hashicorp vault support (#439)

* Implement Signatory vault interface for Hashicorp Vault

Signed-off-by: Dzianis Andreyenka <[email protected]>

* Add Hashicorp Vault config sample

Signed-off-by: Dzianis Andreyenka <[email protected]>

* Update README with Hashicorp Vault info

Signed-off-by: Dzianis Andreyenka <[email protected]>

* update website with Hashicorp Vault info

Signed-off-by: Dzianis Andreyenka <[email protected]>

* Docs fix

Signed-off-by: Dzianis Andreyenka <[email protected]>

* secret id without expiration

Signed-off-by: Dzianis Andreyenka <[email protected]>

* init HCP for signatory CLI

Signed-off-by: Dzianis Andreyenka <[email protected]>

* Remove unused vault interaction methods

Signed-off-by: Dzianis Andreyenka <[email protected]>

---------

Signed-off-by: Dzianis Andreyenka <[email protected]>

README.md

@@ -32,7 +32,7 @@ Signatory receives requests to sign Tezos operations. These operations may be co
 
 Signatory will inspect the operations and assert that the operation request is in line with Signatory's policy. If the operation passes the policy rules, Signatory will then have a signature produced using the appropriate backend system. 
 
-Signatory operators can choose from AWS, Azure or Google Cloud KMS systems, or self-hosted wallets such as the YubiHSM2 or a Ledger Hardware wallet.
+Signatory operators can choose from AWS, Azure or Google Cloud KMS systems, or self-hosted solutions such as the YubiHSM2, Hashicorp Vault or Ledger Hardware wallet.
 
 ### Observability
 
@@ -70,6 +70,7 @@ In the first year of the Tezos network operation, there was anecdotal evidence t
 | Google Cloud KMS               | ✅     |
 | AWS KMS                        | ✅     |
 | Ledger Nano S/S+ (Baking only) | ✅     |
+| Hashicorp Vault                | ✅     |
 
 ### Tezos Address Types
 
@@ -84,6 +85,7 @@ In Tezos, you can infer the signing algorithm from the first three characters of
 
 |                  | tz1 | tz2 | tz3 |
 | ---------------- | --- | --- | --- |
+| Hashicorp Vault  | ✅   | ❌   | ❌   |
 | Google Cloud KMS | ❌   | ❌   | ✅   |
 | AWS KMS          | ❌   | ✅   | ✅   |
 | Azure KMS        | ❌   | ✅   | ✅   |

cmd/signatory-cli/main.go

@@ -16,6 +16,7 @@ import (
 	_ "github.com/ecadlabs/signatory/pkg/vault/azure"
 	_ "github.com/ecadlabs/signatory/pkg/vault/cloudkms"
 	_ "github.com/ecadlabs/signatory/pkg/vault/file"
+	_ "github.com/ecadlabs/signatory/pkg/vault/hashicorp"
 	_ "github.com/ecadlabs/signatory/pkg/vault/ledger"
 	_ "github.com/ecadlabs/signatory/pkg/vault/mem"
 	_ "github.com/ecadlabs/signatory/pkg/vault/yubi"

cmd/signatory/main.go

@@ -15,6 +15,7 @@ import (
 	_ "github.com/ecadlabs/signatory/pkg/vault/azure"
 	_ "github.com/ecadlabs/signatory/pkg/vault/cloudkms"
 	_ "github.com/ecadlabs/signatory/pkg/vault/file"
+	_ "github.com/ecadlabs/signatory/pkg/vault/hashicorp"
 	_ "github.com/ecadlabs/signatory/pkg/vault/ledger"
 	_ "github.com/ecadlabs/signatory/pkg/vault/mem"
 	_ "github.com/ecadlabs/signatory/pkg/vault/yubi"

docs/hashicorp_vault.md

@@ -0,0 +1,115 @@
+---
+id: hashicorp_vault
+title: HashicorpVault
+---
+
+# Hashicorp Vault
+
+The goal of this guide is to configure Signatory to use an Hashicorp Vault as a signing backend.
+
+## **Vault setup**
+
+Run Vault server or use dedicated cloud instance (HCP Vault) for secrets management
+
+### **Install vault**
+
+https://developer.hashicorp.com/vault/downloads
+
+### **Run Dev Server**
+
+```sh
+docker run --cap-add=IPC_LOCK -d --name=dev-vault vault
+```
+
+### **Configure Vault Address and Token**
+
+Set the Vault address and obtain the root token provided when starting the Vault server.
+
+```sh
+export VAULT_ADDR=http://127.0.0.1:8200
+export VAULT_TOKEN={{root_token}}
+```
+
+### **Enable Transit Secrets Engine**
+
+Enable the Transit secrets engine which is used to manage cryptographic functions.
+
+```sh
+vault secrets enable transit
+```
+
+### **Create Transit Key**
+
+Create a new encryption key in the transit secrets engine.
+
+```sh
+vault write -f transit/keys/{{my-key}} type="ed25519"
+```
+
+### **Create Policy for Transit**
+
+Create a policy that allows reading and writing keys in the transit engine.
+
+```hcl
+# transit-policy.hcl
+path "transit/*" {
+  capabilities = ["read", "create", "update", "list"]
+}
+```
+
+### **Create AppRole Authentication**
+
+Enable and configure the AppRole authentication method.
+
+```sh
+vault auth enable approle
+```
+
+### **Create AppRole Role**
+
+Create a role for the AppRole authentication method. This role associates a set of policies with the AppRole.
+
+```sh
+vault write auth/approle/role/my-approle \
+  secret_id_ttl=0m \
+  token_ttl=20m \
+  token_max_ttl=30m \
+  token_policies="transit-policy"
+
+```
+
+### **Fetch Role ID and Secret ID**
+
+Fetch the Role ID and Secret ID of the AppRole.
+
+```sh
+vault read auth/approle/role/{{my-approle}}/role-id
+vault write -f auth/approle/role/{{my-approle}}/secret-id
+```
+
+## **Backend configuration**
+
+### **Configuration parameters**
+
+|||||
+|--- |--- |--- |--- |
+|Name|Type|Required|Description|
+|address|URL|✅|Vault URL|
+|roleID|UUID|✅|AppRole identifier|
+|secretID|UUID|✅|AppRole credential|
+|transitConfig.mountPoint|string|✅|Path to the transit secret engine|
+|tlsCaCert|string|OPTIONAL|tlsCaCert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.|
+|tlsClientCert|string|OPTIONAL|tlsClientCert is the path to the certificate for Vault communication|
+|tlsClientKey|string|OPTIONAL|tlsClientKey is the path to the private key for Vault communication|
+
+
+Example:
+
+```yaml
+address: "http://127.0.0.1:8200"
+roleID: "5970e31e-132b-d624-f3eb-10d1fcdd3fab"
+secretID: "aa9c4a24-c7f1-a278-a9db-bac58273fe7c"
+transitConfig:
+    mountPoint: "transit/"
+```
+

docs/start.md

@@ -8,13 +8,14 @@ sidebar_label: Getting Started
 [azure]: https://docs.microsoft.com/en-us/azure/key-vault/
 [gcp]: https://cloud.google.com/security-key-management
 [yubi]: https://www.yubico.com/products/hardware-security-module/
+[hashicorp]: https://developer.hashicorp.com/vault/docs/secrets/transit
 
 
 ## What is Signatory
 
 Signatory is a remote signing daemon that allows Tezos bakers to sign endorsement and baking operations with various key-management systems.
 
-Signatory currently supports [AWS KMS][aws], [Azure Key Vault][azure], [GCP Key Management][gcp], [YubiHSM][yubi], and for development/prototyping purposes, Signatory can sign with a [local private key](localsecret.md).
+Signatory currently supports [AWS KMS][aws], [Azure Key Vault][azure], [GCP Key Management][gcp], [YubiHSM][yubi], [Hashicorp Vault][hashicorp], and for development/prototyping purposes, Signatory can sign with a [local private key](localsecret.md).
 
 The goal of the Signatory service is to make key management as secure as possible in a Cloud and on-premise HSM context.
 
@@ -149,6 +150,7 @@ tezos:
 * [Azure Key Vault](azure_kms.md)
 * [GCP Key Management](gcp_kms.md)
 * [YubiHSM2](yubihsm.md)
+* [Hashicorp Vault](hashicorp_vault.md)
 
 ---
 

go.mod

@@ -12,6 +12,8 @@ require (
 	github.com/google/tink/go v1.7.0
 	github.com/google/uuid v1.3.1
 	github.com/gorilla/mux v1.8.0
+	github.com/hashicorp/vault/api v1.9.2
+	github.com/hashicorp/vault/api/auth/approle v0.4.1
 	github.com/karalabe/hid v1.0.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/segmentio/ksuid v1.0.4
@@ -29,13 +31,28 @@ require (
 	cloud.google.com/go/compute v1.23.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.2 // indirect
+	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/google/s2a-go v0.1.5 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
 	google.golang.org/genproto v0.0.0-20230807174057-1744710a1577 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230807174057-1744710a1577 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 // indirect