flywithu/community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
community-catalog/templates/secrets-bridge-server/0
History
Bill Maxwell 1e281a0c72 updating to v0.0.3 (#233) 
The new version of the agent, can be launched via cattle and run in a k8s environment.
2016-07-28 17:35:44 -07:00
..
docker-compose.yml
updating to v0.0.3 (#233)
2016-07-28 17:35:44 -07:00
rancher-compose.yml
Addition of experimental secrets-bridge (#140)
2016-05-15 21:57:42 -07:00
README.md
updating to v0.0.3 (#233)
2016-07-28 17:35:44 -07:00

README.md

Secrets Bridge Server (Experimental)

###Status: Experimental POC (Read: Do NOT use for production) Only works with Hashicorp Vault server in dev mode currently.

Description:

This is the server side component for the Vault Secrets bridge with Rancher. This service should NOT be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to ALL secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher.

The reason this uses a temporary Cubbyhole token to start the service is that ENV variables do show up in the Rancher API and Docker inspect commands. That said, if this service fails, the issuing token will expire and all app tokens will also expire.

Pre-reqs:

A Vault server in Dev mode.

Create Vault Policies and Roles for at least the Issuing token. Something like:

  vault policy-write grantor-Default ./policies/grantor-Default
  vault policy-write test1 ./policies/test1
  vault policy-write test2 ./policies/test2

curl -s -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" -d '{"allowed_policies": "default,grantor,test1,test2"}' http://vault/v1/auth/token/roles/grantor-Default

Configure and Launch:

  1. Create a token to be used to issue new tokens in the environment. As part of the "meta" on the token add a field called configPath and set that equal to a path in the secrets folder in Vault. (like /secrets/secrets-bridge/Default)
curl -s -X POST -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create/grantor-Default -d '{"policies": ["default", "grantor", "test1", "test2"], "ttl": "72h", "meta": {"configPath": "secret/secrets-bridge/Default"}}' | jq -r '.auth.client_token'
  1. Create a temporary token with (2) uses.
curl -s -H "X-Vault-Token: $ROOT_TOKEN" ${VAULT_URL}/v1/auth/token/create -d '{"policies": ["default"], "ttl": "15m", "num_uses": 2}'|jq -r '.auth.client_token'

  1. Use the temporary token to put the issuing token into the Vault cubbyhole.

curl -X POST -H "X-Vault-Token: ${TEMP_TOKEN}" ${VAULT_URL}/v1/cubbyhole/Default -d "{"permKey": "${PERM_TOKEN}"}" ```

  1. Create Cattle API keys for the environment this server will be handling. (Would recommend 1 server per environment)

  2. Launch this app with all of the configs.