hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

add pki operations to go client #15534

Open mstrYoda opened 2 years ago

mstrYoda commented 2 years ago

Describe the solution you'd like

It would be useful to access Vault PKI operations (to generate certificates) via the Vault Go client. Basically, the commands used by the CLI could be exposed for use by the Vault client too.

Describe alternatives you've considered

We have to use certutil & the logical package to achieve this functionality, or run vault CLI/curl commands from Go using exec.

cipherboy commented 2 years ago

Do you mind expanding on this, @mstrYoda?

To my understanding, the client.Logical() package is indeed the right way to go about interacting with Vault's API from Go. See e.g., our sample applications in Go [ref].

But what confuses me a little about your request is the mention to certutil :-) I'm not aware of any PKI-specific behavior in the existing Vault CLI, so I'm wondering what certutil is necessary for? :-) Our existing CLI (vault write &c) just maps onto client.Logical().Write(...) operations, translating the CLI parameters into API request parameters. So anything you can do in the CLI can be done with the Go client (and is actually done using that API, under the covers); there's no special CLI-specific PKI calls.

I guess restated, what behavior would you like to see, in Go, that the CLI makes easier? :-)

mstrYoda commented 2 years ago


Sorry, I could not explain what I would like to see. I mean, wouldn't it be nice to have a fluent API in the client for making PKI calls?

Parameterized functions that perform the write calls specified for certificate creation in this tutorial: https://learn.hashicorp.com/tutorials/vault/pki-engine

I imagine something like the below:

client.PKI().CreateCert(CreateCertReq{"host", "ttl"}) Certificate

client.PKI().CreateIntermediateCert(CreateIntermediateCertReq{"root-cert", "ttl"}) IntermediateCertificate

I understand not bringing this kind of utility into the client API, since it has already been achieved with the write API capabilities.

cipherboy commented 2 years ago

Ah, cool, this is clearer. Thank you!

Mercanuis commented 2 years ago

I was very curious: are there any updates on this issue?

mstrYoda commented 2 years ago

@cipherboy WDYT about implementing those utility functions? I can send a PR for this.