Course git repo, this repo has useful Vault commands: https://github.com/ned1313/Getting-Started-Vault
My Vault vagrant demo: https://github.com/chengdol/InfraTree/tree/master/vagrant-vault
Questions
Vault vs K8s secrets? Examples of what Vault can do that k8s secrets cannot: With Vault you can rotate secrets and have secrets with short TTL With Vault you can access secrets across namespaces (or outside the k8s cluster) Vault can provide a PKI for signing certs (enabling for example automation of cert generation for mtls) Vault can use LDAP, oauth, IAM, etc as identity providers
Introduction
Vault web site: https://www.vaultproject.io/
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. 注意API的path,并不是和UI上的path一样!
Vault works well with Consul, for example, set Consul as storage backend.
Start a Vault server:
1 | ## same as consul in development mode, don't use this in production! |
Output as below:
1 | WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory |
unseal
key在production mode中用来解除对Vault server的封锁,否则无法login as root.
注意,这里VAULT_ADDR是本地的,vault server当然可以在其他地方,设置对应的地址即可.
1 | ## Vault API access |
Vault web UI access: http://localhost:8200
So, just like Consul, there are 3 ways to interact with Vault server: UI, API, CLI (actually running API under the hood).
secret
is a pre-existing secret engine folder in Vault storage path, you can see it in UI:
1 | #Write a secret |
marvin.json is as follow:
1 | { |
1 | #Get a secret |
Working with Secrets
Secret lifecycle:
- Create
- Read
- Update
- Delete (soft or hard unrecoverable)
- Destroy
There is version 1
and version 2
of secret engine server
, version 2
is more recoverable and versioning but less performance then version 1
if you need to scale. secret
folder 就是默认创建的secret engine, version 2
, 可以去UI 查看configuration.
Demo code about secrets lifecycle: https://github.com/ned1313/Getting-Started-Vault/blob/master/m3/m3-secretslifecycle.sh
Everytime you update the key, the version increment by 1:
1 | ## pick value by version |
If you delete version 3, you still can get version 1 or 2:
1 | vault kv delete secret/hg2g |
Destroy, can no longer undelete:
1 | #Destroy the secrets |
Create New Secret Engine
Demo about secret engine, 我这里就不贴出来了, 如果用API,还有一些配置用的json文件,见这个的上层目录中的比如dev-b.json
:
https://github.com/ned1313/Getting-Started-Vault/blob/master/m3/m3-secretengine.sh
Create Mysql DB Secret Engine
Vault official reference: https://www.vaultproject.io/docs/secrets
Vault在这里类似一个中间层,在user 和 Mysql instance之间,保存和传递credential和请求. 这个demo在AZure上spin up了一个bitnami Mysql instance,和本地的vault mysql secret engine关联,然后通过Vault联系Mysql 产生一个dynamic user,并授予这个临时user权限,我们通过这个临时user就可以操作Mysql 数据库了。
这个dynamic user lifecycle also managed by Vault, as well as the permission the user has. https://github.com/ned1313/Getting-Started-Vault/blob/master/m3/m3-mysqlengine.sh
Besides Mysql example, Vault secrets can be used for certificates, for SSH credentials, etc. Secrets engine make Vault extensible, there are different plugin to handle different needs.
Controlling Access
Similar to RBAC in K8s, authentication method to control login, policies to control what is able to do, managing client tokens.
Vault Auth Method
Vault has internal authentication (called userpass
) and support external, multiple authrntication methods.
https://github.com/ned1313/Getting-Started-Vault/blob/master/m4/m4-basicauth.sh
1 | ## list current auth methods |
You will see the changes in UI Access
section.
Once you create a user/password, then you can run for example:
1 | ## 这里使用的是user/password login,不是用token |
Token represents who you are and what you can do, for example, the user itself cannot update its password via its token:
1 | ## update password |
Can do this after export root token.
Delete auth:
1 | #Remove account |
这里介绍了2个新概念: LDAP
and Active Directory
What are the differences between LDAP and Active Directory?
Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment
LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.
Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.
见下面vault policy章节的例子.
Case: 在外部设置了AD
as authentication method, enable LDAP
auth in Vault. Then user login Vault with AD credentials against LDAP talk to AD, AD talk to Vault and determine the policy about what the user can do, then user will get the right token from vault to access the store.
Vault Policy
Similar to K8s role. https://github.com/ned1313/Getting-Started-Vault/blob/master/m4/m4-activedirectory.sh
这个例子,远程登录了一个Vault server, login as root, create devkv
store with key and value pair, then create policy dev
with HCL file for user to access the devkv
.
Enable LDAP auth, configure it with Active Directory remotely. Then assign the developers
group in LDAP with dev
policy.
Then user adent
login vault against ldap
method. The user is in the developers
group so it will get token with permission specified by dev
policy.
Client Token
https://www.vaultproject.io/docs/concepts/tokens
Wrapping Response
https://github.com/ned1313/Getting-Started-Vault/blob/master/m4/m4-tokenwrapping.sh
Operating Vaule Server
主要讲了production Vault server setup.
- Vault server architecture
- Storage backend options
- Vault server operations
这里例子用Consul作为 storage backend(不是说it’s not intended for this吗😂), 在Vault 主机上运行有Consul agent 和 远处的Consul server通信 (gossip tcp: 8301, RPC tcp: 8300) ,Consul server可以有多个以实现HA。Vault通过本地的Consul agent port 8500和其交互,外界访问Vault 用默认的port 8200: https://github.com/ned1313/Getting-Started-Vault/tree/master/m5
可以留意一下这里的Consul配置,之前用的一直是dev mode,这里是production mode了, 把Consul 包装成了一个service, run as daemon, in consul
folder:
- consul-deploy.sh
- consul.hcl
- server.hcl
- consul.service
注意把 .hcl
and .service
文件内容paste到 consul-deploy.sh
创建的文件中。script中的useradd
command也值得借鉴。consul keygen
是用来产生encrypt string的,用在server 和 client的 .hcl
中。
Consul agent setup:
- consul-deploy-agent.sh
- consul-agent.hcl
好了,这里引出一个有意思的东西: Create Custom Systemd Service,之前从来没有这么做过,原来systemd是可以自己配置的! https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6
Vault server Config, also set Vault as systemd service, in vault
folder:
- vault-deploy.sh
- vault.hcl
- vault.service
在 .hcl
中就配置了Consul 为storage backend,看上去本来就有这种特性,所以不需要过多的设置。
Server Operations
Operator command: https://www.vaultproject.io/docs/commands/operator
Setup production Vault server, sealed and need to unseal: https://github.com/ned1313/Getting-Started-Vault/blob/master/m5/m5-serveroperations.sh
Auditing
Everything is audited, sensitive data is hashed unless you explicitly set false. https://github.com/ned1313/Getting-Started-Vault/tree/master/m6
Auditing device type:
- File, JSON format
- Syslog
- Socket: TCP/UDP
1 | ## enable auditing device |