lmrc-vault 0.3.15

HashiCorp Vault management library for the LMRC Stack - comprehensive library for managing Vault installations and secrets on K3s/Kubernetes clusters

lmrc-vault

HashiCorp Vault management library for the LMRC Stack - comprehensive library for managing Vault installations on Kubernetes/K3s clusters and interacting with the Vault API for secret management.

Features

  • Vault Deployment: Deploy Vault to K3s/Kubernetes clusters via Helm charts
  • Secret Operations: Read, write, list, and delete secrets using KV v2 engine
  • Authentication: Token-based and Kubernetes service account authentication
  • Initialization & Unsealing: Initialize Vault clusters and manage unseal operations
  • Policy Management: Create, read, list, and delete Vault policies
  • Builder Pattern API: Fluent, type-safe configuration for both client and deployment
  • Error Handling: Comprehensive error types with context

Installation

Add this to your Cargo.toml:

[dependencies]
lmrc-vault = "0.1.0"

Quick Start

Using Vault Client for Secret Management

use lmrc_vault::{VaultClient, VaultConfig, SecretOperations};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create Vault client configuration
    let config = VaultConfig::builder()
        .address("https://vault.example.com:8200")
        .token("hvs.CAESIJ...")
        .build()?;

    // Create client
    let client = VaultClient::new(config)?;

    // Write a secret
    client.write_secret(
        "secret/data/myapp/config",
        &[("db_password", "secure_pass"), ("api_key", "key123")]
    ).await?;

    // Read a secret
    let secret = client.read_secret("secret/data/myapp/config").await?;
    println!("Database password: {}", secret.get("db_password").unwrap());

    Ok(())
}

Deploying Vault to K3s

use lmrc_vault::{VaultDeployment, VaultDeploymentConfig};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Configure deployment
    let config = VaultDeploymentConfig::builder()
        .namespace("vault")
        .replicas(3)
        .storage_size("10Gi")
        .enable_ui(true)
        .build()?;

    // Create deployment manager
    let deployment = VaultDeployment::new(
        "192.168.1.100",
        "root",
        config
    );

    // Deploy Vault via Helm
    deployment.deploy()?;

    // Initialize Vault (generates root token and unseal keys)
    let init_result = deployment.initialize(5, 3)?;
    println!("Root token: {}", init_result.root_token);

    // Unseal Vault cluster
    deployment.unseal(&init_result.unseal_keys[0..3])?;

    Ok(())
}
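The initialize(5, 3) / unseal(keys[0..3]) pair above relies on threshold secret sharing: Vault splits the master key into n shares of which any k reconstruct it. The following is an added example, not code from lmrc-vault or from Vault itself, that implements that construction over GF(2^8) in std-only Rust so the 3-of-5 property can be checked locally. DemoRng is a fixed, non-cryptographic PRNG used only to make the run reproducible; a real split must draw its coefficients from a CSPRNG.

```rust
// Added example (not part of lmrc-vault): threshold secret sharing over GF(2^8),
// the construction behind Vault's unseal key shares. initialize(5, 3) in the
// deployment example corresponds to split(.., n = 5, k = 3).
// Assumptions: std-only Rust; DemoRng is a fixed, non-cryptographic PRNG used
// only for reproducibility. A real split must use a CSPRNG.

/// Multiply in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        if b & 1 != 0 {
            p ^= a;
        }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 {
            a ^= 0x1b;
        }
        b >>= 1;
    }
    p
}

/// Multiplicative inverse: a^254, since a^255 = 1 for every nonzero a.
fn gf_inv(a: u8) -> u8 {
    assert!(a != 0, "zero has no inverse; share x-coordinates must be distinct");
    let (mut result, mut base, mut e) = (1u8, a, 254u32);
    while e > 0 {
        if e & 1 == 1 {
            result = gf_mul(result, base);
        }
        base = gf_mul(base, base);
        e >>= 1;
    }
    result
}

/// Evaluate a polynomial (coefficients low to high) at x by Horner's rule.
fn eval_poly(coeffs: &[u8], x: u8) -> u8 {
    coeffs.iter().rev().fold(0u8, |acc, &c| gf_mul(acc, x) ^ c)
}

/// Xorshift64 PRNG. Demo only: NOT suitable for real key material.
struct DemoRng(u64);

impl DemoRng {
    fn next_u8(&mut self) -> u8 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        (x >> 24) as u8
    }
}

/// A share is (x, y-bytes): one evaluation point per secret byte.
type Share = (u8, Vec<u8>);

/// Split `secret` into `n` shares such that any `k` of them reconstruct it.
fn split(secret: &[u8], n: u8, k: u8, rng: &mut DemoRng) -> Vec<Share> {
    assert!(k >= 1 && k <= n, "need 1 <= threshold <= shares");
    let mut shares: Vec<Share> = (1..=n).map(|x| (x, Vec::with_capacity(secret.len()))).collect();
    for &byte in secret {
        // Degree k-1 polynomial whose constant term is the secret byte.
        let mut coeffs = vec![byte];
        for _ in 1..k {
            coeffs.push(rng.next_u8());
        }
        for (x, ys) in shares.iter_mut() {
            ys.push(eval_poly(&coeffs, *x));
        }
    }
    shares
}

/// Reconstruct the secret by Lagrange interpolation at x = 0.
/// With fewer than k shares this still returns bytes, but not the secret.
fn combine(shares: &[Share]) -> Vec<u8> {
    assert!(!shares.is_empty(), "at least one share is required");
    let len = shares[0].1.len();
    let mut secret = vec![0u8; len];
    for i in 0..len {
        let mut acc = 0u8;
        for (j, (xj, yj)) in shares.iter().enumerate() {
            // L_j(0) = prod_{m != j} x_m / (x_j - x_m); subtraction is XOR in GF(2^8).
            let mut basis = 1u8;
            for (m, (xm, _)) in shares.iter().enumerate() {
                if m != j {
                    basis = gf_mul(basis, gf_mul(*xm, gf_inv(*xj ^ *xm)));
                }
            }
            acc ^= gf_mul(yj[i], basis);
        }
        secret[i] = acc;
    }
    secret
}

fn main() {
    // Constructed demo secret; a real master key comes from Vault's init.
    let secret = b"constructed-demo-master-key";
    let mut rng = DemoRng(0x9E37_79B9_7F4A_7C15);
    let shares = split(secret, 5, 3, &mut rng);
    println!("any 3 of 5 recover: {}", combine(&shares[0..3]) == secret.to_vec());
    println!("only 2 of 5 recover: {}", combine(&shares[0..2]) == secret.to_vec());
}
```

The point for an operator is visible in combine: two shares of a 3-of-5 split yield a plausible-looking key that is simply wrong, so a custodian holding fewer than the threshold learns nothing, while any three custodians together hold the whole master key. That is why the shares should go to separate people rather than being kept together.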

Usage

For detailed usage examples, configuration options, and best practices, see the full documentation.

Secret Path Format

The library addresses secrets using the KV v2 engine's API path format: mount/data/secret-path. The data segment is part of the KV v2 API path, not of the secret's name; the same secret's version metadata lives under mount/metadata/secret-path.

Example: secret/data/myapp/database/credentials

Security Considerations

  1. Store the initial root token securely and revoke it once setup is complete; it bypasses all policies
  2. Distribute the unseal key shares to separate trusted custodians so that no single party holds a threshold of them
  3. Always use TLS in production
  4. Apply the principle of least privilege with policies: grant each workload only the capabilities it needs on the exact paths it needs
  5. Enable audit logging so that every secret access is recorded for security monitoring
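To tie the Secret Path Format section above to item 4 (least privilege), here is an added example that is not part of lmrc-vault: a small std-only Rust parser for the mount/data/secret-path convention that rejects malformed segments, derives the matching metadata path, and renders a Vault policy scoped to that one secret. The policy text follows Vault's HCL policy syntax; the type and function names are illustrative.

```rust
// Added example (not part of lmrc-vault): parse the KV v2 path convention
// mount/data/secret-path and render a least-privilege policy for one secret.
// Assumptions: std-only Rust; policy text follows Vault's HCL policy syntax.

#[derive(Debug, PartialEq, Eq)]
struct Kv2Path {
    mount: String,
    secret_path: String,
}

#[derive(Debug, PartialEq, Eq)]
enum PathError {
    Empty,
    BadSegment(String),
    MissingDataSegment,
    EmptySecretPath,
}

/// Parse "mount/data/secret-path". Leading/trailing slashes are tolerated;
/// empty, "." and ".." segments are rejected so that a caller-supplied path
/// cannot end up in a policy or API call with a segment it did not intend.
fn parse_kv2_path(path: &str) -> Result<Kv2Path, PathError> {
    let trimmed = path.trim_matches('/');
    if trimmed.is_empty() {
        return Err(PathError::Empty);
    }
    let segs: Vec<&str> = trimmed.split('/').collect();
    if let Some(bad) = segs.iter().find(|s| s.is_empty() || matches!(**s, "." | "..")) {
        return Err(PathError::BadSegment(bad.to_string()));
    }
    if segs.len() < 2 || segs[1] != "data" {
        return Err(PathError::MissingDataSegment);
    }
    if segs.len() < 3 {
        return Err(PathError::EmptySecretPath);
    }
    Ok(Kv2Path {
        mount: segs[0].to_string(),
        secret_path: segs[2..].join("/"),
    })
}

impl Kv2Path {
    /// API path for reading and writing the secret's data.
    fn data_path(&self) -> String {
        format!("{}/data/{}", self.mount, self.secret_path)
    }

    /// API path for the secret's version metadata (same key, different prefix).
    fn metadata_path(&self) -> String {
        format!("{}/metadata/{}", self.mount, self.secret_path)
    }

    /// Render a policy granting `data_caps` on this secret's data path and
    /// read on its metadata, and nothing else: no wildcards, no sibling paths.
    fn render_policy(&self, data_caps: &[&str]) -> String {
        let caps = data_caps
            .iter()
            .map(|c| format!("\"{}\"", c))
            .collect::<Vec<_>>()
            .join(", ");
        format!(
            "path \"{}\" {{\n  capabilities = [{}]\n}}\n\npath \"{}\" {{\n  capabilities = [\"read\"]\n}}\n",
            self.data_path(),
            caps,
            self.metadata_path()
        )
    }
}

fn main() {
    match parse_kv2_path("secret/data/myapp/database/credentials") {
        Ok(p) => print!("{}", p.render_policy(&["read"])),
        Err(e) => eprintln!("invalid KV v2 path: {:?}", e),
    }
}
```

Rendering the policy from the parsed path, rather than from a free-form string, keeps the grant pinned to one data path and its metadata; widening it to a prefix (a trailing wildcard) becomes a deliberate change rather than an accident of string handling.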

Development

# Build
cargo build -p lmrc-vault

# Test
cargo test -p lmrc-vault

# Lint
cargo clippy -p lmrc-vault -- -D warnings

License

Dual licensed under MIT OR Apache-2.0

Repository

https://gitlab.com/lemarco/lmrc-stack

Author

Lemarc lemarc.dev@gmail.com