fix
@@ -75,3 +75,8 @@ vault write auth/kubernetes/role/vault-test \
|
|||||||
1. `vault kv put kv/secret/vault-test username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
|
1. `vault kv put kv/secret/vault-test username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
|
||||||
2. `vault kv get -format=json kv/secret/vault-test | jq ".data.data"`
|
2. `vault kv get -format=json kv/secret/vault-test | jq ".data.data"`
|
||||||
3. `k apply -f k8s/vault-test.yaml`
|
3. `k apply -f k8s/vault-test.yaml`
|
||||||
|
|
||||||
|
|
||||||
|
### 5. Add-ons
|
||||||
|
|
||||||
|
1. [restore-root](docs/restore-root--token.md)
|
||||||
|
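--- /dev/null
+++ b/docs/commands.md
@@ -0,0 +1,11 @@
+# частные команды
+
+## Tokens
+1. `vault token lookup`
+2. `vault list auth/token/accessors`
+3. `vault token revoke -accessor <id>`
+
+# Polices
+
+1. `vault read sys/policy`
+2. `vault secrets enable -version=2 -path=secret kv`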
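--- /dev/null
+++ b/docs/policy-example.md
@@ -0,0 +1,67 @@
+# Example policy
+
+[!]
+
+## открыть полный доступ на все под-пути
+path "secret/*" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+
+## если давать полные права, но запрещать удаление
+
+path "secrets/*" {
+capabilities = ["create", "read", "update", "list"]
+}
+path "secrets/destroy/*" {
+capabilities = ["deny"]
+}
+path "secrets/delete/*" {
+capabilities = ["deny"]
+}
+
+## закрыть доступ к конкретному секрету
+path "secret/super-secret" {
+capabilities = ["deny"]
+}
+
+## открыть list на суб-путь
+path "secret/+/team" {
+capabilities = ["list"]
+}
+
+# а вот так в KV работать не будет!
+path "secret/restricted" {
+capabilities = ["create"]
+allowed_parameters = {
+"foo" = []
+"bar" = ["zip", "zap"]
+}
+}
+
+## шаблоны
+
+path "secret/data/{{identity.entity.id}}/*" {
+capabilities = ["create", "update", "patch", "read", "delete"]
+}
+
+path "secret/metadata/{{identity.entity.id}}/*" {
+capabilities = ["list"]
+}
+
+[подробнее](https://www.vaultproject.io/docs/concepts/policies#examples)
+
+## задать обязательные переменные (в KV работать не будет!)
+
+path "secret/profile" {
+capabilities = ["create"]
+required_parameters = ["name", "id"]
+}
+
+## или запретить какие-то из них (в KV работать не будет!)
+
+path "auth/userpass/users/*" {
+capabilities = ["update"]
+denied_parameters = {
+"token_policies" = []
+}
+}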
45
docs/policy-example.svg
Normal file
45
docs/policy-example.svg
Normal file
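--- /dev/null
+++ b/docs/restore-root-token.md
@@ -0,0 +1,6 @@
+# восстанавливаем токен рута
+
+1. `vault operator generate-root -generate-otp`
+2. `vault operator generate-root -init -otp="<OTP Value>"`
+3. `vault operator generate-root` X столько раз, сколько ключей для распечатывания
+4. `vault operator generate-root -decode="b64-token-root" -otp="<OTP Value>"`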