
vault

vault

By HashiCorp

Installation

Configuration

/etc/vault/vault.hcl

# /etc/vault/vault.hcl — single-node Vault server configuration.
#
# NOTE(review): `backend` is the legacy spelling of the `storage` stanza;
# confirm the deployed Vault version still accepts it. The file backend keeps
# every secret on local disk with no HA — fine for a lab, not for production.
backend "file" {
  path = "/var/lib/vault"
}
ui = true
# Allows the kernel to swap Vault's memory — which holds the unseal key
# material and plaintext secrets — out to disk. Only acceptable when the host
# has no swap or encrypted swap; otherwise leave mlock enabled (typically by
# granting cap_ipc_lock to the binary instead).
disable_mlock = true
listener "tcp" {
  address     = "10.0.0.1:8200"
  # TLS is disabled on a non-loopback address: every token, LDAP password sent
  # to auth/ldap/login and every secret crosses the network in cleartext.
  # Set tls_cert_file / tls_key_file and remove this line before any client
  # other than localhost uses the API (the bin/setup script on this page
  # already defaults VAULT_ADDR to an https:// URL, so a TLS listener is
  # expected).
  tls_disable = 1
}

Secrets engines

"secrets engines"

KV

$ vault kv get cri/test
====== Data ======
Key          Value
---          -----
password1    secret$

$ vault kv put cri/test password2=secret!
Success! Data written to: cri/test

$ vault kv get cri/test
====== Data ======
Key          Value
---          -----
password2    secret!

KV2

vault secrets enable -path=cri kv
vault kv enable-versioning cri/ # kv2
  • les secrets sont versionnés
  • il est possible d'utiliser PATCH et pas seulement PUT
$ vault kv patch cri/test password1=secret$
Success! Data written to: cri/test

$ vault kv get cri/test
====== Data ======
Key          Value
---          -----
password1    secret$
password2    secret!

Authentification

"authentification"

Authentification

vault login token=<root-token>
  • par token
    • root (à réserver à l'initialisation du serveur, puis à révoquer : ce token contourne toutes les policies)
    • d'application
$ vault login -method=ldap username=vimazeno
  • par ldap
    • en réalité génère un token, stocké dans ~/.vault-token (le script bin/setup ci-dessous le relit dans ce fichier)

LDAP

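# One-time operator step: configure the LDAP auth method.
#
# The bind password is prompted for and handed to `vault write` on stdin
# ("bindpass=-" reads the value from stdin) instead of being typed on the
# command line, so it never lands in shell history or in `ps`/cmdline output
# on the admin host. printf '%s' sends it without a trailing newline, which
# would otherwise become part of the password.
#
# NOTE(review): url is ldaps:// (TLS from the first byte) while starttls is
# also set to true — STARTTLS is for plain ldap:// on 389. Confirm which port
# the server exposes and keep only one of the two. insecure_tls=false keeps
# certificate verification on, so the server cert must chain to a CA Vault
# trusts (or be supplied via the certificate= parameter).
#
# The groupfilter uses the AD-specific matching rule
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) so nested group
# membership is resolved; the bind account only needs read access to the
# user and group subtrees.
read -r -s -p 'LDAP bind password for cn=vault: ' ldap_bindpass; echo
printf '%s' "${ldap_bindpass}" | vault write auth/ldap/config \
    url="ldaps://samantha.local.isima.fr" \
    userattr="sAMAccountName" \
    userdn="dc=local,dc=isima,dc=fr" \
    groupattr="cn" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
    bindpass=- \
    insecure_tls="false" \
    starttls="true"
unset ldap_bindpass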

LDAP Auth Method

Policy

/etc/vault/users/cri.hcl

# /etc/vault/users/cri.hcl — policy attached to the LDAP group "cri".
# (The `vault policy write` command on this page reads /etc/vault/cri.hcl —
# one of the two paths is wrong; confirm which.)
#
# NOTE(review): the KV engine created on this page is mounted at cri/ (and
# versioned), but this policy only grants secret/*. Unless a KV engine is
# also mounted at secret/, group members get no access to cri/ at all; a
# KV v2 mount needs paths like cri/data/* and cri/metadata/*. Confirm the
# intended mount.
# Write and manage secrets in key-value secret engine
path "secret/*" {
  # "sudo" only matters on root-protected sys/ paths; on a KV mount it grants
  # nothing extra and can be dropped.
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# To enable secret engines
# NOTE(review): create/update/delete on sys/mounts/* lets every member of
# the group mount, tune or unmount ANY secrets engine on the server — an
# operator-level capability. Narrow it (e.g. sys/mounts/cri*) or move it to
# the operators' policy; "read" alone is enough for `vault secrets list`.
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

# Per-token private storage, not shared with other tokens; harmless.
path "cubbyhole/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
$ vault policy write cri /etc/vault/cri.hcl

appliquer une policy à un groupe ldap

$ vault write auth/ldap/groups/cri policies=cri

Utilisation

Workflow

$ vault secrets list
$ vault kv list cri/
$ vault kv get cri/services/vault/tokens
$ vault kv get cri/services/vault/tokens # à chaque put on écrase les entrées qu'on ne réécrit pas
$ vault kv get -format=json cri/services/vault/tokens
$ vault kv get -format=json cri/services/vault/tokens | jq .data
$ vault kv get -format=json cri/services/vault/tokens | jq .data.data.root
$ vault kv put cri/test password2=$(date | sha256sum | cut -c -50)
$ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
$ vault delete cri/test

création de token

my.hcl

# my.hcl — least-privilege policy for a single application token: it can
# only touch one secret. The data/ segment is the KV v2 layout, so this
# assumes a versioned engine mounted at secret/ (the versioned mount created
# on this page is cri/, whose equivalent path would be cri/data/apps/my —
# confirm which mount the application uses).
path "secret/data/cri/apps/my" {
  # In KV v2 listing is served from the metadata/ path, so "list" here is
  # presumably without effect — harmless, but it can be dropped.
  capabilities = ["create", "read", "update", "delete", "list"]
}
$ vault policy write my vault/hcl/apps/my.hcl   # le nom de la policy ("my") est obligatoire : c'est lui qu'utilise -policy=my ci-dessous
$ vault token create -policy=my

vault/ci/cd

en local

authentification ldap

CI / CD

vault CI

bin/setup

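# bin/setup — obtain a Vault token for the local CI/CD helpers (bash: uses [[ ]]).
#
# Environment:
#   VAULT_ADDR      Vault server URL; defaults to https://vault.isima.fr
#   VAULT_TOKEN     if set, it is validated and reused as-is
#   VAULT_USERNAME  LDAP user; prompted for when neither it nor VAULT_TOKEN is set
# Output: after an LDAP login, prints an `export VAULT_TOKEN=...` line for
# the caller to paste into its shell. Exits non-zero if vault is missing or
# the login fails.
set -euo pipefail

command -v "vault" >/dev/null 2>&1 || {
  echo >&2 "I require vault to run see stack"
  exit 1
}

# ${VAR:-} keeps `set -u` from aborting when the variable is unset.
if [[ -z "${VAULT_ADDR:-}" ]] ; then
  export VAULT_ADDR=https://vault.isima.fr
fi

if [[ -z "${VAULT_TOKEN:-}" ]] ; then
  if [[ -z "${VAULT_USERNAME:-}" ]] ; then
    # -r keeps backslashes literal; -p writes the prompt to stderr so stdout
    # carries nothing but the export line below.
    read -r -p 'uca username ' username
    export VAULT_USERNAME="${username}"
  fi
  # The LDAP password is prompted for by vault itself and never put on argv.
  vault login -method=ldap username="${VAULT_USERNAME}" > /dev/null
  # Prints the token so the caller can paste/eval it. The leading space lets
  # a shell with HISTCONTROL=ignorespace keep the line out of history, but
  # anything capturing stdout (a CI job log, `script`, tee) will record the
  # token — run this interactively only.
  echo " export VAULT_TOKEN=$(cat ~/.vault-token)"
else
  # Validate the supplied token and store it in the token helper
  # (~/.vault-token), as `vault login token=...` did — but fed on stdin
  # ("token=-") so it is not visible to every local user through
  # `ps`/`/proc/*/cmdline` for the duration of the call. printf '%s' avoids
  # appending a newline to the token.
  printf '%s' "${VAULT_TOKEN}" | vault login token=- > /dev/null
fi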

bin/configure

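# bin/configure — render config.py from config.sample.py (bash: uses [[ ]]).
#
# Reads the secret stored at cri/my once and, for every key it contains,
# replaces each literal occurrence of the key name in config.py with the
# key's value (config.sample.py therefore uses the key names as
# placeholders). Requires an authenticated vault CLI (see bin/setup) and jq;
# the python2-only key parsing of the previous version is gone.
set -euo pipefail

# One read instead of one per key. Any vault/jq failure now aborts the
# script instead of silently leaving placeholders in place (the previous
# `sed ... 2>/dev/null` hid them).
# NOTE(review): `.data.<key>` is the KV v1 response shape; if cri/ is the
# versioned mount enabled earlier on this page, the document sits under
# .data.data and must be fetched with `vault kv get -format=json` — confirm.
secret_json=$(vault read -format=json cri/my)

# Start from the template. config.py now holds live credentials and inherits
# the template's mode — tighten it (chmod 600) unless another account must
# read it.
cp config.sample.py config.py
# $(<file) drops trailing newlines; printf below writes exactly one back.
content=$(<config.py)

# Keys one per line (a key containing a newline is unsupported, as before).
# Lookup via --arg so names with '-' or '.' work, unlike `.data.$i`.
while IFS= read -r key; do
  [[ -n "$key" ]] || continue
  value=$(jq -r --arg k "$key" '.data[$k]' <<<"$secret_json")
  # Quoting both operands of ${var//pat/rep} makes key and value literal, so a
  # secret containing '|', '&', '\', '/' or a newline can no longer corrupt
  # the substitution the way it did inside `sed -i "s|key|value|g"`.
  content=${content//"$key"/"$value"}
done < <(jq -r '.data | keys_unsorted[]' <<<"$secret_json")

printf '%s\n' "$content" > config.py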