Improve securing of Vault Key Shards for unsealing Vault (stx 9.0, dsr8MR3)

Initial draft
Resolve merge conflict

Story: 49622

Change-Id: Ied162cb87fb203fe4e1c3b7f719bac1b8cc3feaa
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Ron Stone 2024-02-26 13:01:59 +00:00 committed by Juanita-Balaraj
parent 814bfdf803
commit 1ffb13d2e6
3 changed files with 31 additions and 42 deletions


@ -20,7 +20,8 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
.. code-block:: none
$ kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*'
$ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root \
-o jsonpath='{.data.strdata}' | base64 -d )"
#. Log in to the Vault server container.
@ -34,7 +35,7 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
.. code-block:: none
$ vault login
$ vault login -no-print
#. Enable the Kubernetes Auth method.
@ -46,7 +47,7 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
.. code-block:: none
$ vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
$ vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
#. Verify the Kubernetes Auth method.
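Review bot: The rewritten `vault write auth/kubernetes/config` line drops `kubernetes_ca_cert` and `token_reviewer_jwt` without telling the reader what Vault uses in their place; presumably this relies on Vault (1.9 and later) falling back to the server pod's own service-account token and CA bundle when those fields are omitted, which in turn requires the Vault service account to be permitted to call the TokenReview API. A short sentence after the command would prevent a silent failure on older Vault builds or where `disable_local_ca_jwt` has been set, e.g. `The CA certificate and reviewer JWT are omitted because Vault defaults to the server pod's service-account credentials.` The same omission appears in the REST variant of the configuration request in the second file section, where the explanation belongs as well. The enumerated step this command belongs to continues outside the hunk.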
@ -123,7 +124,7 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
.. code-block:: none
$ vault write auth/kubernetes/role/basic-secret-role bound_service_account_names=basic-secret bound_service_account_namespaces=default policies=basic-secret-policy ttl=24h
$ vault write auth/kubernetes/role/basic-secret-role bound_service_account_names=basic-secret bound_service_account_namespaces=test policies=basic-secret-policy ttl=24h
#. Verify the policy.


@ -26,11 +26,7 @@ The following steps use Vault's REST API and is run from controller-0.
.. code-block:: none
$ ROOT_TOKEN=$(kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*')
$ SA_CA_CERT=$(kubectl exec -n vault sva-vault-0 -- awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
$ TOKEN_JWT=$(kubectl exec -n vault sva-vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root -o jsonpath='{.data.strdata}' | base64 -d )"
$ KUBERNETES_PORT_443_TCP_ADDR=$(kubectl exec -n vault sva-vault-0 -- sh -c 'echo $KUBERNETES_PORT_443_TCP_ADDR')
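Review bot: The root token is now read from the `cluster-key-root` secret into `ROOT_TOKEN` and then expanded into the `--header "X-Vault-Token:$ROOT_TOKEN"` argument of every curl call later in this section, so it sits on the curl command line, readable from the process list of controller-0 for the duration of each request, and stays in the shell environment after the procedure ends. Because this is a one-time bootstrap, the page should say what to do with the variable afterwards, e.g. add a closing step `Clear the root token from the shell: unset ROOT_TOKEN` and point to Vault's recommendation to revoke the root token once a less-privileged operator token or auth method is in place. The variable assignment step continues outside the hunk, so the exact position of such a closing step cannot be judged from here.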
@ -38,7 +34,8 @@ The following steps use Vault's REST API and is run from controller-0.
#. Enable the Kubernetes Auth method.
This allows Vault to use Kubernetes service accounts for authentication of Vault commands.
This allows Vault to use Kubernetes service accounts for authentication of
Vault commands.
For more information, see:
@ -57,7 +54,7 @@ The following steps use Vault's REST API and is run from controller-0.
.. code-block:: none
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"kubernetes_host": "'"https://$KUBERNETES_PORT_443_TCP_ADDR:443"'", "kubernetes_ca_cert":"'"$SA_CA_CERT"'", "token_reviewer_jwt":"'"$TOKEN_JWT"'"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/config
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"kubernetes_host": "'"https://$KUBERNETES_PORT_443_TCP_ADDR:443"'"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/config
#. Verify the Kubernetes Auth method.
@ -117,7 +114,7 @@ The following steps use Vault's REST API and is run from controller-0.
.. code-block:: none
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "pvtest", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "test", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
#. Verify the role configuration.
@ -133,7 +130,7 @@ The following steps use Vault's REST API and is run from controller-0.
.. code-block:: none
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"username":"pvtest","password":"<password>"}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"data":{"password": "<password>", "username": "test"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
#. Verify the secret.


@ -32,13 +32,7 @@ pod can access these secrets as files.
.. code-block:: none
$ ROOT_TOKEN=$(kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*')
$ SA_CA_CERT=$(kubectl exec -n vault sva-vault-0 -- awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
$ TOKEN_JWT=$(kubectl exec -n vault sva-vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ KUBERNETES_PORT_443_TCP_ADDR=$(kubectl exec -n vault sva-vault-0 -- sh -c 'echo $KUBERNETES_PORT_443_TCP_ADDR')
$ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root -o jsonpath='{.data.strdata}' | base64 -d )"
$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca.pem
@ -52,13 +46,13 @@ pod can access these secrets as files.
.. code-block:: none
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "default", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "test", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
#. Create the secret.
.. code-block:: none
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"username":"pvtest","password":"Li69nux*"}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
$ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"data":{"password": "<password>", "username": "test"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
#. Verify the secret.
@ -68,19 +62,14 @@ pod can access these secrets as files.
.. rubric:: |proc|
#. Copy the Vault certs to the default namespace.
.. code-block:: none
$ kubectl get secret vault-server-tls --namespace=vault --export -o yaml | kubectl apply --namespace=default -f-
#. Use the following vault-injector.yaml file to create a test namespace, an
example Vault-Unaware deployment, 'basic-secret', with vault annotations
#. Use the following ``helloworld.yaml`` file to create a test namespace,
an example Vault-Unaware deployment, 'basic-secret', with vault annotations
for creating the Vault Agent Injector sidecar container:
.. code-block:: yaml
cat <<EOF >> vault-injector.yaml
cat <<EOF >> helloworld.yaml
apiVersion: v1
kind: Namespace
metadata:
@ -101,17 +90,17 @@ pod can access these secrets as files.
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/tls-skip-verify: "true"
vault.hashicorp.com/agent-inject-secret-helloworld: "secret/data/basic-secret/helloworld"
vault.hashicorp.com/agent-inject-template-helloworld: |
{{- with secret "secret/data/basic-secret/helloworld" -}}
{
"username" : "{{ .Data.data.username }}",
"password" : "{{ .Data.data.password }}"
}
{{- end }}
vault.hashicorp.com/role: "basic-secret-role"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/tls-skip-verify: "true"
vault.hashicorp.com/agent-inject-secret-helloworld: "secret/data/basic-secret/helloworld"
vault.hashicorp.com/agent-inject-template-helloworld: |
{{- with secret "secret/data/basic-secret/helloworld" -}}
{
"username" : "{{ .Data.data.username }}",
"password" : "{{ .Data.data.password }}"
}
{{- end }}
vault.hashicorp.com/role: "basic-secret-role"
labels:
app: basic-secret
spec:
@ -126,6 +115,7 @@ pod can access these secrets as files.
name: basic-secret
labels:
app: basic-secret
namespace: test
EOF
#. Apply the application and verify the pod is running.
@ -138,7 +128,8 @@ pod can access these secrets as files.
.. code-block:: none
$ kubectl exec -n pvtest basic-secret-55d6c9bb6f-4whbp -- cat /vault/secrets/helloworld
$ POD="$( kubectl get pods -n test | cut -d' ' -f1 | grep basic-secret )"
$ kubectl exec -n test $POD -- cat /vault/secrets/helloworld
.. _vault-unaware-ul-jsf-dqm-4mb:
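Review bot: The new `POD="$( kubectl get pods -n test | cut -d' ' -f1 | grep basic-secret )"` selects the pod by text-matching the table output, so it returns several names whenever more than one replica exists or a terminating pod is still listed, and the following `kubectl exec -n test $POD` then fails with a confusing error. The pod template already carries the `app: basic-secret` label shown earlier in this section, so a selector is both shorter and deterministic: `POD="$( kubectl get pods -n test -l app=basic-secret -o jsonpath='{.items[0].metadata.name}' )"`. Separately, the re-indented annotation block earlier in this section keeps `vault.hashicorp.com/tls-skip-verify: "true"` even though the Vault CA is now extracted to `/home/sysadmin/vault_ca.pem` for the curl steps; if the injector in this release can be pointed at that CA, the example would be stronger with verification left enabled, or at least with a note that skipping verification is for the test deployment only.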