Vault integration with Agent management

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.

In our case we store all agent (tool) related secrets such as username, password and access token in Vault, and make sure they are not persisted anywhere other than Vault.

If you are migrating from release_6.2 to release_6.3, run the following query in the PostgreSQL "insights" database:

   update public.agent_configuration set is_vault_enable='FALSE';



Installation of Vault

  • Vault is distributed as a binary package for all supported platforms and architectures which can be downloaded from https://www.vaultproject.io/downloads.html
  • Vault runs as a single binary named vault
  • Unzip the downloaded archive and add the binary to PATH.
    • Linux -
      • ln -s <vault-binary-file-path> /usr/bin/vault
      • ln -s <vault-binary-file-path> /usr/local/bin/vault
    • Windows
      • Add to Environment Variable PATH.
  • Restart the command prompt and verify the installation by running the command vault.

Configuring Vault

  • Reference - https://www.vaultproject.io/docs/configuration/
  • In order to run Vault in production mode we need to customize Vault using HashiCorp Configuration Language (HCL).
  • Below is the Insights production minimal config file (saved with the .hcl extension) that brings Vault up in prod mode. More settings can be added as needed from the link referenced above.

      # Enables the Vault UI
      ui = true

      # Stores all secrets as files under the given path
      backend "file" {
        path = "vault-prod"
      }

      # Non-loopback interface: starts Vault on the given ip and port
      listener "tcp" {
        address     = "<ipaddress>:<port>"
        tls_disable = 1   # TLS off: tokens and secrets cross this listener in clear text
      }

      # Advertise the non-loopback interface
      api_addr     = "http://<ipaddress>:<port>"
      cluster_addr = "http://<ipaddress>:<port>"


Starting Vault

  • Vault can be started in 2 modes
    1. Development mode
      a. This is useful for local development and all secrets are stored locally.
      b. Command -

           vault server -dev

      c. Starts the local Vault on port 8200. The ip and port can be changed through the command -

           vault server -dev -dev-listen-address=<ipaddress>:<port> -config=config.hcl

      d. Check the status of Vault with the command

           vault status

    2. Production mode
      a. Command -

           nohup vault server -config=config-prod.hcl > vault-prod.log &

      b. Initialize Vault and unseal it using the unseal keys printed by init.

           vault operator init
           vault operator unseal     - Execute the unseal command until the parameter "sealed" becomes false.

      c. Login using the root token via command prompt

           vault login <root-token>

      d. Refer below for the Insights prod setup.



Integration with Insights

  • Configuration:
    1. Server-config.json
       Add a "vault" block:

         "vault": {
             "vaultEndPoint": "http://localhost:8200/v1/",    - Vault end point and its API version
             "secretEngine": "secret",                        - Secret engine name
             "vaultToken": "<root-token>"                     - Root token of Vault
         }

    2. Each agent config.json gets a new key called "agentSecretDetails". This holds an array of the keys whose values are to be stored in Vault.
       a. For example, in the Git agent config.json we will have: agentSecretDetails: ["accessToken"]
       b. In the Jira agent config.json we will have: agentSecretDetails: ["username", "passwd"]
    3. The keys inside the array must be keys already present in config.json. If in future we want to move more keys into Vault, we simply edit config.json and add them to the array. For example, PivotalTracker currently has username and passwd as secrets; to add accessToken as well, use agentSecretDetails: ["username", "passwd", "accessToken"]
  • Usage:
    • Registering an agent
      • Turn the Vault slider ON in the Other section and register the agent, supplying the credentials for the first time.
      • When you later edit the agent, the fields listed under "agentSecretDetails" in config.json are shown as ****, hiding the credentials stored in Vault. If you need to change them, overwrite the masked content; the new value updates Vault.



Vault API for Read/write
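The split between the masked config.json and the secrets written to Vault described under Integration with Insights, together with the KV v1 read/write call built from the server-config.json "vault" block, as an added example (not Insights project code). The path layout <secretEngine>/<agent_id> and the agent id are assumptions of this example.

```python
# Added example (not Insights project code): splits an agent config.json into
# Vault-bound secrets plus a masked copy, builds the KV v1 read/write request
# from the server-config.json "vault" block, and treats an edited masked
# field as an override that must update Vault.
from __future__ import annotations
from typing import Any

MASK = "****"  # placeholder the Insights UI shows for vault-backed fields

def split_agent_config(config: dict[str, Any]) -> tuple[dict[str, Any], dict[str, Any]]:
    """Return (masked_config, secrets); keys in config["agentSecretDetails"]
    must exist and are replaced by MASK in the copy persisted outside Vault."""
    secret_keys = config.get("agentSecretDetails", [])
    missing = [k for k in secret_keys if k not in config]
    if missing:
        raise KeyError(f"agentSecretDetails lists keys absent from config: {missing}")
    secrets = {k: config[k] for k in secret_keys}
    masked = {k: (MASK if k in secrets else v) for k, v in config.items()}
    return masked, secrets

def kv_request(vault_cfg: dict[str, str], agent_id: str,
               secrets: dict[str, Any] | None = None) -> dict[str, Any]:
    """Describe the KV v1 call: POST to write `secrets`, GET to read them back.
    The path layout <secretEngine>/<agent_id> is an assumption of this example."""
    url = vault_cfg["vaultEndPoint"].rstrip("/") + f"/{vault_cfg['secretEngine']}/{agent_id}"
    req: dict[str, Any] = {"method": "GET" if secrets is None else "POST", "url": url,
                           "headers": {"X-Vault-Token": vault_cfg["vaultToken"]}}
    if secrets is not None:
        req["json"] = secrets  # KV v1 takes the key/value map as the request body
    return req

def apply_edit(stored: dict[str, Any], edited: dict[str, Any],
               secret_keys: list[str]) -> tuple[dict[str, Any], bool]:
    """Merge an edited agent form with the secrets held in Vault. A field still
    showing MASK keeps Vault's value; anything else is an operator override.
    Returns (new_secrets, vault_needs_update)."""
    new = dict(stored)
    for k in secret_keys:
        v = edited.get(k, MASK)
        if v != MASK:
            new[k] = v
    return new, new != stored

if __name__ == "__main__":
    # Constructed sample modelled on the Jira agent config described in the text.
    jira = {"toolName": "JIRA", "username": "svc-insights", "passwd": "p@ss",
            "agentSecretDetails": ["username", "passwd"]}
    print(split_agent_config(jira)[0])  # username and passwd shown as ****
```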



Permission and privilege to Vault

  • Not everyone should be able to access Vault: secrets must be modifiable only by authorized users and must not be viewable by all.
  • In order to achieve this, Vault provides the capability to create roles and policies.
  • Step-by-step creation of policies and their mapping to roles is described in the attachment <Vault-Insights-Prod.txt>




©2021 Cognizant, all rights reserved. US Patent 10,410,152