What is Vault?
Vault is an identity-based secrets and encryption management system. Vault is used to store sensitive data such as API encryption keys, tokens, access keys, secret keys, passwords and certificates.
Reference links for integrating Vault with GitLab CI/CD:
1. https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
2. https://holdmybeersecurity.com/2021/03/04/gitlab-ci-cd-pipeline-with-vault-secrets/
3. https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/ci/secrets/index.md
4. https://gitlab.com/edmond-demo/sandbox/hashicorp/vault_via_api/-/blob/master/.gitlab-ci.yml
Cheat sheets:
https://medium.com/@jagunathan22/hashicorp-vault-cheatsheet-8f13dc6a95a9
https://sites.google.com/site/mrxpalmeiras/vault-cheat-sheet
Unseal the Vault (at least 3 unseal keys must be supplied, one per command, before Vault will serve requests):
CMD # vault operator unseal <unseal-key>
Vault login:
Initial Root Token: <paste token here>
CMD # vault login
Enable external access to the Vault server by its IP address:
To make Vault available to the other nodes on the network, change the listener configuration in the Vault HCL file. It may be in the home directory or at /etc/vault.d/vault.hcl.
Example:
  storage "raft" {
    path    = "./vault/data"
    node_id = "node1"
  }

  listener "tcp" {
    address     = "ip:port"   # bind to the node's IP (not 127.0.0.1) so other nodes can reach it
    tls_disable = "true"      # plaintext listener; api_addr below is http:// to match
  }

  mlock        = "false"
  api_addr     = "http://ip:port"
  cluster_addr = "https://ip:port"
  ui           = true
GitLab Integration with Vault:
Step 1: Create a GitLab project repository.
Step 2: Configure Vault:
A. List, enable and disable Vault secrets engines as required:
a. vault secrets list
b. vault secrets enable -path=secret kv-v2   (KV version 2, which the secret/data/... path used in the policy below relies on)
c. vault secrets disable kv/
d. Ref. https://www.vaultproject.io/docs/secrets
e. Ref. https://learn.hashicorp.com/tutorials/vault/static-secrets
B. Create, list and read a secret:
a. vault kv put secret/hello target=world
b. vault kv list secret/
c. vault kv get secret/hello
C. Before creating policies and roles, enable an authentication method; in this case we use the JWT authentication method:
a. CMD # vault auth enable jwt
b. Ref. https://www.vaultproject.io/api-docs/auth/jwt
D. Create, list and read policies that grant read or write access to secret paths:
a. vault policy write admin admin-policy.hcl (using hcl file)
b. $ vault policy write myproject-production - <<EOF
   # Policy name: myproject-production
   #
   # Read-only permission on 'secret/data/myproject/production/*' path
   path "secret/data/myproject/production/*" {
     capabilities = [ "read" ]
   }
   EOF
c. vault policy list
d. vault policy read admin
e. Ref. https://learn.hashicorp.com/tutorials/vault/getting-started-policies?in=vault/getting-started
E. Create, list, read and delete roles that provide RBAC for the secret through policies:
a. $ vault write auth/jwt/role/myproject-production - <<EOF
   {
     "role_type": "jwt",
     "policies": ["myproject-production"],
     "token_explicit_max_ttl": 60,
     "user_claim": "user_email",
     "bound_claims_type": "glob",
     "bound_claims": {
       "project_id": "22",
       "ref_protected": "true",
       "ref_type": "branch",
       "ref": "auto-deploy-*"
     }
   }
   EOF
b. $ vault list auth/jwt/role
c. $ vault read auth/jwt/role/myproject-production
d. $ vault delete auth/jwt/role/myproject-production
e. Ref. https://learn.hashicorp.com/tutorials/vault/getting-started-policies?in=vault/getting-started
F. Access secrets from the .gitlab-ci.yml file:
a. Ref. https://gitlab.com/edmond-demo/sandbox/hashicorp/vault_via_api/-/blob/master/.gitlab-ci.yml
   stages:
     - test

   read_secrets:
     stage: test
     # image:
     #   name: alpine:latest
     script:
       # - apk add --update curl jq
       # Vault's address can be provided here or as a CI/CD variable
       - export VAULT_ADDR=http://<IP-Address:Port>
     tags:
       - ubuntu20
       - awslightsail
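To show what the role from step E and the policy from step D actually enforce once a job presents its JWT, here is an added Python model of the login-then-read flow. It is not code from the page and not HashiCorp Vault's implementation: FakeVault, run_job, the sample claims and the KV contents are constructed for the illustration, and fnmatch stands in for Vault's glob matcher. The role and policy values are the ones written on the page.

```python
"""Toy model of the GitLab -> Vault flow configured in steps C, D and E.
Constructed example (not HashiCorp Vault, not code from the page): FakeVault is an
in-memory stand-in that applies the role's bound_claims and the policy rules the
way the server would, so each setting's effect is visible without a server."""
import fnmatch
import secrets

# Role from step E (values as on the page) and policy from step D.
ROLE = {
    "role_type": "jwt",
    "policies": ["myproject-production"],
    "token_explicit_max_ttl": 60,
    "user_claim": "user_email",
    "bound_claims_type": "glob",
    "bound_claims": {"project_id": "22", "ref_protected": "true",
                     "ref_type": "branch", "ref": "auto-deploy-*"},
}
POLICIES = {"myproject-production": [
    {"path": "secret/data/myproject/production/*", "capabilities": ["read"]}]}
# Constructed KV v2 contents: logical path -> secret data.
SAMPLE_KV = {"myproject/production/db": {"password": "prod-example-only"},
             "myproject/staging/db": {"password": "staging-example-only"}}
# Constructed claims as a GitLab job JWT carries them: project 22, protected
# branch auto-deploy-2.
GOOD_CLAIMS = {"project_id": "22", "ref": "auto-deploy-2", "ref_type": "branch",
               "ref_protected": "true", "user_email": "dev@example.com"}


def claims_match_role(claims, role):
    """True when the JWT carries user_claim and every bound claim matches.
    With bound_claims_type "glob" the bound value is a glob (fnmatch stands in
    for Vault's matcher); otherwise it must be equal. Missing claim => deny."""
    if role["user_claim"] not in claims:
        return False
    use_glob = role.get("bound_claims_type") == "glob"
    for name, wanted in role["bound_claims"].items():
        if name not in claims:
            return False
        got = str(claims[name])  # GitLab emits project_id / ref_protected as strings
        if use_glob and not fnmatch.fnmatchcase(got, wanted):
            return False
        if not use_glob and got != wanted:
            return False
    return True


def policy_allows(rules, path, capability):
    """Vault-style rule match: exact path, or prefix match for a trailing '*'.
    Anything not explicitly granted is denied, which is Vault's default."""
    for rule in rules:
        pattern = rule["path"]
        hit = path.startswith(pattern[:-1]) if pattern.endswith("*") else path == pattern
        if hit and capability in rule["capabilities"]:
            return True
    return False


class FakeVault:
    """In-memory stand-in for the two API calls the CI job makes."""

    def __init__(self, roles, policies, kv):
        self.roles, self.policies, self.kv = roles, policies, kv
        self.tokens = {}  # client_token -> policies attached to it

    def jwt_login(self, role_name, claims):
        """POST auth/jwt/login {role, jwt}: hands out a token or denies."""
        role = self.roles.get(role_name)
        if role is None or not claims_match_role(claims, role):
            raise PermissionError("permission denied")
        token = "hvs." + secrets.token_hex(16)  # constructed token format
        self.tokens[token] = list(role["policies"])
        return {"auth": {"client_token": token, "policies": role["policies"]}}

    def kv_get(self, token, secret_path, capability="read"):
        """GET secret/data/<path>: allowed if any attached policy grants it."""
        api_path = "secret/data/" + secret_path
        attached = self.tokens.get(token)
        if attached is None:
            raise PermissionError("invalid token")
        if not any(policy_allows(self.policies[p], api_path, capability) for p in attached):
            raise PermissionError("permission denied on " + api_path)
        return {"data": {"data": self.kv[secret_path]}}


def make_vault():
    return FakeVault({"myproject-production": ROLE}, POLICIES, SAMPLE_KV)


def run_job(vault, claims, secret_path, role_name="myproject-production"):
    """What read_secrets does: log in with the job JWT, then read one secret.
    Returns the secret data, or a string naming which step refused."""
    try:
        token = vault.jwt_login(role_name, claims)["auth"]["client_token"]
    except PermissionError as exc:
        return f"login denied: {exc}"
    try:
        return vault.kv_get(token, secret_path)["data"]["data"]
    except PermissionError as exc:
        return f"read denied: {exc}"
```

Running `run_job(make_vault(), GOOD_CLAIMS, "myproject/production/db")` returns the production secret, while the same job asking for `myproject/staging/db` is refused at the read step by the policy, and a job whose JWT carries another project_id, an unprotected ref or a branch outside `auto-deploy-*` is refused already at login by the role's bound_claims. That split is the point of having both: the role decides which pipelines may obtain a token at all, the policy decides what that token may then touch.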