====== HashiCorp Vault ======
**Oblak:** Večoblačnost / Na lokaciji \\
**HSM nivo:** FIPS 140-2 Nivo 2 (Transit SE) \\
**PQ podpora:** Mogoča preko prilagojenih vtičnikov
HashiCorp Vault kot centralno upravljanje skrivnosti in PKI za večoblačna okolja.
----
===== Arhitektura =====
flowchart TB
%% Vault (engines and auth methods) on top, the consuming platforms below.
%% KV and Transit are declared but have no edges in this diagram.
subgraph VAULT["HASHICORP VAULT"]
subgraph ENGINES["Secret Engines"]
PKI[PKI Engine]
KV[KV Secrets]
Transit[Transit]
end
subgraph AUTH["Auth Methods"]
K8S[Kubernetes]
OIDC[OIDC]
AWS[AWS IAM]
AZURE[Azure]
end
end
subgraph CONSUMERS["UPORABNIKI"]
EKS[AWS EKS]
AKS[Azure AKS]
GKE[GCP GKE]
VM[VM-ji]
end
%% The PKI engine is linked to every consumer, including plain VMs.
PKI --> EKS & AKS & GKE & VM
%% Kubernetes auth is shared by the three managed clusters; the cloud IAM
%% methods are drawn only towards their own provider's cluster.
K8S --> EKS & AKS & GKE
AWS --> EKS
AZURE --> AKS
style VAULT fill:#e8f5e9
style PKI fill:#fff3e0
----
===== Namestitev =====
==== Docker (razvoj) ====
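# Development Mode (ni za produkcijo!)
# Dev mode starts unsealed, stores everything in memory and uses the root token
# given below, so it must not be reachable from other hosts: the port is
# published on loopback only. VAULT_DEV_LISTEN_ADDRESS stays 0.0.0.0 because
# that is the bind address inside the container; the host-side binding is what
# limits exposure. Prefer a pinned image tag over "latest" so the version under
# test is explicit.
docker run -d --name vault \
  -p 127.0.0.1:8200:8200 \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
  -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
  hashicorp/vault:latest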
==== Produkcija (Helm) ====
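# Helm repozitorij
helm repo add hashicorp https://helm.releases.hashicorp.com

# Ustvarjanje vrednosti
# Notes on these values:
# - VAULT_AWSKMS_SEAL_KEY_ID must not be left empty: an empty YAML value is
#   null and auto-unseal would not be configured. Use the KMS key ID or alias
#   and give the Vault pods AWS credentials that are allowed to use that key.
# - The chart's listener is plaintext unless global.tlsDisable is set to false
#   and TLS material is supplied; the HA listener stanza further down this page
#   assumes TLS, so align the two before exposing Vault through the ingress.
cat > vault-values.yaml << 'EOF'
server:
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
  dataStorage:
    size: 10Gi
  auditStorage:
    enabled: true
    size: 10Gi
  ingress:
    enabled: true
    hosts:
      - host: vault.example.com
  extraEnvironmentVars:
    VAULT_SEAL_TYPE: awskms
    VAULT_AWSKMS_SEAL_KEY_ID: "<AWS_KMS_KEY_ID_OR_ALIAS>"  # placeholder, replace
injector:
  enabled: true
EOF

# Namestitev
helm install vault hashicorp/vault \
  --namespace vault \
  --create-namespace \
  -f vault-values.yaml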
----
===== PKI Engine =====
==== Ustvarjanje Root CA ====
# Aktivacija PKI Engine
vault secrets enable -path=pki pki

# Nastavitev Max TTL
# 87600h (10 years) is the ceiling for anything issued from this mount,
# including the root certificate generated next.
vault secrets tune -max-lease-ttl=87600h pki

# Generacija Root-CA
# "internal" keeps the root private key inside Vault; it is never returned.
vault write pki/root/generate/internal \
  ttl=87600h \
  key_type=ec \
  key_bits=384 \
  issuer_name='root-2024' \
  common_name='Example Root CA'

# Konfiguracija CRL/OCSP URL-jev
# These URLs are embedded into certificates issued by this mount (i.e. the
# intermediate); every PKI mount carries its own config/urls.
vault write pki/config/urls \
  ocsp_servers='https://vault.example.com/v1/pki/ocsp' \
  crl_distribution_points='https://vault.example.com/v1/pki/crl' \
  issuing_certificates='https://vault.example.com/v1/pki/ca'
==== Ustvarjanje Intermediate CA ====
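# Intermediate PKI Engine
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

# Generacija CSR
# The intermediate private key stays inside the pki_int mount; only the CSR
# leaves Vault. Run these pipelines with `set -o pipefail` (or check that the
# output files are non-empty) so a failed vault write does not silently
# produce an empty .csr/.pem that the next step then consumes.
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="Example Intermediate CA" \
  issuer_name="intermediate-2024" \
  key_type=ec \
  key_bits=384 \
  | jq -r '.data.csr' > intermediate.csr

# Podpis s strani Root
vault write -format=json pki/root/sign-intermediate \
  csr=@intermediate.csr \
  format=pem_bundle \
  ttl=43800h \
  | jq -r '.data.certificate' > intermediate.pem

# Uvoz podpisanega certifikata
vault write pki_int/intermediate/set-signed \
  certificate=@intermediate.pem

# CRL/OCSP URL-ji za intermediate
# Leaf certificates carry the AIA/CRL/OCSP URLs of the mount that issues them
# (pki_int); the URLs configured on the root mount do not apply here.
vault write pki_int/config/urls \
  issuing_certificates="https://vault.example.com/v1/pki_int/ca" \
  crl_distribution_points="https://vault.example.com/v1/pki_int/crl" \
  ocsp_servers="https://vault.example.com/v1/pki_int/ocsp"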
==== Vloga za izdajo certifikatov ====
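# Vloga za strežniške certifikate
# server_flag and client_flag both default to true; set them explicitly so
# server certificates do not also carry the clientAuth EKU.
vault write pki_int/roles/server-cert \
  allowed_domains="example.com" \
  allow_subdomains=true \
  max_ttl=720h \
  key_type=ec \
  key_bits=384 \
  require_cn=false \
  allow_any_name=false \
  server_flag=true \
  client_flag=false

# Vloga za odjemalske certifikate
# Vault validates a CN of the form user@example.com against its domain part,
# so issuing "client@example.com" additionally needs allow_bare_domains=true
# (allow_subdomains alone admits only *.example.com). key_type/key_bits are
# set to match server-cert; without them the role would fall back to the
# engine default key type.
vault write pki_int/roles/client-cert \
  allowed_domains="example.com" \
  allow_subdomains=true \
  allow_bare_domains=true \
  client_flag=true \
  server_flag=false \
  key_type=ec \
  key_bits=384 \
  max_ttl=720h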
==== Izdaja certifikata ====
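# Strežniški certifikat
# alt_names are validated against the role like the CN: the bare short name
# "server" is not covered by allowed_domains=example.com and is rejected, so
# only the FQDN is requested here. The response carries certificate,
# issuing_ca, private_key and serial_number; the private key is returned
# exactly once, so capture the output in a protected location.
vault write pki_int/issue/server-cert \
  common_name="server.example.com" \
  alt_names="server.example.com" \
  ttl=720h

# Odjemalski certifikat
# This CN is checked against the domain part after "@"; the client-cert role
# must therefore permit the bare domain example.com.
vault write pki_int/issue/client-cert \
  common_name="client@example.com" \
  ttl=720h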
----
===== Integracija Kubernetes =====
==== Kubernetes Auth ====
# Aktivacija Kubernetes Auth
vault auth enable kubernetes

# Konfiguracija Kubernetes
# The CA path below is the in-pod service-account mount, so this is meant to
# run from inside the cluster (e.g. from the Vault pod); from outside, pass the
# cluster CA and a reachable API server address instead.
vault write auth/kubernetes/config \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  kubernetes_host='https://kubernetes.default.svc'

# Vloga za cert-manager
# Binding both the service-account name and its namespace means only that one
# identity can log in to this role; the resulting tokens live for 1h.
vault write auth/kubernetes/role/cert-manager \
  ttl=1h \
  policies=pki-issue \
  bound_service_account_namespaces=cert-manager \
  bound_service_account_names=cert-manager
==== Policy ====
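# pki-issue.hcl
# Least privilege for cert-manager: the ClusterIssuer on this page uses
# pki_int/sign/server-cert, so the key pair is generated by cert-manager and
# only a CSR is sent to Vault. The issue/ endpoint, where Vault generates and
# returns the private key, is not needed by this consumer and is left out.
path "pki_int/sign/server-cert" {
  capabilities = ["create", "update"]
}
path "pki_int/roles/server-cert" {
  capabilities = ["read"]
}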
# Load the policy from the file via stdin ("-" reads the policy body from stdin).
vault policy write pki-issue - < pki-issue.hcl
==== Cert-Manager Vault Issuer ====
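# vault-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    # sign/ (not issue/): cert-manager keeps the private key and only sends a CSR.
    path: pki_int/sign/server-cert
    server: https://vault.example.com
    # Base64-encoded PEM of the CA that issued Vault's own server certificate.
    # An empty value is null; cert-manager is documented to fall back to the
    # system trust store then, which only works if Vault's certificate chains
    # to a public CA. Fill it in when Vault uses a private CA.
    caBundle: "<BASE64_PEM_OF_VAULT_SERVER_CA>"  # placeholder, replace
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager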
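# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
  namespace: production
spec:
  # Certificate and key are stored in this Secret in the same namespace.
  secretName: app-tls-secret
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  # Must be permitted by the Vault role (server-cert allows *.example.com);
  # the effective lifetime is bounded by that role's max_ttl.
  dnsNames:
    - app.example.com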
----
===== Vault Agent Sidecar =====
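# pod-with-vault-agent.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-certs
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-role"
    # Rendered files go to this directory instead of the default /vault/secrets;
    # the injector adds the volume and mounts it itself, so no volumes: section
    # is needed (the previous "tls" volumeMount referenced a volume that was
    # never declared, which the API server rejects).
    vault.hashicorp.com/secret-volume-path: "/etc/tls"
    # Both templates must use the identical `secret` call (same path and
    # parameters) so the agent renders certificate and key from one issuance;
    # otherwise tls.crt and tls.key would not belong together.
    vault.hashicorp.com/agent-inject-secret-tls.crt: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.crt: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.certificate }}
      {{ .Data.issuing_ca }}
      {{- end }}
    vault.hashicorp.com/agent-inject-secret-tls.key: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.key: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.private_key }}
      {{- end }}
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: myapp:latest  # pin a tag or digest outside of development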
----
===== Transit Engine (podpisovanje) =====
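# Aktivacija Transit Engine
vault secrets enable transit

# Ustvarjanje ključa za podpisovanje
# Keys created here never leave Vault (exportable defaults to false); keep it
# that way for signing keys so the private key cannot be copied out.
vault write transit/keys/signing-key \
  type=ecdsa-p384

# Podpisovanje
# Transit expects base64 input. The substitution is quoted, and newlines are
# stripped because base64(1) wraps long output, which is then rejected as
# invalid base64.
vault write transit/sign/signing-key \
  input="$(echo -n "data to sign" | base64 | tr -d '\n')"

# Preverjanje
# signature is the "vault:v<key_version>:<sig>" string returned by the sign
# call above; "vault:v1:..." is a placeholder.
vault write transit/verify/signing-key \
  input="$(echo -n "data to sign" | base64 | tr -d '\n')" \
  signature="vault:v1:..."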
----
===== Revizijsko beleženje =====
# File Audit Backend
# Audit lines contain request and response bodies with sensitive fields
# HMAC'ed; restrict the directory to the Vault user and rotate the file
# externally.
vault audit enable file file_path='/var/log/vault/audit.log'

# Syslog Backend
vault audit enable syslog tag='vault' facility='LOCAL0'

# Socket Backend (za ELK)
# Plain TCP as configured here: keep Logstash on a trusted network path or
# behind a local forwarder. Vault stops serving requests when no enabled audit
# device can be written, so having more than one device (as here) is what
# keeps the service available when one sink fails.
vault audit enable socket address='logstash.example.com:5000' socket_type='tcp'
----
===== Visoka razpoložljivost =====
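# vault-config.hcl
# One node of the three-member raft cluster from the Helm values above.
# NOTE: node_id ("node1") and the addresses ("vault-0") follow different
# naming schemes; keep them aligned per node so raft membership stays readable.
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"

  # Peers to join automatically on start. The addresses are constructed from
  # the vault-N.vault naming used for api_addr below and must match the real
  # pods. If the listener certificates come from a private CA, add
  # leader_ca_cert_file to each retry_join so the join handshake verifies it.
  retry_join {
    leader_api_addr = "https://vault-1.vault:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-2.vault:8200"
  }
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}

# Auto-unseal: the node's AWS credentials must be allowed to use this key;
# it is the same key VAULT_AWSKMS_SEAL_KEY_ID selects in the Helm values.
seal "awskms" {
  region     = "eu-central-1"
  kms_key_id = "alias/vault-unseal"
}

api_addr     = "https://vault-0.vault:8200"
cluster_addr = "https://vault-0.vault:8201"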
----
===== Kontrolni seznam =====
| # | Kontrolna točka | |
|---|-----------------|---|
| 1 | Vault nameščen (HA) | |
| 2 | PKI Engine konfiguriran | |
| 3 | Root + Intermediate CA | |
| 4 | Vloge definirane | |
| 5 | Kubernetes Auth | |
| 6 | Revizijsko beleženje | |
| 7 | Auto-Unseal konfiguriran | |
| 8 | Strategija varnostnega kopiranja | |
----
===== Povezana dokumentacija =====
* [[.:azure-keyvault|Azure Key Vault]] – Integracija Azure
* [[.:aws-kms|AWS KMS]] – Integracija AWS
* [[..:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] – K8s PKI
----
<< [[.:aws-kms|← AWS KMS]] | [[..:start|→ Scenariji za operaterje]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>vault hashicorp pki multi-cloud kubernetes operator}}