diff --git a/content/slides/privacy/md/vault.md b/content/slides/privacy/md/vault.md index 211ac5e0ff0008bf666487e497ab1424bc85944e..ef809ee07ec5854b9c69788142cef4397bb50a5e 100644 --- a/content/slides/privacy/md/vault.md +++ b/content/slides/privacy/md/vault.md @@ -1,4 +1,4 @@ -#### Des secrets, des apps, des tokens, une équipe, un séquestre +#### Des secrets, des apps, des tokens, des équipes, un séquestre ## Vault en bref! @@ -58,45 +58,15 @@ * Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/) - * un serveur - * une api - * une UI + * un serveur * un cli + * une [<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview) + * une UI web * [écrit en go](https://github.com/hashicorp/hcl) * [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html) * cross plateform - -## Utilisation - -* via la ligne de commande - * [binaire à télécharger](https://releases.hashicorp.com/vault/) - * cross plateform - * deux variables d'environnement - * $VAULT_ADDR=https://vault.isima.fr - * $VAULT_TOKEN ou authentification ldap -* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview) - - -## Configuration - -`/etc/vault/vault.hcl` - -``` -backend "file" { - path = "/var/lib/vault" -} -ui = true -disable_mlock = true -listener "tcp" { - address = "10.0.0.1:443" - tls_cert_file = "/etc/certs/vault.crt" - tls_key_file = "/etc/certs/vault.key" - tls_disable = 0 -} -``` - ## Initialisation SSS (Shamir's Secret Sharing) 
@@ -126,54 +96,6 @@ existing unseal keys shares. See "vault operator rekey" for more information. ``` -## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/) - - - - -## KV - -```shell -$ vault kv get cri/test -====== Data ====== -Key Value ---- ----- -password1 secret$ - -$ vault kv put cri/test password2=secret! -Success! Data written to: cri/test - -$ vault kv get cri/test -====== Data ====== -Key Value ---- ----- -password2 secret! -``` - - -## KV2 - -```shell -vault secrets enable -path=cri kv -vault kv enable-versioning cri/ # kv2 -``` - -* les secrets sont versionnés -* il est possible d'utiliser PATCH et pas seulement PUT - -```shell -$ vault kv patch cri/test password1=secret$ -Success! Data written to: cri/test - -$ vault kv get cri/test -====== Data ====== -Key Value ---- ----- -password1 secret$ -password2 secret! -``` - - ## Authentification  @@ -202,7 +124,6 @@ $ vault login -method=ldap username=vimazeno description `/etc/vault/cri.hcl` ([hcl](https://github.com/hashicorp/hcl)) ``` -# Write and manage secrets in key-value secret engine path "cri/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } 
@@ -225,31 +146,83 @@ $ vault write auth/ldap/groups/cri policies=cri $ vault token create -policy=cri ``` + +## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/) + + + + ## Workflow +* deux variables d'environnement + * $VAULT_ADDR=https://vault.isima.fr + * $VAULT_TOKEN ou authentification ldap + ```shell $ vault secrets list $ vault kv list cri/ -$ vault kv get cri/services/vault/tokens -$ vault kv get cri/services/vault/tokens # à chaque put on écrase les entrées qu'on ne réécrit pas -$ vault kv get -format=json cri/services/vault/tokens -$ vault kv get -format=json cri/services/vault/tokens | jq .data -$ vault kv get -format=json cri/services/vault/tokens | jq .data.data.root -$ vault kv put cri/test password2=$(date | sha256sum | cut -c -50) -$ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50) +$ vault kv get cri/test +$ vault kv get -format=json cri/test +$ vault kv get -format=json cri/test | jq .data +$ vault kv get -format=json cri/test | jq .data.data.root +$ vault kv put cri/test password2=$(date | sha256sum) +$ vault kv patch cri/test password1=$(date | sha256sum) $ vault delete cri/test ``` + +## KV + +```shell +$ vault kv get cri/test +====== Data ====== +Key Value +--- ----- +password1 secret$ + +$ vault kv put cri/test password2=secret! +Success! Data written to: cri/test + +$ vault kv get cri/test +====== Data ====== +Key Value +--- ----- +password2 secret! +``` + + +## KV2 + +```shell +vault secrets enable -path=cri kv +vault kv enable-versioning cri/ # kv2 +``` + +* les secrets sont versionnés +* il est possible d'utiliser PATCH et pas seulement PUT + +```shell +$ vault kv patch cri/test password1=secret$ +Success! Data written to: cri/test + +$ vault kv get cri/test +====== Data ====== +Key Value +--- ----- +password1 secret$ +password2 secret! 
+``` + + ## avec ansible * lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html) * lecture uniquement * pas de support natif pour kv2 à ce jour - * [patch maison](https://gitlab.isima.fr/cri/stack/blob/master/ansible/plugins/module_utils/vault.py) + * module "community" [hashivault](https://github.com/TerryHowe/ansible-modules-hashivault) * Reading and Writing * supporte kv2 * Initialization, Seal, and Unseal * Policy - * User Management - * ... \ No newline at end of file + * User Management \ No newline at end of file
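Review bot: in the `@@ -58,45 +58,15 @@` hunk the whole `Configuration` section (the `/etc/vault/vault.hcl` block with the `tcp` listener, `tls_cert_file`, `tls_key_file` and `tls_disable = 0`) is deleted and does not reappear in any later hunk, so the deck no longer shows anywhere that the listener is TLS-only or that `mlock` is disabled; if the intent was to move it rather than drop it, it needs to come back, otherwise the commit message should say the server-side config is out of scope. While rearranging the bullets, also fix the unchanged `[écrit en go](https://github.com/hashicorp/hcl)` line: that URL is the HCL parser repository, not Vault's own repository.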
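Review bot: in the `@@ -202,7 +124,6 @@` hunk, dropping `# Write and manage secrets in key-value secret engine` leaves the `cri/*` policy in `/etc/vault/cri.hcl` without any explanation of what it is for; keep the comment. The unchanged `capabilities` line also grants `sudo` on `cri/*`; `sudo` only matters for root-protected paths and has no effect on a KV mount, so for a per-team policy the list should be trimmed to `["create", "read", "update", "delete", "list"]` rather than teaching a wider grant than needed.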
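Review bot: in the `@@ -225,31 +146,83 @@` hunk, `vault kv get -format=json cri/test | jq .data.data.root` no longer matches the data the deck writes. The path was switched from `cri/services/vault/tokens` to `cri/test`, whose keys are `password1` and `password2` (see the `KV` block added just below), so `.data.data.root` prints `null`; use `.data.data.password1`. In the same `Workflow` block, `$(date | sha256sum)` lost the `cut -c -50` from the removed lines, so the stored value now ends in `  -` (sha256sum's trailing filename marker), and `date` is a low-entropy seed for a password in any case; `openssl rand -hex 32` would be a better demo value. `vault delete cri/test` should become `vault kv delete cri/test` once `vault kv enable-versioning cri/` is in effect, since the raw path of a kv v2 secret is `cri/data/test`. Finally, `vault secrets enable -path=cri kv` now appears in the `KV2` section after `Workflow` has already listed and written under `cri/`; move the enable/versioning commands ahead of the workflow so the slides run in order.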
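Review bot: in the last hunk the `hashivault` module link replaces the in-house patch, but the bullet `pas de support natif pour kv2 à ce jour` above it stays undated; note the Ansible version that was checked so the claim can be re-verified when the deck is next updated. Both sides of the hunk also still end with `\ No newline at end of file`; add the trailing newline while touching the last line.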