This commit is contained in:
Vassiliy Yegorov
2022-07-28 00:51:41 +07:00
parent c3ba7baa48
commit b38288eba7
8 changed files with 45 additions and 136 deletions

.gitignore vendored

@@ -1,5 +1,6 @@
data/file/*
data/logs/*
.env
keys.json
!.gitkeep


@@ -11,7 +11,9 @@
### 1. запуск vault в докере
1. docker compose up -d
1. `./start.sh`
2. `export VAULT_ADDR=https://vault.domain.com`
3. `vault login`
### 2. запуск heml-чарта
@@ -21,10 +23,11 @@
### 3. подключение из куба в vault
1. `vault auth enable kubernetes`
2. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
3. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
4. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
5. прописываем конфиг соединения
2. подсмотреть имя у VAULT_HELM_SECRET_NAME=vault-token-xxxxx
3. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
4. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
5. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
6. прописываем конфиг соединения
```bash
vault write auth/kubernetes/config \
@@ -34,17 +37,17 @@ vault write auth/kubernetes/config \
issuer="https://kubernetes.default.svc.cluster.local"
```
6. добавляем полиси доступа
7. добавляем полиси доступа
```bash
vault policy write vault-test - <<EOF
path "secret/data/vault-test/config" {
path "kv/secret/data/vault-test/config" {
capabilities = ["read"]
}
EOF
```
7. формируем роль доступа с куба в вольт
8. формируем роль доступа с куба в вольт
```bash
vault write auth/kubernetes/role/vault-test \
@@ -56,7 +59,6 @@ vault write auth/kubernetes/role/vault-test \
### 4. Запуск тестового деплоя
1. `vault login root`
2. `vault kv put secret/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
3. `vault kv get -format=json secret/vault-test/config | jq ".data.data"`
4. `k apply -f vault-test.yaml`
1. `vault kv put kv/secret/data/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
2. `vault kv get -format=json kv/secret/data/vault-test/config | jq ".data.data"`
3. `k apply -f vault-test.yaml`


@@ -1,56 +0,0 @@
path "sys/health"
{
capabilities = ["read", "sudo"]
}
path "sys/policies/acl"
{
capabilities = ["list"]
}
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
path "sys/auth"
{
capabilities = ["read"]
}
path "kv/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts"
{
capabilities = ["read"]
}


@@ -1,29 +1,28 @@
apk add jq curl
export VAULT_ADDR=http://localhost:8200
root_token=$(cat /helpers/keys.json | jq -r '.root_token')
unseal_vault() {
export VAULT_TOKEN=$root_token
vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
vault login token=$VAULT_TOKEN
export VAULT_TOKEN=$root_token
vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
vault login token=$VAULT_TOKEN
}
if [[ -n "$root_token" ]]
then
echo "Vault already initialized"
unseal_vault
else
echo "Vault not initialized"
curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:8200/v1/sys/init > /helpers/keys.json
curl -s --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://${VAULT_ADDR}/v1/sys/init > /helpers/keys.json
root_token=$(cat /helpers/keys.json | jq -r '.root_token')
unseal_vault
vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"
vault read -format=json auth/approle/role/dev-role/role-id \
| jq -r '.data.role_id' > /helpers/role_id
vault write -format=json -f auth/approle/role/dev-role/secret-id \
| jq -r '.data.secret_id' > /helpers/secret_id
vault auth enable kubernetes
fi
printf "\n\nVAULT_TOKEN=%s\n\n" $VAULT_TOKEN
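Review bot: The rewritten init URL doubles the scheme: `VAULT_ADDR` is already set to `http://localhost:8200` near the top of the hunk, so `http://${VAULT_ADDR}/v1/sys/init` expands to `http://http://localhost:8200/v1/sys/init`, and because the redirect into /helpers/keys.json opens (and truncates) the file before curl runs, a failed init leaves an empty keys.json, an empty `root_token` for `unseal_vault`, and an empty `VAULT_TOKEN` export. The newly added `-s` also silences the curl error that would have surfaced this. Change the line to `curl -sS --fail --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' "${VAULT_ADDR}/v1/sys/init" > /helpers/keys.json || exit 1`, or write to a temp file and move it into place only on success, so a failed init never clobbers an existing keys.json that holds the unseal key and root token. The closing `printf` echoes the root token to stdout, which ends up in the `docker exec` output from start.sh; consider dropping it or gating it behind an explicit flag.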


@@ -1,33 +0,0 @@
pid_file = "./pidfile"
vault {
address = "http://vault:8200"
retry {
num_retries = 5
}
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/helpers/role_id"
secret_id_file_path = "/helpers/secret_id"
remove_secret_id_file_after_reading = false
}
}
sink "file" {
config = {
path = "/helpers/sink_file"
}
}
}
cache {
use_auto_auth_token = true
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}


@@ -1,6 +1,6 @@
version: '3.8'
services:
myvault:
vault:
image: hashicorp/vault
container_name: vault
restart: always
@@ -29,29 +29,16 @@ services:
retries: 12
start_period: 10s
timeout: 10s
expose:
- 8200
networks:
- vault_net
- webproxy
vault-agent:
container_name: vault-agent
image: hashicorp/vault
restart: always
environment:
VAULT_ADDR: "http://vault:8200"
entrypoint: "vault agent -log-level debug -config=/helpers/vault-agent.hcl"
depends_on:
vault:
condition: service_healthy
volumes:
- ./data/helpers:/helpers
# expose:
# - 8200
ports:
- "8200:8200"
networks:
- vault_net
# - webproxy
networks:
vault_net:
name: vault_net
webproxy:
name: webproxy
# webproxy:
# name: webproxy
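Review bot: The new `ports:` entry `- "8200:8200"` publishes Vault on every host interface, whereas the `expose:` it replaces (now commented out) only made port 8200 reachable from the compose networks; the one consumer this commit adds, init.sh, reaches Vault at `http://localhost:8200` from inside the container over plain HTTP and does not need a host binding at all. If the host-side CLI is the reason for the mapping, bind it to loopback instead: `- "127.0.0.1:8200:8200"`. The commented-out `expose`, `webproxy` network and `webproxy` definition read as leftovers; either delete them or add a one-line comment saying why they are kept.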


@@ -29,10 +29,10 @@ spec:
app: vault-test
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'devweb-app'
vault.hashicorp.com/agent-inject-secret-credentials.txt: 'secret/data/vault-test/config'
vault.hashicorp.com/role: 'vault-test'
vault.hashicorp.com/agent-inject-secret-credentials.txt: 'kv/secret/data/vault-test/config'
vault.hashicorp.com/agent-inject-template-credentials.txt: |
{{- with secret "secret/data/vault-test/config" -}}
{{- with secret "kv/secret/data/vault-test/config" -}}
postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }}
{{- end -}}
spec:
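Review bot: The new secret path `kv/secret/data/vault-test/config` in the `agent-inject-secret-credentials.txt` annotation and in the `with secret` template is read by the agent as a raw API path, and on the KV v2 mount that init.sh enables with `vault secrets enable -version=2 kv` the read endpoint is `kv/data/<path>`; the README's `vault kv put kv/secret/data/vault-test/config` goes through the CLI, which inserts `data/` after the mount on its own, so the CLI round-trip in the README succeeds while the injected template reads a path that was never written. If I read the intent right, the secret should be written as `kv/vault-test/config` and both annotation and template should use `vault.hashicorp.com/agent-inject-secret-credentials.txt: 'kv/data/vault-test/config'` and `{{- with secret "kv/data/vault-test/config" -}}`, with the policy path in the README changed to match. The `.Data.data.username` accessors already assume the v2 response shape, which supports this reading.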

start.sh Executable file

@@ -0,0 +1,9 @@
#!bin/bash
docker compose up -d
while [[ ! $(docker inspect -f {{.State.Health.Status}} vault) == "healthy" ]]; do
sleep 0.5;
done
docker exec vault /bin/sh -c "source /helpers/init.sh"
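Review bot: The shebang `#!bin/bash` is missing its leading slash, so the kernel looks for a relative `bin/bash` and `./start.sh`, as the README now instructs, fails with a bad-interpreter error; change it to `#!/usr/bin/env bash` and add `set -euo pipefail` beneath it. The readiness loop has no upper bound: if `docker inspect` fails (for example because no container named `vault` exists) the command substitution is empty, the comparison never matches `healthy`, and the script spins forever, so a bounded retry count with a non-zero exit would make the failure visible. Quoting the format string, `docker inspect -f '{{.State.Health.Status}}' vault`, is the usual style and keeps the braces out of reach of any shell brace expansion. The final `docker exec ... "source /helpers/init.sh"` runs init.sh under the container's `/bin/sh`, where `.` is the portable spelling of `source`.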