Tip: Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets. In our case we store all agent (tool) related secrets, such as username, password and access token, in Vault and make sure they are not persisted anywhere other than Vault.
Note: If you are migrating from release_6.2 to release_6.3, run the following statement against the PostgreSQL "insights" database:
update public.agent_configuration set is_vault_enable='FALSE';
Installation of Vault
- Vault is distributed as a binary package for all supported platforms and architectures and can be downloaded from https://www.vaultproject.io/downloads.html
- Vault runs as a single binary named vault.
- Unzip the downloaded archive and put the binary on PATH.
  - Linux: symlink the binary into a directory that is already on PATH, for example one of
    - ln -s <vault-binary-file-path> /usr/bin/vault
    - ln -s <vault-binary-file-path> /usr/local/bin/vault
  - Windows: add the directory containing vault.exe to the PATH environment variable.
- Restart the command prompt and verify the installation by running the command vault.
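Before unzipping a downloaded release it is worth checking it against the SHA256SUMS file HashiCorp publishes alongside each release, so that a corrupted or tampered download never becomes the binary on PATH. The following is an added example (not part of the Insights project or of Vault): it parses the sha256sum-style sums file, hashes the archive and fails closed when the archive is not listed. The file names vault_1.0.0_linux_amd64.zip and vault_1.0.0_SHA256SUMS used in selfcheck() are assumed, and its inputs are constructed in a temporary directory.

```python
# Added example (not Insights or Vault code): verify a downloaded Vault release
# archive against the SHA256SUMS file published next to it.
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()  # a leading '*' marks binary mode in sums files
    return sums


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(archive_path, sums_path):
    """True only if the archive's digest equals the SHA256SUMS entry for its basename.
    An archive with no entry fails closed instead of being accepted unchecked."""
    with open(sums_path, encoding="utf-8") as f:
        sums = parse_sha256sums(f.read())
    expected = sums.get(os.path.basename(archive_path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(archive_path), expected)


def selfcheck():
    """Constructed inputs (assumed file names): a fake archive and a matching sums file.
    Returns (genuine_ok, tampered_ok, unlisted_ok); only the first should be True."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "vault_1.0.0_linux_amd64.zip")
        with open(archive, "wb") as f:
            f.write(b"PK\x03\x04 not a real vault binary")
        sums = os.path.join(d, "vault_1.0.0_SHA256SUMS")
        with open(sums, "w", encoding="utf-8") as f:
            f.write("%s  vault_1.0.0_linux_amd64.zip\n" % sha256_of_file(archive))
        genuine = verify_archive(archive, sums)
        with open(archive, "ab") as f:
            f.write(b"\x00")  # one extra byte: a tampered download
        tampered = verify_archive(archive, sums)
        unlisted = verify_archive(sums, sums)  # the sums file itself has no entry
        return genuine, tampered, unlisted


if __name__ == "__main__":
    print("genuine, tampered, unlisted:", selfcheck())
```

HashiCorp also publishes a detached GPG signature for the SHA256SUMS file; verifying that signature with HashiCorp's release key before trusting the sums file closes the remaining gap, since an attacker who can replace the archive can usually replace an unsigned sums file too.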
Configuring Vault
- Reference - https://www.vaultproject.io/docs/configuration/
- To run Vault in production mode it has to be configured through a file written in HashiCorp Configuration Language (HCL).
- Below is the minimal Insights production config file (.hcl extension) that brings Vault up in production mode. More settings can be added as needed from the reference above.
ui = true                          # enables the Vault web UI
backend "file" {                   # "storage" is the current name of this stanza; "backend" is the older form
  path = "vault-prod"              # keeps all secrets, encrypted by Vault, as files under this directory (single node, no HA)
}
# non-loopback interface
listener "tcp" {
  address = "<ipaddress>:<port>"   # the address and port Vault listens on
  tls_disable = 1                  # plain HTTP: tokens and secrets cross the network unencrypted, acceptable only on a trusted network; for TLS use tls_disable = 0 with tls_cert_file and tls_key_file
}
# Advertise the non-loopback interface
api_addr = "http://<ipaddress>:<port>"
cluster_addr = "http://<ipaddress>:<port>"
Starting Vault
- Vault can be started in two modes.
- Development mode
  - Useful for local development only: secrets are kept in memory and are lost on restart, the server starts already unsealed, and the root token is printed on the console. Never use it for real secrets.
  - Command: vault server -dev
  - This starts Vault on port 8200 of the loopback interface. The address and port can be changed with
    vault server -dev -dev-listen-address=<ipaddress>:<port> -config=config.hcl
  - Check the status of Vault with the command: vault status
- Production mode
  - Command: nohup vault server -config=config-prod.hcl > vault-prod.log &
  - Initialize and unseal Vault:
    vault operator init
    vault operator unseal
    Run the unseal command repeatedly, each time with a different unseal key from the init output (by default 3 of the 5 keys), until the Sealed field in the output becomes false. Keep the unseal keys and the root token out of logs and shell history; they are the only way back into the data.
  - Log in with the root token from the command prompt: vault login <root-token>
  - See the attached Insights prod setup file for the complete sequence.
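The init and unseal steps above can also be driven through Vault's HTTP API, which is what an automated bring-up or a health check would use. The following is an added example, not code from the Insights project or from Vault: it initialises an uninitialised server with the CLI defaults (5 shares, threshold 3), submits shares one at a time and stops as soon as the server reports sealed=false, so no more shares than the threshold are ever handed over. The endpoints /v1/sys/seal-status, /v1/sys/init and /v1/sys/unseal need no token. The transport is injected; http_transport() talks to a real server at the listener address from config-prod.hcl, and FakeVault is a constructed in-memory stand-in used to run the logic offline.

```python
# Added example (not Insights or Vault code): init + unseal over the Vault HTTP API,
# stopping as soon as the server reports sealed=false.
import json
import urllib.request


def http_transport(base_url):
    """send(method, path, body) -> decoded JSON, against e.g. http://<ipaddress>:<port>."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def unseal(send, keys):
    """Submit unseal key shares one at a time until the server reports sealed=false.
    Returns (last seal-status, shares submitted); callers must check status['sealed']
    rather than assume success, since a wrong or repeated share does not advance progress."""
    status = send("GET", "/v1/sys/seal-status")
    used = 0
    for key in keys:
        if not status["sealed"]:
            break  # threshold reached; the remaining shares stay with their custodians
        status = send("PUT", "/v1/sys/unseal", {"key": key})
        used += 1
    return status, used


def init_and_unseal(send, shares=5, threshold=3):
    """Initialise an uninitialised server (CLI defaults: 5 shares, threshold 3) and unseal
    it with exactly the threshold. Returns (init result, status, shares used). The init
    result holds the shares and root token: never log it. Holding all shares in one
    process is for illustration only; in a real rollout they go to different people."""
    status = send("GET", "/v1/sys/seal-status")
    if status.get("initialized"):
        raise RuntimeError("already initialised: unseal with the existing key shares")
    init = send("PUT", "/v1/sys/init",
                {"secret_shares": shares, "secret_threshold": threshold})
    status, used = unseal(send, init["keys_base64"][:threshold])
    return init, status, used


class FakeVault:
    """Constructed in-memory stand-in for the three endpoints used above."""
    def __init__(self):
        self.initialized, self.sealed = False, True
        self.threshold, self.shares, self.progress = 0, [], set()

    def _status(self):
        return {"initialized": self.initialized, "sealed": self.sealed,
                "t": self.threshold, "n": len(self.shares), "progress": len(self.progress)}

    def __call__(self, method, path, body=None):
        if (method, path) == ("GET", "/v1/sys/seal-status"):
            return self._status()
        if (method, path) == ("PUT", "/v1/sys/init"):
            self.initialized, self.threshold = True, body["secret_threshold"]
            self.shares = ["share-%d" % i for i in range(body["secret_shares"])]
            return {"keys": self.shares, "keys_base64": self.shares, "root_token": "hvs.fake-root"}
        if (method, path) == ("PUT", "/v1/sys/unseal"):
            if body["key"] in self.shares:
                self.progress.add(body["key"])  # a repeated share does not count twice
            if len(self.progress) >= self.threshold:
                self.sealed, self.progress = False, set()
            return self._status()
        raise ValueError("unexpected request %s %s" % (method, path))


if __name__ == "__main__":
    vault = FakeVault()  # replace with http_transport("http://<ipaddress>:<port>") for a real server
    init, status, used = init_and_unseal(vault)
    print("sealed:", status["sealed"], "shares used:", used)  # shares and root token are not printed
```

The same unseal() loop is what you would run after every restart of a production server, since the file backend is sealed again each time the process starts; only init_and_unseal() is a one-time action.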
Integration with Insights
- Configuration:
  - Server-config.json: add a "vault" section
    "vault":
    {
      "vaultEndPoint": "http://localhost:8200/v1/",   (Vault endpoint including the API version)
      "secretEngine": "secret",                       (name of the KV secret engine; vault server -dev mounts one at secret/, in production mode it has to be enabled first)
      "vaultToken": "<root-token>"                    (Vault token; the sample uses the root token, in production use a token issued under a policy limited to this engine, see "Permission and privilege to Vault" below)
    }
  - Each agent's config.json gets a new key "agentSecretDetails" holding an array of the config keys whose values are to be stored in Vault.
    - For example, in the Git agent config.json: "agentSecretDetails": ["accessToken"]
    - In the Jira agent config.json: "agentSecretDetails": ["username", "passwd"]
    - The names in the array must be keys that already exist in config.json. To move more keys into Vault later, edit config.json and extend the array. For example, PivotalTracker currently has username and passwd as secrets; to add accessToken as well: "agentSecretDetails": ["username", "passwd", "accessToken"]
- Usage:
  - Registering an agent
    - Turn the Vault slider ON in the Other section and register the agent, supplying the credentials the first time.
    - When you later edit the agent, the fields listed in "agentSecretDetails" are shown as **** so the credentials stored in Vault are not displayed. To change one, overwrite the **** value with the new value; the new value is written to Vault, and fields left as **** keep the value already stored.
Vault API for Read/write
- The request and response details for reading and writing agent secrets are in the attached file.
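What the integration has to do with the two pieces of configuration above, and with the KV v2 read/write API, as an added example that is not the Insights code: only the keys named in agentSecretDetails are written to Vault at <secretEngine>/data/<agent id> (KV v2 wraps the payload in "data" and returns reads wrapped the same way), the persisted copy of config.json keeps **** in their place, an edited value overwrites the Vault copy, and untouched **** fields keep the stored value, so that a masked field is never written back to Vault as the literal ****. The agent id jira-agent, the sample Jira config and FakeKv2 are constructed for the example; send(method, path, body) is assumed to be a transport that adds the X-Vault-Token header from "vaultToken", returns the decoded JSON, and returns None on HTTP 404 (the first read before any write).

```python
# Added example (not Insights code): agentSecretDetails fields in and out of Vault KV v2.
MASK = "****"


def kv2_write(send, engine, path, secrets):
    # KV v2: POST /v1/<engine>/data/<path> with {"data": {...}} creates a new version of the whole secret
    return send("POST", "/v1/%s/data/%s" % (engine, path), {"data": secrets})


def kv2_read(send, engine, path):
    resp = send("GET", "/v1/%s/data/%s" % (engine, path))
    return None if resp is None else resp["data"]["data"]  # reads come back "data"-wrapped as well


def store_agent_secrets(send, engine, agent_id, config):
    """Push the agentSecretDetails fields of a submitted config into Vault and return
    the config as it may be persisted, with those fields masked."""
    keys = config.get("agentSecretDetails", [])
    current = kv2_read(send, engine, agent_id) or {}
    # a field still showing the mask was not edited: keep the stored value, never write "****"
    updated = {k: config[k] for k in keys if k in config and config[k] != MASK}
    if updated:
        merged = dict(current)
        merged.update(updated)
        kv2_write(send, engine, agent_id, merged)
    persisted = dict(config)
    for k in keys:
        if k in persisted:
            persisted[k] = MASK
    return persisted


def load_agent_secrets(send, engine, agent_id, persisted):
    """Rebuild the runtime config by filling the masked fields from Vault."""
    secrets = kv2_read(send, engine, agent_id) or {}
    runtime = dict(persisted)
    for k in persisted.get("agentSecretDetails", []):
        if runtime.get(k) == MASK and k in secrets:
            runtime[k] = secrets[k]
    return runtime


class FakeKv2:
    """Constructed in-memory stand-in for the two KV v2 endpoints used above."""
    def __init__(self):
        self.store = {}

    def __call__(self, method, path, body=None):
        if method == "POST":
            version = self.store.get(path, {}).get("version", 0) + 1
            self.store[path] = {"data": dict(body["data"]), "version": version}
            return {"data": {"version": version}}
        if method == "GET":
            entry = self.store.get(path)
            if entry is None:
                return None  # a real server answers 404 before the first write
            return {"data": {"data": dict(entry["data"]), "metadata": {"version": entry["version"]}}}
        raise ValueError("unexpected method %s" % method)


if __name__ == "__main__":
    vault = FakeKv2()  # constructed stand-in; a real transport would wrap vaultEndPoint + vaultToken
    jira = {"toolName": "jira", "username": "svc-jira", "passwd": "hunter2",
            "agentSecretDetails": ["username", "passwd"]}
    persisted = store_agent_secrets(vault, "secret", "jira-agent", jira)
    print("persisted:", persisted)  # username and passwd show as ****, nothing else changes
    print("runtime:", load_agent_secrets(vault, "secret", "jira-agent", persisted))
```

With the page's server-config.json values the write above goes to http://localhost:8200/v1/secret/data/jira-agent. If the engine at secret/ were mounted as KV v1 instead, the path would be /v1/secret/jira-agent and the payload would not be wrapped in "data"; a version mismatch shows up as a 404 on reads, so check the engine type with vault secrets list -detailed when reads fail.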
Permission and privilege to Vault
- Not everyone should be able to access Vault: the secret values should be updatable by the integration but not readable by every user.
- To achieve this Vault provides policies, which are attached to tokens and auth roles, so that a token used by Insights only gets the capabilities it needs on the secret engine rather than root access.
- Step-by-step creation of policies and mapping them to roles is described in the attachment Vault-Insights-Prod.txt.
Tip: Role and policy creation is a one-time setup. For testing no configuration is needed and Vault can be started in dev mode.
Reference links:
- https://learn.hashicorp.com/vault/operations/ops-deployment-guide
- https://learn.hashicorp.com/vault/getting-started/apis
- https://www.vaultproject.io/api/secret/kv/kv-v2.html
- https://www.vaultproject.io/docs/secrets/
- https://www.vaultproject.io/docs/configuration/listener/tcp.html
- https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault
- https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
- Security - FIPS 140-2 & Cryptographic Compliance: https://www.hashicorp.com/products/vault/data-protection
- https://www.vaultproject.io/docs/concepts/policies.html#create