Part 1: Docker & Vault Agent

Part 2: Docker & Vault Agent with Dynamic Secrets

Part 4: Docker, Vault Agent with Terraform

In the previous parts we covered static (part 1) and dynamic (part 2) secrets with Vault Agent, and in every example we drove everything with plain Docker commands. All of the examples are in our GitHub repository.

Let's clone it:

$ git clone https://github.com/myros/docker-vault-agent.git
$ cd docker-vault-agent

We can start all of the services right away:

$ docker-compose up

During startup we will notice that all services come up, the databases are created and Vault is initialised; Vault Agent, however, has some complaints. The agent is configured for AppRole authentication and expects a role-id file that does not exist yet, so the first complaint is

vault-agent-demo               | 2023-04-12T17:42:31.585Z [INFO]  auth.handler: authenticating
vault-agent-demo               | 2023-04-12T17:42:31.585Z [ERROR] auth.handler: error getting path or data from method: error="no known role ID" backoff=14.49s

Open a second terminal window and run the following commands in order; in the meantime we can watch what happens in the Vault Agent log.

First, set the Vault environment variables

export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=root

Enable AppRole, create the agent role and write its role-id and secret-id into the files the agent is waiting for. Note that the role is created without secret_id_num_uses or secret_id_ttl, so ./agent/secret-id is an unlimited, non-expiring credential sitting in plain text on the host; fine for a demo, not for anything else.

vault auth enable approle
vault write auth/approle/role/agent token_policies="nginx-agent-policy"
vault read --field=role_id auth/approle/role/agent/role-id > ./agent/role-id
vault write --field=secret_id -f auth/approle/role/agent/secret-id > ./agent/secret-id

Create the Vault policy (the role above already names it; Vault looks policies up by name at request time, so creating it afterwards is fine)

vault policy write nginx-agent-policy ./vault/policy.hcl

and the KV secret

vault kv put secret/nginx/front-page foo=bar app=nginx username=user password=pass

After this step we notice changes in the Vault Agent log and a new file, kv.html, in the nginx folder. At the same time the agent tells us that it is still missing some data before it can render all of the files: the templates that read from the database secrets engines cannot be rendered until those engines exist.

vault-agent-demo               | 2023-04-12T18:01:11.138Z [INFO] (runner) rendered "/agent/kv.tmpl" => "/usr/share/nginx/html/kv.html"
vault-agent-demo               | 2023-04-12T18:01:11.138Z [DEBUG] (runner) checking template 92087f9be1f3b34034e0f6af10a5f07b
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing dependency: vault.read(postgres/creds/nginx)
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) checking template 4fec320c7a9e54a636dd7cd9a290ced7
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing dependency: vault.read(mysql/creds/nginx)
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) checking template b673539710900e5bac04f2cc54143e51
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing dependency: vault.read(postgres/creds/nginx)
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) missing data for 1 dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) diffing and updating dependencies
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) vault.read(secret/data/nginx/front-page) is still needed
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) vault.read(postgres/creds/nginx) is still needed
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) vault.read(mysql/creds/nginx) is still needed
vault-agent-demo               | 2023-04-12T18:01:11.139Z [DEBUG] (runner) watching 3 dependencies
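The runner messages above are what a readiness check has to read. As an added example (not code from the original post or its repository), the script below classifies a Vault Agent log into three states: the last authentication attempt failed, authenticated but the templates are waiting on paths that do not exist yet, or all templates rendered. It looks only at the runner's latest pass, because the error and "missing dependency" lines from earlier passes stay in the log. The container name vault-agent-demo is taken from the log prefix; that `docker logs` is used to fetch the log is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post or repository): decide from a
# Vault Agent log whether the agent is (a) still failing to authenticate,
# (b) authenticated but waiting on secrets that do not exist yet, or
# (c) done, i.e. "all templates rendered" was logged.
#
# Log text is read from stdin. Lines may carry the "vault-agent-demo |" prefix
# that docker-compose adds; the patterns below ignore it.
#
# Exit status: 0 = all templates rendered
#              1 = authenticated, but dependencies still missing (names on stdout)
#              2 = last auth attempt failed (e.g. "no known role ID")
agent_status() {
    log=$(cat)

    # Only the most recent auth.handler line tells us the current auth state;
    # older [ERROR] lines stay in the log after the role-id file appears.
    last_auth=$(printf '%s\n' "$log" | grep 'auth.handler' | tail -n 1)
    case "$last_auth" in
        *"[ERROR]"*) return 2 ;;
    esac

    # Look only at the runner's latest pass (everything after the last
    # "initiating run"); earlier passes legitimately reported missing data.
    last_run=$(printf '%s\n' "$log" | awk '
        /\(runner\) initiating run/ { buf = "" }
        { buf = buf $0 "\n" }
        END { printf "%s", buf }')

    if printf '%s' "$last_run" | grep -q 'all templates rendered'; then
        return 0
    fi

    # Report each still-missing vault.read(...) once.
    printf '%s' "$last_run" \
        | sed -n 's/.*missing dependency: \(vault\.read([^)]*)\).*/\1/p' \
        | sort -u
    return 1
}

# Poll the agent container until the templates are rendered or a timeout expires.
# Assumes the container is named vault-agent-demo (as in the log prefix) and
# that `docker logs` is available.
wait_for_agent() {
    timeout=${1:-120}
    while [ "$timeout" -gt 0 ]; do
        out=$(docker logs vault-agent-demo 2>&1 | agent_status)
        rc=$?
        case $rc in
            0) echo "agent ready: all templates rendered"; return 0 ;;
            2) echo "agent cannot authenticate yet (check ./agent/role-id and ./agent/secret-id)" ;;
            *) echo "still missing:"; printf '%s\n' "$out" ;;
        esac
        sleep 5
        timeout=$((timeout - 5))
    done
    echo "timed out waiting for Vault Agent" >&2
    return 1
}
```

A typical use is `wait_for_agent 180` right after `docker-compose up -d`, or `docker logs vault-agent-demo 2>&1 | agent_status` for a one-off look; in the state shown above it prints the two database paths that the engines created further down will provide.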

Continue with the commands and create the dynamic PostgreSQL and MySQL secrets engines. Note that the PostgreSQL connection below is opened to every role on the mount (`allowed_roles="*"`), while the MySQL connection further down is restricted to `nginx`; the narrower setting is the one to copy.

vault secrets enable -path=postgres database
vault write postgres/config/products \
    plugin_name=postgresql-database-plugin \
    allowed_roles="*" \
    connection_url="postgresql://{{username}}:{{password}}@postgres:5432/products?sslmode=disable" \
    username="postgres" \
    password="pass"
vault write postgres/roles/nginx \
  db_name=products \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
  GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\"" \
  default_ttl="30s" \
  max_ttl="24h"

Once these run, wait a minute or so and we will notice that Vault Agent has rendered 2 more files (./nginx/psql.html and ./nginx/rails.yaml); both of their templates depend on postgres/creds/nginx.

Finish with the last set of commands

vault secrets enable -path=mysql database
vault write mysql/config/items \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(mysql:3306)/" \
    allowed_roles="nginx" \
    username="root" \
    password="pass"
vault write mysql/roles/nginx \
    db_name=items \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"

After these run, look at the Vault Agent log again and there is the magic line

vault-agent-demo               | 2023-04-12T18:09:14.933Z [DEBUG] (runner) vault.read(secret/data/nginx/front-page) is still needed
vault-agent-demo               | 2023-04-12T18:09:14.933Z [DEBUG] (runner) vault.read(postgres/creds/nginx) is still needed
vault-agent-demo               | 2023-04-12T18:09:14.933Z [DEBUG] (runner) vault.read(mysql/creds/nginx) is still needed
vault-agent-demo               | 2023-04-12T18:09:14.933Z [DEBUG] (runner) watching 3 dependencies
vault-agent-demo               | 2023-04-12T18:09:14.933Z [DEBUG] (runner) all templates rendered

Check the nginx folder and, indeed, all four files (one per template) have been rendered

$ ls -1 nginx
kv.html
mysql.html
psql.html
rails.yaml
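Rendered files prove the policy is sufficient; a practitioner would also want to confirm that nginx-agent-policy grants the agent exactly what its templates read and nothing more. The script below is an added example (not part of the original post or repository): it logs in with the role-id and secret-id files created above, asks Vault for that token's capabilities on the three template paths and on a few paths the agent should never reach, and revokes the token afterwards. It runs with the operator's VAULT_ADDR and VAULT_TOKEN (root on this page), because inspecting another token's capabilities goes through sys/capabilities. The three allowed paths come from the "watching 3 dependencies" log lines; VAULT_BIN, the list of denied paths and the path secret/data/nginx/other are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not code from the original post or its repository: log in with
# the agent's AppRole credentials and check that the resulting token can read
# exactly the three paths the four templates need, and nothing else.
#
# Runs with the operator's VAULT_ADDR/VAULT_TOKEN (root on this page), because
# `vault token capabilities TOKEN PATH` for another token uses sys/capabilities.
# VAULT_BIN is an assumption introduced here so the check can be exercised
# against a stand-in; it defaults to the real vault CLI.
VAULT_BIN=${VAULT_BIN:-vault}

# Paths the templates read, taken from the "watching 3 dependencies" log lines.
AGENT_PATHS="secret/data/nginx/front-page postgres/creds/nginx mysql/creds/nginx"
# Paths the agent has no business touching (assumed examples; the first two are
# the real Vault paths of the policy and role created on this page).
DENIED_PATHS="sys/policies/acl/nginx-agent-policy auth/approle/role/agent/secret-id secret/data/nginx/other"

# approle_login ROLE_ID_FILE SECRET_ID_FILE -> prints the client token
approle_login() {
    "$VAULT_BIN" write -field=token auth/approle/login \
        role_id="$(cat "$1")" secret_id="$(cat "$2")"
}

# has_capability TOKEN PATH CAP -> 0 if CAP is among the token's capabilities on PATH
# (`vault token capabilities` prints them comma-separated, e.g. "read, update").
has_capability() {
    caps=$("$VAULT_BIN" token capabilities "$1" "$2") || return 1
    case ",$(printf '%s' "$caps" | tr -d ' ')," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_agent_access ROLE_ID_FILE SECRET_ID_FILE -> 0 only when every expectation holds
check_agent_access() {
    token=$(approle_login "$1" "$2") || token=""
    if [ -z "$token" ]; then
        echo "FAIL  AppRole login failed (role, role-id or secret-id missing)" >&2
        return 1
    fi
    failures=0
    for p in $AGENT_PATHS; do
        if has_capability "$token" "$p" read; then
            echo "ok    read  $p"
        else
            echo "FAIL  read  $p  (the template reading it will never render)"
            failures=$((failures + 1))
        fi
    done
    for p in $DENIED_PATHS; do
        if has_capability "$token" "$p" deny; then
            echo "ok    deny  $p"
        else
            echo "FAIL  open  $p  (policy is broader than the templates need)"
            failures=$((failures + 1))
        fi
    done
    # The token we just minted carries the agent's rights; do not leave it alive.
    "$VAULT_BIN" token revoke "$token" >/dev/null 2>&1
    [ "$failures" -eq 0 ]
}

# Usage against the compose setup on this page (sourcing the file with no
# arguments only defines the functions):
#   VAULT_ADDR=http://localhost:8200 VAULT_TOKEN=root \
#     sh check-agent-access.sh ./agent/role-id ./agent/secret-id
if [ "$#" -eq 2 ]; then
    check_agent_access "$1" "$2"
fi
```

The login performed by the check consumes one secret-id use if the role is later created with secret_id_num_uses (it is not on this page), and the operator's token needs permission on sys/capabilities, which the root token has.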

Script

Recall from the first part of this series that a fresh Vault has no auth methods enabled and no data. The repository also contains a script, vault.sh, with all of the commands we have used in this series. Run it like any other shell script

$ sh vault.sh

and after it runs the terminal window will look like this:

===> Setting ENV variables
===> Setting AppRole auth method....
Success! Enabled approle auth method at: approle/
Success! Data written to: auth/approle/role/agent
===> Creating role-id and secret-id files....
===> Setting up some secrets...
======== Secret Path ========
secret/data/nginx/front-page

======= Metadata =======
Key                Value
---                -----
created_time       2023-04-12T17:53:06.886310963Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
===> Importing nginx-agent policy...
Success! Uploaded policy: nginx-agent-policy
===> PostgreSQL database secret engine...
Success! Enabled the database secrets engine at: postgres/
Success! Data written to: postgres/config/products
Success! Data written to: postgres/roles/nginx
===> MySql database secret engine...
Success! Enabled the database secrets engine at: mysql/
Success! Data written to: mysql/config/items
Success! Data written to: mysql/roles/nginx

and Vault Agent will have everything it needs to render the files:

...
vault-agent-demo               | 2023-04-12T17:53:10.563Z [DEBUG] (runner) initiating run
vault-agent-demo               | 2023-04-12T17:53:10.563Z [DEBUG] (runner) checking template f5f4aada75c2e0527ad98f60dadd331a
vault-agent-demo               | 2023-04-12T17:53:10.563Z [DEBUG] (runner) rendering "/agent/kv.tmpl" => "/usr/share/nginx/html/kv.html"
vault-agent-demo               | 2023-04-12T17:53:10.563Z [DEBUG] (runner) checking template 92087f9be1f3b34034e0f6af10a5f07b
vault-agent-demo               | 2023-04-12T17:53:10.564Z [DEBUG] (runner) rendering "/agent/psql.tmpl" => "/usr/share/nginx/html/psql.html"
vault-agent-demo               | 2023-04-12T17:53:10.564Z [DEBUG] (runner) checking template 4fec320c7a9e54a636dd7cd9a290ced7
vault-agent-demo               | 2023-04-12T17:53:10.564Z [DEBUG] (runner) rendering "/agent/mysql.tmpl" => "/usr/share/nginx/html/mysql.html"
vault-agent-demo               | 2023-04-12T17:53:10.566Z [INFO] (runner) rendered "/agent/mysql.tmpl" => "/usr/share/nginx/html/mysql.html"
vault-agent-demo               | 2023-04-12T17:53:10.566Z [DEBUG] (runner) checking template b673539710900e5bac04f2cc54143e51
vault-agent-demo               | 2023-04-12T17:53:10.566Z [DEBUG] (runner) rendering "/agent/rails.tmpl" => "/usr/share/nginx/html/rails.yaml"
vault-agent-demo               | 2023-04-12T17:53:10.567Z [DEBUG] (runner) diffing and updating dependencies
vault-agent-demo               | 2023-04-12T17:53:10.567Z [DEBUG] (runner) vault.read(mysql/creds/nginx) is still needed
vault-agent-demo               | 2023-04-12T17:53:10.567Z [DEBUG] (runner) vault.read(secret/data/nginx/front-page) is still needed
vault-agent-demo               | 2023-04-12T17:53:10.567Z [DEBUG] (runner) vault.read(postgres/creds/nginx) is still needed
vault-agent-demo               | 2023-04-12T17:53:10.567Z [DEBUG] (runner) watching 3 dependencies
vault-agent-demo               | 2023-04-12T17:53:10.567Z [DEBUG] (runner) all templates rendered

Appendix:

Docker Compose: https://docs.docker.com/compose/