flywithu/community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
community-catalog/templates/secrets-bridge-server/0/README.md
Bill Maxwell 0e9fb0bc21 Addition of experimental secrets-bridge (#140) 
This is the basic service that enables bootstrapping keys to talk
with Vault.
2016-05-15 21:57:42 -07:00

56 lines
2.3 KiB
Markdown
Raw Blame History

## Secrets Bridge Server (Experimental)
---
###Status: Experimental POC (Read: Do NOT use for production)
Only works with Hashicorp Vault server in dev mode currently.
---
#### Description:
This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher.
The reason this uses a temporary Cubbyhole token to start the service is that ENV variables do show up in the Rancher API and Docker inspect commands.
#### Pre-reqs:
A Vault server in Dev mode.
Create Vault Policies and Roles for at least the Issuing token.
Something like:
```
vault policy-write grantor-Default ./policies/grantor-Default
vault policy-write test1 ./policies/test1
vault policy-write test2 ./policies/test2
```
```
curl -s -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"allowed_policies": "default,grantor,test1,test2"}' http://vault/v1/auth/token/roles/grantor-Default
```
#### Configure and Launch:
1. Create a token to be used to issue new tokens in the environment. As part of the "meta" on the token add a field called `configPath` and set that equal to a path in the secrets folder in Vault. (like `/secrets/secrets-bridge/Default`)
```
curl -s -X POST -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create/grantor-Default -d '{"policies": ["default", "grantor", "test1", "test2"], "ttl": "72h", "meta": {"configPath": "secret/secrets-bridge/Default"}}' | jq -r '.auth.client_token'
```
2. Create a temporary token with (2) uses.
```
curl -s -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create -d '{"policies": ["default"], "ttl": "15m", "num_uses": 2}'|jq -r '.auth.client_token'
```
3. Use the temporary token to put the issuing token into the Vault cubbyhole.
```
curl -X POST -H "X-Vault-Token: ${TEMP_TOKEN}" ${VAULT_URL}/v1/cubbyhole/Default -d "{\"permKey\": \"${PERM_TOKEN}\"}"
```
4. Create Cattle API keys for the environment this server will be handling. (Would recommend 1 server per environment)
5. Launch this app with all of the configs.
Reference in New Issue View Git Blame Copy Permalink