Vault: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
 
(33 intermediate revisions by the same user not shown)
Line 47: Line 47:
|-
|-
|valign='top' style='width:50%'|
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
# Enabled approle auth method
vault auth enable approle
</syntaxhighlight>
|valign='top' style='width:50%'|
|-
|valign='top'|
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
# Enabled userpass auth method
# Enabled userpass auth method
Line 52: Line 60:
</syntaxhighlight>
</syntaxhighlight>


|valign='top' style='width:50%'|
|valign='top'|
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
# Enabled kubernetes auth method
# Enabled kubernetes auth method
Line 60: Line 68:
|valign='top' colspan='2'|
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
!scope='col' style='text-align:left' colspan='2'| Auth » Approle
Auth » Userpass
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-eso-app
</syntaxhighlight>
<syntaxhighlight lang='bash'>
vault write    auth/approle/role/role-shahed-ab-eso-app \
    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h
</syntaxhighlight>
 
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
vault policy  read            policy-shahed-ab-eso-app
vault read    auth/approle/role/role-shahed-ab-eso-app
vault read    auth/approle/role/role-shahed-ab-eso-app/role-id
</syntaxhighlight>
 
<syntaxhighlight lang='bash'>
vault list    auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id
</syntaxhighlight>
 
<syntaxhighlight lang='bash'>
vault list    auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
secret_id=26701c33-1362-e744-6b2a-c28250b3ee64
</syntaxhighlight>
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'| Auth » Userpass
|-
|-
|valign='top' style='width:50%'|
|valign='top' style='width:50%'|
Line 77: Line 121:
</syntaxhighlight>
</syntaxhighlight>
|}
|}
{|class='wikitable mw-collapsible mw-collapsed'
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
!scope='col' style='text-align:left' colspan='2'| Auth » Kubernetes
Auth » Kubernetes
|-
|-
|valign='top' style='width:50%'|
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
 
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl get service kubernetes -n default
kubectl get service kubernetes -n default
kubectl cluster-info
kubectl cluster-info
Line 92: Line 135:
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
vault write auth/kubernetes/config \
vault write auth/kubernetes/config \
   kubernetes_host="https://kubernetes.default.svc"
   kubernetes_host='https://kubernetes.default.svc.cluster.local'


vault read  auth/kubernetes/config
vault read  auth/kubernetes/config
</syntaxhighlight>
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'| Auth » Kubernetes » VSO
|-
|valign='top' style='width:50%'|
* [[Vault#Engine » KV|Skipped » Find More 👉 Vault » Engine » KV]]
----
* [[Helm/Vault Secrets Operator#Vault » Config|Skipped » Find More 👉 Vault » K8s » Config » VSO]]
|valign='top' style='width:50%'|
|-
!scope='col'| VSO » Policy
!scope='col'| VSO » Role
|-
|valign='top'|
<syntaxhighlight lang='bash'>
cat <<'INI' | vault policy write policy-shahed-ab-vso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read  policy-shahed-ab-vso
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n vault-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer
vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-vso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h
vault read  auth/kubernetes/role/role-shahed-ab-vso
</syntaxhighlight>
</syntaxhighlight>
|}
|}
{|class='wikitable mw-collapsible'
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
!scope='col' style='text-align:left' colspan='2'| Auth » Kubernetes » ESO
Auth » Kubernetes » shahed-ab
|-
|valign='top' style='width:50%'|
* [[Vault#Engine » KV|Skipped » Find More 👉 Vault » Engine » KV]]
----
* [[Helm/External Secrets Operator#Vault » Config|Skipped » Find More 👉 Vault » K8s » Config » ESO]]
|valign='top' style='width:50%'|
|-
!scope='col'| ESO » Policy
!scope='col'| ESO » Role
|-
|valign='top'|
<syntaxhighlight lang='bash'>
cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
 
vault policy read  policy-shahed-ab-eso
</syntaxhighlight>
 
|valign='top'|
<syntaxhighlight lang='bash'>
vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer
 
vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h
 
vault read  auth/kubernetes/role/role-shahed-ab-eso
</syntaxhighlight>
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'| Auth » Kubernetes » shahed-ab
|-
|-
|valign='top' style='width:50%'|
|valign='top' style='width:50%'|
Line 105: Line 223:
cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
  | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d
  | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d




export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl get service kubernetes -n default
kubectl get service kubernetes -n default
kubectl cluster-info
kubectl cluster-info
Line 119: Line 237:
cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
  | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d \
  | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d \
  | vault write auth/k8s/shahed/ab/config kubernetes_host="https://10.20.40.2:8443" \
  | vault write auth/k8s/shahed/ab/config kubernetes_host='https://10.20.40.2:8443' \
   kubernetes_ca_cert=@/dev/stdin disable_local_ca_jwt='true'
   kubernetes_ca_cert=@/dev/stdin disable_local_ca_jwt='true'


Line 243: Line 361:
<syntaxhighlight lang='yaml'>
<syntaxhighlight lang='yaml'>
echo && \
echo && \
yq -o=json <<'YML' | \
yq -o=json <<'YML' \
vault kv put shahed/academia/dev/audit @/dev/stdin
| vault kv put shahed/academia/dev/audit @/dev/stdin
---
---
spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev
spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev
Line 255: Line 373:
app.smtp.alias: no-reply@chorke.org
app.smtp.alias: no-reply@chorke.org
app.smtp.host: smtp.gmail.com
app.smtp.host: smtp.gmail.com
app.test.username: admin
app.test.password: m0sPn0YAPJD3x4X6
YML
YML
</syntaxhighlight>
</syntaxhighlight>
Line 264: Line 379:
vault kv get                                  shahed/academia/dev/audit
vault kv get                                  shahed/academia/dev/audit
vault kv get -field=app.smtp.password          shahed/academia/dev/audit
vault kv get -field=app.smtp.password          shahed/academia/dev/audit
vault kv get -field=app.test.password          shahed/academia/dev/audit
vault kv get -field=spring.datasource.password shahed/academia/dev/audit
vault kv get -field=spring.datasource.password shahed/academia/dev/audit
</syntaxhighlight>
</syntaxhighlight>
Line 276: Line 390:
vault kv get -format=yaml shahed/academia/dev/audit \
vault kv get -format=yaml shahed/academia/dev/audit \
  | yq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'
  | yq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'
</syntaxhighlight>
|-
!scope='col'| Properties
!scope='col'| Fetch
|-
|valign='top'|
<syntaxhighlight lang='yaml'>
echo && \
yq -o=json <<'YML' \
| jq -r 'to_entries|map({key:(.key|gsub("\\.";"_")|ascii_upcase),value:.value})|from_entries' \
| vault kv put shahed/academia/dev/audit @/dev/stdin
---
spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev
spring.datasource.password: DHJuWrvIqhZjvAWl
spring.datasource.username: academia
spring.datasource.platform: postgres
app.smtp.username: no-reply@shahed.biz
app.smtp.password: 3gT5WOAg6Ob0tFjC
app.smtp.alias: no-reply@chorke.org
app.smtp.host: smtp.gmail.com
YML
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang='bash'>
vault kv get                                  shahed/academia/dev/audit
vault kv get -field=APP_SMTP_PASSWORD          shahed/academia/dev/audit
vault kv get -field=SPRING_DATASOURCE_PASSWORD shahed/academia/dev/audit
</syntaxhighlight>
</syntaxhighlight>
|}
|}
Line 287: Line 429:
vault kv get -format=json shahed/academia/dev/audit \
vault kv get -format=json shahed/academia/dev/audit \
  | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
  | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
  | kubectl -n academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
  | kubectl -n shahed-academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
</syntaxhighlight>
</syntaxhighlight>
|-
|-
Line 294: Line 436:
vault kv get -format=json shahed/academia/dev/audit \
vault kv get -format=json shahed/academia/dev/audit \
  | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
  | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
  | kubectl -n academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
  | kubectl -n shahed-academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
  | yq '.metadata.labels += {
  | yq '.metadata.labels += {
     "app.kubernetes.io/name": "audit",
     "app.kubernetes.io/component": "secret-sync",
     "app.kubernetes.io/version": "1.0.0",
     "app.kubernetes.io/managed-by": "shahed-devops",
     "app.kubernetes.io/instance": "audit",
     "app.kubernetes.io/name": "vault-secrets-devops"
    "app.kubernetes.io/managed-by": "kubectl"
   }' \
   }'
| kubectl apply -f -
</syntaxhighlight>
</syntaxhighlight>
|-
|-
Line 309: Line 451:
vault kv get -format=json shahed/academia/dev/audit \
vault kv get -format=json shahed/academia/dev/audit \
  | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
  | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
  | kubectl -n academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
  | kubectl -n shahed-academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
</syntaxhighlight>
</syntaxhighlight>
|-
|-
Line 316: Line 458:
vault kv get -format=json shahed/academia/dev/audit \
vault kv get -format=json shahed/academia/dev/audit \
  | jq -r '.data.data | to_entries | map(.key + "=" + .value) | .[]' \
  | jq -r '.data.data | to_entries | map(.key + "=" + .value) | .[]' \
  | kubectl -n academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
  | kubectl -n shahed-academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
  | yq '.metadata.labels += {
  | yq '.metadata.labels += {
     "app.kubernetes.io/name": "audit",
     "app.kubernetes.io/component": "secret-sync",
     "app.kubernetes.io/version": "1.0.0",
     "app.kubernetes.io/managed-by": "shahed-devops",
     "app.kubernetes.io/instance": "audit",
     "app.kubernetes.io/name": "vault-secrets-devops"
    "app.kubernetes.io/managed-by": "kubectl"
   }' \
   }'
| kubectl apply -f -
</syntaxhighlight>
</syntaxhighlight>
|}
{|class='wikitable'
|valign='top' style='width:50%'|
* [[Vault#Auth|Skipped » Find More 👉 Vault » Auth]]
----
* [[Helm/Vault Secrets Operator#Vault » Config|Skipped » Find More 👉 Vault » K8s » Config » VSO]]
----
* [[Helm/External Secrets Operator#Vault » Config|Skipped » Find More 👉 Vault » K8s » Config » ESO]]
|valign='top' style='width:50%'|
|}
|}
|}
|}
Line 703: Line 854:
|valign='top' style='width:33%'|
|valign='top' style='width:33%'|
* [https://developer.hashicorp.com/vault/tutorials/secrets-management Vault » Docs » Secrets management]
* [https://developer.hashicorp.com/vault/tutorials/secrets-management Vault » Docs » Secrets management]
* [[Helm/Vault Secrets Operator|Vault » Helm » Secrets Operator]]
* [https://developer.hashicorp.com/vault/tutorials/pki/pki-engine Vault » Docs » Build your CA]
* [https://developer.hashicorp.com/vault/tutorials/pki/pki-engine Vault » Docs » Build your CA]
* [https://medium.com/@jagunathan22/hashicorp-vault-cheatsheet-8f13dc6a95a9 Vault » Docs » Cheatsheet]
* [https://medium.com/@jagunathan22/hashicorp-vault-cheatsheet-8f13dc6a95a9 Vault » Docs » Cheatsheet]

Latest revision as of 11:48, 24 January 2026

curl -fsSL https://apt.releases.hashicorp.com/gpg\
 | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
 signed-by=/etc/apt/keyrings/hashicorp.asc]\
 https://apt.releases.hashicorp.com ${DISTRIBUTION} main
SRC

cat <<'EXE' | sudo bash
apt-get update && apt-get install -y vault
systemctl disable --now vault.service
systemctl stop          vault.service
systemctl mask          vault.service
systemctl status        vault.service
vault version
which vault
EXE

export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg'
export VAULT_ADDR='https://vault.shahed.biz.ops'
vault status

export VAULT_SKIP_VERIFY=true
export VAULT_FORMAT=yaml
vault login

Auth

Auth 

# Enabled approle auth method
vault auth enable approle

# Enabled userpass auth method
vault auth enable userpass

# Enabled kubernetes auth method
vault auth enable kubernetes
Auth » Approle 
cat <<'INI' | vault policy write policy-shahed-ab-eso-app -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-eso-app

vault write    auth/approle/role/role-shahed-ab-eso-app \
    token_policies=policy-shahed-ab-eso-app token_ttl=1h token_max_ttl=3h

vault policy   read            policy-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app
vault read     auth/approle/role/role-shahed-ab-eso-app/role-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write -f auth/approle/role/role-shahed-ab-eso-app/secret-id

vault list     auth/approle/role/role-shahed-ab-eso-app/secret-id
vault write    auth/approle/role/role-shahed-ab-eso-app/secret-id/destroy \
 secret_id=26701c33-1362-e744-6b2a-c28250b3ee64
Auth » Userpass 
vault write auth/userpass/users/shahed password='sadaqah!'
vault list  auth/userpass/users
unset VAULT_TOKEN

vault login -method=userpass username=shahed
cat ~/.vault-token
rm  ~/.vault-token
Auth » Kubernetes 
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl get service kubernetes -n default
kubectl cluster-info

vault write auth/kubernetes/config \
  kubernetes_host='https://kubernetes.default.svc.cluster.local'

vault read  auth/kubernetes/config
Auth » Kubernetes » VSO
VSO » Policy VSO » Role 
cat <<'INI' | vault policy write policy-shahed-ab-vso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-vso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n vault-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-vso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-vso
Auth » Kubernetes » ESO
ESO » Policy ESO » Role 
cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-eso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-eso
Auth » Kubernetes » shahed-ab 
cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
 | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d


export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl get service kubernetes -n default
kubectl cluster-info

vault auth enable -path='k8s/shahed/ab' kubernetes

cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
 | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d \
 | vault write auth/k8s/shahed/ab/config kubernetes_host='https://10.20.40.2:8443' \
   kubernetes_ca_cert=@/dev/stdin disable_local_ca_jwt='true'

vault read auth/k8s/shahed/ab/config

vault auth disable userpass
vault auth list

vault auth disable k8s/shahed/ab
vault auth disable kubernetes

Engine » KV

Engine » KV

KV » V1
Enable Disable 
vault secrets enable -path=chorke/academia/prod kv
vault secrets enable -path=chorke/academia/uat  kv
vault secrets enable -path=chorke/academia/dev  kv

vault secrets disable chorke/academia/prod
vault secrets disable chorke/academia/uat
vault secrets disable chorke/academia/dev

vault kv put chorke/academia/dev/mariadb username='academia' password='60NZ5sonTeHGAiXm'
vault kv get -field=password chorke/academia/dev/mariadb
vault kv get chorke/academia/dev/mariadb

vault secrets disable chorke/academia/dev
vault kv get chorke/academia/dev/mariadb

vault secrets enable -path=chorke/academia/dev  kv
vault kv get chorke/academia/dev/mariadb
KV » V2
Enable Disable 
vault secrets enable -path=shahed/academia/prod kv-v2
vault secrets enable -path=shahed/academia/uat  kv-v2
vault secrets enable -path=shahed/academia/dev  kv-v2

vault secrets disable shahed/academia/prod
vault secrets disable shahed/academia/uat
vault secrets disable shahed/academia/dev
Create Update 
vault kv put shahed/academia/dev/pgsql username='academia' password='60NZ5sonTeHGAiXm'
vault kv get -field=password shahed/academia/dev/pgsql
vault kv get shahed/academia/dev/pgsql

vault kv get      -version  2 shahed/academia/dev/pgsql
vault kv get      -version  1 shahed/academia/dev/pgsql

vault kv put shahed/academia/dev/pgsql username='academia' password='26SJEnMWSjnXYrgs'
vault kv delete   -versions 2 shahed/academia/dev/pgsql
vault kv get -field=password  shahed/academia/dev/pgsql

vault kv rollback -version  1 shahed/academia/dev/pgsql
vault kv get -field=password  shahed/academia/dev/pgsql

vault secrets disable shahed/academia/dev
vault kv get shahed/academia/dev/pgsql

vault secrets enable -path=shahed/academia/dev  kv-v2
vault kv get shahed/academia/dev/pgsql
Properties Fetch 
echo && \
yq -o=json <<'YML' \
 | vault kv put shahed/academia/dev/audit @/dev/stdin
---
spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev
spring.datasource.password: DHJuWrvIqhZjvAWl
spring.datasource.username: academia
spring.datasource.platform: postgres

app.smtp.username: no-reply@shahed.biz
app.smtp.password: 3gT5WOAg6Ob0tFjC
app.smtp.alias: no-reply@chorke.org
app.smtp.host: smtp.gmail.com
YML

vault kv get                                   shahed/academia/dev/audit
vault kv get -field=app.smtp.password          shahed/academia/dev/audit
vault kv get -field=spring.datasource.password shahed/academia/dev/audit

echo ;\
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'

echo ;\
vault kv get -format=yaml shahed/academia/dev/audit \
 | yq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'
Properties Fetch 
echo && \
yq -o=json <<'YML' \
 | jq -r 'to_entries|map({key:(.key|gsub("\\.";"_")|ascii_upcase),value:.value})|from_entries' \
 | vault kv put shahed/academia/dev/audit @/dev/stdin
---
spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev
spring.datasource.password: DHJuWrvIqhZjvAWl
spring.datasource.username: academia
spring.datasource.platform: postgres

app.smtp.username: no-reply@shahed.biz
app.smtp.password: 3gT5WOAg6Ob0tFjC
app.smtp.alias: no-reply@chorke.org
app.smtp.host: smtp.gmail.com
YML

vault kv get                                   shahed/academia/dev/audit
vault kv get -field=APP_SMTP_PASSWORD          shahed/academia/dev/audit
vault kv get -field=SPRING_DATASOURCE_PASSWORD shahed/academia/dev/audit
KV » K8s
K8s » Secret 
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
 | kubectl -n shahed-academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml

vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
 | kubectl -n shahed-academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
 | yq '.metadata.labels += {
    "app.kubernetes.io/component": "secret-sync",
    "app.kubernetes.io/managed-by": "shahed-devops",
    "app.kubernetes.io/name": "vault-secrets-devops"
   }' \
 | kubectl apply -f -
K8s » ConfigMap 
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]' \
 | kubectl -n shahed-academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml

vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data | to_entries | map(.key + "=" + .value) | .[]' \
 | kubectl -n shahed-academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
 | yq '.metadata.labels += {
    "app.kubernetes.io/component": "secret-sync",
    "app.kubernetes.io/managed-by": "shahed-devops",
    "app.kubernetes.io/name": "vault-secrets-devops"
   }' \
 | kubectl apply -f -

Engine » DB

Engine » DB 

# Enabled the database secrets engine
vault secrets enable database

Database » PostgreSQL 

echo -n 'Password: ';read -s VAULT_PASSWORD;export VAULT_PASSWORD;echo
echo "${VAULT_PASSWORD}"

Password: sadaqah!

cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE shahed_ab_vault' 
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'shahed_ab_vault')\gexec
CREATE USER shahed_ab_vault WITH ENCRYPTED PASSWORD '${VAULT_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE shahed_ab_vault TO shahed_ab_vault;
ALTER DATABASE shahed_ab_vault OWNER TO shahed_ab_vault;
DDL

PostgreSQL » Setup 

vault write database/config/shahed-ab-psql \
  plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \
  connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \
  username='shahed_ab_vault' password='sadaqah!' \
  password_authentication='scram-sha-256'

vault read database/config/shahed-ab-psql

vault write database/roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

vault read database/roles/shahed-ab-psql-academia
vault read database/creds/shahed-ab-psql-academia

vault read         database/config/shahed-ab-psql
vault read         database/roles/shahed-ab-psql-academia
vault read         database/creds/shahed-ab-psql-academia

vault lease lookup database/creds/shahed-ab-psql-academia/ID
vault lease renew  database/creds/shahed-ab-psql-academia/ID
vault lease revoke database/creds/shahed-ab-psql-academia/ID

vault delete       database/roles/shahed-ab-psql-academia
vault delete       database/config/shahed-ab-psql

PostgreSQL » Static 

vault write database/config/shahed-ab-psql \
  plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \
  connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \
  self_managed=true

vault read database/config/shahed-ab-psql

vault write database/static-roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  username='shahed_ab_vault' self_managed_password='sadaqah!' \
  rotation_period='1h'

vault read database/static-roles/shahed-ab-psql-academia
vault read database/static-creds/shahed-ab-psql-academia

Database » MariaDB 

echo -n 'Password: ';read -s VAULT_PASSWORD;export VAULT_PASSWORD;echo
echo "${VAULT_PASSWORD}"

Password: sadaqah!

cat << DDL | sudo -i -u root mariadb
CREATE DATABASE IF NOT EXISTS shahed_ab_vault;
CREATE USER 'shahed_ab_vault'@'%' IDENTIFIED BY '${VAULT_PASSWORD}';
GRANT ALL PRIVILEGES ON shahed_ab_vault.* TO 'shahed_ab_vault'@'%';
FLUSH PRIVILEGES;
DDL

MariaDB » Setup 

vault write database/config/shahed-ab-mariadb \
  plugin_name='mysql-database-plugin' allowed_roles='shahed-ab-mariadb-academia' \
  connection_url="{{username}}:{{password}}@tcp(192.168.49.1:3306)/" \
  username='shahed_ab_vault' password='sadaqah!'

vault read database/config/shahed-ab-mariadb

vault write database/roles/shahed-ab-mariadb-academia db_name="shahed-ab-mariadb" \
  creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
  default_ttl='1h' max_ttl='24h'

vault read database/roles/shahed-ab-mariadb-academia
vault read database/creds/shahed-ab-mariadb-academia

vault read         database/config/shahed-ab-mariadb
vault read         database/roles/shahed-ab-mariadb-academia
vault read         database/creds/shahed-ab-mariadb-academia

vault lease lookup database/creds/shahed-ab-mariadb-academia/ID
vault lease renew  database/creds/shahed-ab-mariadb-academia/ID
vault lease revoke database/creds/shahed-ab-mariadb-academia/ID

vault delete       database/roles/shahed-ab-mariadb-academia
vault delete       database/config/shahed-ab-mariadb

MariaDB » Static 

vault write database/config/shahed-ab-mariadb \
  plugin_name='mysql-database-plugin' allowed_roles='shahed-ab-mariadb-academia' \
  connection_url="{{username}}:{{password}}@tcp(192.168.49.1:3306)/" \
  root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
  username='shahed_ab_vault' password='sadaqah!'

vault read database/config/shahed-ab-mariadb

vault write database/roles/shahed-ab-mariadb-academia db_name="shahed-ab-mariadb" \
  creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBzaGFoZWRfYWJfdmF1bHRgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
  default_ttl='1h' max_ttl='24h'

vault read database/roles/shahed-ab-mariadb-academia
vault read database/creds/shahed-ab-mariadb-academia

Database » Redis

Token » Init

Token » Init

Init » Root

OTP Decode 
vault operator generate-root -init
:'
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce         aea98c59-32f6-af94-ee89-d7344e9f0b37
Started       true
Progress      0/3
Complete      false
OTP           o4MnFIV3G4xUsibNjYkrOXhGrw2z
OTP Length    28
'

vault operator generate-root \
  -decode="ENCODED_TOKEN_HERE" \
  -otp="OTP_FROM_STEP_1_HERE"

vault operator generate-root \
  -decode="B0I+QHJ5N2ciBStgSy01BxktORl7OiAXFTJhHQ" \
  -otp="o4MnFIV3G4xUsibNjYkrOXhGrw2z"
:'
hvs.40aTe1S58DWIstRk4bHPgESg
'
Progress 1/3 Progress 2/3 
vault operator generate-root
:'
Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37
Unseal Key (will be hidden): 
Nonce       aea98c59-32f6-af94-ee89-d7344e9f0b37
Started     true
Progress    1/3
Complete    false
'

vault operator generate-root
:'
Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37
Unseal Key (will be hidden): 
Nonce       aea98c59-32f6-af94-ee89-d7344e9f0b37
Started     true
Progress    2/3
Complete    false
'
Progress 3/3 Status 
vault operator generate-root
:'
Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37
Unseal Key (will be hidden): 
Nonce            aea98c59-32f6-af94-ee89-d7344e9f0b37
Started          true
Progress         3/3
Complete         true
Encoded Token    B0I+QHJ5N2ciBStgSy01BxktORl7OiAXFTJhHQ
'

export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg'
export VAULT_ADDR='https://vault.shahed.biz.ops'






vault status
vault list   auth/userpass/users

Playground

Playground 

echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 40)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 20)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 16)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c  8)"

vault auth    list
vault audit   list
vault policy  list
vault secrets list

vault operator init -key-shares=5 -key-threshold=3
vault token lookup
vault status

vault operator unseal '/bvRmLPLF8MnfOQQWrhdqAmLBSKfNtSSkcyWY/uXZ0+F'
vault operator unseal 'Jh5mA+DwX/zlU+3jvxlgNarSzAOBRHvNcF3QOoGtzl/h'
vault operator unseal 'DqUWoe6MN6oDKi3bYoZuXSbT0ZpT0/Pbg0kpTkhkUfVP'

# self destructive or dangerous
vault token revoke -self

References

References

Retrieved from "https://wiki.chorke.org/index.php?title=Vault&oldid=16404"