# vault
![vault](images/vault.png "vault")<!-- .element width="30%" -->

**By HashiCorp**
## Installation
* download a binary
  * [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
  * unpack into /usr/local/bin
  * set the permissions
  * server
    * create a systemd service
  * cli
    * `vault`
## Configuration
* /etc/vault/vault.hcl

```hcl
# "backend" is the legacy name of the storage stanza; file storage suits a
# single node but offers no HA
backend "file" {
  path = "/var/lib/vault"
}
ui = true
# with mlock disabled secrets may be swapped to disk; giving the binary the
# cap_ipc_lock capability avoids needing this
disable_mlock = true
listener "tcp" {
  address     = "10.0.0.1:8200"
  # tls_disable = 1 serves the API (tokens and secrets) in cleartext; only
  # acceptable behind a TLS-terminating proxy or on a test instance
  tls_disable = 1
}
```
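The installation steps listed above (binary, permissions, systemd service) and the configuration file, as one script. This is an added example, not the slides' own script: it assumes the release zip from https://releases.hashicorp.com/vault/ has already been downloaded and unzipped, that a `vault` system user exists, and that the TLS certificate and key sit under /etc/vault/tls/ (an assumed path). The configuration it writes keeps the slide's layout but replaces `tls_disable = 1` with a TLS listener and leaves mlock enabled; all paths are function parameters so the functions can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original slides): install an unzipped vault
# binary, write a hardened vault.hcl and the systemd unit the slide mentions.
# Assumed: a `vault` user exists and the TLS files exist under /etc/vault/tls/.
set -eu

# install_vault_binary SRC DEST_DIR: copy the binary with mode 0755
# (executable by all, writable only by its owner) and, when run as root,
# let it lock memory so secrets are not swapped out, which is what makes
# disable_mlock = true unnecessary.
install_vault_binary() {
  src=$1; dest_dir=$2
  install -d -m 0755 "$dest_dir"
  install -m 0755 "$src" "$dest_dir/vault"
  if [ "$(id -u)" -eq 0 ] && command -v setcap >/dev/null 2>&1; then
    setcap cap_ipc_lock=+ep "$dest_dir/vault"
  fi
}

# write_vault_config FILE: same stanzas as the slide's /etc/vault/vault.hcl,
# but TLS on the listener (tokens and secrets never cross the wire in
# cleartext) and mlock left enabled.
write_vault_config() {
  cat > "$1" <<'EOF'
# "backend" on the slide is the legacy name of the storage stanza
storage "file" {
  path = "/var/lib/vault"
}

listener "tcp" {
  address         = "10.0.0.1:8200"
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
  tls_min_version = "tls12"
}

api_addr      = "https://10.0.0.1:8200"
ui            = true
disable_mlock = false
EOF
}

# write_vault_unit FILE: run vault as the unprivileged `vault` user with only
# the IPC_LOCK capability and a read-only view of the rest of the system.
write_vault_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=HashiCorp Vault
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/vault.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
EOF
}

# Full install on a real host (as root):
#   install_vault_binary ./vault /usr/local/bin
#   install -d -m 0750 -o vault -g vault /etc/vault /var/lib/vault
#   write_vault_config /etc/vault/vault.hcl
#   write_vault_unit /etc/systemd/system/vault.service
#   systemctl daemon-reload && systemctl enable --now vault
```

`ConditionFileNotEmpty` keeps systemd from starting a server with an empty configuration, and `LimitMEMLOCK=infinity` together with `CAP_IPC_LOCK` is what lets a non-root vault keep `disable_mlock = false`.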

## [<i class="fa fa-book" aria-hidden="true"></i> Secret engine](https://www.vaultproject.io/docs/secrets/)
* [<i class="fa fa-book" aria-hidden="true"></i> Secrets Engines - getting started](https://learn.hashicorp.com/vault/getting-started/dynamic-secrets)
* [<i class="fa fa-book" aria-hidden="true"></i> AWS Secrets Engine](https://www.vaultproject.io/docs/secrets/aws/index.html)
* [<i class="fa fa-book" aria-hidden="true"></i> Active Directory Secrets Engine](https://www.vaultproject.io/docs/secrets/aws/index.html)
* [<i class="fa fa-book" aria-hidden="true"></i> SSH Secrets Engine](https://www.vaultproject.io/docs/secrets/ssh/index.html)
* [<i class="fa fa-book" aria-hidden="true"></i> KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv/index.html)
## KV

```shell
$ vault kv get secret/test
====== Data ======
Key          Value
---          -----
password1    secret$

$ vault kv put secret/test password2=secret!
Success! Data written to: secret/test

$ vault kv get secret/test
====== Data ======
Key          Value
---          -----
password2    secret!
```
## KV2

```shell
vault login token=<root-token>
vault secrets enable -path=cri kv
vault kv enable-versioning secret/ # kv2
```

* secrets are versioned
* PATCH can be used, not only PUT

```shell
$ vault kv patch secret/test password1=secret$
Success! Data written to: secret/test

$ vault kv get secret/test
====== Data ======
Key          Value
---          -----
password1    secret$
password2    secret!
```

## Authentication

* by token
  * root
  * application

* by ldap
  * in practice this generates a token, stored in ~/.vault-token, containing


## LDAP
```shell
$ vault write auth/ldap/config \
    url="ldaps://samantha.local.isima.fr" \
    userattr="sAMAccountName" \
    userdn="dc=local,dc=isima,dc=fr" \
    groupattr="cn" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
    bindpass="secret" \
    insecure_tls="false" \
    starttls="true"
```

[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html)

## Policy

/etc/vault/cri.hcl

```hcl
# Write and manage secrets in key-value secret engine
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# To enable secret engines
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

path "cubbyhole/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

```
```shell
$ vault policy write cri /etc/vault/cri.hcl
```
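A check worth running before `vault policy write`, as an added example rather than anything from the slides: a small lint over a policy file that flags the `sudo` capability, write access to `sys/` paths, and paths under a KV v2 mount that are not below `data/` or `metadata/`. Once `secret/` has been made versioned with `vault kv enable-versioning secret/`, a path such as `secret/cri/apps/my` matches nothing at all, while `secret/*` also grants `metadata/` and `destroy/`; the `cri.hcl` above trips all three checks. The file and the mount name are parameters, nothing here talks to Vault, and only POSIX sh and awk are used.

```shell
#!/bin/sh
# Added example (not from the original slides): lint a Vault policy file for
# over-broad grants before it is written. Arguments: policy file, name of
# the KV v2 mount (e.g. secret). Exit status 1 when anything is flagged.
set -eu

# lint_policy FILE MOUNT: print one WARN line per finding.
lint_policy() {
  awk -v mount="$2" '
    function warn(msg) { print "WARN " FILENAME ":" NR ": " msg; findings++ }
    # path "<glob>" { ... : remember the path for the capabilities line
    /^[[:space:]]*path[[:space:]]+"/ {
      match($0, /"[^"]*"/)
      cur = substr($0, RSTART + 1, RLENGTH - 2)
      if (index(cur, mount "/") == 1) {
        rest = substr(cur, length(mount) + 2)
        # on KV v2 the secrets live under data/, the rest under metadata/,
        # delete/, undelete/ and destroy/; anything else is a mistake
        if (rest !~ /^(data|metadata|delete|undelete|destroy)\//)
          warn("\"" cur "\" is under KV v2 mount " mount "/ but not below data/ or metadata/")
      }
    }
    /capabilities[[:space:]]*=/ {
      if ($0 ~ /"sudo"/)
        warn("\"" cur "\" grants sudo (root-protected operations)")
      if (cur ~ /^sys\// && $0 ~ /"(create|update|delete)"/)
        warn("\"" cur "\" grants write access to the system backend")
    }
    END { exit (findings > 0) }
  ' "$1"
}

# Usage:
#   lint_policy /etc/vault/cri.hcl secret && vault policy write cri /etc/vault/cri.hcl
```

The lint only reads `path "..."` and `capabilities = [...]` lines, which is enough for policies written in the style of the slides; it is a review aid, not a substitute for reading the policy.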

## apply a policy to an LDAP group
```shell
$ vault write auth/ldap/groups/cri policies=cri
```


## Usage

* [binary to download](https://releases.hashicorp.com/vault/)
  * cross-platform
  * two environment variables
    * $VAULT_ADDR=https://vault.isima.fr
    * $VAULT_TOKEN or LDAP authentication
or
* the [<i class="fa fa-book" aria-hidden="true"></i> API](https://www.vaultproject.io/api/overview)
## Workflow

```shell
$ vault login -method=ldap username=vimazeno
$ vault secrets list
$ vault kv list secret/ # kv list/get/put/delete handle the data/ and metadata/ prefixes of a KV v2 mount
$ vault kv get  secret/tokens
$ vault kv get  secret/tokens # each put overwrites the entries you do not rewrite; patch keeps them
$ vault kv get  secret/tokens -format=json
$ vault kv get  secret/tokens -format=json | jq .data
$ vault kv get secret/tokens -format=json | jq .data.password
$ vault kv put secret/tokens password2=$(date | sha256sum | cut -c -50)
$ vault kv patch secret/tokens password1=$(date | sha256sum | cut -c -50)
$ vault kv delete secret/tokens # plain `vault delete secret/tokens` has no route on a KV v2 mount
```
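What `vault kv put` and `vault kv patch` actually send to a KV v2 mount, which is the point of the KV2 section (PATCH as well as PUT) and of the "each put overwrites" note in the workflow above. This is an added example, not the slides' own code: it assumes `VAULT_ADDR` and `VAULT_TOKEN` are exported, that `secret/` is versioned, that `curl` is installed, and a Vault server of 1.9 or newer for server-side PATCH. The request-body builders need no Vault and can be exercised on their own.

```shell
#!/bin/sh
# Added example (not from the original slides): the HTTP requests behind
# `vault kv put` / `vault kv patch` on a KV v2 mount. put replaces the whole
# data object; patch (JSON merge-patch) only touches the keys given; the
# cas option makes a put fail instead of clobbering a version someone else
# wrote. Assumed: VAULT_ADDR, VAULT_TOKEN exported; secret/ is KV v2.
set -eu

# json_escape STRING: escape backslashes and double quotes for a JSON string
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# kv_data_object KEY=VALUE...: {"key":"value",...}; every value is a string,
# exactly like the CLI's k=v arguments
kv_data_object() {
  out='{'; sep=''
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    out="$out$sep\"$(json_escape "$key")\":\"$(json_escape "$value")\""
    sep=','
  done
  printf '%s}' "$out"
}

# kv2_put_body CAS KEY=VALUE...: body for POST /v1/secret/data/<path>.
# "data" REPLACES the stored secret, so keys not listed disappear.
# cas=N: Vault rejects the write unless the current version is N.
# cas=0: the write only succeeds if the secret does not exist yet.
kv2_put_body() {
  cas=$1; shift
  printf '{"options":{"cas":%s},"data":%s}' "$cas" "$(kv_data_object "$@")"
}

# kv2_patch_body KEY=VALUE...: body for PATCH /v1/secret/data/<path>, sent
# as application/merge-patch+json; only the listed keys change.
kv2_patch_body() {
  printf '{"data":%s}' "$(kv_data_object "$@")"
}

# kv2_put PATH CAS KEY=VALUE...    e.g. kv2_put test 1 'password2=secret!'
kv2_put() {
  p=$1; cas=$2; shift 2
  curl -sS --fail -X POST "$VAULT_ADDR/v1/secret/data/$p" \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -H 'Content-Type: application/json' \
    --data "$(kv2_put_body "$cas" "$@")"
}

# kv2_patch PATH KEY=VALUE...      e.g. kv2_patch test 'password1=secret$'
kv2_patch() {
  p=$1; shift
  curl -sS --fail -X PATCH "$VAULT_ADDR/v1/secret/data/$p" \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -H 'Content-Type: application/merge-patch+json' \
    --data "$(kv2_patch_body "$@")"
}

# The version to pass as cas is .data.metadata.version in the response of
#   curl -sS -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/data/test"
```

With `cas` set, the sequence from the KV section (`put password2=...` wiping `password1`) becomes a rejected write when another client has bumped the version in between, and the caller has to re-read and decide; `patch` sidesteps the problem for single-key updates.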


## token creation

my.hcl

```hcl
path "secret/data/cri/apps/my" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

```shell
$ vault policy write my vault/apps/my.hcl # policy name first, then the file
$ vault token create -policy=my
```


## vault/ci/cd
Vincent Mazenod's avatar
Vincent Mazenod committed
199
### locally
LDAP authentication
### <i class="fa fa-gitlab" aria-hidden="true"></i> CI / CD
![vault CI](images/vault-ci.png)
## bin/setup
<small>
```bash
# refuse to run without the vault CLI
command -v "vault" >/dev/null 2>&1 || {
  echo >&2 "I require vault to run see stack"
  exit 1
}
# default Vault address unless one is already exported
if [[ -z "${VAULT_ADDR:-}" ]] ; then
  export VAULT_ADDR=https://vault.isima.fr
fi
if [[ -z "${VAULT_TOKEN:-}" ]] ; then
  # no token yet: log in through LDAP, asking for the username if needed
  if [[ -z "${VAULT_USERNAME:-}" ]] ; then
    echo uca username
    read -r username
    export VAULT_USERNAME=${username}
  fi
  vault login -method=ldap username="${VAULT_USERNAME}" > /dev/null
  # print the export line for the token that the login wrote to ~/.vault-token
  echo " export VAULT_TOKEN=$(cat ~/.vault-token)"
else
  # a token is already exported: verify it and cache it in ~/.vault-token
  vault login token="${VAULT_TOKEN}" > /dev/null
fi
```
</small>


## bin/configure

<small>
```bash
# read the secret once; jq (already used below) gives the key names directly,
# which replaces the Python 2-only `print` one-liner and its sed clean-up
SECRET=$(vault read cri/my -format=json)
# bash array of the vault key names
VAULT_KEYS=( $(printf '%s' "${SECRET}" | jq -r '.data | keys[]') )
# copy the configuration template to the configuration file
cp config.sample.py config.py
# iterate over the vault keys: every occurrence of a key name in the template
# is replaced by its value (a value containing `|` would break the sed expression)
for i in "${VAULT_KEYS[@]}"
do
  # --arg handles key names that are not valid jq identifiers (dashes, dots)
  value=$(printf '%s' "${SECRET}" | jq -r --arg k "$i" '.data[$k]' | tr -d '\n')
  sed -i "s|$i|${value}|g" config.py
done
```
</small>