add gitlab connect

2022-08-12 17:14:42 +07:00
parent 365c7b2641
commit 79be75cccf
3 changed files with 115 additions and 0 deletions
--- a/docs/admin-policy.json
+++ b/docs/admin-policy.json
@@ -0,0 +1,59 @@
+# Read system health check
+path "sys/health"
+{
+  capabilities = ["read", "sudo"]
+}
+
+# Create and manage ACL policies broadly across Vault
+
+# List existing policies
+path "sys/policies/acl"
+{
+  capabilities = ["list"]
+}
+
+# Create and manage ACL policies
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Enable and manage authentication methods broadly across Vault
+
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# Enable and manage the key/value secrets engine at `secret/` path
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage secrets engines
+path "sys/mounts/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secrets engines.
+path "sys/mounts"
+{
+  capabilities = ["read"]
+}
--- a/docs/gitlab-iodc.md
+++ b/docs/gitlab-iodc.md
@@ -0,0 +1,46 @@
+# Активируем доступ через oauth-Gitlab
+
+## со стороны GitLab
+
+1. https://gitlab.<domain>/admin/applications
+2. New application
+3. Заполняем данные
+
+* name = Vault
+* openid = check
+* Redirect Url =
+	http://localhost:8025/iodc/callback
+	https://vault.<domain>/ui/vault/auth/oidc/oidc/callback
+
+4. Забираем себе значения `your_application_id` и `your_secret`
+
+## Со стороны Vault
+
+0. Создаем админскую политику из файлика admin-policy.json
+1. `vault auth enable oidc`
+2. создаем конфигурацию
+
+```bash
+vault write auth/oidc/config oidc_discovery_url="http://gitlab.<domain>" oidc_client_id="your_application_id" oidc_client_secret="your_secret" default_role="<user-role>" bound_issuer="gitlab.<domain>"
+```
+
+3. Конфигурируем роль
+
+```bash
+vault write auth/oidc/role/<user-role> -<<EOF
+{
+   "user_claim": "sub",
+   "allowed_redirect_uris": "https://vault.<domain>/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
+   "bound_audiences": "<your_application_id>",
+   "oidc_scopes": "openid",
+   "role_type": "oidc",
+   "policies": "<user-policy>",
+   "ttl": "1h",
+   "bound_claims": { "groups": ["yourGroup/yourSubgrup"] }
+}
+EOF
+```
+
+4. Логин через консоль запускается так
+
+`vault login -method=oidc role=<user-role>`
--- a/docs/policy-example.md
+++ b/docs/policy-example.md
@@ -29,6 +29,16 @@ path "secret/+/team" {
  capabilities = ["list"]
 }

+## отрыть папку и дать list
+
+path "secret/metadata/team1/*" {
+ capabilities = ["list"]
+}
+
+path "secret/data/team1/*" {
+  capabilities = [, "create", "read", "update"]
+}
+
 # а вот так в KV работать не будет!
 path "secret/restricted" {
  capabilities = ["create"]