====== HashiCorp Vault ======

**Cloud:** Multi-Cloud / On-Premises \\
**HSM level:** FIPS 140-2 Level 2 (Transit SE) \\
**PQ support:** possible via custom plugins

HashiCorp Vault as the central secrets and PKI management for multi-cloud environments.

----

===== Architecture =====

<code mermaid>
flowchart TB
    subgraph VAULT["🔐 HASHICORP VAULT"]
        subgraph ENGINES["Secret Engines"]
            PKI[PKI Engine]
            KV[KV Secrets]
            Transit[Transit]
        end
        subgraph AUTH["Auth Methods"]
            K8S[Kubernetes]
            OIDC[OIDC]
            AWS[AWS IAM]
            AZURE[Azure]
        end
    end
    subgraph CONSUMERS["👥 CONSUMERS"]
        EKS[AWS EKS]
        AKS[Azure AKS]
        GKE[GCP GKE]
        VM[VMs]
    end
    PKI --> EKS & AKS & GKE & VM
    K8S --> EKS & AKS & GKE
    AWS --> EKS
    AZURE --> AKS
    style VAULT fill:#e8f5e9
    style PKI fill:#fff3e0
</code>

----

===== Installation =====

==== Docker (development) ====

<code bash>
# Development mode (not for production: in-memory storage, auto-unsealed, fixed root token)
docker run -d --name vault \
  -p 8200:8200 \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
  -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
  hashicorp/vault:latest
</code>

==== Production (Helm) ====

<code bash>
# Helm repository
helm repo add hashicorp https://helm.releases.hashicorp.com

# Create the values file
cat > vault-values.yaml << 'EOF'
server:
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
  dataStorage:
    size: 10Gi
  auditStorage:
    enabled: true
    size: 10Gi
  ingress:
    enabled: true
    hosts:
      - host: vault.example.com
  extraEnvironmentVars:
    VAULT_SEAL_TYPE: awskms
    VAULT_AWSKMS_SEAL_KEY_ID:   # ID of the KMS key used for auto-unseal
injector:
  enabled: true
EOF

# Install
helm install vault hashicorp/vault \
  --namespace vault \
  --create-namespace \
  -f vault-values.yaml
</code>

----

===== PKI Engine =====

==== Create the root CA ====

<code bash>
# Enable the PKI engine
vault secrets enable -path=pki pki

# Set the max TTL (10 years)
vault secrets tune -max-lease-ttl=87600h pki

# Generate the root CA (generate/internal: the private key never leaves Vault)
vault write pki/root/generate/internal \
  common_name="Example Root CA" \
  issuer_name="root-2024" \
  ttl=87600h \
  key_type=ec \
  key_bits=384

# Configure the CRL/OCSP URLs
vault write pki/config/urls \
  issuing_certificates="https://vault.example.com/v1/pki/ca" \
  crl_distribution_points="https://vault.example.com/v1/pki/crl" \
  ocsp_servers="https://vault.example.com/v1/pki/ocsp"
</code>
==== Create the intermediate CA ====

<code bash>
# Intermediate PKI engine
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

# Generate the CSR (the intermediate key also stays inside Vault)
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="Example Intermediate CA" \
  issuer_name="intermediate-2024" \
  key_type=ec \
  key_bits=384 \
  | jq -r '.data.csr' > intermediate.csr

# Sign with the root CA
vault write -format=json pki/root/sign-intermediate \
  csr=@intermediate.csr \
  format=pem_bundle \
  ttl=43800h \
  | jq -r '.data.certificate' > intermediate.pem

# Import the signed certificate
vault write pki_int/intermediate/set-signed \
  certificate=@intermediate.pem
</code>

==== Roles for certificate issuance ====

<code bash>
# Server certificate role
vault write pki_int/roles/server-cert \
  allowed_domains="example.com" \
  allow_subdomains=true \
  max_ttl=720h \
  key_type=ec \
  key_bits=384 \
  require_cn=false \
  allow_any_name=false

# Client certificate role
# allow_bare_domains=true is required here: an e-mail style name such as
# client@example.com is checked by its domain part, which is the bare allowed domain
vault write pki_int/roles/client-cert \
  allowed_domains="example.com" \
  allow_subdomains=true \
  allow_bare_domains=true \
  client_flag=true \
  server_flag=false \
  max_ttl=720h
</code>

==== Issue a certificate ====

<code bash>
# Server certificate (every SAN must be allowed by the role;
# a short host name such as "server" is outside example.com and would be rejected)
vault write pki_int/issue/server-cert \
  common_name="server.example.com" \
  alt_names="server.example.com,www.example.com" \
  ttl=720h

# Client certificate
vault write pki_int/issue/client-cert \
  common_name="client@example.com" \
  ttl=720h
</code>

----

===== Kubernetes Integration =====

==== Kubernetes Auth ====

<code bash>
# Enable the Kubernetes auth method
vault auth enable kubernetes

# Kubernetes config (run from a pod inside the cluster so the CA cert path exists)
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Role for cert-manager
vault write auth/kubernetes/role/cert-manager \
  bound_service_account_names=cert-manager \
  bound_service_account_namespaces=cert-manager \
  policies=pki-issue \
  ttl=1h
</code>
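How the `allowed_domains`, `allow_subdomains` and `allow_bare_domains` settings of the two PKI roles above decide which names a certificate request may carry, as an added example (a simplified re-implementation of Vault's role check, not Vault's own code; it assumes plain ASCII names and leaves wildcard and glob domains out):

```python
# Simplified re-implementation of the name checks Vault's PKI roles apply
# (allowed_domains / allow_subdomains / allow_bare_domains / allow_any_name).
# Assumptions (not Vault code): plain ASCII names; wildcard certificates and
# allow_glob_domains are left out.


def name_allowed(name, role):
    """Return True if `name` (DNS name or e-mail address) may appear on a certificate of `role`."""
    reduced = name.lower()
    # An e-mail address is judged by its domain part, exactly like a DNS name
    if "@" in reduced:
        local, _, reduced = reduced.partition("@")
        if not local or "@" in reduced:
            return False
    if role.get("allow_any_name", False):
        return True
    for domain in role["allowed_domains"]:
        domain = domain.lower()
        if role.get("allow_bare_domains", False) and reduced == domain:
            return True
        # The suffix check includes the leading dot, so "evil-example.com" and
        # "example.com.attacker.net" do not match "example.com"
        if role.get("allow_subdomains", False) and reduced.endswith("." + domain) \
                and len(reduced) > len(domain) + 1:
            return True
    return False


# Name-related parameters of the two roles defined on this page
SERVER_CERT_ROLE = {"allowed_domains": ["example.com"], "allow_subdomains": True}
CLIENT_CERT_ROLE = {"allowed_domains": ["example.com"], "allow_subdomains": True,
                    "allow_bare_domains": True}


def rejected_names(role, common_name, alt_names=()):
    """Mimic an issue request: return the names the role refuses (empty list = request allowed)."""
    return [n for n in (common_name, *alt_names) if not name_allowed(n, role)]


if __name__ == "__main__":
    # A short SAN such as "server" lies outside example.com and blocks the whole request
    print(rejected_names(SERVER_CERT_ROLE, "server.example.com", ["server"]))
    print(rejected_names(CLIENT_CERT_ROLE, "client@example.com"))
```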
==== Policy ====

<code hcl>
# pki-issue.hcl
path "pki_int/issue/server-cert" {
  capabilities = ["create", "update"]
}

path "pki_int/sign/server-cert" {
  capabilities = ["create", "update"]
}

path "pki_int/roles/server-cert" {
  capabilities = ["read"]
}
</code>

<code bash>
vault policy write pki-issue pki-issue.hcl
</code>

==== cert-manager Vault Issuer ====

<code yaml>
# vault-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    path: pki_int/sign/server-cert
    server: https://vault.example.com
    caBundle:   # base64 PEM of the CA that issued Vault's TLS listener certificate
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager
</code>

<code yaml>
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
  namespace: production
spec:
  secretName: app-tls-secret
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  dnsNames:
    - app.example.com
</code>

----

===== Vault Agent Sidecar =====

<code yaml>
# pod-with-vault-agent.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-certs
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-role"
    # The injector mounts the secrets volume itself; the rendered files tls.crt and
    # tls.key land under this path (default /vault/secrets), no pod volume is needed
    vault.hashicorp.com/secret-volume-path: "/etc/tls"
    vault.hashicorp.com/agent-inject-secret-tls.crt: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.crt: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.certificate }}
      {{ .Data.issuing_ca }}
      {{- end }}
    vault.hashicorp.com/agent-inject-secret-tls.key: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.key: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.private_key }}
      {{- end }}
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: myapp:latest
</code>

----

===== Transit Engine (signing) =====

<code bash>
# Enable the Transit engine
vault secrets enable transit

# Create a signing key
vault write transit/keys/signing-key \
  type=ecdsa-p384

# Sign (input must be base64-encoded)
vault write transit/sign/signing-key \
  input=$(echo -n "data to sign" | base64)

# Verify
vault write transit/verify/signing-key \
  input=$(echo -n "data to sign" | base64) \
  signature="vault:v1:..."
</code>
----

===== Audit Logging =====

<code bash>
# File audit device
vault audit enable file file_path=/var/log/vault/audit.log

# Syslog device
vault audit enable syslog tag="vault" facility="LOCAL0"

# Socket device (e.g. for ELK via Logstash)
vault audit enable socket address="logstash.example.com:5000" socket_type="tcp"
</code>

----

===== High Availability =====

<code hcl>
# vault-config.hcl
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}

seal "awskms" {
  region     = "eu-central-1"
  kms_key_id = "alias/vault-unseal"
}

api_addr     = "https://vault-0.vault:8200"
cluster_addr = "https://vault-0.vault:8201"
</code>

----

===== Checklist =====

^ # ^ Check ^ ✓ ^
| 1 | Vault installed (HA) | ☐ |
| 2 | PKI engine configured | ☐ |
| 3 | Root + intermediate CA | ☐ |
| 4 | Roles defined | ☐ |
| 5 | Kubernetes auth | ☐ |
| 6 | Audit logging | ☐ |
| 7 | Auto-unseal configured | ☐ |
| 8 | Backup strategy | ☐ |

----

===== Related documentation =====

  * [[.:azure-keyvault|Azure Key Vault]] – Azure integration
  * [[.:aws-kms|AWS KMS]] – AWS integration
  * [[..:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] – K8s PKI

----

<< [[.:aws-kms|← AWS KMS]] | [[..:start|→ Operator scenarios]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>vault hashicorp pki multi-cloud kubernetes operator}}
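The audit devices enabled in the Audit Logging section write one JSON object per request and per response. As an added example (not part of the original page), a small scan over such entries that flags writes made with a root-policy token and changes to the PKI and audit control plane of the mounts used here; the log lines are constructed for the example and use only the fields Vault's audit format carries:

```python
import json
from fnmatch import fnmatch

# Paths whose modification changes the trust or audit posture of this page's setup.
# Patterns are assumptions for the example, matching the mounts pki, pki_int, auth/kubernetes.
SENSITIVE_WRITE_PATHS = [
    "sys/audit/*",            # disabling or replacing audit devices
    "sys/policies/acl/*",     # policy changes (e.g. pki-issue)
    "pki/root/*",             # new root keys, signing of intermediates
    "pki_int/roles/*",        # loosening allowed_domains / allow_any_name
    "auth/kubernetes/role/*", # which service accounts may obtain PKI tokens
]
WRITE_OPS = {"create", "update", "delete", "patch"}


def scan_audit(lines):
    """Return (rule, path, display_name) findings for the request entries in `lines`."""
    findings = []
    for raw in lines:
        entry = json.loads(raw)
        # Vault logs a request entry and a response entry per call; the request
        # entry is enough to see which write was attempted by whom
        if entry.get("type") != "request":
            continue
        req, auth = entry.get("request", {}), entry.get("auth", {})
        path, op = req.get("path", ""), req.get("operation", "")
        who = auth.get("display_name", "?")
        if op in WRITE_OPS and "root" in auth.get("policies", []):
            findings.append(("root-token-write", path, who))
        if op in WRITE_OPS and any(fnmatch(path, p) for p in SENSITIVE_WRITE_PATHS):
            findings.append(("control-plane-change", path, who))
    return findings


# Constructed sample entries (not real Vault output); token fields omitted for brevity
SAMPLE_AUDIT_LINES = [
    '{"type":"request","auth":{"display_name":"kubernetes-cert-manager","policies":["default","pki-issue"]},"request":{"operation":"update","path":"pki_int/sign/server-cert","remote_address":"10.0.1.17"}}',
    '{"type":"response","auth":{"display_name":"kubernetes-cert-manager","policies":["default","pki-issue"]},"request":{"operation":"update","path":"pki_int/sign/server-cert"}}',
    '{"type":"request","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"delete","path":"sys/audit/file","remote_address":"203.0.113.9"}}',
    '{"type":"request","auth":{"display_name":"token-ops","policies":["default","pki-admin"]},"request":{"operation":"update","path":"pki_int/roles/server-cert","remote_address":"10.0.2.4"}}',
]

if __name__ == "__main__":
    for rule, path, who in scan_audit(SAMPLE_AUDIT_LINES):
        print(f"{rule:22} {who:25} {path}")
```

Routine issuance by cert-manager produces no finding; the root-token deletion of the file audit device and the edit of the server-cert role do.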