Merka Vault
Merka Vault is a tool that simplifies the management of HashiCorp Vault, focusing on automating vault initialization, unsealing, and setting up PKI infrastructure. It provides both a CLI interface and a programmatic API.
Features
- Initialize and unseal Vault instances with optional recovery keys
- Configure Transit-based auto-unsealing between Vault instances
- Set up PKI secrets engine with hierarchical CA support
- Interactive setup wizard for guided configuration
- Web server with REST API and Socket.IO events for real-time monitoring
- SQLite database integration for credential storage and vault relationships
- Actor-based architecture for thread-safe operations
- Comprehensive error handling and validation
CLI Usage
# Initialize and unseal a Vault
# Setup PKI infrastructure
# Setup Transit-based auto-unsealing
# Use the setup wizard
# Start the web server
Programmatic Usage
```rust
use /* crate path lost in extraction */;
use DatabaseManager;
use broadcast; // the channel() call below matches tokio::sync::broadcast

// Initialize database (constructor argument lost in extraction)
let db_manager = DatabaseManager::new(/* … */).unwrap();

// Create actor with database for thread-safe operations
// (channel pattern, capacity and actor type lost in extraction)
let (/* sender, receiver */) = broadcast::channel(/* capacity */);
let actor = /* actor type */::new(/* … */)
    .with_database(db_manager);
let actor_addr = actor.start();

// Initialize the vault (message types lost in extraction; the first `?`
// unwraps the actor mailbox error, the second the operation's own Result)
let init_result = actor_addr.send(/* init message */).await??;

// Unseal the vault
let unseal_result = actor_addr.send(/* unseal message */).await??;

// Setup PKI
let pki_result = actor_addr.send(/* PKI message */).await??;
```
Web Server Integration
The project includes a complete web server implementation with REST API and WebSocket events, backed by SQLite storage.
# Start the vaults
# Run the web server
# Or run the example directly
# Run the test client
The web server includes:
- REST API for all vault operations
- Socket.IO for real-time event notifications
- SQLite storage for credentials and vault relationships
- Actix Actor system for concurrent operations
For more details, see the Examples Documentation.
Vault Initialization and Unsealing Process
The correct sequence for vault setup is:
- Initialize the root vault (creates the unseal keys and the root token)
- Unseal the root vault (provide enough unseal keys to reach the threshold)
- Set up the transit engine (requires an unsealed vault)
- Generate a transit token (with permissions for auto-unsealing)
- Restart the sub vault with the transit token as VAULT_TOKEN
- Initialize the sub vault with the auto-unseal configuration (this vault gets recovery keys rather than unseal keys)
- Set up PKI in the sub vault
For a comprehensive overview of the operations, see the Operations Documentation.
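The sequence above, as an added example that is not Merka Vault's own code: each step is mapped to the HashiCorp Vault HTTP API call it corresponds to, together with the least-privilege policy for the transit token and the `seal "transit"` stanza the sub vault is restarted with. The endpoints and request fields are Vault's documented API; the key name `autounseal`, the policy name, the address `http://root-vault:8200`, the share counts, the CA common name and the `check_order` guard are assumptions for illustration. It uses only the standard library so the plan can be inspected offline.

```rust
// Added example (not Merka Vault's own code). Names, address and share
// counts are assumptions; endpoints and fields are Vault's HTTP API.

#[derive(Debug, Clone, PartialEq)]
pub enum Step {
    /// An HTTP call against the root or the sub vault.
    Http { target: &'static str, method: &'static str, path: String, body: String },
    /// Out-of-band: restart the sub vault with the transit token in `env_var`
    /// and `config` added to its server configuration.
    Restart { target: &'static str, env_var: &'static str, config: String },
}

/// Minimal JSON string escaping for the request bodies built below.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            _ => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Policy for the transit token: encrypt/decrypt on ONE named key, nothing else.
/// No `transit/keys/*`, so the sub vault can neither read nor rotate the key.
pub fn autounseal_policy(key_name: &str) -> String {
    format!(
        "path \"transit/encrypt/{k}\" {{\n  capabilities = [\"update\"]\n}}\n\
         path \"transit/decrypt/{k}\" {{\n  capabilities = [\"update\"]\n}}\n",
        k = key_name
    )
}

/// `seal "transit"` stanza for the sub vault. The token is deliberately absent:
/// Vault reads it from VAULT_TOKEN, which keeps it out of the config file.
pub fn transit_seal_stanza(root_addr: &str, key_name: &str) -> String {
    format!(
        "seal \"transit\" {{\n  address    = \"{a}\"\n  key_name   = \"{k}\"\n  mount_path = \"transit/\"\n}}\n",
        a = root_addr,
        k = key_name
    )
}

/// The ordered plan. The root vault uses Shamir unseal shares; the sub vault is
/// initialized with recovery shares because a transit seal never has unseal keys.
pub fn setup_plan(root_addr: &str, shares: u8, threshold: u8, key_name: &str) -> Vec<Step> {
    let http = |target: &'static str, method: &'static str, path: String, body: String| {
        Step::Http { target, method, path, body }
    };
    // 1. Initialize root vault -> unseal keys + root token
    let mut plan = vec![http("root", "PUT", "/v1/sys/init".into(),
        format!("{{\"secret_shares\":{},\"secret_threshold\":{}}}", shares, threshold))];
    // 2. Unseal: one call per share until the threshold is reached
    for i in 1..=threshold {
        plan.push(http("root", "PUT", "/v1/sys/unseal".into(), format!("{{\"key\":\"<unseal key {}>\"}}", i)));
    }
    // 3. Transit engine plus the key that will wrap the sub vault's master key
    plan.push(http("root", "POST", "/v1/sys/mounts/transit".into(), "{\"type\":\"transit\"}".into()));
    plan.push(http("root", "POST", format!("/v1/transit/keys/{}", key_name), "{}".into()));
    // 4. Scoped policy and an orphan, periodic token (survives its parent, renews itself)
    plan.push(http("root", "PUT", "/v1/sys/policies/acl/autounseal".into(),
        format!("{{\"policy\":{}}}", json_str(&autounseal_policy(key_name)))));
    plan.push(http("root", "POST", "/v1/auth/token/create-orphan".into(),
        "{\"policies\":[\"autounseal\"],\"period\":\"24h\"}".into()));
    // 5. Restart the sub vault with that token in VAULT_TOKEN and the seal stanza
    plan.push(Step::Restart { target: "sub", env_var: "VAULT_TOKEN",
        config: transit_seal_stanza(root_addr, key_name) });
    // 6. Initialize the sub vault: recovery shares only, it auto-unseals via transit
    plan.push(http("sub", "PUT", "/v1/sys/init".into(),
        format!("{{\"recovery_shares\":{},\"recovery_threshold\":{}}}", shares, threshold)));
    // 7. PKI in the sub vault
    plan.push(http("sub", "POST", "/v1/sys/mounts/pki".into(), "{\"type\":\"pki\"}".into()));
    plan.push(http("sub", "POST", "/v1/pki/root/generate/internal".into(),
        "{\"common_name\":\"example internal CA\",\"ttl\":\"87600h\"}".into()));
    plan
}

/// Guard against the classic mistake: touching secrets engines on the root
/// vault before it has been unsealed.
pub fn check_order(plan: &[Step]) -> Result<(), String> {
    let mut root_unsealed = false;
    for step in plan {
        if let Step::Http { target, path, .. } = step {
            if *target != "root" { continue; }
            match path.as_str() {
                "/v1/sys/init" => {}
                "/v1/sys/unseal" => root_unsealed = true,
                other if !root_unsealed => {
                    return Err(format!("{} issued before the root vault was unsealed", other))
                }
                _ => {}
            }
        }
    }
    Ok(())
}

fn main() {
    for step in setup_plan("http://root-vault:8200", 5, 3, "autounseal") {
        println!("{:?}", step);
    }
}
```

Two choices in the plan are worth keeping when translating it to the tool or to the `vault` CLI: the transit token is an orphan with a period rather than a child of the root token, so it does not die when the root token is revoked and can renew itself indefinitely; and the policy grants only `update` on the two encrypt/decrypt paths for the one key, so a compromised sub vault cannot export, rotate or delete the wrapping key.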
Development
# Install dependencies
# Run tests
# Run module-specific tests
# Run integration tests
# Run with logging
RUST_LOG=debug
# Build release version
Recent Changes
- Improved Testing: Migrated integration tests to module-specific tests for better organization and maintainability
- Test Utilities: Enhanced test_utils.rs to support container-based testing for all modules
- SQLite Integration: Replaced file-based credential storage with a robust SQLite database
- Web Server Improvements: Enhanced Socket.IO implementation with proper local task handling
- CLI Commands: Added new server command for starting the web server
- Database Schema: Added support for storing vault relationships
Documentation
Detailed documentation is available in the /docs directory:
- Auto-Unseal Documentation
- PKI Documentation
- Operations Overview
- Examples Documentation
- SQLite Database Integration
- Testing Guide
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.