This shows you the differences between two versions of the page.
| hashicorp_vault [2026/02/08 13:22] val | hashicorp_vault [2026/02/25 19:53] (current) val [Vault policy] | | |
|---|---|---|---|
| Line 4: | Line 4: | ||
| * [[https://habr.com/ru/articles/653927/|Используем Hashicorp Vault для хранения секретов]] | * [[https://habr.com/ru/articles/653927/|Используем Hashicorp Vault для хранения секретов]] | ||
| * [[https://developer.hashicorp.com/vault/docs/secrets/transit|Transit secrets engine]] | * [[https://developer.hashicorp.com/vault/docs/secrets/transit|Transit secrets engine]] | ||
| + | * [[https://penkovski.com/post/vault-dev-server-docker-compose/|Vault Dev Server in Docker Compose]] | ||
| ===== Установка и подключение ===== | ===== Установка и подключение ===== | ||
| + | |||
| + | * [[https://hub.docker.com/r/hashicorp/vault/tags]] | ||
| + | |||
| <code> | <code> | ||
| - | # docker run -d --name my-vault -p 8200:8200 hashicorp/vault:latest | + | # docker run -d --name my-vault -p 8200:8200 hashicorp/vault:1.21.3 |
| # docker logs my-vault | # docker logs my-vault | ||
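Review bot: pinning `hashicorp/vault:1.21.3` instead of `:latest` on the `docker run` line is the right change for reproducibility, but a tag can still be re-pushed; if the lab is meant to be repeatable, record the image digest as well (`hashicorp/vault@sha256:<digest>`). One sentence is also missing from this section: with no command given, this image starts `vault server -dev`, whose storage is in-memory and whose root token is printed to the container log, which is exactly what the following `docker logs my-vault` line reads.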
| Line 30: | Line 34: | ||
| ===== KV secrets engine ===== | ===== KV secrets engine ===== | ||
| + | |||
| + | * [[https://discuss.hashicorp.com/t/store-ssl-certificates-in-vault/30180|Store ssl certificates in vault]] | ||
| + | |||
| <code> | <code> | ||
| / # vault secrets list | / # vault secrets list | ||
| / # vault kv put secret/ansible/openvpn1 \ | / # vault kv put secret/ansible/openvpn1 \ | ||
| - | username=student \ | + | username=vagrant \ |
| - | password=password | + | password=strongpassword |
| / # vault kv list secret/ansible/ | / # vault kv list secret/ansible/ | ||
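Review bot: `username=vagrant` / `password=strongpassword` are still literal credentials on the command line, so they end up in shell history and in this wiki; use an obvious placeholder in the docs and, for real values, `password=-` (read from stdin) or `password=@file` so the secret never appears in the command itself.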
| Line 43: | Line 50: | ||
| / # vault kv get secret/ansible/openvpn1 | / # vault kv get secret/ansible/openvpn1 | ||
| + | ======== Secret Path ======== | ||
| + | secret/data/ansible/openvpn1 | ||
| + | ... | ||
| + | version 1 | ||
| + | ... | ||
| + | |||
| / # ###vault kv delete secret/ansible/openvpn1 | / # ###vault kv delete secret/ansible/openvpn1 | ||
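Review bot: the added output shows `secret/data/ansible/openvpn1`, which confirms that `secret/` is a KV version 2 mount; worth saying so explicitly, because ACL policies for v2 must name `secret/data/ansible/openvpn1` (and `secret/metadata/...` for list/delete of versions), not `secret/ansible/openvpn1`. The `version 1` line is the secret's version, not the engine version, which is easy to misread next to it.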
| Line 48: | Line 61: | ||
| ===== Transit secrets engine ===== | ===== Transit secrets engine ===== | ||
| + | |||
| + | * [[https://developer.hashicorp.com/vault/tutorials/encryption-as-a-service/eaas-transit|Encrypt data in transit with Vault]] | ||
| + | |||
| <code> | <code> | ||
| / # vault secrets enable transit | / # vault secrets enable transit | ||
| Line 62: | Line 78: | ||
| / # echo SGVsbG8gV29ybGQK | base64 -d | / # echo SGVsbG8gV29ybGQK | base64 -d | ||
| + | </code><code> | ||
| + | / # vault write transit/keys/my-pgcluster type=rsa-4096 | ||
| + | |||
| + | / # vault write transit/keys/my-keycloak type=rsa-4096 | ||
| </code> | </code> | ||
| ===== Vault policy ===== | ===== Vault policy ===== | ||
| + | |||
| + | * [[http://server.corpX.un:8200]] | ||
| + | |||
| <code> | <code> | ||
| / # vault policy write ansible-openvpn1 - <<EOF | / # vault policy write ansible-openvpn1 - <<EOF | ||
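Review bot: both new keys are created with `type=rsa-4096` and no rationale. Transit RSA keys encrypt with RSA-OAEP, which caps a single plaintext at a few hundred bytes and is much slower than the default `aes256-gcm96`; if these keys will only be used through `transit/encrypt` and `transit/decrypt`, a symmetric key type is the better fit, with RSA reserved for sign/verify use. Consider stating the intended use of each key next to the `vault write transit/keys/...` line.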
| Line 82: | Line 105: | ||
| / # ###vault policy delete ansible-openvpn1 | / # ###vault policy delete ansible-openvpn1 | ||
| + | </code><code> | ||
| + | / # vault policy write my-pgcluster - <<EOF | ||
| + | path "/transit/encrypt/my-pgcluster" { | ||
| + | capabilities = ["update"] | ||
| + | } | ||
| + | path "/transit/decrypt/my-pgcluster" { | ||
| + | capabilities = ["update"] | ||
| + | } | ||
| + | EOF | ||
| + | </code><code> | ||
| + | / # vault policy write my-keycloak - <<EOF | ||
| + | path "/transit/encrypt/my-keycloak" { | ||
| + | capabilities = ["update"] | ||
| + | } | ||
| + | path "/transit/decrypt/my-keycloak" { | ||
| + | capabilities = ["update"] | ||
| + | } | ||
| + | EOF | ||
| </code> | </code> | ||
| Line 126: | Line 167: | ||
| server|gate# VAULT_ADDR='http://server.corpX.un:8200' | server|gate# VAULT_ADDR='http://server.corpX.un:8200' | ||
| server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk | server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk | ||
| - | server|gate# export VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk | ||
| / # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24" | / # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24" | ||
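Review bot: removing the `export VAULT_TOKEN=...` line leaves only the bare `VAULT_TOKEN=...` assignment above it (and `VAULT_ADDR=...` likewise), which a POSIX shell does not pass to the `vault` child process unless an `export` appears elsewhere; either keep the export form or add `export VAULT_ADDR VAULT_TOKEN`. The two new policies correctly use `update` (Transit encrypt/decrypt are POST operations) and are scoped to one key each, which is good least privilege; style point: HashiCorp's policy examples write paths without a leading `/` (`transit/encrypt/my-pgcluster`), matching how `transit/keys/...` is written in the commands above.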
| Line 134: | Line 174: | ||
| bound_cidrs [192.168.X.10] | bound_cidrs [192.168.X.10] | ||
| ... | ... | ||
| + | </code><code> | ||
| + | / # vault write auth/token/roles/my-pgcluster allowed_policies=my-pgcluster bound_cidrs="192.168.X.10, 192.168.X.221" | ||
| + | |||
| + | / # vault token create -role=my-pgcluster | ||
| + | </code><code> | ||
| + | / # vault write auth/token/roles/my-keycloak allowed_policies=my-keycloak bound_cidrs="192.168.X.10, 192.168.X.221" | ||
| + | |||
| + | / # vault token create -role=my-keycloak | ||
| </code> | </code> | ||
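Review bot: the two new token roles set `allowed_policies` and `bound_cidrs` but no lifetime, so `vault token create -role=...` issues tokens with the token backend's default TTL and max TTL; add `token_ttl`/`token_explicit_max_ttl` (or `token_period` for long-running services such as the PostgreSQL cluster and Keycloak) and, where it fits, `token_num_uses`, so a leaked token ages out. `bound_cidrs` is the legacy parameter name; the current one is `token_bound_cidrs`. Note also that both roles share the same two addresses `192.168.X.10, 192.168.X.221`, so the CIDR bound alone does not separate the two services; only the policy split does.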