HashiCorp Vault
Cloud: Multi-cloud / On-premises
HSM level: FIPS 140-2 Level 2 (Transit SE)
PQ support: Possible via custom plugins
HashiCorp Vault as central secrets management and PKI for multi-cloud environments.
Architecture
flowchart TB
subgraph VAULT["HASHICORP VAULT"]
subgraph ENGINES["Secret Engines"]
PKI[PKI Engine]
KV[KV Secrets]
Transit[Transit]
end
subgraph AUTH["Auth Methods"]
K8S[Kubernetes]
OIDC[OIDC]
AWS[AWS IAM]
AZURE[Azure]
end
end
subgraph CONSUMERS["UPORABNIKI"]
EKS[AWS EKS]
AKS[Azure AKS]
GKE[GCP GKE]
VM[VM-ji]
end
PKI --> EKS & AKS & GKE & VM
K8S --> EKS & AKS & GKE
AWS --> EKS
AZURE --> AKS
style VAULT fill:#e8f5e9
style PKI fill:#fff3e0
Installation
Docker (development)
# Development mode (not for production!)
docker run -d --name vault \
  -p 8200:8200 \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
  -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
  hashicorp/vault:latest
Production (Helm)
# Helm repository
helm repo add hashicorp https://helm.releases.hashicorp.com

# Create the values file
cat > vault-values.yaml << 'EOF'
server:
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
  dataStorage:
    size: 10Gi
  auditStorage:
    enabled: true
    size: 10Gi
  ingress:
    enabled: true
    hosts:
      - host: vault.example.com
  extraEnvironmentVars:
    VAULT_SEAL_TYPE: awskms
    VAULT_AWSKMS_SEAL_KEY_ID: <kms-key-id>
injector:
  enabled: true
EOF

# Install
helm install vault hashicorp/vault \
  --namespace vault \
  --create-namespace \
  -f vault-values.yaml
PKI Engine
Creating the Root CA
# Enable the PKI engine
vault secrets enable -path=pki pki

# Set the max TTL
vault secrets tune -max-lease-ttl=87600h pki

# Generate the Root CA
vault write pki/root/generate/internal \
  common_name="Example Root CA" \
  issuer_name="root-2024" \
  ttl=87600h \
  key_type=ec \
  key_bits=384

# Configure CRL/OCSP URLs
vault write pki/config/urls \
  issuing_certificates="https://vault.example.com/v1/pki/ca" \
  crl_distribution_points="https://vault.example.com/v1/pki/crl" \
  ocsp_servers="https://vault.example.com/v1/pki/ocsp"
Creating the Intermediate CA
# Intermediate PKI engine
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

# Generate the CSR
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="Example Intermediate CA" \
  issuer_name="intermediate-2024" \
  key_type=ec \
  key_bits=384 \
  | jq -r '.data.csr' > intermediate.csr

# Sign with the Root CA
vault write -format=json pki/root/sign-intermediate \
  csr=@intermediate.csr \
  format=pem_bundle \
  ttl=43800h \
  | jq -r '.data.certificate' > intermediate.pem

# Import the signed certificate
vault write pki_int/intermediate/set-signed \
  certificate=@intermediate.pem
Roles for certificate issuance
# Role for server certificates
vault write pki_int/roles/server-cert \
  allowed_domains="example.com" \
  allow_subdomains=true \
  max_ttl=720h \
  key_type=ec \
  key_bits=384 \
  require_cn=false \
  allow_any_name=false

# Role for client certificates
vault write pki_int/roles/client-cert \
  allowed_domains="example.com" \
  allow_subdomains=true \
  client_flag=true \
  server_flag=false \
  max_ttl=720h
Issuing a certificate
# Server certificate
vault write pki_int/issue/server-cert \
  common_name="server.example.com" \
  alt_names="server.example.com,server" \
  ttl=720h

# Client certificate
vault write pki_int/issue/client-cert \
  common_name="client@example.com" \
  ttl=720h
Kubernetes Integration
Kubernetes Auth
# Enable Kubernetes auth
vault auth enable kubernetes

# Configure the Kubernetes auth method
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Role for cert-manager
vault write auth/kubernetes/role/cert-manager \
  bound_service_account_names=cert-manager \
  bound_service_account_namespaces=cert-manager \
  policies=pki-issue \
  ttl=1h
Policy
# pki-issue.hcl
path "pki_int/issue/server-cert" {
  capabilities = ["create", "update"]
}
path "pki_int/sign/server-cert" {
  capabilities = ["create", "update"]
}
path "pki_int/roles/server-cert" {
  capabilities = ["read"]
}
vault policy write pki-issue pki-issue.hcl
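As an added example (not part of this page or of Vault itself), a small Python model of how Vault evaluates the pki-issue policy above: it confirms that the cert-manager token can issue and sign server-cert but gets nothing on client-cert or on the root mount, and contrasts an overbroad `pki_int/*` rule. The priority model is a simplification of Vault's documented rules; `parse_policy`, `rule_matches` and `capabilities` are names chosen here.

```python
import re

# Vault ACL path grammar: "*" is a glob only at the end of a path, "+" matches exactly one segment.
# Simplified model (added example): an exact match beats globs, then the longest matching rule
# wins, and a "deny" capability in any matching policy overrides everything else.


def parse_policy(hcl):
    """Map each path rule in an HCL policy to its set of capabilities."""
    rule_re = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
    return {path: set(re.findall(r'"([^"]+)"', caps)) for path, caps in rule_re.findall(hcl)}


def rule_matches(rule, path):
    """True if a single policy path rule applies to a request path."""
    rsegs, psegs = rule.split("/"), path.split("/")
    glob = rule.endswith("*")
    if glob:
        rsegs[-1] = rsegs[-1][:-1]  # keep the literal prefix before "*"
        if len(psegs) < len(rsegs):
            return False
    elif len(rsegs) != len(psegs):
        return False
    fixed = rsegs[:-1] if glob else rsegs
    if any(r != "+" and r != p for r, p in zip(fixed, psegs)):
        return False
    # The glob tail is a plain prefix match and may span further "/" segments.
    return not glob or "/".join(psegs[len(rsegs) - 1:]).startswith(rsegs[-1])


def capabilities(policies, path):
    """Capabilities a token holding all of `policies` has on `path`."""
    granted = set()
    for rules in policies:
        hits = [r for r in rules if rule_matches(r, path)]
        if not hits:
            continue
        best = path if path in hits else max(hits, key=len)
        if "deny" in rules[best]:
            return set()
        granted |= rules[best]
    return granted


# The pki-issue policy from this page, and an overbroad variant for contrast.
PKI_ISSUE = parse_policy('''
path "pki_int/issue/server-cert" { capabilities = ["create", "update"] }
path "pki_int/sign/server-cert"  { capabilities = ["create", "update"] }
path "pki_int/roles/server-cert" { capabilities = ["read"] }
''')
OVERBROAD = parse_policy('path "pki_int/*" { capabilities = ["create", "update", "read"] }')
```

With `OVERBROAD`, the same token could also issue client certificates and rewrite `pki_int/intermediate/set-signed`, which is why the page's policy names each path explicitly.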
Cert-Manager Vault Issuer
# vault-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    path: pki_int/sign/server-cert
    server: https://vault.example.com
    caBundle: <base64-encoded-ca>
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
  namespace: production
spec:
  secretName: app-tls-secret
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  dnsNames:
    - app.example.com
Vault Agent Sidecar
# pod-with-vault-agent.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-certs
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-role"
    # The injector renders to /vault/secrets by default; this annotation places the files in /etc/tls
    # (it also mounts that volume into the app container, so no separate volume definition is needed)
    vault.hashicorp.com/secret-volume-path: "/etc/tls"
    vault.hashicorp.com/agent-inject-secret-tls.crt: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.crt: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.certificate }}
      {{ .Data.issuing_ca }}
      {{- end }}
    vault.hashicorp.com/agent-inject-secret-tls.key: "pki_int/issue/server-cert"
    vault.hashicorp.com/agent-inject-template-tls.key: |
      {{- with secret "pki_int/issue/server-cert" "common_name=app.example.com" -}}
      {{ .Data.private_key }}
      {{- end }}
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: myapp:latest
Transit Engine (signing)
# Enable the Transit engine
vault secrets enable transit

# Create a signing key
vault write transit/keys/signing-key \
  type=ecdsa-p384

# Sign
vault write transit/sign/signing-key \
  input=$(echo -n "data to sign" | base64)

# Verify
vault write transit/verify/signing-key \
  input=$(echo -n "data to sign" | base64) \
  signature="vault:v1:..."
Audit logging
# File audit backend
vault audit enable file file_path=/var/log/vault/audit.log

# Syslog backend
vault audit enable syslog tag="vault" facility="LOCAL0"

# Socket backend (for ELK)
vault audit enable socket address="logstash.example.com:5000" socket_type="tcp"
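The audit backends above only pay off if someone reads the entries. As an added example (not part of this page or of Vault), a Python triage pass over file-audit JSON lines that flags what matters for the two-tier PKI described here: root-token use on the PKI mounts, changes to CA keys or configuration, issuance by a Kubernetes role other than the ones bound above, and denied PKI requests. The sample entries are constructed, and `triage` and the role allowlist are names chosen here.

```python
import json

# Mount prefixes of the two-tier PKI above, and the sub-paths that change CA key material or config.
PKI_MOUNTS = ("pki/", "pki_int/")
CA_ADMIN_PREFIXES = ("pki/root/", "pki/config/", "pki_int/intermediate/", "pki_int/roles/")
ISSUE_PREFIXES = ("pki_int/issue/", "pki_int/sign/")
# Kubernetes auth roles the page binds to issuance: cert-manager and the Vault Agent sidecar role.
EXPECTED_ISSUER_ROLES = {"cert-manager", "app-role"}
MUTATING_OPS = {"create", "update", "delete"}


def triage(audit_lines):
    """Return (severity, reason, path, actor) for each suspicious audit *response* entry."""
    findings = []
    for raw in audit_lines:
        entry = json.loads(raw)
        if entry.get("type") != "response":  # each call logs request+response; judge the response
            continue
        auth = entry.get("auth") or {}
        req = entry.get("request") or {}
        path, op = req.get("path", ""), req.get("operation", "")
        actor = auth.get("display_name", "unknown")
        role = (auth.get("metadata") or {}).get("role")
        if not path.startswith(PKI_MOUNTS):
            continue
        if entry.get("error"):  # e.g. "permission denied": a caller reaching beyond its policy
            findings.append(("medium", "denied PKI request: " + entry["error"], path, actor))
            continue
        if "root" in auth.get("policies", []):
            findings.append(("high", "root token used on PKI mount", path, actor))
        if path.startswith(CA_ADMIN_PREFIXES) and op in MUTATING_OPS:
            findings.append(("high", "CA key or configuration change", path, actor))
        if path.startswith(ISSUE_PREFIXES) and role not in EXPECTED_ISSUER_ROLES:
            findings.append(("medium", f"issuance by unexpected role {role!r}", path, actor))
    return findings


# Constructed sample entries (not real logs). Vault HMACs request/response data by default,
# so only the clear-text fields (path, operation, auth, error) are used above.
SAMPLE_LOG = [
    '{"type":"response","auth":{"display_name":"kubernetes-cert-manager-cert-manager","policies":["default","pki-issue"],"metadata":{"role":"cert-manager"}},"request":{"operation":"update","path":"pki_int/sign/server-cert","remote_address":"10.0.1.12"},"error":""}',
    '{"type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"update","path":"pki/root/generate/internal","remote_address":"10.0.0.5"},"error":""}',
    '{"type":"response","auth":{"display_name":"kubernetes-ci-jenkins","policies":["default","pki-issue"],"metadata":{"role":"jenkins"}},"request":{"operation":"update","path":"pki_int/issue/server-cert","remote_address":"10.0.2.7"},"error":""}',
    '{"type":"response","auth":{"display_name":"kubernetes-cert-manager-cert-manager","policies":["default","pki-issue"],"metadata":{"role":"cert-manager"}},"request":{"operation":"update","path":"pki_int/issue/client-cert","remote_address":"10.0.1.12"},"error":"permission denied"}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On a live system the same function can be fed with `tail -F /var/log/vault/audit.log`, or run as a filter in the Logstash pipeline behind the socket backend.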
High Availability
# vault-config.hcl
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}
seal "awskms" {
  region     = "eu-central-1"
  kms_key_id = "alias/vault-unseal"
}
api_addr     = "https://vault-0.vault:8200"
cluster_addr = "https://vault-0.vault:8201"
Checklist
| # | Checkpoint | Done |
|---|---|---|
| 1 | Vault installed (HA) | |
| 2 | PKI Engine configured | |
| 3 | Root + Intermediate CA | |
| 4 | Roles defined | |
| 5 | Kubernetes Auth | |
| 6 | Audit logging | |
| 7 | Auto-Unseal configured | |
| 8 | Backup strategy | |
Related documentation
- Azure Key Vault – Azure integration
- AWS KMS – AWS integration
- Kubernetes Cert-Manager – K8s PKI
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 30.01.2026 at 07:23