secretumvault/justfiles/vault.just

# Vault operations recipes for SecretumVault

[doc("Show vault operations help")]
help:
    @echo "VAULT OPERATIONS COMMANDS"; \
    echo ""; \
    echo "Health & Status:"; \
    echo "  just vault::health              Check vault health"; \
    echo "  just vault::status              Get seal status"; \
    echo "  just vault::version             Show vault version"; \
    echo ""; \
    echo "Initialization:"; \
    echo "  just vault::init SHARES THRESH  Initialize with Shamir"; \
    echo "  just vault::init-default        Init with default (5 shares, 3 threshold)"; \
    echo ""; \
    echo "Unsealing:"; \
    echo "  just vault::unseal KEY          Unseal with key"; \
    echo "  just vault::unseal-status       Show unseal progress"; \
    echo ""; \
    echo "Token Operations:"; \
    echo "  just vault::create-token        Create auth token"; \
    echo "  just vault::revoke-token TOKEN  Revoke token"; \
    echo "  just vault::lookup-token TOKEN  Get token info"; \
    echo ""; \
    echo "Secrets:"; \
    echo "  just vault::list-secrets        List all secrets"; \
    echo "  just vault::read-secret PATH    Read secret"; \
    echo "  just vault::write-secret PATH   Write secret"; \
    echo "  just vault::delete-secret PATH  Delete secret"; \
    echo ""

# Variables
VAULT_ADDR := "http://localhost:8200"

# Health check
[doc("Check vault health")]
health:
    @curl -s {{ VAULT_ADDR }}/v1/sys/health | jq . || echo "Vault unreachable"

# Seal status
[doc("Get seal/unseal status")]
status:
    @curl -s {{ VAULT_ADDR }}/v1/sys/seal-status | jq .

# Version
[doc("Show vault version")]
version:
    @curl -s {{ VAULT_ADDR }}/v1/sys/health | jq '.version'

# Initialize vault (Shamir)
[doc("Initialize vault with Shamir Secret Sharing")]
init SHARES="5" THRESHOLD="3":
    @echo "Initializing vault with {{ SHARES }} shares, {{ THRESHOLD }} threshold..."
    @curl -X POST {{ VAULT_ADDR }}/v1/sys/init \
      -H "Content-Type: application/json" \
      -d "{ \"shares\": {{ SHARES }}, \"threshold\": {{ THRESHOLD }} }" | jq .

# Initialize with defaults
[doc("Initialize vault (5 shares, 3 threshold)")]
init-default:
    @just vault::init 5 3

# Unseal with key
[doc("Unseal vault with single key")]
unseal KEY:
    @curl -X POST {{ VAULT_ADDR }}/v1/sys/unseal \
      -H "Content-Type: application/json" \
      -d "{ \"key\": \"{{ KEY }}\" }" | jq .

# Show unseal progress
[doc("Show unseal progress")]
unseal-status:
    @curl -s {{ VAULT_ADDR }}/v1/sys/seal-status | jq '.{sealed, t, n, progress}'

# Create token
[doc("Create authentication token")]
create-token ROOT_TOKEN:
    @curl -X POST {{ VAULT_ADDR }}/v1/auth/token/create \
      -H "X-Vault-Token: {{ ROOT_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"policies": ["default"], "ttl": "24h"}' | jq '.auth'

# Revoke token
[doc("Revoke token")]
revoke-token ROOT_TOKEN TOKEN:
    @curl -X POST {{ VAULT_ADDR }}/v1/auth/token/revoke \
      -H "X-Vault-Token: {{ ROOT_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d "{ \"token\": \"{{ TOKEN }}\" }" | jq .

# Lookup token
[doc("Get token information")]
lookup-token TOKEN:
    @curl -s {{ VAULT_ADDR }}/v1/auth/token/self \
      -H "X-Vault-Token: {{ TOKEN }}" | jq '.auth'

# List all secrets
[doc("List all secrets in KV engine")]
list-secrets TOKEN:
    @curl -X LIST {{ VAULT_ADDR }}/v1/secret/metadata \
      -H "X-Vault-Token: {{ TOKEN }}" | jq '.data.keys'

# Read secret
[doc("Read secret (requires: TOKEN PATH)")]
read-secret TOKEN PATH:
    @curl -s {{ VAULT_ADDR }}/v1/secret/data/{{ PATH }} \
      -H "X-Vault-Token: {{ TOKEN }}" | jq '.data.data'

# Write secret
[doc("Write secret (requires: TOKEN PATH DATA_JSON)")]
write-secret TOKEN PATH DATA:
    @curl -X POST {{ VAULT_ADDR }}/v1/secret/data/{{ PATH }} \
      -H "X-Vault-Token: {{ TOKEN }}" \
      -H "Content-Type: application/json" \
      -d "{ \"data\": {{ DATA }} }" | jq .

# Delete secret
[doc("Delete secret")]
delete-secret TOKEN PATH:
    @curl -X DELETE {{ VAULT_ADDR }}/v1/secret/data/{{ PATH }} \
      -H "X-Vault-Token: {{ TOKEN }}" | jq .

# Encrypt with transit
[doc("Encrypt data with Transit engine")]
encrypt TOKEN KEY PLAINTEXT:
    @ENCODED=$(echo -n "{{ PLAINTEXT }}" | base64) && \
    curl -X POST {{ VAULT_ADDR }}/v1/transit/encrypt/{{ KEY }} \
      -H "X-Vault-Token: {{ TOKEN }}" \
      -H "Content-Type: application/json" \
      -d "{ \"plaintext\": \"$ENCODED\" }" | jq '.data.ciphertext'

# Decrypt with transit
[doc("Decrypt data with Transit engine")]
decrypt TOKEN KEY CIPHERTEXT:
    @curl -X POST {{ VAULT_ADDR }}/v1/transit/decrypt/{{ KEY }} \
      -H "X-Vault-Token: {{ TOKEN }}" \
      -H "Content-Type: application/json" \
      -d "{ \"ciphertext\": \"{{ CIPHERTEXT }}\" }" | jq '.data.plaintext' | tr -d '"' | base64 -d && echo

# Get metrics
[doc("Get Prometheus metrics")]
metrics:
    @curl -s {{ VAULT_ADDR }}:9090/metrics | grep vault_ | head -20

# Full initialization workflow
[doc("Full initialization: init + display keys + instructions")]
init-workflow:
    @echo "=== SecretumVault Initialization Workflow ===" && echo
    @echo "1. Initializing vault..."
    @INIT_RESPONSE=$(curl -s -X POST {{ VAULT_ADDR }}/v1/sys/init \
      -H "Content-Type: application/json" \
      -d '{"shares": 5, "threshold": 3}')
    @echo "$INIT_RESPONSE" | jq '{keys: .keys, root_token: .root_token}' | tee init-response.json
    @echo ""
    @echo "2. ⚠️  CRITICAL: Save keys and root token to secure location!"
    @echo "   File saved: init-response.json"
    @echo ""
    @echo "3. To unseal vault:"
    @echo "   just vault::unseal <key1>"
    @echo "   just vault::unseal <key2>"
    @echo "   just vault::unseal <key3>"
    @echo ""
    @echo "4. Check unsealing progress:"
    @echo "   just vault::unseal-status"

# Kubernetes setup: init and unseal
[doc("K8s: Initialize vault in cluster")]
k8s-init:
    @echo "Initializing vault in Kubernetes..."
    @kubectl -n secretumvault port-forward svc/vault 8200:8200 &
    @sleep 2
    @just vault::init-workflow

# Kubernetes: display unsealing instructions
[doc("K8s: Show unsealing instructions")]
k8s-unseal-instructions:
    @echo "To unseal vault in Kubernetes:"
    @echo ""
    @echo "1. Port-forward to vault:"
    @echo "   kubectl -n secretumvault port-forward svc/vault 8200:8200 &"
    @echo ""
    @echo "2. Unseal with keys:"
    @echo "   just vault::unseal <key1>"
    @echo "   just vault::unseal <key2>"
    @echo "   just vault::unseal <key3>"
    @echo ""
    @echo "3. Verify unsealed:"
    @echo "   just vault::status"
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`# Vault operations recipes for SecretumVault`

			`[doc("Show vault operations help")]`
			`help:`
			`@echo "VAULT OPERATIONS COMMANDS"; \`
			`echo ""; \`
			`echo "Health & Status:"; \`
			`echo " just vault::health Check vault health"; \`
			`echo " just vault::status Get seal status"; \`
			`echo " just vault::version Show vault version"; \`
			`echo ""; \`
			`echo "Initialization:"; \`
			`echo " just vault::init SHARES THRESH Initialize with Shamir"; \`
			`echo " just vault::init-default Init with default (5 shares, 3 threshold)"; \`
			`echo ""; \`
			`echo "Unsealing:"; \`
			`echo " just vault::unseal KEY Unseal with key"; \`
			`echo " just vault::unseal-status Show unseal progress"; \`
			`echo ""; \`
			`echo "Token Operations:"; \`
			`echo " just vault::create-token Create auth token"; \`
			`echo " just vault::revoke-token TOKEN Revoke token"; \`
			`echo " just vault::lookup-token TOKEN Get token info"; \`
			`echo ""; \`
			`echo "Secrets:"; \`
			`echo " just vault::list-secrets List all secrets"; \`
			`echo " just vault::read-secret PATH Read secret"; \`
			`echo " just vault::write-secret PATH Write secret"; \`
			`echo " just vault::delete-secret PATH Delete secret"; \`
			`echo ""`

			`# Variables`
			`VAULT_ADDR := "http://localhost:8200"`

			`# Health check`
			`[doc("Check vault health")]`
			`health:`
			`@curl -s {{ VAULT_ADDR }}/v1/sys/health \| jq . \|\| echo "Vault unreachable"`

			`# Seal status`
			`[doc("Get seal/unseal status")]`
			`status:`
			`@curl -s {{ VAULT_ADDR }}/v1/sys/seal-status \| jq .`

			`# Version`
			`[doc("Show vault version")]`
			`version:`
			`@curl -s {{ VAULT_ADDR }}/v1/sys/health \| jq '.version'`

			`# Initialize vault (Shamir)`
			`[doc("Initialize vault with Shamir Secret Sharing")]`
			`init SHARES="5" THRESHOLD="3":`
			`@echo "Initializing vault with {{ SHARES }} shares, {{ THRESHOLD }} threshold..."`
			`@curl -X POST {{ VAULT_ADDR }}/v1/sys/init \`
			`-H "Content-Type: application/json" \`
			`-d "{ \"shares\": {{ SHARES }}, \"threshold\": {{ THRESHOLD }} }" \| jq .`

			`# Initialize with defaults`
			`[doc("Initialize vault (5 shares, 3 threshold)")]`
			`init-default:`
			`@just vault::init 5 3`

			`# Unseal with key`
			`[doc("Unseal vault with single key")]`
			`unseal KEY:`
			`@curl -X POST {{ VAULT_ADDR }}/v1/sys/unseal \`
			`-H "Content-Type: application/json" \`
			`-d "{ \"key\": \"{{ KEY }}\" }" \| jq .`

			`# Show unseal progress`
			`[doc("Show unseal progress")]`
			`unseal-status:`
			`@curl -s {{ VAULT_ADDR }}/v1/sys/seal-status \| jq '.{sealed, t, n, progress}'`

			`# Create token`
			`[doc("Create authentication token")]`
			`create-token ROOT_TOKEN:`
			`@curl -X POST {{ VAULT_ADDR }}/v1/auth/token/create \`
			`-H "X-Vault-Token: {{ ROOT_TOKEN }}" \`
			`-H "Content-Type: application/json" \`
			`-d '{"policies": ["default"], "ttl": "24h"}' \| jq '.auth'`

			`# Revoke token`
			`[doc("Revoke token")]`
			`revoke-token ROOT_TOKEN TOKEN:`
			`@curl -X POST {{ VAULT_ADDR }}/v1/auth/token/revoke \`
			`-H "X-Vault-Token: {{ ROOT_TOKEN }}" \`
			`-H "Content-Type: application/json" \`
			`-d "{ \"token\": \"{{ TOKEN }}\" }" \| jq .`

			`# Lookup token`
			`[doc("Get token information")]`
			`lookup-token TOKEN:`
			`@curl -s {{ VAULT_ADDR }}/v1/auth/token/self \`
			`-H "X-Vault-Token: {{ TOKEN }}" \| jq '.auth'`

			`# List all secrets`
			`[doc("List all secrets in KV engine")]`
			`list-secrets TOKEN:`
			`@curl -X LIST {{ VAULT_ADDR }}/v1/secret/metadata \`
			`-H "X-Vault-Token: {{ TOKEN }}" \| jq '.data.keys'`

			`# Read secret`
			`[doc("Read secret (requires: TOKEN PATH)")]`
			`read-secret TOKEN PATH:`
			`@curl -s {{ VAULT_ADDR }}/v1/secret/data/{{ PATH }} \`
			`-H "X-Vault-Token: {{ TOKEN }}" \| jq '.data.data'`

			`# Write secret`
			`[doc("Write secret (requires: TOKEN PATH DATA_JSON)")]`
			`write-secret TOKEN PATH DATA:`
			`@curl -X POST {{ VAULT_ADDR }}/v1/secret/data/{{ PATH }} \`
			`-H "X-Vault-Token: {{ TOKEN }}" \`
			`-H "Content-Type: application/json" \`
			`-d "{ \"data\": {{ DATA }} }" \| jq .`

			`# Delete secret`
			`[doc("Delete secret")]`
			`delete-secret TOKEN PATH:`
			`@curl -X DELETE {{ VAULT_ADDR }}/v1/secret/data/{{ PATH }} \`
			`-H "X-Vault-Token: {{ TOKEN }}" \| jq .`

			`# Encrypt with transit`
			`[doc("Encrypt data with Transit engine")]`
			`encrypt TOKEN KEY PLAINTEXT:`
			`@ENCODED=$(echo -n "{{ PLAINTEXT }}" \| base64) && \`
			`curl -X POST {{ VAULT_ADDR }}/v1/transit/encrypt/{{ KEY }} \`
			`-H "X-Vault-Token: {{ TOKEN }}" \`
			`-H "Content-Type: application/json" \`
			`-d "{ \"plaintext\": \"$ENCODED\" }" \| jq '.data.ciphertext'`

			`# Decrypt with transit`
			`[doc("Decrypt data with Transit engine")]`
			`decrypt TOKEN KEY CIPHERTEXT:`
			`@curl -X POST {{ VAULT_ADDR }}/v1/transit/decrypt/{{ KEY }} \`
			`-H "X-Vault-Token: {{ TOKEN }}" \`
			`-H "Content-Type: application/json" \`
			`-d "{ \"ciphertext\": \"{{ CIPHERTEXT }}\" }" \| jq '.data.plaintext' \| tr -d '"' \| base64 -d && echo`

			`# Get metrics`
			`[doc("Get Prometheus metrics")]`
			`metrics:`
			`@curl -s {{ VAULT_ADDR }}:9090/metrics \| grep vault_ \| head -20`

			`# Full initialization workflow`
			`[doc("Full initialization: init + display keys + instructions")]`
			`init-workflow:`
			`@echo "=== SecretumVault Initialization Workflow ===" && echo`
			`@echo "1. Initializing vault..."`
			`@INIT_RESPONSE=$(curl -s -X POST {{ VAULT_ADDR }}/v1/sys/init \`
			`-H "Content-Type: application/json" \`
			`-d '{"shares": 5, "threshold": 3}')`
			`@echo "$INIT_RESPONSE" \| jq '{keys: .keys, root_token: .root_token}' \| tee init-response.json`
			`@echo ""`
			`@echo "2. ⚠️ CRITICAL: Save keys and root token to secure location!"`
			`@echo " File saved: init-response.json"`
			`@echo ""`
			`@echo "3. To unseal vault:"`
			`@echo " just vault::unseal <key1>"`
			`@echo " just vault::unseal <key2>"`
			`@echo " just vault::unseal <key3>"`
			`@echo ""`
			`@echo "4. Check unsealing progress:"`
			`@echo " just vault::unseal-status"`

			`# Kubernetes setup: init and unseal`
			`[doc("K8s: Initialize vault in cluster")]`
			`k8s-init:`
			`@echo "Initializing vault in Kubernetes..."`
			`@kubectl -n secretumvault port-forward svc/vault 8200:8200 &`
			`@sleep 2`
			`@just vault::init-workflow`

			`# Kubernetes: display unsealing instructions`
			`[doc("K8s: Show unsealing instructions")]`
			`k8s-unseal-instructions:`
			`@echo "To unseal vault in Kubernetes:"`
			`@echo ""`
			`@echo "1. Port-forward to vault:"`
			`@echo " kubectl -n secretumvault port-forward svc/vault 8200:8200 &"`
			`@echo ""`
			`@echo "2. Unseal with keys:"`
			`@echo " just vault::unseal <key1>"`
			`@echo " just vault::unseal <key2>"`
			`@echo " just vault::unseal <key3>"`
			`@echo ""`
			`@echo "3. Verify unsealed:"`
			`@echo " just vault::status"`