diff --git a/README.md b/README.md index ae5a21b..c87befb 100644 --- a/README.md +++ b/README.md @@ -37,12 +37,47 @@ Modification des labels pour traefik docker compose logs -f ~~~ +On se connecte sur le docker ~~~bash docker exec -it vault-app /bin/sh ~~~ +Nous ajoutons les paquets manquant ~~~bash - vault operator init + apk add jq curl +~~~ + +Nous lancons initialitation +~~~bash + vault operator init -key-shares=5 -key-threshold=3 -format=json > /vault/file/unseal.json +~~~ + +~~~bash + vault operator unseal $(jq -r '.unseal_keys_b64[0]' /vault/file/unseal.json) +~~~ + +~~~bash + export VAULT_TOKEN=$(jq -r '.root_token' /vault/file/unseal.json) +~~~ + +~~~bash + vault secrets enable -version=2 -path=secret kv +~~~ + +~~~bash + vault policy write readwrite /vault/policy/secrets-readwrite.hcl +~~~ + +~~~bash + vault policy write readonly /vault/policy/secrets-read.hcl +~~~ + +~~~bash + vault policy write terraform /vault/policy/secrets-terraform.hcl +~~~ + +~~~bash +vault write auth/approle/role/terraform secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 token_policies=terraform ~~~ # Buy me a coffe diff --git a/file/vault-unseal.sh b/file/vault-unseal.sh new file mode 100644 index 0000000..756b78e --- /dev/null +++ b/file/vault-unseal.sh 
@@ -0,0 +1,50 @@
+#!/usr/bin/env sh
+
+#Define a timestamp function
+timestamp() {
+date "+%b %d %Y %T %Z"
+}
+
+URL=https://vault.tips-of-mine.com
+KEYS_FILE=/vault/file/unseal.json
+
+LOG=info
+
+SKIP_TLS_VERIFY=true
+
+if [ true = "$SKIP_TLS_VERIFY" ]
+then
+ CURL_PARAMS="-sk"
+else
+ CURL_PARAMS="-s"
+fi
+
+# Add timestamp
+echo "$(timestamp): Vault-useal started" | tee -a $LOG
+echo "-------------------------------------------------------------------------------" | tee -a $LOG
+
+initialized=$(curl $CURL_PARAMS $URL/v1/sys/health | jq '.initialized')
+
+if [ true = "$initialized" ]
+then
+ echo "$(timestamp): Vault already initialized" | tee -a $LOG
+ while true
+ do
+ status=$(curl $CURL_PARAMS $URL/v1/sys/health | jq '.sealed')
+ if [ true = "$status" ]
+ then
+ echo "$(timestamp): Vault Sealed. Trying to unseal" | tee -a $LOG
+ # Get keys from json file
+ for i in `jq -r '.keys[]' $KEYS_FILE`
+ do curl $CURL_PARAMS --request PUT --data "{\"key\": \"$i\"}" $URL/v1/sys/unseal
+ done
+ sleep 10
+ else
+ echo "$(timestamp): Vault unsealed" | tee -a $LOG
+ break
+ fi
+ done
+else
+ echo "$(timestamp): Vault not initialized yet"
+fi
+
diff --git a/policy/secrets-read.hcl b/policy/secrets-read.hcl
new file mode 100644
index 0000000..3229b31
--- /dev/null
+++ b/policy/secrets-read.hcl
@@ -0,0 +1,3 @@
+path "secret/*" {
+ capabilities = [ "read" ]
+}
\ No newline at end of file
diff --git a/policy/secrets-readwrite.hcl b/policy/secrets-readwrite.hcl
new file mode 100644
index 0000000..aafa0c9
--- /dev/null
+++ b/policy/secrets-readwrite.hcl
@@ -0,0 +1,3 @@
+path "secret/*" {
+ capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
+}
\ No newline at end of file
diff --git a/policy/secrets-terraform.hcl b/policy/secrets-terraform.hcl
new file mode 100644
index 0000000..24faa06
--- /dev/null
+++ b/policy/secrets-terraform.hcl
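Review bot: The key loop `for i in \`jq -r '.keys[]' $KEYS_FILE\`` reads a field that the file produced by `vault operator init -format=json` does not contain — the README hunk in this same commit reads the very same file as `.unseal_keys_b64[0]` — so `.keys[]` yields nothing, no share is ever submitted, and the script polls forever printing "Trying to unseal". Replace it with `for i in $(jq -r '.unseal_keys_b64[]' "$KEYS_FILE")` (the unseal endpoint accepts base64 or hex shares) and check curl's exit status inside the loop instead of discarding it. Separately, `SKIP_TLS_VERIFY=true` makes every request `curl -sk`, so the unseal shares are posted to whatever answers at `$URL` with no certificate validation; default it to `false` and pass `--cacert` for the internal CA rather than disabling verification. `LOG=info` also makes `tee -a $LOG` append to a relative file named `info` in whatever directory the script happens to start in, which looks unintended — an absolute path such as `/vault/file/unseal.log` (constructed example) would be safer. Note as well that `KEYS_FILE` keeps every share, and per the README the root token too, on the Vault host itself, which collapses the 5-of-3 threshold into one file; if unattended unsealing is the goal, Vault's auto-unseal (KMS or transit seal) is the supported way to do it without persisting shares next to the data.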
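Review bot: The readonly policy grants only `read` on `secret/*`, but with the KV v2 mount the README enables (`vault secrets enable -version=2 -path=secret kv`) listing keys goes through `secret/metadata/*` and requires the `list` capability, so `vault kv list secret/` fails for holders of this policy. If listing is intended, add `path "secret/metadata/*" { capabilities = ["list", "read"] }` beside the existing block; if not, `secret/data/*` is the narrower path for reads. The same `secret/*` glob in the readwrite policy also covers `secret/destroy/*` and `secret/metadata/*`, where `update` and `delete` permanently destroy every version of a key — scope that policy to `secret/data/*` plus `secret/metadata/*` unless irreversible operations are wanted for "readwrite" users.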
@@ -0,0 +1,20 @@
+path "*" {
+ capabilities = ["list", "read"]
+}
+
+path "secrets/data/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "kv/data/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+
+path "secret/data/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "auth/token/create" {
+capabilities = ["create", "read", "update", "list"]
+}
\ No newline at end of file
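Review bot: The first block, `path "*" { capabilities = ["list", "read"] }`, gives the terraform AppRole read and list on every path in Vault — every other secrets engine and much of `sys/` and `auth/` configuration — which is far wider than the single KV mount the rest of the policy targets. Drop the block, or narrow it to what Terraform actually needs, e.g. `path "secret/metadata/*" { capabilities = ["list"] }`. The `secrets/data/*` and `kv/data/*` blocks refer to mounts the README never creates (the only mount is `secret`), so they are dead grants today that will silently take effect if such a mount is ever added; remove them or add a comment saying which environment they are for. The `auth/token/create` block is indented differently from the others; align its `capabilities` line with the rest of the file.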