# lmrc-vault
HashiCorp Vault management library for the LMRC Stack: a comprehensive library for managing Vault installations on Kubernetes/K3s clusters and for interacting with the Vault API for secret management.
## Features
- **Vault Deployment**: Deploy Vault to K3s/Kubernetes clusters via Helm charts
- **Secret Operations**: Read, write, list, and delete secrets using KV v2 engine
- **Authentication**: Token-based and Kubernetes service account authentication
- **Initialization & Unsealing**: Initialize Vault clusters and manage unseal operations
- **Policy Management**: Create, read, list, and delete Vault policies
- **Builder Pattern API**: Fluent, type-safe configuration for both client and deployment
- **Error Handling**: Comprehensive error types with context
## Installation
Add this to your `Cargo.toml`:
```toml
[dependencies]
lmrc-vault = "0.1.0"
```
## Quick Start
### Using Vault Client for Secret Management
```rust
use lmrc_vault::{VaultClient, VaultConfig, SecretOperations};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create Vault client configuration
    let config = VaultConfig::builder()
        .address("https://vault.example.com:8200")
        .token("hvs.CAESIJ...")
        .build()?;

    // Create client
    let client = VaultClient::new(config)?;

    // Write a secret
    client.write_secret(
        "secret/data/myapp/config",
        &[("db_password", "secure_pass"), ("api_key", "key123")]
    ).await?;

    // Read a secret
    let secret = client.read_secret("secret/data/myapp/config").await?;
    println!("Database password: {}", secret.get("db_password").unwrap());

    Ok(())
}
```
### Deploying Vault to K3s
```rust
use lmrc_vault::{VaultDeployment, VaultDeploymentConfig};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Configure deployment
    let config = VaultDeploymentConfig::builder()
        .namespace("vault")
        .replicas(3)
        .storage_size("10Gi")
        .enable_ui(true)
        .build()?;

    // Create deployment manager
    let deployment = VaultDeployment::new(
        "192.168.1.100",
        "root",
        config
    );

    // Deploy Vault via Helm
    deployment.deploy()?;

    // Initialize Vault (generates root token and unseal keys)
    let init_result = deployment.initialize(5, 3)?;
    // Printed here for demonstration only; store the root token securely
    // (see Security Considerations) rather than leaving it in logs.
    println!("Root token: {}", init_result.root_token);

    // Unseal Vault cluster
    deployment.unseal(&init_result.unseal_keys[0..3])?;

    Ok(())
}
```
## Usage
For detailed usage examples, configuration options, and best practices, see the [full documentation](https://docs.rs/lmrc-vault).
## Secret Path Format
The library uses Vault's KV v2 engine path format: `mount/data/secret-path`
Example: `secret/data/myapp/database/credentials`
## Security Considerations
1. Store the root token securely and revoke it after initial setup
2. Distribute unseal keys to multiple trusted parties
3. Always use TLS in production
4. Apply the principle of least privilege with policies
5. Enable audit logging for security monitoring
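
To make item 4 concrete for the KV v2 path format described above, the following added example (not part of the lmrc-vault API) validates a `mount/data/secret-path` prefix and renders a read-only policy for it. The function names, the single-segment mount assumption and the `secret/data/myapp` prefix are assumptions made for illustration.

```rust
// Added example: standalone helpers, not part of the lmrc-vault API.

/// Splits a KV v2 data path (`mount/data/secret-path`) into (mount, secret path).
/// Assumption: the mount name is a single segment such as `secret`.
fn split_kv2_path(path: &str) -> Result<(&str, &str), String> {
    let (mount, rest) = path
        .split_once("/data/")
        .ok_or_else(|| format!("not a KV v2 data path: {path}"))?;
    if mount.is_empty() || mount.contains('/') {
        return Err(format!("unexpected mount in: {path}"));
    }
    // Reject empty, dot and glob segments so a rendered policy cannot widen.
    let bad = |s: &str| {
        s.is_empty() || s == "." || s == ".." || s.contains(|c: char| c == '*' || c == '+')
    };
    if rest.split('/').any(bad) {
        return Err(format!("invalid segment in: {path}"));
    }
    Ok((mount, rest))
}

/// Renders a read-only policy for everything under `prefix`.
/// KV v2 reads hit `mount/data/...`; listing keys hits `mount/metadata/...`.
fn read_only_policy(prefix: &str) -> Result<String, String> {
    let (mount, app) = split_kv2_path(prefix)?;
    Ok(format!(
        "path \"{mount}/data/{app}/*\" {{\n  capabilities = [\"read\"]\n}}\n\
         path \"{mount}/metadata/{app}/*\" {{\n  capabilities = [\"list\"]\n}}\n"
    ))
}

fn main() {
    // Constructed sample prefix in the path style this README uses.
    match read_only_policy("secret/data/myapp") {
        Ok(hcl) => print!("{hcl}"),
        Err(e) => eprintln!("rejected: {e}"),
    }
}
```

The rendered HCL grants `read` on the data paths and `list` on the matching metadata paths only, so a token bound to it cannot write, delete or reach other applications' secrets.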
## Development
```bash
# Build
cargo build -p lmrc-vault
# Test
cargo test -p lmrc-vault
# Lint
cargo clippy -p lmrc-vault -- -D warnings
```
## License
Dual licensed under MIT OR Apache-2.0
## Repository
https://gitlab.com/lemarco/lmrc-stack
## Author
Lemarc <lemarc.dev@gmail.com>