Part 2: Docker & Vault Agent with Dynamic Secrets
Part 4: Docker, Vault Agent with Terraform
In the previous parts we wrote about static (part 1) and dynamic (part 2) secrets and the Vault Agent, and in every example we used Docker commands. All of the examples are in our GitHub repository.
Let's clone it:
$ git clone https://github.com/myros/docker-vault-agent.git
$ cd docker-vault-agent
We can start all the services right away:
$ docker-compose up
During startup we will notice that all services come up, the databases are created and Vault is initialized; Vault Agent, however, has some complaints. The first of them is
vault-agent-demo | 2023-04-12T17:42:31.585Z [INFO] auth.handler: authenticating
vault-agent-demo | 2023-04-12T17:42:31.585Z [ERROR] auth.handler: error getting path or data from method: error="no known role ID" backoff=14.49s
Open a new terminal window and run the following commands in order; meanwhile we can watch what is happening with the Vault Agent.
First, set the VAULT variables
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=root
Enable AppRole
vault auth enable approle
vault write auth/approle/role/agent token_policies="nginx-agent-policy"
vault read --field=role_id auth/approle/role/agent/role-id > ./agent/role-id
vault write --field=secret_id -f auth/approle/role/agent/secret-id > ./agent/secret-id
Create the Vault policy
vault policy write nginx-agent-policy ./vault/policy.hcl
and the KV data
vault kv put secret/nginx/front-page foo=bar app=nginx username=user password=pass
After this step we can see changes in the Vault Agent log and a new file, kv.html, appearing in the nginx directory. At the same time, Vault Agent tells us that some information is still missing before it can render all the files
vault-agent-demo | 2023-04-12T18:01:11.138Z [INFO] (runner) rendered "/agent/kv.tmpl" => "/usr/share/nginx/html/kv.html"
vault-agent-demo | 2023-04-12T18:01:11.138Z [DEBUG] (runner) checking template 92087f9be1f3b34034e0f6af10a5f07b
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing dependency: vault.read(postgres/creds/nginx)
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) checking template 4fec320c7a9e54a636dd7cd9a290ced7
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing dependency: vault.read(mysql/creds/nginx)
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) checking template b673539710900e5bac04f2cc54143e51
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing dependency: vault.read(postgres/creds/nginx)
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) diffing and updating dependencies
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) vault.read(secret/data/nginx/front-page) is still needed
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) vault.read(postgres/creds/nginx) is still needed
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) vault.read(mysql/creds/nginx) is still needed
vault-agent-demo | 2023-04-12T18:01:11.139Z [DEBUG] (runner) watching 3 dependencies
Continue with the commands and create the dynamic PostgreSQL and MySQL secrets engines
vault secrets enable -path=postgres database
vault write postgres/config/products \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/products?sslmode=disable" \
username="postgres" \
password="pass"
vault write postgres/roles/nginx \
db_name=products \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\"" \
default_ttl="30s" \
max_ttl="24h"
After running these, wait a minute or so and we will notice that Vault Agent has created 2 new files (./nginx/psql.html and ./nginx/rails.yaml)
Finish with the last commands
vault secrets enable -path=mysql database
vault write mysql/config/items \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(mysql:3306)/" \
allowed_roles="nginx" \
username="root" \
password="pass"
vault write mysql/roles/nginx \
db_name=items \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
After running them, look at the Vault Agent log, where the magic line appears
vault-agent-demo | 2023-04-12T18:09:14.933Z [DEBUG] (runner) vault.read(secret/data/nginx/front-page) is still needed
vault-agent-demo | 2023-04-12T18:09:14.933Z [DEBUG] (runner) vault.read(postgres/creds/nginx) is still needed
vault-agent-demo | 2023-04-12T18:09:14.933Z [DEBUG] (runner) vault.read(mysql/creds/nginx) is still needed
vault-agent-demo | 2023-04-12T18:09:14.933Z [DEBUG] (runner) watching 3 dependencies
vault-agent-demo | 2023-04-12T18:09:14.933Z [DEBUG] (runner) all templates rendered
Check the nginx directory and indeed, all 5 files have been created
$ ls -1 nginx
kv.html
mysql.html
psql.html
rails.yaml
Script
If we recall the first part of this series, Vault initially has no active authentication methods and no data. This repository also contains the script vault.sh, which holds all the commands we used in this series. We run it like any other shell script
$ sh vault.sh
and after it runs, the terminal window will look like this:
===> Setting ENV variables
===> Setting AppRole auth method....
Success! Enabled approle auth method at: approle/
Success! Data written to: auth/approle/role/agent
===> Creating role-id and secret-id files....
===> Setting up some secrets...
======== Secret Path ========
secret/data/nginx/front-page
======= Metadata =======
Key Value
--- -----
created_time 2023-04-12T17:53:06.886310963Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
===> Importing nginx-agent policy...
Success! Uploaded policy: nginx-agent-policy
===> PostgreSQL database secret engine...
Success! Enabled the database secrets engine at: postgres/
Success! Data written to: postgres/config/products
Success! Data written to: postgres/roles/nginx
===> MySql database secret engine...
Success! Enabled the database secrets engine at: mysql/
Success! Data written to: mysql/config/items
Success! Data written to: mysql/roles/nginx
and Vault Agent will have all the information it needs to create the files:
...
vault-agent-demo | 2023-04-12T17:53:10.563Z [DEBUG] (runner) initiating run
vault-agent-demo | 2023-04-12T17:53:10.563Z [DEBUG] (runner) checking template f5f4aada75c2e0527ad98f60dadd331a
vault-agent-demo | 2023-04-12T17:53:10.563Z [DEBUG] (runner) rendering "/agent/kv.tmpl" => "/usr/share/nginx/html/kv.html"
vault-agent-demo | 2023-04-12T17:53:10.563Z [DEBUG] (runner) checking template 92087f9be1f3b34034e0f6af10a5f07b
vault-agent-demo | 2023-04-12T17:53:10.564Z [DEBUG] (runner) rendering "/agent/psql.tmpl" => "/usr/share/nginx/html/psql.html"
vault-agent-demo | 2023-04-12T17:53:10.564Z [DEBUG] (runner) checking template 4fec320c7a9e54a636dd7cd9a290ced7
vault-agent-demo | 2023-04-12T17:53:10.564Z [DEBUG] (runner) rendering "/agent/mysql.tmpl" => "/usr/share/nginx/html/mysql.html"
vault-agent-demo | 2023-04-12T17:53:10.566Z [INFO] (runner) rendered "/agent/mysql.tmpl" => "/usr/share/nginx/html/mysql.html"
vault-agent-demo | 2023-04-12T17:53:10.566Z [DEBUG] (runner) checking template b673539710900e5bac04f2cc54143e51
vault-agent-demo | 2023-04-12T17:53:10.566Z [DEBUG] (runner) rendering "/agent/rails.tmpl" => "/usr/share/nginx/html/rails.yaml"
vault-agent-demo | 2023-04-12T17:53:10.567Z [DEBUG] (runner) diffing and updating dependencies
vault-agent-demo | 2023-04-12T17:53:10.567Z [DEBUG] (runner) vault.read(mysql/creds/nginx) is still needed
vault-agent-demo | 2023-04-12T17:53:10.567Z [DEBUG] (runner) vault.read(secret/data/nginx/front-page) is still needed
vault-agent-demo | 2023-04-12T17:53:10.567Z [DEBUG] (runner) vault.read(postgres/creds/nginx) is still needed
vault-agent-demo | 2023-04-12T17:53:10.567Z [DEBUG] (runner) watching 3 dependencies
vault-agent-demo | 2023-04-12T17:53:10.567Z [DEBUG] (runner) all templates rendered
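The bootstrap above runs the same commands every time and drops role-id and secret-id into ./agent with default permissions. The script below is an added example, not the repository's vault.sh: it covers the AppRole and KV part of the sequence (the two database engines follow the same pattern with `vault secrets list` in place of `vault auth list`), waits for Vault to be unsealed, is safe to re-run, and writes the agent's credential files owner-only. It assumes the dev server, role name "agent" and policy "nginx-agent-policy" from this post.

```shell
#!/usr/bin/env bash
# Added example (not the repository's vault.sh): AppRole bootstrap for the agent,
# safe to re-run, with owner-only credential files. Assumes the post's dev server.
set -eu

: "${VAULT_ADDR:=http://localhost:8200}"
: "${VAULT_TOKEN:=root}"   # dev-mode root token from the post; a real deployment uses a scoped token
export VAULT_ADDR VAULT_TOKEN

# Block until Vault answers and reports itself unsealed ('vault status' exits 0 only then).
wait_for_vault() {
  local i=0
  while ! vault status >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "Vault at $VAULT_ADDR not ready after 30s" >&2; return 1; }
    sleep 1
  done
}

# Write one credential (role-id or secret-id) to a file readable only by its owner.
# Refuses an empty value so a failed 'vault read' cannot leave the agent with a blank file.
write_secret_file() {
  local path=$1 value=$2
  [ -n "$value" ] || { echo "refusing to write an empty value to $path" >&2; return 1; }
  ( umask 077; printf '%s\n' "$value" > "$path" )
}

# True when the auth method (e.g. "approle/") is already mounted; keeps the script idempotent,
# since 'vault auth enable' fails with "path is already in use" on a second run.
auth_enabled() {
  vault auth list -format=json | grep -q "\"$1\""
}

setup() {
  wait_for_vault
  auth_enabled "approle/" || vault auth enable approle
  # Policy before role: the role references the policy by name.
  vault policy write nginx-agent-policy ./vault/policy.hcl
  vault write auth/approle/role/agent token_policies="nginx-agent-policy"
  mkdir -p ./agent
  write_secret_file ./agent/role-id   "$(vault read -field=role_id auth/approle/role/agent/role-id)"
  write_secret_file ./agent/secret-id "$(vault write -field=secret_id -f auth/approle/role/agent/secret-id)"
  # Static KV data rendered into kv.html by the agent (same values as the post).
  vault kv put secret/nginx/front-page foo=bar app=nginx username=user password=pass
}

# Run the bootstrap only as 'bash setup.sh run', so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then setup; fi
```

Run it from the repository root as `bash setup.sh run` after `docker-compose up`; a second run only rewrites the policy, role, credential files and a new KV version instead of failing on the already-enabled auth method.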
Further reading:
Docker Compose: https://docs.docker.com/compose/