Vault

https://github.com/hashicorp/vault

Install:

https://learn.hashicorp.com/tutorials/vault/getting-started-install

CLI

The server can be selected either through environment variables or through command-line flags:

-address    (env: VAULT_ADDR)
-namespace  (env: VAULT_NAMESPACE)
vault [subcommand] -address="https://server:8200"

server:

// start the vault server
$ vault server -config=/etc/vault/config.hcl

agent:

$ vault agent

login:

// log in with a token.
$ vault login

// log in through an auth method (here OIDC) and print only the resulting token.
$ vault login -token-only -method=oidc

operator:

// init generates the unseal keys and the root token.
$ vault operator init

// unseal with the unseal keys (repeat until the threshold is reached)
$ vault operator unseal

// seal again (requires a token permitted on sys/seal)
$ vault operator seal

auth:

// list enabled auth methods
$ vault auth list

secrets:

// list enabled secrets engines
$ vault secrets list

// enable the kv engine (at a custom path, or at the default path "kv/")
$ vault secrets enable -path=<ns>/<name> kv
$ vault secrets enable kv

// disable the kv engine
$ vault secrets disable kv

// enable a database engine
$ vault secrets enable -path <ns>/mysql database
// enable a rabbitmq engine
$ vault secrets enable -path <ns>/rabbitmq rabbitmq

policy:

// list policies
$ vault policy list

// create (or update) a policy from an HCL file
$ vault policy write <my-policy> ./my-policy.hcl

plugin:

$ vault plugin list database

read/write/delete/list:

$ vault read
$ vault write
$ vault write my-secret/my-app my-field=value
$ vault delete
$ vault list

API

https://www.vaultproject.io/api-docs

// KV v2 layout: secrets are read under <engine-path>/data/<secret-path>; ?version=N returns an older version
$ curl --header "X-Vault-Token: TOKEN" https://FQDN/v1/<engine-path>/data/<secret-path>
$ curl --header "X-Vault-Token: TOKEN" https://FQDN/v1/<engine-path>/data/<secret-path>?version=<version>
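The two API flows used above (operator unseal via sys/unseal, and the KV v2 read behind the curl lines) as an added example in Python, not code from these notes or from the Vault project. VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE are Vault's real environment variables and X-Vault-Token / X-Vault-Namespace are Vault's real headers; the FakeVault class, the server address and every token, key share and secret value are constructed so the example runs offline.

```python
"""Minimal Vault HTTP API client with a pluggable transport (added example).

Flows covered:
  - `vault operator unseal`: PUT /v1/sys/unseal once per key share until the
    response reports sealed=false (Shamir threshold t of n shares reached);
  - KV v2 read: GET /v1/<engine>/data/<secret>?version=N with X-Vault-Token.
"""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode


class VaultError(Exception):
    """Vault answered with an 'errors' list or a 4xx/5xx status."""


def http_transport(method, url, headers, body):
    """Real transport: one request via urllib, returns (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


class VaultClient:
    def __init__(self, addr=None, token=None, namespace=None, transport=http_transport):
        self.addr = (addr or os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")).rstrip("/")
        self.token = token or os.environ.get("VAULT_TOKEN")
        self.namespace = namespace or os.environ.get("VAULT_NAMESPACE")
        self.transport = transport

    def _call(self, method, path, body=None, params=None):
        url = f"{self.addr}/v1/{path}" + (f"?{urlencode(params)}" if params else "")
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        if self.namespace:
            headers["X-Vault-Namespace"] = self.namespace
        status, payload = self.transport(method, url, headers, body)
        if status >= 400 or "errors" in payload:   # success bodies never carry "errors"
            raise VaultError(f"{method} {path}: HTTP {status} {payload.get('errors')}")
        return payload

    def unseal(self, key_shares):
        """Submit shares one by one; stop as soon as the server reports sealed=false."""
        status = None
        for share in key_shares:
            status = self._call("PUT", "sys/unseal", body={"key": share})
            if not status["sealed"]:
                return status
        raise VaultError("still sealed after %d shares (progress %s of t=%s)"
                         % (len(key_shares), status and status["progress"], status and status["t"]))

    def kv_get(self, mount, secret_path, version=None):
        """KV v2 read; returns (secret dict, version number)."""
        params = {"version": version} if version is not None else None
        data = self._call("GET", f"{mount}/data/{secret_path}", params=params)["data"]
        return data["data"], data["metadata"]["version"]


class FakeVault:
    """Constructed in-memory stand-in for a Vault server (offline demo only)."""

    def __init__(self, shares, threshold, token, secrets):
        self.shares, self.t, self.token = set(shares), threshold, token
        self.secrets = secrets          # {"<mount>/data/<path>": [version1, version2, ...]}
        self.sealed, self.progress = True, 0

    def __call__(self, method, url, headers, body):
        path, _, query = url.split("/v1/", 1)[1].partition("?")
        if path == "sys/unseal":
            if body.get("key") not in self.shares:
                return 400, {"errors": ["invalid key share"]}     # constructed message
            self.progress += 1
            if self.progress >= self.t:
                self.sealed, self.progress = False, 0
            return 200, {"sealed": self.sealed, "t": self.t, "n": len(self.shares),
                         "progress": self.progress}
        if self.sealed:
            return 503, {"errors": ["Vault is sealed"]}
        if headers.get("X-Vault-Token") != self.token:
            return 403, {"errors": ["permission denied"]}
        versions = self.secrets.get(path, [])
        wanted = int(dict(parse_qsl(query)).get("version", len(versions)))
        if not 1 <= wanted <= len(versions):
            return 404, {"errors": []}  # Vault answers 404 with an empty list for a missing secret
        return 200, {"data": {"data": versions[wanted - 1], "metadata": {"version": wanted}}}


def demo():
    """Unseal a fake 3-of-5 server, then read the latest and an older KV version."""
    fake = FakeVault(shares=["k1", "k2", "k3", "k4", "k5"], threshold=3, token="s.demo",
                     secrets={"secret/data/my-app": [{"my-field": "old"}, {"my-field": "value"}]})
    client = VaultClient(addr="https://vault.example.internal:8200", token="s.demo", transport=fake)
    seal_status = client.unseal(["k1", "k2", "k3"])
    latest = client.kv_get("secret", "my-app")
    first = client.kv_get("secret", "my-app", version=1)
    return seal_status, latest, first


if __name__ == "__main__":
    print(demo())
```

Against a real server, construct `VaultClient()` with no arguments so it picks up VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE, exactly like the CLI does. Note that sys/unseal needs no token (the server is sealed, so none can be validated yet), while the KV read fails with 403 on a wrong token and with 404 (empty `errors` list) on a missing secret or version; both surface as VaultError here.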

auth methods

https://www.vaultproject.io/docs/auth

secrets engine

https://www.vaultproject.io/docs/secrets


vault PKI

The pki engine generates and manages certificates.

https://learn.hashicorp.com/tutorials/vault/pki-engine

generate:

// format is one of pem, der, pem_bundle; the output JSON is split into the cert and the key file
vault write -format=json -namespace=<ns> <pki_root>/issue/<role> \
common_name="canuxcheng.com" \
alt_names="canuxcheng.com,*.canuxcheng.com" \
ttl=8760h \
format=pem \
| tee \
>(jq -r '.data.certificate' > canuxcheng.crt) \
>(jq -r '.data.private_key' > private.key)

list:

vault list -namespace=<ns> <pki_root>/certs

verify:

vault read -namespace=iac-phoenix/test it/pki/cert/<sn>

curl -s https://vault.canux.com/v1/<ns>/<pki_root>/cert/<serial-num> | jq -r '.data.certificate' | openssl x509 -in - -noout -text

revoke:

vault write <ns>/<pki_root>/revoke serial_number="******"

remove expired ca:

vault write <pki_root>/tidy tidy_cert_store=true tidy_revoked_certs=true
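Handling the issue response from the generate step above, as an added example in Python rather than the tee/jq pipeline (this is not code from these notes or from the Vault project). The field names (certificate, issuing_ca, ca_chain, private_key, serial_number, expiration) are the ones the pki issue endpoint returns; SAMPLE_ISSUE_RESPONSE is constructed in that shape with placeholder PEM bodies, and the output directory name is chosen here. The difference from the tee pipeline is that the private key file is created with mode 0600 from the start instead of the umask default, and nothing is echoed to stdout; the remaining lifetime is derived from the expiration field so a renewal check can run before `tidy` removes the expired entry.

```python
"""Split a pki issue response into cert + key files and compute time to expiry
(added example, not part of the notes or of Vault)."""
import json
import os
import tempfile
import time
from pathlib import Path

# Constructed sample in the documented response shape; the PEM bodies are
# placeholders, not real certificates or keys.
SAMPLE_ISSUE_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----",
    "private_key_type": "rsa",
    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:ab:54:84:e3:10:b8:b0:33",
    "expiration": 1700000000,
}})


def save_issued_cert(raw_json, out_dir, name):
    """Write <name>.crt (leaf followed by ca_chain) and <name>.key (mode 0600).

    Returns the written paths plus serial_number and expiration from the response.
    """
    data = json.loads(raw_json)["data"]
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cert_path, key_path = out / f"{name}.crt", out / f"{name}.key"

    pems = [data["certificate"], *data.get("ca_chain", [])]
    cert_path.write_text("\n".join(p.strip() for p in pems) + "\n")

    # Create the key file closed to group/other before any bytes are written,
    # instead of relying on the umask as a shell redirection would.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data["private_key"].strip() + "\n")
    os.chmod(key_path, 0o600)  # tighten a pre-existing file too (O_CREAT mode only applies on creation)

    return {"cert": str(cert_path), "key": str(key_path),
            "serial_number": data["serial_number"], "expiration": data["expiration"]}


def cert_read_url(vault_addr, pki_root, serial_number, namespace=None):
    """URL to read the certificate back, same shape as the curl verify line in the notes."""
    prefix = f"{namespace.strip('/')}/" if namespace else ""
    return f"{vault_addr.rstrip('/')}/v1/{prefix}{pki_root.strip('/')}/cert/{serial_number}"


def days_remaining(expiration, now=None):
    """Days until the certificate expires (negative once it has)."""
    now = time.time() if now is None else now
    return (expiration - now) / 86400


def demo(out_dir=None):
    """Run the split on the constructed sample and report what was written."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="vault-pki-")
    res = save_issued_cert(SAMPLE_ISSUE_RESPONSE, out_dir, "canuxcheng")
    res["key_mode"] = os.stat(res["key"]).st_mode & 0o777
    res["chain_len"] = Path(res["cert"]).read_text().count("BEGIN CERTIFICATE")
    res["key_text"] = Path(res["key"]).read_text()
    return res


if __name__ == "__main__":
    r = demo()
    print(r["cert"], r["key"], oct(r["key_mode"]), r["chain_len"])
    print(cert_read_url("https://vault.canux.com", "<pki_root>", r["serial_number"], namespace="<ns>"))
    print("days remaining:", round(days_remaining(r["expiration"]), 1))
```

To use it with real output, pipe `vault write -format=json ... | python3 this_script.py` after replacing SAMPLE_ISSUE_RESPONSE with `sys.stdin.read()`; the serial number in the returned dict is the value to pass to the revoke and cert/<serial-num> commands above.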

vault + k8s

Vault provides two ways to use secrets in k8s.

Vault Sidecar Agent Injector

https://www.vaultproject.io/docs/platform/k8s/injector

https://github.com/hashicorp/vault-k8s

mutating webhook of Bank-Vaults

https://banzaicloud.com/docs/bank-vaults/mutating-webhook/

https://github.com/banzaicloud/bank-vaults

https://banzaicloud.com/blog/inject-secrets-into-pods-vault-revisited/

Vault CSI Provider

https://www.vaultproject.io/docs/platform/k8s/csi

https://github.com/kubernetes-sigs/secrets-store-csi-driver

Designed by Canux