Commit 9a3de193 authored by Vincent Mazenod's avatar Vincent Mazenod

slides 4 isima

parent 8226de1f
Pipeline #4451 passed
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>ansible rôle</title>
<link rel="stylesheet" href="../../node_modules/reveal.js/css/reveal.css">
<link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/white.css">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="../../node_modules/reveal.js/lib/css/zenburn.css">
<link rel="stylesheet" href="../../node_modules/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="../main.css">
<!-- Printing and PDF exports -->
<script>
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match( /print-pdf/gi ) ? '../../node_modules/reveal.js/css/print/pdf.css' : '../../node_modules/reveal.js/css/print/paper.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
</script>
</head>
<body>
<div class="reveal">
<div class="slides">
<section data-markdown="md/ansible-role.md"
data-separator="^\n\n\n"
data-separator-vertical="^\n\n"
data-separator-notes="^Note:"
data-charset="utf-8">
</section>
</div>
</div>
<script src="../../node_modules/reveal.js/lib/js/head.min.js"></script>
<script src="../../node_modules/reveal.js/js/reveal.js"></script>
<script>
// More info about config & dependencies:
// - https://github.com/hakimel/reveal.js#configuration
// - https://github.com/hakimel/reveal.js#dependencies
Reveal.initialize({
controls: true,
progress: true,
history: true,
center: false,
dependencies: [
{ src: '../../node_modules/reveal.js/plugin/markdown/marked.js' },
{ src: '../../node_modules/reveal.js/plugin/markdown/markdown.js' },
{ src: '../../node_modules/reveal.js/plugin/notes/notes.js', async: true },
{ src: '../../node_modules/reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } }
]
});
</script>
</body>
</html>
## boilerplate
[ansible-role-boilerplate](https://gitlab.isima.fr/cri/ansible-role-boilerplate)
* Tous les rôles dervaient se tester aussi simplement que ça, en standalone, sans avoir peur de rien casser
* En pratique il faut parfois y réfléchir un peu
* path vault
* point de montage
* dépendance à des services existants
## Directory Layout
[Directory Layout (ansible best practice)](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#directory-layout)
```shell
+ tasks/ #
- main.yml # <- tasks file can include smaller files if warranted
+ handlers/ #
- main.yml # <- handlers file
+ templates/ # <- files for use with the template resource
- ntp.conf.j2 # <- templates end in .j2
+ files/ #
- bar.txt # <- files for use with the copy resource
- foo.sh # <- script files for use with the script resource
+ vars/ #
- main.yml # <- variables associated with this role
+ defaults/ #
- main.yml # <- default lower priority variables for this role
+ meta/ #
- main.yml # <- role dependencies
+ library/ # roles can also include custom modules
+ module_utils/ # roles can also include custom module_utils
+ lookup_plugins/ # or other types of plugins, like lookup in this case
```
## Directory Layout Bonus
* Vagrantfile -> cross OS
* vagrant.rb
* role.yml
* .gitignore
* README.md
## TODO
pacakger les box vagrant de manière synchrone avec les templates pve
\ No newline at end of file
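Review bot: two typos in the new ansible-role.md slides, `dervaient` (should be `devraient`) in the boilerplate list and `pacakger` (should be `packager`) in the TODO. The tree under `## Directory Layout` is fenced as `shell`, so highlight.js colours `+ tasks/` and `- main.yml` as shell syntax; a bare fence (or `text`) renders the listing cleanly. The bullet `path vault` in the list of things to think about before a standalone role test is terse; naming the failure mode (a role that reads a Vault path the test environment does not provide) would make the slide self-explanatory.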
......@@ -5,22 +5,50 @@
aka **B** rew **W** ired **S** tack
## requirement
## soyons honnête!
* proxmox aka pve
* ansible
* terraform
* [proxmox-provisionner](https://github.com/Telmate/terraform-provider-proxmox)
* [proxmox-api](https://github.com/Telmate/proxmox-api-go)
* du love <3
Tout repose sur
* [proxmox-provisionner - pulse](https://github.com/Telmate/terraform-provider-proxmox/pulse)
* [proxmox-api - pulse](https://github.com/Telmate/proxmox-api-go/pulse)
## soyons honnête
et sur les produits [HashiCorp](https://github.com/hashicorp)
Tous repose sur
* [proxmox-provisionner - pulse](https://github.com/Telmate/terraform-provider-proxmox/pulse)
* [proxmox-api - pulse](https://github.com/Telmate/proxmox-api-go/pulse)
## Directory Layout
[Directory Layout (ansible best practice)](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#directory-layout)
```shell
+ ansible/
- inventory.ini # inventory file for staging environment
+ group_vars/
- group1.yml # here we assign variables to particular groups
- group2.yml
+ host_vars/
- service1.yml # here we assign variables to particular systems
- service2.yml
+ library/ # if any custom modules, put them here (optional)
+ module_utils/ # if any custom module_utils to support modules, put them here (optional)
+ filter_plugins/ # if any custom filter plugins, put them here (optional)
+ playbooks/
+ cluster/
- service1.yml # master playbook
- service2.yml # playbook for dbserver tier
+ roles/ # empty folder remotes roles only
# inherited from ansible-boiler-plate
```
## How to
[https://gitlab.isima.fr/cri/stack](https://gitlab.isima.fr/cri/stack)
## PCA / PRA
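Review bot: `Tous repose sur` should read `Tout repose sur`, and the heading `## soyons honnête` now appears twice (once with `!`, once without), so check that only one copy survives this edit. In the directory layout, `inventory.ini`, `group_vars/` and `host_vars/` are exactly the files where credentials tend to get committed; since the stack already pulls its secrets from Vault, a one-line comment on those entries (for example `# no secrets here, read them from vault`) would make the convention explicit for new contributors. `## PCA / PRA` is an empty slide; fill it or drop it before the deck is presented.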
# vault
## Vault en bref!
![vault](images/vault.png "vault")<!-- .element width="30%" -->
![vault](../cri/images/vault.png "vault")<!-- .element width="30%" -->
**By HashiCorp**
#### Des secrets, des apps, des tokens, des équipes, un séquestre
## Installation
## Vault
* téléchargement d'un binaire
* By HashiCorp
* [écrit en go](https://github.com/hashicorp/hcl)
* cross plateform
* [hcl](https://github.com/hashicorp/hcl)
* intégration avec [consul](https://www.consul.io) & [terraform](https://www.terraform.io/)
* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
* [documenté](https://www.vaultproject.io/docs/)
* ... couteau suisse
* [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
* décompresser dans /usr/local/bin
* configurer les permissions
* serveur
* créer un service systemd
* cli
* `/usr/local/bin/vault `
## Vault
## Systemd
* Un binaire [vault](https://releases.hashicorp.com/vault/) qui fait
* serveur
* [<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
* UI web
* cli
```shell
setcap CAP_IPC_LOCK=+ep /usr/local/bin/vault
setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/vault
```
```ini
[Unit]
Description=a tool for managing secrets
Documentation=https://vaultproject.io/docs/
After=network.target
ConditionFileNotEmpty=/etc/vault/vault.hcl
[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.hcl
ExecReload=/usr/local/bin/kill --signal HUP $MAINPID
[Install]
WantedBy=multi-user.target
$ export $VAULT_ADDR=https://10.0.0.1
```
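Review bot: the two `setcap` calls cancel each other: `setcap` replaces the binary's whole capability set, so after `setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/vault` the earlier `CAP_IPC_LOCK` grant is gone and Vault can no longer mlock its memory. Grant both in one call, `setcap 'cap_ipc_lock=+ep cap_net_bind_service=+ep' /usr/local/bin/vault`. Two smaller points in the same block: `$ export $VAULT_ADDR=https://10.0.0.1` expands the (empty) variable before `export` sees it and must be `export VAULT_ADDR=https://10.0.0.1`, and it belongs in a `shell` snippet rather than inside the `ini` fence of the unit file; and `ExecReload=/usr/local/bin/kill` points at an unusual location for `kill`, which normally lives at `/bin/kill`, so verify the path on the target host or the reload will fail. Lastly, the bullet `[écrit en go](https://github.com/hashicorp/hcl)` links to the HCL repository rather than Vault's, and `cross plateform` should be `cross platform`.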
......@@ -62,12 +49,11 @@ listener "tcp" {
```
## Initialisation
## initialisation SSS
### Shamir's Secret Sharing
```shell
export VAULT_ADDR=https://10.0.0.1
export VAULT_SKIP_VERIFY=True
vault operator init -key-shares=3 -key-threshold=2
$ vault operator init -key-shares=3 -key-threshold=2
```
```shell
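Review bot: `export VAULT_SKIP_VERIFY=True` disables TLS certificate verification for every subsequent `vault` call in that shell, which makes the `https://` in `VAULT_ADDR` worthless against anyone on the path between the operator and `10.0.0.1`; if the slide keeps it because the lab server has a self-signed certificate, label it as lab-only and show the supported alternative next to it, `export VAULT_CACERT=/path/to/ca.pem` (or the `-ca-cert` flag). The init command also appears twice, once with and once without the `$ ` prompt; keep one form so the block matches the other `shell` slides.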
......@@ -84,254 +70,100 @@ before it can start servicing requests.
Vault does not store the generated master key. Without at least 2 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```
## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/)
!["secrets engines"](images/vault-secrets-engines.png "secrets engines")
<!--
* [<i class="fa fa-book" aria-hidden="true"></i> Secrets Engines - getting started](https://learn.hashicorp.com/vault/getting-started/dynamic-secrets)
* [<i class="fa fa-book" aria-hidden="true"></i> AWS Secrets Engine](https://www.vaultproject.io/docs/secrets/aws/index.html)
* [<i class="fa fa-book" aria-hidden="true"></i> Active Directory Secrets Engine](https://www.vaultproject.io/docs/secrets/aws/index.html)
* [<i class="fa fa-book" aria-hidden="true"></i> SSH Secrets Engine](https://www.vaultproject.io/docs/secrets/ssh/index.html)
* [<i class="fa fa-book" aria-hidden="true"></i> KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv/index.html)
-->
## KV
```shell
$ vault kv get cri/test
====== Data ======
Key Value
--- -----
password1 secret$
$ vault kv put cri/test password2=secret!
Success! Data written to: cri/test
$ vault kv get cri/test
====== Data ======
Key Value
--- -----
password2 secret!
```
## KV2
```shell
vault secrets enable -path=cri kv
vault kv enable-versioning cri/ # kv2
```
* les secrets sont versionnés
* il est possible d'utiliser PATCH et pas seulement PUT
```shell
$ vault kv patch cri/test password1=secret$
Success! Data written to: cri/test
$ vault kv get cri/test
====== Data ======
Key Value
--- -----
password1 secret$
password2 secret!
```
## Authentification
!["authentification"](images/vault-auth.png "authentification")
!["authentification"](../cri/images/vault-auth.png "authentification")
## Authentification
par token
```shell
vault login token=<root-token>
$ vault login token=<root-or-app-token>
```
* par token
* root
* d'application
equivalent à
```shell
$ vault login -method=ldap username=vimazeno
$ export VAULT_TOKEN token=<root-or-app-token>
```
* par ldap
* stocke le token d'authentificayion dans ~/.vault-token
## LDAP
par ldap
```shell
$ vault write auth/ldap/config \
url="ldaps://samantha.local.isima.fr" \
userattr="sAMAccountName" \
userdn="dc=local,dc=isima,dc=fr" \
groupattr="cn" \
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
bindpass="secret" \
insecure_tls="false" \
starttls="true"
$ vault login -method=ldap username=mazenovi
```
[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html)
stocke le token dans `~/.vault-token` et `$VAULT_TOKEN`
## Policy
/etc/vault/users/cri.hcl
## Policy (ACL)
```
# Write and manage secrets in key-value secret engine
path "cri/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# To enable secret engines
path "sys/mounts/*" {
capabilities = [ "create", "read", "update", "delete" ]
}
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
```
écriture
```shell
$ vault policy write cri /etc/vault/cri.hcl
$ vault policy write cri `/etc/vault/cri.hcl`
```
application à un groupe ldap
```shell
$ vault write auth/ldap/groups/cri policies=cri
```
## appliquer une policy à un groupe ldap
création de token à partir de la policy
```shell
$ vault write auth/ldap/groups/cri policies=cri
$ vault token create -policy=cri
```
## Utilisation
## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/)
* via la ligne de commande
* [binaire à télécharger](https://releases.hashicorp.com/vault/)
* cross plateform
* deux variables d'environnement
* $VAULT_ADDR=https://vault.isima.fr
* $VAULT_TOKEN ou authentification ldap
* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
!["secrets engines"](../cri/images/vault-secrets-engines.png "secrets engines")
## Workflow
## workflow
```shell
$ vault secrets list
$ vault kv list cri/
$ vault kv get cri/services/vault/tokens
$ vault kv get cri/services/vault/tokens # à chaque put on écrase les entrées qu'on ne réécrit pas
$ vault kv get -format=json cri/services/vault/tokens
$ vault kv get -format=json cri/services/vault/tokens | jq .data
$ vault kv get -format=json cri/services/vault/tokens | jq .data.data.root
$ vault kv put cri/test password2=$(date | sha256sum | cut -c -50)
$ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
$ vault kv get cri/test
$ vault kv get -format=json cri/test
$ vault kv get -format=json cri/test | jq .data
$ vault kv get -format=json cri/test | jq .data.data.root
$ vault kv put cri/test password2=$(date | sha256sum)
$ vault kv patch cri/test password1=$(date | sha256sum)
$ vault delete cri/test
```
## création de token
my.hcl
```
path "secret/data/cri/apps/my" {
capabilities = ["create", "read", "update", "delete", "list"]
}
```
```shell
$ vault policy write vault/hcl/apps/my.hcl
$ vault token create -policy=my
```
## vault/ci/cd
### en local
authentification ldap
### <i class="fa fa-gitlab" aria-hidden="true"></i> CI / CD
![vault CI](images/vault-ci.png)
## bin/setup
```bash
command -v "vault" >/dev/null 2>&1 || {
echo >&2 "I require vault to run see stack"
exit 1
}
if [[ -z "${VAULT_ADDR}" ]] ; then
export VAULT_ADDR=https://vault.isima.fr
fi
if [[ -z "${VAULT_TOKEN}" ]] ; then
if [[ -z "${VAULT_USERNAME}" ]] ; then
echo uca username
read username
export VAULT_USERNAME=${username}
fi
vault login -method=ldap username=$VAULT_USERNAME > /dev/null
echo " export VAULT_TOKEN=$(cat ~/.vault-token)"
else
vault login token=${VAULT_TOKEN} > /dev/null
fi
```
<!-- .element style="width: 100%;" -->
## bin/configure
```bash
# lecture des clés vault avec python: la sortie est une liste python UTF8 (u'value')
KV=$(vault read cri/my -format=json | python -c "import sys, json; print json.load(sys.stdin)['data'].keys()")
# converison de la liste python en liste bash
VAULT_KEYS=( $(echo ${KV} | sed -r "s/', u'/' '/g" | sed -r "s/\[u'/'/g" | sed -r "s/\]//g") )
# copie du template de configuration en fichier de configuration
cp config.sample.py config.py
# itération sur les clés vault
for i in "${VAULT_KEYS[@]}"
do
# enlève le permier '
i=${i%\'}
# enlève le dernier '
i=${i#\'}
sed -i "s|$i|$(vault read cri/my -format=json | jq -r .data.$i | sed -r "s/\n//g")|g" config.py 2>/dev/null
done
```
<!-- .element style="width: 100%;" -->
## avec ansible
* lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)
* lecture uniquement
* pas de support natif pour kv2 à ce jour
* [patch maison](https://gitlab.isima.fr/cri/stack/blob/master/ansible/plugins/module_utils/vault.py)
* module "community" [hashivault](https://github.com/TerryHowe/ansible-modules-hashivault)
* Reading and Writing
* supporte kv2
* Initialization, Seal, and Unseal
* Policy
* User Management
* ...
\ No newline at end of file
## UI
!["UI"](../privacy/images/vault/web.png "UI")
!["carnets mots de passe"](../privacy/images/vault/password_management.jpg "carnets mots de passe")<!-- .element width="80%" -->
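Review bot: `$ export VAULT_TOKEN token=<root-or-app-token>` is not valid shell (it exports an empty `VAULT_TOKEN` and then fails on the second word); the line meant `export VAULT_TOKEN=<root-or-app-token>`. In `## création de token`, `vault policy write vault/hcl/apps/my.hcl` is missing the policy name, so the following `vault token create -policy=my` would fail; it should be `vault policy write my vault/hcl/apps/my.hcl`. In `## Policy`, the file is introduced as `/etc/vault/users/cri.hcl` but written with `vault policy write cri /etc/vault/cri.hcl`; pick one path. On least privilege: `sudo` in the `cri/*` capabilities does nothing on a KV mount (it only matters for root-protected `sys/` paths) and suggests more than it grants, and `sys/mounts/*` with create/update/delete lets every member of the `cri` LDAP group enable, tune or disable any secrets engine, which is an operator right rather than a user right; move it into a separate admin policy. In the LDAP config, `starttls="true"` is redundant with an `ldaps://` URL (StartTLS upgrades a plain `ldap://` connection), so keep one of the two, and `bindpass="secret"` is fine on a slide but the real value should be passed as `bindpass=@file` rather than typed on a command line that lands in shell history. In `bin/configure`, the `vault read cri/my ... | python -c ...` chain parses a Python 2 `dict.keys()` repr through three `sed` passes and then runs `sed -i "s|$i|...|g"` with the secret value interpolated unescaped: a value containing `|`, `&` or `\` breaks or silently alters the substitution, every key costs another `vault read`, and `2>/dev/null` hides all of it. Since `jq` is already used on the same slide, `vault kv get -format=json cri/my | jq -r '.data | to_entries[] | "\(.key)=\(.value)"'` (`.data.data` on a kv2 mount) yields the pairs in one call, and the `2>/dev/null` should go. Minor: `authentificayion`, `converison` and `permier` are typos; in `bin/setup`, `read username` should be `read -r username` and `$VAULT_USERNAME` should be quoted.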
......@@ -90,6 +90,7 @@
<li><a href="cri/vagrant.html">vagrant</a></li>
<li><a href="cri/ansible.html">ansible</a></li>
<li><a href="cri/vault.html">vault</a></li>
<li><a href="cri/ansible-role.html">ansible role</a></li>
<li><a href="cri/pve.html">pve</a></li>
<li><a href="cri/terraform.html">terraform</a></li>
<li><a href="cri/stack.html">stack</a></li>
......
......@@ -166,6 +166,4 @@ $ vault delete cri/test
!["UI"](images/vault/web.png "UI")
## Merci !!
!["carnets mots de passe"](images/vault/password_management.jpg "carnets mots de passe")<!-- .element width="80%" -->
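Review bot: this hunk references `images/vault/web.png` and `images/vault/password_management.jpg`, while the same `## UI` slide in the vault.md hunk above uses `../privacy/images/vault/web.png` and `../privacy/images/vault/password_management.jpg`; one of the two relative paths will 404 depending on the directory the deck is built from, so confirm where the images actually live and use that path in both decks.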