From f8bb75fe052e65fe23c56a75648328d402ca5655 Mon Sep 17 00:00:00 2001 From: Bill Maxwell Date: Thu, 22 Sep 2016 17:25:26 -0700 Subject: [PATCH] updated for 016 of secrets bridge (#293) --- .../0/docker-compose.yml | 2 +- templates/secrets-bridge-server/0/README.md | 52 +------------------ .../0/docker-compose.yml | 2 +- 3 files changed, 4 insertions(+), 52 deletions(-) diff --git a/templates/secrets-bridge-agents/0/docker-compose.yml b/templates/secrets-bridge-agents/0/docker-compose.yml index 5771ef8..ffc21fa 100644 --- a/templates/secrets-bridge-agents/0/docker-compose.yml +++ b/templates/secrets-bridge-agents/0/docker-compose.yml @@ -1,5 +1,5 @@ secrets-bridge: - image: rancher/secrets-bridge:v0.1.5 + image: rancher/secrets-bridge:v0.1.6 command: agent --bridge-url ${BRIDGE_URL} volumes: - /var/run/docker.sock:/var/run/docker.sock diff --git a/templates/secrets-bridge-server/0/README.md b/templates/secrets-bridge-server/0/README.md index 9882ca5..574beaf 100644 --- a/templates/secrets-bridge-server/0/README.md +++ b/templates/secrets-bridge-server/0/README.md @@ -1,59 +1,11 @@ -## Secrets Bridge Server (Experimental) ---- -###Status: Experimental POC (Read: Do NOT use for production) -Only works with Hashicorp Vault server in dev mode currently. - +## Secrets Bridge Server (Beta) --- #### Description: This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher. The reason this uses a temporary Cubbyhole token to start the service is that ENV variables do show up in the Rancher API and Docker inspect commands. That said, if this service fails, the issuing token will expire and all app tokens will also expire. - + #### Setup See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md) -#### Pre-reqs: - -A Vault server in Dev mode. - -Create Vault Policies and Roles for at least the Issuing token. -Something like: - -``` - vault policy-write grantor-Default ./policies/grantor-Default - vault policy-write test1 ./policies/test1 - vault policy-write test2 ./policies/test2 -``` - - -``` -curl -s -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"allowed_policies": "default,grantor,test1,test2"}' http://vault/v1/auth/token/roles/grantor-Default -``` - -#### Configure and Launch: - 1. Create a token to be used to issue new tokens in the environment. As part of the "meta" on the token add a field called `configPath` and set that equal to a path in the secrets folder in Vault. (like `/secrets/secrets-bridge/Default`) - - - ``` -curl -s -X POST -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create/grantor-Default -d '{"policies": ["default", "grantor", "test1", "test2"], "ttl": "72h", "meta": {"configPath": "secret/secrets-bridge/Default"}}' | jq -r '.auth.client_token' - ``` - - - 2. Create a temporary token with (2) uses. - - ``` - curl -s -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create -d '{"policies": ["default"], "ttl": "15m", "num_uses": 2}'|jq -r '.auth.client_token' - ``` - - 3. Use the temporary token to put the issuing token into the Vault cubbyhole. - - ``` - curl -X POST -H "X-Vault-Token: ${TEMP_TOKEN}" ${VAULT_URL}/v1/cubbyhole/Default -d "{\"permKey\": \"${PERM_TOKEN}\"}" - ``` - - 4. Create Cattle API keys for the environment this server will be handling. (Would recommend 1 server per environment) - - 5. Launch this app with all of the configs. - - diff --git a/templates/secrets-bridge-server/0/docker-compose.yml b/templates/secrets-bridge-server/0/docker-compose.yml index d7549b7..1ae570c 100644 --- a/templates/secrets-bridge-server/0/docker-compose.yml +++ b/templates/secrets-bridge-server/0/docker-compose.yml @@ -1,5 +1,5 @@ secrets-bridge: - image: rancher/secrets-bridge:v0.1.5 + image: rancher/secrets-bridge:v0.1.6 environment: CATTLE_ACCESS_KEY: ${CATTLE_ACCESS_KEY} CATTLE_SECRET_KEY: ${CATTLE_SECRET_KEY}