JWT token.

| Entity path | Description | Operations |
|---|---|---|
| qdrant/jwt// | Generate token for role | read |

⚙️ Configuration

The following arguments can be passed to the config/ (database instance) and role/ paths.

Config

| Key | Type | Required | Example | Description |
|---|---|---|---|---|
| url | bool | true | qdrant:6334 | URL address of the Qdrant instance (grpc protocol) |
| sig_key | string | true | secret-key | Secret key used to sign and verify (API-KEY on the server) tokens |
| sig_alg | string | true | HS256 | Algorithm used to decode the tokens |
| jwt_ttl | string | true | 300s | Default TTL for instance tokens (can be overridden in roles) |
| tls | bool | false | true | If set to true, Vault opens a TLS gRPC connection to Qdrant |
| ca | string | false | eyJhbGc... | Base64-encoded custom CA certificate for TLS |

Note: When you delete an instance configuration, all associated roles will be automatically deleted from the Qdrant instance.

Role

| Key | Type | Required | Example | Description |
|---|---|---|---|---|
| jwt_ttl | string | false | 300s | TTL for the role's tokens |
| claims | json | true | | Access and filter attributes (see the Qdrant docs) |

Note: Vault roles are synced automatically to the sys_roles collection of the Qdrant instance.

Claims example

```json
{
    "claims": {
        "value_exists": {
            "collection": "sys_roles",
            "matches": [
                { "key": "role", "value": "write2" }
            ]
        },
        "access": [
            {
                "collection": "my_collection",
                "access": "r"
            }
        ]
    }
}
```

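To see how the stateless tokens stay revocable, the added example below (not code from the plugin) builds an HS256 JWT of the shape the jwt path issues from the claims above and checks it the way a server would: algorithm, signature against sig_key, expiry from jwt_ttl, and then the value_exists binding against an in-memory stand-in for the sys_roles collection. The ROLE_CLAIMS and SYS_ROLES data are constructed, and the match semantics (every match must hit one row) are a simplification assumed here.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: the role claims from the README example and an
# in-memory stand-in for the `sys_roles` collection the plugin keeps in sync.
ROLE_CLAIMS = {
    "value_exists": {"collection": "sys_roles",
                     "matches": [{"key": "role", "value": "write2"}]},
    "access": [{"collection": "my_collection", "access": "r"}],
}
SYS_ROLES = {"sys_roles": [{"role": "write2"}]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sig_key: str, claims: dict, jwt_ttl: int, now: int) -> str:
    """HS256 JWT of the shape the jwt path issues: role claims plus exp = now + jwt_ttl."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(dict(claims, exp=now + jwt_ttl), separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(payload.encode())
    sig = hmac.new(sig_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, sig_key: str, sys_roles: dict, now: int):
    """Return the payload if acceptable, else None: alg, signature, expiry, then value_exists."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # refuse alg switching
            return None
        expected = hmac.new(sig_key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    binding = payload.get("value_exists")
    if binding:  # a stateless token stays valid only while a matching sys_roles row exists
        rows = sys_roles.get(binding["collection"], [])
        if not any(all(row.get(m["key"]) == m["value"] for m in binding["matches"])
                   for row in rows):
            return None
    return payload
```

Deleting the role (or the whole instance config, which removes its roles) empties the matching sys_roles row, so every outstanding token for that role fails the value_exists check even though Vault never stored it.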

🎯 Installation and Setup

In order to use this plugin you need to register it with Vault. Configure your vault server to have a valid plugins_directory configuration.

Note: you might want to set api_addr to your listening address and disable_mlock to true in the vault configuration to be able to use the plugin.

Install from release

Download the latest stable release from the release page and put it into the plugins_directory of your vault server.

To register a Vault plugin you need the plugin binary's SHA-256 sum.

Example of how to register the plugin:

```shell
SHA256SUM=$(sha256sum vault-plugin-secrets-qdrant | cut -d' ' -f1)
vault plugin register -sha256 ${SHA256SUM} secret vault-plugin-secrets-qdrant
vault secrets enable -path=qdrant vault-plugin-secrets-qdrant
```

Note: you might use the -tls-skip-verify flag if you are using a self-signed certificate.

Development

Build locally

```shell
$ make
```

Set up the environment (docker compose)

```shell
$ make setup-env
```

Run unit tests

```shell
$ make tests
```

Run end-to-end tests

```shell
$ make e2e
```

Tear down the environment (docker compose)

```shell
$ make teardown-env
```

Clean up

```shell
$ make clean
```

🤝🏽 Contributing

Code contributions are very much welcome.

  1. Fork the project
  2. Create your branch (`git checkout -b AmazingFeature`)
  3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
  4. Push to the branch (`git push origin AmazingFeature`)
  5. Open a pull request targeting the main branch.