Vault: Difference between revisions

Line 122: Line 122:
vault kv get shahed/academia/dev/pgsql
vault kv get shahed/academia/dev/pgsql
</syntaxhighlight>
</syntaxhighlight>
|}
|}
==Engine » Database==
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
Engine » Database
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
# Enabled the database secrets engine
vault secrets enable database
</syntaxhighlight>
|valign='top' style='width:50%'|
|-
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left' colspan='2'|
Database » PostgreSQL
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
vault write database/config/shahed-ab-psql \
  plugin_name='postgresql-database-plugin' allowed_roles='vault' \
  connection_url='postgresql://{{username}}:{{password}}@192.168.49.2:5432/shahed' \
  username='shahed' password='sadaqah!' \
  password_authentication='scram-sha-256'
</syntaxhighlight>
|valign='top' style='width:50%'|
|-
|valign='top' colspan='2'|
<syntaxhighlight lang='bash'>
vault write database/roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"
</syntaxhighlight>
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Database » MariaDB
|-
|valign='top' style='width:50%'|
|valign='top' style='width:50%'|
|}
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Database » Redis
|-
|valign='top' style='width:50%'|
|valign='top' style='width:50%'|
|}
|}
|}
|}
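Review bot: `allowed_roles='vault'` on the `database/config/shahed-ab-psql` write does not include the role the next command defines, `shahed-ab-psql-academia`, so requests for credentials through that role will be rejected as not an allowed role; it should be `allowed_roles='shahed-ab-psql-academia'` (or a list containing it, or `'*'` for a lab). The root password is also passed as a command-line argument, where it is visible in shell history and process listings; `vault write` reads a value from stdin with `password=-`, and a follow-up `vault write -f database/rotate-root/shahed-ab-psql` lets Vault replace that password with one held nowhere else. The comment in the first snippet should read `# Enable the database secrets engine`.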

Revision as of 03:01, 21 January 2026

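# Install the Vault CLI from HashiCorp's apt repository and point it at the
# server. No `set -e` here on purpose: `vault status` exits non-zero while the
# server is sealed, and `systemctl status` of a masked unit is non-zero too.

# The keyring directory is absent on older Debian/Ubuntu releases.
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://apt.releases.hashicorp.com/gpg \
  | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# Unquoted delimiter: the architecture and codename expand inside the here-doc.
cat << SRC | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/hashicorp.asc] https://apt.releases.hashicorp.com ${DISTRIBUTION} main
SRC

# The package also ships a systemd unit for a local server; this host is a
# client only, so keep that unit from ever starting (`disable --now` already
# stops it, so a separate stop is unnecessary).
cat <<'EXE' | sudo bash
apt-get update && apt-get install -y vault
systemctl disable --now vault.service
systemctl mask          vault.service
systemctl status        vault.service
vault version
command -v vault
EXE

# Client settings. Both VAULT_ADDR and VAULT_SKIP_VERIFY must be exported
# before the first `vault status`, or the https call fails on the certificate.
export VAULT_ADDR='https://vault.shahed.biz.ops'
# Turns off TLS certificate verification — tolerable for a lab endpoint with a
# self-signed certificate only; elsewhere point VAULT_CACERT at the CA instead.
export VAULT_SKIP_VERIFY=true
export VAULT_FORMAT=yaml
vault status
# Authenticate interactively; the token is cached in ~/.vault-token. Putting a
# token in this script (`export VAULT_TOKEN=...`) leaves it in shell history
# and in every saved revision of the page.
vault login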

Engine » KV

Engine » KV

KV » V1

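# KV v1 reference commands: one mount per environment, written and read back.
for env in prod uat dev; do
  vault secrets enable -path="chorke/academia/${env}" kv
done
for env in prod uat dev; do
  vault secrets disable "chorke/academia/${env}"
done
# A value given as key=value on the command line is recorded in shell history
# and visible in `ps`; `key=-` makes the CLI read it from stdin instead.
printf '%s' "${MARIADB_PASSWORD:?set MARIADB_PASSWORD in the environment first}" \
  | vault kv put chorke/academia/dev/mariadb username='academia' password=-
vault kv get -field=password chorke/academia/dev/mariadb
vault kv get chorke/academia/dev/mariadb
# Disabling a mount removes all data under it: the first read below fails,
# and so does the one after re-enabling, because the store comes back empty.
vault secrets disable chorke/academia/dev
vault kv get chorke/academia/dev/mariadb
vault secrets enable -path=chorke/academia/dev kv
vault kv get chorke/academia/dev/mariadb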

KV » V2

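# KV v2 (versioned) reference commands: one mount per environment.
for env in prod uat dev; do
  vault secrets enable -path="shahed/academia/${env}" kv-v2
done
for env in prod uat dev; do
  vault secrets disable "shahed/academia/${env}"
done
# A value given as key=value on the command line is recorded in shell history
# and visible in `ps`; `key=-` makes the CLI read it from stdin instead.
printf '%s' "${PGSQL_PASSWORD:?set PGSQL_PASSWORD in the environment first}" \
  | vault kv put shahed/academia/dev/pgsql username='academia' password=-
vault kv get -field=password shahed/academia/dev/pgsql
vault kv get shahed/academia/dev/pgsql

# Version handling. `kv delete -versions` is a soft delete that `vault kv
# undelete` can reverse; `secrets disable` removes the mount and every version
# under it, which is why the reads after it fail.
vault kv get    -version  2 shahed/academia/dev/pgsql
vault kv delete -versions 2 shahed/academia/dev/pgsql
vault kv get    -version  1 shahed/academia/dev/pgsql
vault secrets disable shahed/academia/dev
vault kv get shahed/academia/dev/pgsql
vault secrets enable -path=shahed/academia/dev kv-v2
vault kv get shahed/academia/dev/pgsql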

Engine » Database

Engine » Database

# Enable the database secrets engine at its default mount path (the engine
# type name), so connections live under database/config and roles under
# database/roles.
vault secrets enable -path=database database

Database » PostgreSQL

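# Register the PostgreSQL connection. allowed_roles must list every role that
# may draw credentials from this connection (or '*'); a value that matches no
# defined role makes credential requests fail as "not an allowed role".
# The root credential goes in via stdin (`password=-`) rather than argv. After
# this write, `vault write -f database/rotate-root/shahed-ab-psql` hands the
# password to Vault so it no longer exists anywhere else.
printf '%s' "${PGSQL_ROOT_PASSWORD:?set PGSQL_ROOT_PASSWORD in the environment first}" \
  | vault write database/config/shahed-ab-psql \
      plugin_name='postgresql-database-plugin' \
      allowed_roles='shahed-ab-psql-academia' \
      connection_url='postgresql://{{username}}:{{password}}@192.168.49.2:5432/shahed' \
      username='shahed' password=- \
      password_authentication='scram-sha-256'
# Dynamic read-only role: every lease creates a fresh login that expires with
# the lease (VALID UNTIL). No revocation_statements are given, so the plugin's
# default revocation applies when the lease ends.
vault write database/roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"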

Database » MariaDB

Database » Redis

Playground

Playground

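#######################################
# Print a random alphanumeric string of the requested length.
# LC_ALL=C keeps tr byte-oriented so it does not reject /dev/urandom bytes
# that are invalid in a UTF-8 locale; tr reads the device directly, no cat.
# Arguments: $1 - length in characters
# Outputs:   the string followed by a newline, on stdout
#######################################
rand_alnum() {
  local len=$1
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
  printf '\n'
}
rand_alnum 40
rand_alnum 20
rand_alnum 16
rand_alnum 8

vault auth    list
vault audit   list
vault policy  list
vault secrets list
# init prints the unseal shares and the initial root token exactly once;
# capture that output somewhere protected rather than leaving it in scrollback.
vault operator init -key-shares=5 -key-threshold=3
vault token lookup
vault status
# With no argument the command prompts for a share and hides the input, so the
# shares never reach shell history or `ps`. Any three of the five suffice.
vault operator unseal
vault operator unseal
vault operator unseal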

References

References