Oblak: Večoblačnost / Na lokaciji
HSM nivo: FIPS 140-2 Nivo 2 (Transit SE)
PQ podpora: Mogoča preko prilagojenih vtičnikov
HashiCorp Vault kot centralno upravljanje skrivnosti in PKI za večoblačna okolja.
# Development mode only (never for production): in-memory storage, auto-unsealed,
# and a fixed root token ("root") handed to the server through the environment.
# Binding to 0.0.0.0 is what makes the published port usable from the host, so
# anything that can reach port 8200 can use that root token.
docker run --detach --name vault \
  --publish 8200:8200 \
  --env VAULT_DEV_ROOT_TOKEN_ID=root \
  --env VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \
  hashicorp/vault:latest
# Helm repository
helm repo add hashicorp https://helm.releases.hashicorp.com

# Values: 3-node Raft HA cluster with persistent data + audit volumes,
# an ingress, AWS KMS auto-unseal and the agent injector webhook.
cat > vault-values.yaml << 'EOF'
server:
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
  dataStorage:
    size: 10Gi
  # Separate volume for the file audit device (enabled later with `vault audit enable file`).
  auditStorage:
    enabled: true
    size: 10Gi
  # NOTE(review): the chart's default is global.tlsDisable=true, so with these
  # values the Vault listener - and therefore this ingress - would carry plaintext.
  # Set global.tlsDisable: false, mount server TLS material, and add ingress.tls
  # before exposing vault.example.com; confirm against the chart version in use.
  ingress:
    enabled: true
    hosts:
      - host: vault.example.com
  # Auto-unseal via AWS KMS. <kms-key-id> is a placeholder; the Vault pods also
  # need AWS credentials (IRSA / instance profile) allowed to use that key - not shown here.
  extraEnvironmentVars:
    VAULT_SEAL_TYPE: awskms
    VAULT_AWSKMS_SEAL_KEY_ID: <kms-key-id>
# Mutating webhook that adds the Vault Agent sidecar to annotated pods.
injector:
  enabled: true
EOF

# Install into its own namespace.
helm install vault hashicorp/vault \
  --namespace vault \
  --create-namespace \
  -f vault-values.yaml
# Root CA mount: dedicated PKI engine whose leases are capped at 10 years.
PKI_ROOT=pki
VAULT_URL=https://vault.example.com

vault secrets enable -path="${PKI_ROOT}" pki
vault secrets tune -max-lease-ttl=87600h "${PKI_ROOT}"

# generate/internal creates the root key pair inside Vault; the private key is
# never returned. EC P-384 (key_type=ec, key_bits=384), 10-year validity.
vault write "${PKI_ROOT}/root/generate/internal" \
    common_name="Example Root CA" \
    issuer_name="root-2024" \
    ttl=87600h \
    key_type=ec \
    key_bits=384

# URLs embedded in issued certificates (AIA / CDP / OCSP) for this mount.
vault write "${PKI_ROOT}/config/urls" \
    issuing_certificates="${VAULT_URL}/v1/${PKI_ROOT}/ca" \
    crl_distribution_points="${VAULT_URL}/v1/${PKI_ROOT}/crl" \
    ocsp_servers="${VAULT_URL}/v1/${PKI_ROOT}/ocsp"
# Intermediate CA in its own mount with a shorter (5-year) lease cap.
PKI_INT=pki_int

vault secrets enable -path="${PKI_INT}" pki
vault secrets tune -max-lease-ttl=43800h "${PKI_INT}"

# The intermediate key pair stays in Vault; only the CSR is written out.
vault write -format=json "${PKI_INT}/intermediate/generate/internal" \
    common_name="Example Intermediate CA" \
    issuer_name="intermediate-2024" \
    key_type=ec \
    key_bits=384 |
  jq -r '.data.csr' > intermediate.csr

# Root mount signs the CSR; format=pem_bundle returns the certificate
# together with its chain in .data.certificate.
vault write -format=json pki/root/sign-intermediate \
    csr=@intermediate.csr \
    format=pem_bundle \
    ttl=43800h |
  jq -r '.data.certificate' > intermediate.pem

# Import the signed certificate back into the intermediate mount.
vault write "${PKI_INT}/intermediate/set-signed" \
    certificate=@intermediate.pem
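# Role for server certificates: names only under example.com, EC P-384 keys,
# certificate lifetime capped at 30 days.
# allow_localhost and allow_ip_sans default to true; a role restricted to
# example.com has no reason to issue "localhost" certs or arbitrary IP SANs,
# so both are switched off explicitly.
vault write pki_int/roles/server-cert \
    allowed_domains="example.com" \
    allow_subdomains=true \
    allow_bare_domains=false \
    allow_localhost=false \
    allow_ip_sans=false \
    allow_any_name=false \
    require_cn=false \
    max_ttl=720h \
    key_type=ec \
    key_bits=384

# Role for client certificates (EKU clientAuth only).
# allow_bare_domains=true: a CN such as client@example.com has the bare allowed
# domain as its domain part, and with allow_subdomains alone the role rejects it
# (verify against the Vault version in use). It also permits a CN of exactly
# "example.com", which is acceptable for a client-only role.
# key_type/key_bits are set explicitly so client keys match the server role
# instead of falling back to the role default (RSA 2048).
vault write pki_int/roles/client-cert \
    allowed_domains="example.com" \
    allow_subdomains=true \
    allow_bare_domains=true \
    client_flag=true \
    server_flag=false \
    max_ttl=720h \
    key_type=ec \
    key_bits=384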
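# Server certificate. Every requested name must satisfy the server-cert role
# (allowed_domains=example.com with allow_subdomains). The bare hostname
# "server" that used to be in alt_names does not, and a single disallowed SAN
# makes Vault reject the whole request, so only the FQDN is requested.
vault write pki_int/issue/server-cert \
    common_name="server.example.com" \
    alt_names="server.example.com" \
    ttl=720h

# Client certificate (clientAuth only, per the client-cert role).
# NOTE(review): an e-mail style CN whose domain part is the bare allowed domain
# needs allow_bare_domains=true on the client-cert role - confirm the role has it.
vault write pki_int/issue/client-cert \
    common_name="client@example.com" \
    ttl=720h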
# Let in-cluster workloads log in to Vault with their service-account tokens.
# Run from inside the cluster: the CA path below is the in-pod
# service-account mount.
K8S_AUTH=auth/kubernetes
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

vault auth enable kubernetes

vault write "${K8S_AUTH}/config" \
    kubernetes_host="https://kubernetes.default.svc" \
    kubernetes_ca_cert=@"${SA_DIR}/ca.crt"

# Role for cert-manager: bound to exactly one service account in one
# namespace, granted the pki-issue policy, with a one-hour token.
vault write "${K8S_AUTH}/role/cert-manager" \
    bound_service_account_names=cert-manager \
    bound_service_account_namespaces=cert-manager \
    policies=pki-issue \
    ttl=1h
# pki-issue.hcl
# Policy granted to the cert-manager Kubernetes-auth role.

# Vault generates key + certificate and returns both (private key leaves Vault).
# NOTE(review): the cert-manager ClusterIssuer on this page uses the sign/ path
# only, so this stanza is broader than cert-manager needs - keep it only if
# another consumer of this policy really issues through Vault.
path "pki_int/issue/server-cert" {
  capabilities = ["create", "update"]
}

# Sign a caller-provided CSR; the private key stays with the caller.
# This is the path cert-manager actually uses.
path "pki_int/sign/server-cert" {
  capabilities = ["create", "update"]
}

# Read-only view of the role's constraints (allowed domains, TTLs, key type).
path "pki_int/roles/server-cert" {
  capabilities = ["read"]
}
# Load the policy file above; "-" tells the CLI to read the policy from stdin.
vault policy write pki-issue - < pki-issue.hcl
# vault-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    # cert-manager submits a CSR, so only the sign/ path of the role is used;
    # the private key is generated in-cluster and never sent to Vault.
    path: pki_int/sign/server-cert
    server: https://vault.example.com
    # Base64-encoded PEM of the CA that issued Vault's own API/ingress
    # certificate - used to verify the TLS connection to `server`. This is not
    # necessarily the PKI root configured above.
    caBundle: <base64-enkodiran-ca>
    auth:
      kubernetes:
        # Vault role created with `vault write auth/kubernetes/role/cert-manager`.
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
  namespace: production
spec:
  # Resulting kubernetes.io/tls Secret in `production` (tls.crt, tls.key and,
  # when the issuer returns it, ca.crt).
  secretName: app-tls-secret
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  # NOTE(review): no duration/renewBefore given. The server-cert role caps
  # max_ttl at 720h, so set duration (<= 720h) and renewBefore explicitly
  # instead of relying on cert-manager's default; confirm how the Vault
  # version in use treats a requested TTL above the role maximum.
  dnsNames:
    - app.example.com
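# pod-with-vault-agent.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-certs
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    # Vault Kubernetes-auth role the sidecar logs in with. It must be bound to
    # the pod's service account (app-sa) and carry a policy that allows
    # pki_int/issue/server-cert. "app-role" is not defined elsewhere on this
    # page - create it before deploying.
    vault.hashicorp.com/role: "app-role"
    # Deliver rendered files under /etc/tls (default is /vault/secrets). The
    # injector mounts the shared agent volume there itself, so the pod no
    # longer needs a hand-written volume/volumeMount.
    vault.hashicorp.com/secret-volume-path: "/etc/tls"
    # ONE template for certificate, chain and key: every `secret "pki_int/issue/..."`
    # call is a separate issuance, so rendering tls.crt and tls.key from two
    # templates would produce a private key that does not match the certificate.
    # Assumes the application can load a combined PEM - confirm for your app.
    vault.hashicorp.com/agent-inject-secret-tls.pem: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.pem: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.certificate }}
      {{ .Data.issuing_ca }}
      {{ .Data.private_key }}
      {{- end }}
    # The file contains a private key: owner-only permissions instead of the
    # agent's default mode.
    vault.hashicorp.com/agent-inject-perms-tls.pem: "0600"
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: myapp:latest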
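# Transit engine: sign/verify as a service, the key never leaves Vault.
vault secrets enable transit

# Asymmetric signing key (ECDSA P-384).
vault write transit/keys/signing-key \
    type=ecdsa-p384

# Transit takes base64-encoded input. printf replaces `echo -n`, whose -n is
# not portable across shells; the substitution is quoted so the value is
# passed as one argument.
INPUT=$(printf '%s' "data to sign" | base64)

# Sign: -field=signature extracts the "vault:v1:..." string from the response,
# so the verify step below uses the real signature instead of a placeholder.
SIGNATURE=$(vault write -field=signature transit/sign/signing-key \
    input="${INPUT}")

# Verify: prints valid=true for a matching input/signature pair.
vault write transit/verify/signing-key \
    input="${INPUT}" \
    signature="${SIGNATURE}"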
# File audit device
# Every request/response is logged (sensitive fields HMAC'd by default).
# Vault does not rotate this file; rotate it externally.
vault audit enable file file_path=/var/log/vault/audit.log

# Syslog audit device
vault audit enable syslog tag="vault" facility="LOCAL0"

# Socket audit device (for ELK)
# NOTE(review): plain TCP - the socket device's options carry no TLS setting,
# so the audit stream crosses the network in clear unless it targets a local
# shipper that forwards over TLS. Also: once any audit device is enabled,
# Vault refuses requests it cannot record on at least one device, so if this
# were the only device and logstash became unreachable, Vault would stop
# serving. Keep a local (file or syslog) device enabled alongside it.
vault audit enable socket address="logstash.example.com:5000" socket_type="tcp"
# vault-config.hcl
# Server configuration for one cluster member: integrated (Raft) storage,
# a TLS listener on all interfaces and AWS KMS auto-unseal.

storage "raft" {
  path = "/vault/data"
  # Unique per member; only node1 is shown. Other members need their own
  # node_id and a way to find peers (retry_join blocks - not shown here).
  node_id = "node1"
}

listener "tcp" {
  # All interfaces; acceptable only because TLS is enforced by the two
  # file settings below.
  address = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file = "/vault/tls/tls.key"
}

seal "awskms" {
  # The unseal key material stays in KMS; Vault needs AWS credentials
  # (instance profile / IRSA / environment) permitted to use this key.
  region = "eu-central-1"
  kms_key_id = "alias/vault-unseal"
}

# Addresses advertised to clients and to other members: API on 8200,
# Raft/cluster traffic on 8201. Per-node values (vault-0 shown).
api_addr = "https://vault-0.vault:8200"
cluster_addr = "https://vault-0.vault:8201"
| # | Kontrolna točka | |
| --- | --- | --- |
| 1 | Vault nameščen (HA) | |
| 2 | PKI Engine konfiguriran | |
| 3 | Root + Intermediate CA | |
| 4 | Vloge definirane | |
| 5 | Kubernetes Auth | |
| 6 | Revizijsko beleženje | |
| 7 | Auto-Unseal konfiguriran | |
| 8 | Strategija varnostnega kopiranja | |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional