flywithu/community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated for 016 of secrets bridge (#293)

Browse Source
This commit is contained in:
Bill Maxwell 2016-09-22 17:25:26 -07:00 committed by GitHub
parent 2d4a62d559
commit f8bb75fe05
3 changed files with 4 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
templates/secrets-bridge-agents/0/docker-compose.yml
View File

@ -1,5 +1,5 @@
secrets-bridge: secrets-bridge:
image: rancher/secrets-bridge:v0.1.5 image: rancher/secrets-bridge:v0.1.6
command: agent --bridge-url ${BRIDGE_URL} command: agent --bridge-url ${BRIDGE_URL}
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock

50
templates/secrets-bridge-server/0/README.md
View File

@ -1,8 +1,4 @@
## Secrets Bridge Server (Experimental) ## Secrets Bridge Server (Beta)
---
###Status: Experimental POC (Read: Do NOT use for production)
Only works with Hashicorp Vault server in dev mode currently.
--- ---
#### Description: #### Description:
This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher. This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher.
@ -13,47 +9,3 @@ Only works with Hashicorp Vault server in dev mode currently.
See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md) See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md)
#### Pre-reqs:
A Vault server in Dev mode.
Create Vault Policies and Roles for at least the Issuing token.
Something like:
```
vault policy-write grantor-Default ./policies/grantor-Default
vault policy-write test1 ./policies/test1
vault policy-write test2 ./policies/test2
```
```
curl -s -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"allowed_policies": "default,grantor,test1,test2"}' http://vault/v1/auth/token/roles/grantor-Default
```
#### Configure and Launch:
1. Create a token to be used to issue new tokens in the environment. As part of the "meta" on the token add a field called `configPath` and set that equal to a path in the secrets folder in Vault. (like `/secrets/secrets-bridge/Default`)
```
curl -s -X POST -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create/grantor-Default -d '{"policies": ["default", "grantor", "test1", "test2"], "ttl": "72h", "meta": {"configPath": "secret/secrets-bridge/Default"}}' | jq -r '.auth.client_token'
```
2. Create a temporary token with (2) uses.
```
curl -s -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create -d '{"policies": ["default"], "ttl": "15m", "num_uses": 2}'|jq -r '.auth.client_token'
```
3. Use the temporary token to put the issuing token into the Vault cubbyhole.
```
curl -X POST -H "X-Vault-Token: ${TEMP_TOKEN}" ${VAULT_URL}/v1/cubbyhole/Default -d "{\"permKey\": \"${PERM_TOKEN}\"}"
```
4. Create Cattle API keys for the environment this server will be handling. (Would recommend 1 server per environment)
5. Launch this app with all of the configs.

2
templates/secrets-bridge-server/0/docker-compose.yml
View File

@ -1,5 +1,5 @@
secrets-bridge: secrets-bridge:
image: rancher/secrets-bridge:v0.1.5 image: rancher/secrets-bridge:v0.1.6
environment: environment:
CATTLE_ACCESS_KEY: ${CATTLE_ACCESS_KEY} CATTLE_ACCESS_KEY: ${CATTLE_ACCESS_KEY}
CATTLE_SECRET_KEY: ${CATTLE_SECRET_KEY} CATTLE_SECRET_KEY: ${CATTLE_SECRET_KEY}