Vault
Storing Pillar data encrypted in HashiCorp Vault
HashiCorp Vault is a flexible encrypted secrets store with fine-grained, policy-based access control.
HTTP without TLS! The following guide is not suitable for production use, because all communication with Vault here goes over plaintext HTTP: tokens and secrets cross the network unencrypted. In production Vault must listen with TLS (HTTPS), and the Salt master config below must then use an https:// URL.
Installing Vault
VERSION="1.10.0"
cd /tmp
# Note: the archive is fetched without checking it against the SHA256SUMS file (and its .sig) that HashiCorp publishes next to each release.
curl -LOs https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip
unzip vault_${VERSION}_linux_amd64.zip -d /usr/local/bin/
# System user without a login shell; -m -b /var/lib creates its home /var/lib/vault, where the data directory will live.
useradd -r -m -U -s /bin/false -b /var/lib vault
mkdir /etc/vault
cat > /etc/vault/vault.hcl << EOF
ui = false
listener "tcp" {
  address = "0.0.0.0:8200"
  # Plaintext HTTP on all interfaces: lab use only (see the warning above).
  # For production set tls_disable = 0 and point at a key/certificate pair:
  tls_disable = 1
  #tls_key_file = "/etc/vault/vault.local-key.pem"
  #tls_cert_file = "/etc/vault/vault.local-crt.pem"
}
api_addr = "http://127.0.0.1:8200"
# Single-node file backend; the path must be writable by the vault user only.
storage "file" {
  path = "/var/lib/vault/data"
}
EOF
cat >/etc/systemd/system/vault.service << EOF
[Unit]
Description=Vault Manage Secrets and Protect Sensitive Data
# Requires= alone does not order startup; After= makes the unit wait for the network.
Requires=network.target
After=network.target
[Service]
User=vault
Group=vault
WorkingDirectory=/var/lib/vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.hcl
Restart=on-failure
RestartSec=5
# Discards Vault's stdout; remove this line to keep the server output in the journal.
StandardOutput=null
# Lets Vault mlock() its memory so secrets are not swapped to disk.
AmbientCapabilities=CAP_IPC_LOCK
[Install]
WantedBy=multi-user.target
EOF
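The download step above installs whatever the release server returned. HashiCorp publishes a checksum file next to each release (vault_${VERSION}_SHA256SUMS, with a detached .sig over it), so the archive can be verified before it is unpacked into /usr/local/bin. The shell function below is an example added here, not code from the original page or from HashiCorp; the function name verify_release and its exit codes are assumptions. It looks up the digest for the archive's file name in a SHA256SUMS file and compares it with the actual SHA-256 of the archive.

```shell
# verify_release ARCHIVE SUMSFILE
# Exit status: 0 when the SHA-256 of ARCHIVE matches the entry for its basename in
# SUMSFILE ("<hex>  <filename>" lines, as in HashiCorp's SHA256SUMS files),
# 1 on mismatch, 2 when SUMSFILE has no entry for the file.
# Example helper (assumed name), not part of the original page.
verify_release() {
  local archive="$1" sums="$2"
  local name expected actual
  name=$(basename -- "$archive")
  # Match only the line whose second field is exactly this file name.
  expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256sum -- "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum OK for $name"
  return 0
}

# Usage against a real release (needs network, therefore kept as a comment so the
# file can be sourced and tested offline):
#   VERSION="1.10.0"
#   curl -LOs "https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip"
#   curl -LOs "https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS"
#   verify_release "vault_${VERSION}_linux_amd64.zip" "vault_${VERSION}_SHA256SUMS" || exit 1
```

The checksum file comes from the same server as the archive, so on its own it only detects a corrupted download; to detect a substituted release, also check the .sig over the SHA256SUMS file with gpg --verify against HashiCorp's published signing key before trusting the digests.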
Initializing Vault
systemctl daemon-reload
systemctl enable --now vault
export VAULT_ADDR='http://127.0.0.1:8200'
# Prints five unseal keys and the initial root token; they are shown only once, record them somewhere safe.
# (-address is redundant here because VAULT_ADDR is set.)
vault operator init -address=http://127.0.0.1:8200
vault operator unseal # Use unseal key 1
vault operator unseal # Use unseal key 2
vault operator unseal # Use unseal key 3
🔑 By default vault operator init splits the master key with Shamir's secret sharing into five unseal keys with a threshold of three (-key-shares=5 -key-threshold=3). The unseal keys are typically handed to five people in the organisation; any three of them must then enter their key for Vault to be unsealed, and the same is required after every restart. The initial root token is unrestricted: use it only for the setup below and revoke it (vault token revoke <token>) once the policies and tokens are in place.

Creating the KV secrets engine
# Login with initial root token
root@master:~# vault login
Token (will be hidden): *****
# "kv" without -version=2 mounts KV version 1: secrets live directly under secret/<name>.
# (KV v2 would use secret/data/<name> in the API, and the policy paths below would need that prefix.)
root@master:~# vault secrets enable -path=secret kv
root@master:~# vault secrets list
Creating Vault policies
# Policy for reading and writing to the vault manually
vault policy write secret-rw -<<EOF
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
# Policy for the salt master.
# "*" with read/list lets the master read every mount (sys/ included); narrow it to the
# paths the master actually needs, e.g. "secret/*", once they are known.
# sudo on auth/* is what lets the master create minion tokens carrying policies it does
# not hold itself (Vault allows that only for root or with sudo on auth/token/create).
vault policy write salt-master -<<EOF
path "*" {
  capabilities = ["read","list"]
}
path "auth/*" {
  capabilities = ["read", "list", "sudo", "create", "update", "delete"]
}
EOF
# Policy for the minions. The name matches one of the two policies Salt assigns to
# minion tokens by default (saltstack/minion/{minion} and saltstack/minions).
vault policy write saltstack/minions -<<EOF
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF
vault policy list
Writing to and reading from Vault
Generating a user token
root@master:~# vault token create -policy=secret-rw
# Log in with the created token
root@master:~# vault login
Token (will be hidden): *****
# user/password here are placeholder values. key=value pairs on the command line end up in the
# shell history; vault kv put also accepts key=@file (value read from a file) and key=- (value read from stdin).
root@master:~# vault kv put secret/upstream-api user=susanne password=pwd__12345
Success! Data written to: secret/upstream-api
root@master:~# vault kv get secret/upstream-api
====== Data ======
Key         Value
---         -----
password    pwd__12345
user        susanne
Connecting the Salt master to Vault
Creating a token for the Salt master
vault token create -policy=salt-master
The token is created with Vault's default TTL and stops working when it expires; check it with vault token lookup and plan renewal or rotation. Salt's vault module can also authenticate with AppRole (method: approle with role_id and secret_id), which avoids keeping a long-lived static token in the master config.
Extending the master config
# e.g. /etc/salt/master.d/vault.conf, readable by root only (mode 0600), since it holds the token
vault:
  url: http://192.168.3.136:8200   # https:// in production; with a private CA also set verify: /path/to/ca.crt
  auth:
    method: token
    token: *****                   # the token created above
# Allows every minion (.*) to request a Vault token from the master via vault.generate_token;
# the master issues it with the saltstack/minions policy.
peer_run:
  .*:
    - vault.generate_token
Reading from Vault
# "master" is the ID of the minion running on the master host
root@master:~# salt master vault.read_secret "secret/upstream-api"
master:
    ----------
    password:
        pwd__12345
    user:
        susanne
The same Jinja call works in a pillar .sls, which is rendered on the master with the master's own token; in a state .sls like the one below it runs on the minion, which first obtains its own token from the master through the peer_run entry above.
#
# Read from vault
#
{% set credentials = salt['vault.read_secret']("secret/upstream-api") %}
/tmp/credentials.txt:
  file.managed:
    - contents: |
        user = {{ credentials['user'] }}
        pass = {{ credentials['password'] }}
    - mode: '0600'          # the file holds a password; the default mode would leave it world-readable
    - show_changes: False   # keeps the secret out of the state diff in the job output