====== Hashicorp Vault ======
* [[https://tproger.ru/articles/nachalo-raboty-s-hashicorp-vault-i-sozdanie-pervogo-sekreta|Getting started with Hashicorp Vault and creating the first secret]]
* [[https://habr.com/ru/articles/653927/|Using Hashicorp Vault to store secrets]]
* [[https://developer.hashicorp.com/vault/docs/secrets/transit|Transit secrets engine]]
* [[https://penkovski.com/post/vault-dev-server-docker-compose/|Vault Dev Server in Docker Compose]]
===== Installation and connection =====
* [[https://hub.docker.com/r/hashicorp/vault/tags]]
# docker run -d --name my-vault -p 8200:8200 hashicorp/vault:1.21.3
# docker logs my-vault
...
Unseal Key: P0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN8=
Root Token: hMMMMMMMMMMMMMMMMMMMMMMMMMV
...
# docker exec -ti my-vault sh
/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # vault status
/ # vault login token=hMMMMMMMMMMMMMMMMMMMMMMMMMV
/ # vault secrets list
/ # ###rm ~/.vault-token
===== KV secrets engine =====
* [[https://discuss.hashicorp.com/t/store-ssl-certificates-in-vault/30180|Store ssl certificates in vault]]
/ # vault secrets list
/ # vault kv put secret/ansible/openvpn1 \
username=vagrant \
password=strongpassword
/ # vault kv list secret/ansible/
Keys
----
openvpn1
/ # vault kv get secret/ansible/openvpn1
======== Secret Path ========
secret/data/ansible/openvpn1
...
version 1
...
/ # ###vault kv delete secret/ansible/openvpn1
===== Transit secrets engine =====
* [[https://developer.hashicorp.com/vault/tutorials/encryption-as-a-service/eaas-transit|Encrypt data in transit with Vault]]
/ # vault secrets enable transit
/ # vault write transit/keys/ansible-openvpn1 type=rsa-4096
/ # vault list transit/keys/
/ # vault read transit/keys/ansible-openvpn1
/ # vault write transit/encrypt/ansible-openvpn1 plaintext="$(echo Hello World | base64)"
/ # vault write transit/decrypt/ansible-openvpn1 ciphertext="vault:v1:letsK..."
/ # echo SGVsbG8gV29ybGQK | base64 -d
/ # vault write transit/keys/my-pgcluster type=rsa-4096
/ # vault write transit/keys/my-keycloak type=rsa-4096
===== Vault policy =====
* [[http://server.corpX.un:8200]]
/ # vault policy write ansible-openvpn1 - <
/ # vault policy list
/ # vault policy read ansible-openvpn1
/ # ###vault policy delete ansible-openvpn1
/ # vault policy write my-pgcluster - <
/ # vault policy write my-keycloak - <
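The policy bodies passed through the heredocs above are not shown on this page. An added example of what the ansible-openvpn1 policy is assumed to contain, written to match the KV path and transit key created in the earlier sections (this is an assumption, not the page's own policy): read-only on the one secret, encrypt/decrypt on the one key, and nothing on key management.

```hcl
# Assumed policy for the ansible-openvpn1 role (added example, not from the page).
# Read-only on the single KV v2 secret; note the /data/ segment in the API path.
path "secret/data/ansible/openvpn1" {
  capabilities = ["read"]
}

# Encrypt/decrypt with the matching transit key only. "update" is the
# capability Vault requires for POST to these endpoints; no access to
# transit/keys/*, so the token cannot rotate, export or delete the key.
path "transit/encrypt/ansible-openvpn1" {
  capabilities = ["update"]
}

path "transit/decrypt/ansible-openvpn1" {
  capabilities = ["update"]
}
```

Feed it to `vault policy write ansible-openvpn1 -` on stdin (the heredoc form used above), then confirm with `vault policy read ansible-openvpn1`.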
===== Vault token =====
/ # vault token create -policy="ansible-openvpn1"
Key Value
--- -----
token hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
token_accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
...
/ # vault list auth/token/accessors
/ # vault token lookup -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
/ # ###vault token revoke -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
# VAULT_ADDR='http://server.corpX.un:8200'
# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
# curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request GET \
"$VAULT_ADDR/v1/secret/data/ansible/openvpn1" | jq
===== Vault auth token role =====
* [[https://support.hashicorp.com/hc/en-us/articles/40458024385939-Handling-Token-Role-Changes-and-Bound-CIDR-Restrictions-in-Vault|Handling Token Role Changes and Bound CIDR Restrictions in Vault]]
/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.10" #period=32d
/ # vault list auth/token/roles/
/ # vault read auth/token/roles/ansible-openvpn1-role
/ # vault token create -role=ansible-openvpn1-role
Key Value
--- -----
token hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
token_accessor sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24"
/ # vault token lookup -accessor sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
...
bound_cidrs [192.168.X.10]
...
/ # vault write auth/token/roles/my-pgcluster allowed_policies=my-pgcluster bound_cidrs="192.168.X.10, 192.168.X.221"
/ # vault token create -role=my-pgcluster
/ # vault write auth/token/roles/my-keycloak allowed_policies=my-keycloak bound_cidrs="192.168.X.10, 192.168.X.221"
/ # vault token create -role=my-keycloak
===== Vault auth approle =====
/ # vault auth list
/ # vault auth enable approle
/ # vault write auth/approle/role/ansible-openvpn1-role \
token_policies="ansible-openvpn1" \
secret_id_bound_cidrs="192.168.X.10","127.0.0.0/8" \
token_bound_cidrs="192.168.X.10","127.0.0.0/8" \
policies="ansible-openvpn1"
/ # vault list auth/approle/role
/ # vault read auth/approle/role/ansible-openvpn1-role
...
/ # vault read auth/approle/role/ansible-openvpn1-role/role-id
Key Value
--- -----
role_id fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0
/ # vault write -force auth/approle/role/ansible-openvpn1-role/secret-id
Key Value
--- -----
secret_id 1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2
secret_id_accessor cUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDDc
secret_id_num_uses 0
secret_id_ttl 0s
/ # vault write auth/approle/login role_id="fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0" secret_id="1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2"
Key Value
--- -----
token hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE
token_accessor iPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPy
token_duration 768h
token_renewable true
token_policies ["ansible-openvpn1" "default"]
identity_policies []
policies ["ansible-openvpn1" "default"]
token_meta_role_name ansible-openvpn1-role
server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE