Getting started with HashiCorp Vault

RyuSA

Checking what HashiCorp Vault can do 👀

  • Run it as a CA and set up SSH to authenticate with certificates
  • Run it as an OIDC IdP
  • While at it, try hooking it up to Kubernetes OIDC token authentication
  • Use it as the backing store for Kubernetes External Secrets

Just starting it up for now

docker run --rm -it --cap-add=IPC_LOCK -p 8200:8200 vault:1.9.2
==> Vault server configuration:

             Api Address: http://0.0.0.0:8200
                     Cgo: disabled
         Cluster Address: https://0.0.0.0:8201
              Go Version: go1.17.5
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.9.2
             Version Sha: f4c6d873e2767c0d6853b5d9ffc77b0d297bfbdf

2022-01-13T12:26:08.297Z [INFO]  proxy environment: http_proxy="\"\"" https_proxy="\"\"" no_proxy="\"\""
2022-01-13T12:26:08.297Z [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2022-01-13T12:26:08.297Z [INFO]  core: Initializing VersionTimestamps for core
2022-01-13T12:26:08.298Z [INFO]  core: security barrier not initialized
2022-01-13T12:26:08.298Z [INFO]  core: security barrier initialized: stored=1 shares=1 threshold=1
2022-01-13T12:26:08.298Z [INFO]  core: post-unseal setup starting
2022-01-13T12:26:08.300Z [INFO]  core: loaded wrapping token key
2022-01-13T12:26:08.300Z [INFO]  core: Recorded vault version: vault version=1.9.2 upgrade time="2022-01-13 12:26:08.300360345 +0000 UTC m=+0.029160918"
2022-01-13T12:26:08.300Z [INFO]  core: successfully setup plugin catalog: plugin-directory="\"\""
2022-01-13T12:26:08.300Z [INFO]  core: no mounts; adding default mount table
2022-01-13T12:26:08.301Z [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2022-01-13T12:26:08.302Z [INFO]  core: successfully mounted backend: type=system path=sys/
2022-01-13T12:26:08.302Z [INFO]  core: successfully mounted backend: type=identity path=identity/
2022-01-13T12:26:08.308Z [INFO]  core: successfully enabled credential backend: type=token path=token/
2022-01-13T12:26:08.308Z [INFO]  rollback: starting rollback manager
2022-01-13T12:26:08.308Z [INFO]  core: restoring leases
2022-01-13T12:26:08.309Z [INFO]  expiration: lease restore complete
2022-01-13T12:26:08.309Z [INFO]  identity: entities restored
2022-01-13T12:26:08.309Z [INFO]  identity: groups restored
2022-01-13T12:26:08.309Z [INFO]  core: post-unseal setup complete
2022-01-13T12:26:08.309Z [INFO]  core: root token generated
2022-01-13T12:26:08.309Z [INFO]  core: pre-seal teardown starting
2022-01-13T12:26:08.309Z [INFO]  rollback: stopping rollback manager
2022-01-13T12:26:08.309Z [INFO]  core: pre-seal teardown complete
2022-01-13T12:26:08.309Z [INFO]  core.cluster-listener.tcp: starting listener: listener_address=0.0.0.0:8201
2022-01-13T12:26:08.309Z [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=[::]:8201
2022-01-13T12:26:08.309Z [INFO]  core: post-unseal setup starting
2022-01-13T12:26:08.309Z [INFO]  core: loaded wrapping token key
2022-01-13T12:26:08.309Z [INFO]  core: successfully setup plugin catalog: plugin-directory="\"\""
2022-01-13T12:26:08.310Z [INFO]  core: successfully mounted backend: type=system path=sys/
2022-01-13T12:26:08.310Z [INFO]  core: successfully mounted backend: type=identity path=identity/
2022-01-13T12:26:08.310Z [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2022-01-13T12:26:08.310Z [INFO]  core: successfully enabled credential backend: type=token path=token/
2022-01-13T12:26:08.310Z [INFO]  rollback: starting rollback manager
2022-01-13T12:26:08.310Z [INFO]  core: restoring leases
2022-01-13T12:26:08.311Z [INFO]  identity: entities restored
2022-01-13T12:26:08.311Z [INFO]  expiration: lease restore complete
2022-01-13T12:26:08.311Z [INFO]  identity: groups restored
2022-01-13T12:26:08.311Z [INFO]  core: post-unseal setup complete
2022-01-13T12:26:08.311Z [INFO]  core: vault is unsealed
2022-01-13T12:26:08.312Z [INFO]  core: successful mount: namespace="\"\"" path=secret/ type=kv
==> Vault server started! Log data will stream in below:

2022-01-13T12:26:08.322Z [INFO]  secrets.kv.kv_7525b3e2: collecting keys to upgrade
2022-01-13T12:26:08.322Z [INFO]  secrets.kv.kv_7525b3e2: done collecting keys: num_keys=1
2022-01-13T12:26:08.322Z [INFO]  secrets.kv.kv_7525b3e2: upgrading keys finished
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: KtSf69yWn5ynG44i/1eh4UT/6ThLye+UEAzLuPGj6m8=
Root Token: s.CTGnYpcJRrcWz87aRQwazGIK

Development mode should NOT be used in production installations!

--cap-add=IPC_LOCK is apparently required. Vault locks sensitive memory, so it uses that syscall. Defining the SKIP_SETCAP environment variable skips that step... but there's no reason to do that, so fine.

docker exec -it busy_keldysh sh
/ # export VAULT_ADDR='http://0.0.0.0:8200'
/ # vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.9.2
Storage Type    inmem
Cluster Name    vault-cluster-5cbf5e68
Cluster ID      0ffcf8ff-9b9a-f533-b927-561192bb96ca
HA Enabled      false

Startup done for now. Probably because it's running in dev mode, Sealed is false right from the start 🤔

Accessing the WebUI

There seem to be quite a few kinds of storage for protecting secrets; wow, there are DBs and all sorts of things lol

Being able to just pop out a Random value on the spot scratches some kind of itch

Let's create a Storage with KV for now

So versions can be managed too, I see

Huh, so Secrets are managed on a path basis

Looks like metadata can be attached too

metadata notes

Checking the Delete version after behaviour

Prepared a throwaway Secret and set the metadata

I-it's gone...! This is great...!
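The KV v2 behaviour tried out above (versions, metadata, Delete version after) maps onto two separate API path families: `<mount>/data/<path>` for the secret versions and `<mount>/metadata/<path>` for the version list and retention settings. The Python below is an added example, not code from this scrap or from HashiCorp. It assumes a dev server reachable at VAULT_ADDR with VAULT_TOKEN set, and the mount name `secret` plus the secret path `app/db` are made up for illustration.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Assumed dev-server settings (not from the scrap); override via the environment.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")


def kv2_paths(mount: str, secret_path: str) -> dict:
    """KV v2 serves secret versions and their metadata under different API prefixes."""
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    return {
        "data": f"{mount}/data/{secret_path}",          # read/write a version
        "metadata": f"{mount}/metadata/{secret_path}",  # version list, TTLs, custom metadata
        "delete": f"{mount}/delete/{secret_path}",      # soft-delete specific versions
        "undelete": f"{mount}/undelete/{secret_path}",  # restore soft-deleted versions
        "destroy": f"{mount}/destroy/{secret_path}",    # permanently remove version data
    }


def put_payload(data: dict, cas: Optional[int] = None) -> dict:
    """Body for POST <mount>/data/<path>. cas=0: create only; cas=N: overwrite only if the current version is N."""
    body = {"data": data}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def metadata_payload(max_versions: Optional[int] = None, delete_version_after: Optional[str] = None,
                     cas_required: Optional[bool] = None, custom_metadata: Optional[dict] = None) -> dict:
    """Body for POST <mount>/metadata/<path>. delete_version_after is a duration string such as "30s" or "24h"."""
    fields = {
        "max_versions": max_versions,
        "delete_version_after": delete_version_after,
        "cas_required": cas_required,
        "custom_metadata": custom_metadata,
    }
    return {k: v for k, v in fields.items() if v is not None}


def parse_vault_time(ts: str) -> datetime:
    """Vault timestamps are RFC3339 in UTC with nanoseconds; Python parses at most microseconds."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def version_states(metadata_response: dict, now: Optional[datetime] = None) -> dict:
    """Classify each version from a GET <mount>/metadata/<path> response.
    With delete_version_after set, deletion_time is stamped when the version is written, so a
    non-empty deletion_time means 'scheduled' until that instant passes and 'deleted' afterwards."""
    now = now or datetime.now(timezone.utc)
    states = {}
    for ver, info in metadata_response["data"]["versions"].items():
        if info.get("destroyed"):
            states[int(ver)] = "destroyed"
        elif not info.get("deletion_time"):
            states[int(ver)] = "active"
        elif parse_vault_time(info["deletion_time"]) <= now:
            states[int(ver)] = "deleted"
        else:
            states[int(ver)] = "scheduled"
    return states


def vault_request(method: str, api_path: str, body: Optional[dict] = None) -> dict:
    """Token-authenticated call to the Vault HTTP API; only this function touches the network."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{api_path}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    paths = kv2_paths("secret", "app/db")  # "app/db" is a made-up secret path
    # Versions written from now on are scheduled for deletion 30s after creation; keep at most 5.
    vault_request("POST", paths["metadata"], metadata_payload(max_versions=5, delete_version_after="30s"))
    # cas=0 only succeeds while no version exists; the second write must name the version it replaces.
    vault_request("POST", paths["data"], put_payload({"password": "hunter2"}, cas=0))
    vault_request("POST", paths["data"], put_payload({"password": "hunter3"}, cas=1))
    print(version_states(vault_request("GET", paths["metadata"])))
```

The check-and-set option is the part worth copying into real code: without `cas`, two writers racing on the same path silently stack versions on top of each other, and with `cas_required` set in the metadata Vault rejects any write that omits it.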

Oh no, there are way too many features lol. I need to deepen my knowledge around certificates a bit more or I won't even be able to read through this lol

Notes

  • Role
    • Something like a rule set for issuing certificates
    • Is this a Vault-specific concept?
  • CRL
    • Certificate Revocation List, the list of revoked Certificates
    • Seems to be the standard thing
  • bare domain
    • alias root domain
  • glob domains
    • Things like ftp*.example.com

As a sample, run Vault as an OIDC Provider and do OIDC authentication against that same Vault

Unfortunately the OIDC Provider settings don't seem to be viewable in the WebUI; I'd like to see them~ *peeks*

And then, having gotten all the way to the end, this came to light

/ # curl -s http://127.0.0.1:8200/v1/identity/oidc/provider/my-provider/.well-known/openid-configuration | jq .issuer
"http://0.0.0.0:8200/v1/identity/oidc/provider/my-provider"

The server is listening on 0.0.0.0 in the first place, so the browser can't be redirected there~~~~! 😜
So, next up: change Vault's Listen address and retry
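The issuer in that discovery document is whatever Vault believes its api_addr to be (the startup log earlier warned that no api_addr was set), so a dev server bound to 0.0.0.0 advertises an issuer no browser can follow. The Python below is an added example, not code from this scrap or from HashiCorp: it fetches the same openid-configuration document and checks it the way a relying party would before trusting it. Only the 0.0.0.0 issuer value comes from the scrap; the endpoint paths in the constructed samples and the expected issuer https://vault.example.com:8200 are assumptions for illustration.

```python
import json
import urllib.request
from typing import List, Optional
from urllib.parse import urlsplit

# Wildcard bind addresses: fine for a listener, useless as a redirect target for a browser.
UNSPECIFIED_HOSTS = {"0.0.0.0", "::"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(vault_addr: str, provider: str) -> str:
    """Same document the curl command above fetched, for a named OIDC provider."""
    return f"{vault_addr.rstrip('/')}/v1/identity/oidc/provider/{provider}/.well-known/openid-configuration"


def check_discovery(doc: dict, expected_issuer: Optional[str] = None) -> List[str]:
    """Return the reasons a browser-based OIDC login against this provider would fail or be unsafe."""
    issuer = doc.get("issuer", "")
    if not issuer:
        return ["discovery document has no issuer"]
    problems = []
    base = issuer.rstrip("/")
    parts = urlsplit(issuer)
    if parts.hostname in UNSPECIFIED_HOSTS:
        problems.append(f"issuer host {parts.hostname} is a wildcard bind address, not a host a browser can reach")
    if parts.scheme != "https":
        problems.append("issuer is not https, so authorization codes and tokens would travel in the clear")
    if expected_issuer is not None and base != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer} does not match the address clients will use ({expected_issuer})")
    for key in REQUIRED_ENDPOINTS:
        endpoint = doc.get(key)
        if not endpoint:
            problems.append(f"missing {key}")
        elif not (endpoint == base or endpoint.startswith(base + "/")):
            # Relying parties build requests from the issuer; endpoints elsewhere mean a hijack or misconfiguration.
            problems.append(f"{key} {endpoint} is not under the issuer")
    return problems


def fetch_discovery(vault_addr: str, provider: str) -> dict:
    """Network call; everything else in this file works on a plain dict."""
    with urllib.request.urlopen(discovery_url(vault_addr, provider)) as resp:
        return json.load(resp)


# Constructed sample mirroring the dev-server result above: only the issuer value is from the scrap,
# the endpoint paths are illustrative.
DEV_DOC = {
    "issuer": "http://0.0.0.0:8200/v1/identity/oidc/provider/my-provider",
    "authorization_endpoint": "http://0.0.0.0:8200/v1/identity/oidc/provider/my-provider/authorize",
    "token_endpoint": "http://0.0.0.0:8200/v1/identity/oidc/provider/my-provider/token",
    "jwks_uri": "http://0.0.0.0:8200/v1/identity/oidc/provider/my-provider/.well-known/keys",
}

# Constructed sample of a usable document once api_addr (or the provider's issuer) points at a real host.
GOOD_ISSUER = "https://vault.example.com:8200/v1/identity/oidc/provider/my-provider"
GOOD_DOC = {
    "issuer": GOOD_ISSUER,
    "authorization_endpoint": GOOD_ISSUER + "/authorize",
    "token_endpoint": GOOD_ISSUER + "/token",
    "jwks_uri": GOOD_ISSUER + "/.well-known/keys",
}

if __name__ == "__main__":
    for name, doc in (("dev", DEV_DOC), ("fixed", GOOD_DOC)):
        print(name, check_discovery(doc, expected_issuer=GOOD_ISSUER) or ["ok"])
```

Two ways to get a usable issuer out of a dev server: start it with `-dev-listen-address=127.0.0.1:8200` or set VAULT_API_ADDR to the URL clients actually use, or set the `issuer` field on `identity/oidc/provider/my-provider` explicitly. The explicit field is the one you want behind a load balancer, because relying parties compare the issuer in the discovery document against the `iss` claim of every ID token and reject any mismatch.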