# vault

![vault](images/vault.png "vault")<!-- .element width="30%" -->

**By HashiCorp**


## Installation

* download a binary

  * https://releases.hashicorp.com/vault/
  * unpack it into /usr/local/bin
  * set the permissions
  * create a systemd service


## Configuration

* /etc/vault/vault.hcl

```
backend "file" {
  path = "/var/lib/vault"
}
ui = true
disable_mlock = true
listener "tcp" {
  address     = "10.0.0.1:8200"
  tls_disable = 1
}
```
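The listener above serves plaintext (`tls_disable = 1`) and turns mlock off; as an added example that is not part of the original page, here is the same configuration with those two settings hardened (the certificate paths and the `api_addr` hostname are placeholders):

```hcl
# Added example, not the page's own vault.hcl: hardened variant of the config above.
# "storage" is the current name of the stanza the page calls "backend".
storage "file" {
  path = "/var/lib/vault"
}

ui            = true
disable_mlock = false   # keep secrets locked in RAM so they are never swapped to disk
api_addr      = "https://vault.example.org:8200"   # placeholder hostname

listener "tcp" {
  address         = "10.0.0.1:8200"
  tls_disable     = 0
  tls_cert_file   = "/etc/vault/tls/vault.crt"   # placeholder paths
  tls_key_file    = "/etc/vault/tls/vault.key"
  tls_min_version = "tls12"   # refuse TLS 1.0/1.1 clients
}
```

With `disable_mlock = false` the binary needs the IPC_LOCK capability (`setcap cap_ipc_lock=+ep /usr/local/bin/vault`, or `CapabilityBoundingSet=CAP_IPC_LOCK` in the systemd unit), which is the "set the permissions" step of the installation list.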


## Secret engine


## KV2

```
vault login <root-token>
vault secrets enable -path=cri kv
vault kv enable-versioning cri/ # kv2
```

* secrets are versioned
* PATCH can be used, not only PUT


## Authentication

* by token
  * root
  * application

* by ldap
  * in practice this generates a token in ~/.vault-token containing


## LDAP

```
$ vault write auth/ldap/config \
    url="ldaps://samantha.local.isima.fr" \
    userattr="sAMAccountName" \
    userdn="dc=local,dc=isima,dc=fr" \
    groupattr="cn" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
    bindpass="secret" \
    insecure_tls="false" \
    starttls="true"
```


## Policy

/etc/vault/cri.hcl

```
# Write and manage secrets in key-value secret engine
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# To enable secret engines
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

path "secret/data/cri/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "cubbyhole/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

```
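The policy above grants `secret/*`, while the engine enabled earlier is mounted at `cri/`. As an added example (not the page's own cri.hcl), here is a policy written for that KV v2 mount, where reads and writes go through `cri/data/` and listing and version history go through `cri/metadata/`:

```hcl
# Added example, not from the original page: policy for the KV v2 engine mounted at cri/.

# Secret contents live under data/. "patch" is the capability behind "vault kv patch",
# so the group can update single keys without overwriting the whole secret.
path "cri/data/*" {
  capabilities = ["create", "read", "update", "patch", "delete"]
}

# "vault kv list" and version history are served from metadata/, not data/.
# "delete" here is "vault kv metadata delete": it removes every version for good.
path "cri/metadata/*" {
  capabilities = ["read", "list", "delete"]
}

# "vault kv delete" only soft-deletes a version; these two paths restore it
# or wipe it permanently. Both are POST operations, hence "update".
path "cri/undelete/*" {
  capabilities = ["update"]
}
path "cri/destroy/*" {
  capabilities = ["update"]
}
```

Nothing under `sys/mounts/*` is granted: enabling or disabling secret engines stays an operator task done with the root token, not something an LDAP group policy hands out.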

```
$ vault policy write cri /etc/vault/cri.hcl
```


## Map policy and ldap group

```
$ vault write auth/ldap/groups/cri policies=cri
```


## Usage

* the same binary to download
  * cross-platform
* two environment variables
  * $VAULT_ADDR=https://vault.isima.fr
  * $VAULT_TOKEN
or
* the [api](https://www.vaultproject.io/api/overview)


## Workflow

```
$ vault login -method=ldap username=vimazeno
$ vault secrets list
$ vault list cri/
$ vault kv get  cri/tokens
$ vault kv get  cri/tokens # each put overwrites the entries that are not rewritten
$ vault kv get  cri/tokens -format=json
$ vault kv get  cri/tokens -format=json | jq .data
$ vault kv get cri/tokens -format=json | jq .data.password
$ vault kv put cri/tokens root=pipo2
$ vault kv patch cri/tokens root1=pipo1
$ vault kv delete cri/tokens
```


## Token creation

```
$ vault policy write my vault/apps/my.hcl
$ vault token create -policy=my
```


## Tokens and CI/CD

* test locally with your own rights via ldaps
* generate a token as a CI/CD variable to allow the application to read secrets
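For the CI/CD token, an added example (not from the original page) of the policy it should carry, assuming it is the `my` policy created in the token section and that the pipeline only needs the `cri/tokens` secret: read-only, a single path, and an explicit deny on the version bookkeeping so that stacking another policy on the same token cannot widen it by accident.

```hcl
# Added example, not from the original page: least-privilege policy for a CI/CD token.

# The pipeline only reads; no create/update, so a leaked token cannot rewrite the secret.
path "cri/data/tokens" {
  capabilities = ["read"]
}

# Explicit deny wins over any other policy attached to the same token:
# no listing of the mount and no access to version history or destroy/undelete.
path "cri/metadata/*" {
  capabilities = ["deny"]
}
```

Create the token with `vault token create -policy=my -ttl=24h` and store it as a masked CI/CD variable; the `-ttl` bounds how long a leaked token stays usable.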


## Generate a secret

A strong secret is generated on the command line with `openssl` as follows

```
$ openssl rand -base64 256
```

Store the secret directly in HashiCorp Vault

```
$ vault kv put cri/tokens root=$(openssl rand -base64 25)
```

## SEE ALSO

* [cri/ansible-playbook-vault](https://gitlab.isima.fr/cri/ansible-playbook-vault)
* [Vault - Getting started](https://learn.hashicorp.com/vault/?track=getting-started#getting-started)
* [consul](https://www.consul.io/)