wip vault

7f17c786 · Vincent Mazenod · 1e73b750 · 7f17c786
Commit 7f17c786 authored 5 years ago by Vincent Mazenod
--- a/content/slides/privacy/md/vault.md
+++ b/content/slides/privacy/md/vault.md
-#### Des secrets, des apps, des tokens, une équipe, un séquestre 
+#### Des secrets, des apps, des tokens, des équipes, un séquestre 
 ## Vault en bref!
@@ -58,45 +58,15 @@
 * Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
-  * un serveur
+  * un serveur  
-    * une api
-    * une UI
  * un cli
+  * une [<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
+  * une UI web
 * [écrit en go](https://github.com/hashicorp/hcl)
 * [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
 * cross plateform
-## Utilisation
-* via la ligne de commande
-  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
-    * cross plateform
-    * deux variables d'environnement
-      * $VAULT_ADDR=https://vault.isima.fr
-      * $VAULT_TOKEN ou authentification ldap
-* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
-## Configuration
-`/etc/vault/vault.hcl`
-```
-backend "file" {
-  path = "/var/lib/vault"
-}
-ui = true
-disable_mlock = true
-listener "tcp" {
-  address     = "10.0.0.1:443"
-  tls_cert_file = "/etc/certs/vault.crt"
-  tls_key_file  =  "/etc/certs/vault.key"
-  tls_disable   = 0
-}
-```
 ## Initialisation SSS (Shamir's Secret Sharing)
@@ -126,54 +96,6 @@ existing unseal keys shares. See "vault operator rekey" for more information.
 ```
-## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/)
-!["secrets engines"](../cri/images/vault-secrets-engines.png "secrets engines")
-## KV
-```shell
-$ vault kv get cri/test
-====== Data ======
-Key          Value
---          -----
-password1    secret$
-$ vault kv put cri/test password2=secret!
-Success! Data written to: cri/test
-$ vault kv get cri/test
-====== Data ======
-Key          Value
---          -----
-password2    secret!
-```
-## KV2
-```shell
-vault secrets enable -path=cri kv
-vault kv enable-versioning cri/ # kv2
-```
-* les secrets sont versionnés
-* il est possible d'utiliser PATCH et pas seulement PUT
-```shell
-$ vault kv patch cri/test password1=secret$
-Success! Data written to: cri/test
-$ vault kv get cri/test
-====== Data ======
-Key          Value
---          -----
-password1    secret$
-password2    secret!
-```
 ## Authentification
 !["authentification"](../cri/images/vault-auth.png "authentification")
@@ -202,7 +124,6 @@ $ vault login -method=ldap username=vimazeno
 description `/etc/vault/cri.hcl` ([hcl](https://github.com/hashicorp/hcl))
 ```
-# Write and manage secrets in key-value secret engine
 path "cri/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }
@@ -225,31 +146,83 @@ $ vault write auth/ldap/groups/cri policies=cri
 $ vault token create -policy=cri
 ```
+## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/)
+!["secrets engines"](../cri/images/vault-secrets-engines.png "secrets engines")
 ## Workflow
+* deux variables d'environnement
+  * $VAULT_ADDR=https://vault.isima.fr
+  * $VAULT_TOKEN ou authentification ldap
 ```shell
 $ vault secrets list
 $ vault kv list cri/
-$ vault kv get cri/services/vault/tokens
+$ vault kv get cri/test
-$ vault kv get cri/services/vault/tokens # à chaque put on écrase les entrées qu'on ne réécrit pas
+$ vault kv get -format=json cri/test
-$ vault kv get -format=json cri/services/vault/tokens
+$ vault kv get -format=json cri/test | jq .data
-$ vault kv get -format=json cri/services/vault/tokens | jq .data
+$ vault kv get -format=json cri/test | jq .data.data.root
-$ vault kv get -format=json cri/services/vault/tokens | jq .data.data.root
+$ vault kv put cri/test password2=$(date | sha256sum)
-$ vault kv put cri/test password2=$(date | sha256sum | cut -c -50)
+$ vault kv patch cri/test password1=$(date | sha256sum)
-$ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
 $ vault delete cri/test
 ```
+## KV
+```shell
+$ vault kv get cri/test
+====== Data ======
+Key          Value
+---          -----
+password1    secret$
+$ vault kv put cri/test password2=secret!
+Success! Data written to: cri/test
+$ vault kv get cri/test
+====== Data ======
+Key          Value
+---          -----
+password2    secret!
+```
+## KV2
+```shell
+vault secrets enable -path=cri kv
+vault kv enable-versioning cri/ # kv2
+```
+* les secrets sont versionnés
+* il est possible d'utiliser PATCH et pas seulement PUT
+```shell
+$ vault kv patch cri/test password1=secret$
+Success! Data written to: cri/test
+$ vault kv get cri/test
+====== Data ======
+Key          Value
+---          -----
+password1    secret$
+password2    secret!
+```
 ## avec ansible
 * lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)
  * lecture uniquement
  * pas de support natif pour kv2 à ce jour
-  * [patch maison](https://gitlab.isima.fr/cri/stack/blob/master/ansible/plugins/module_utils/vault.py)
 * module "community" [hashivault](https://github.com/TerryHowe/ansible-modules-hashivault)
  * Reading and Writing
    * supporte kv2
  * Initialization, Seal, and Unseal
  * Policy
  * User Management
-  * ...
\ No newline at end of file
\ No newline at end of file