Skip to content

avoidik/experience-with-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
ci
ci
 
 
consul
consul
 
 
dexidp
dexidp
 
 
ldap
ldap
 
 
ldapadmin
ldapadmin
 
 
ldapssp
ldapssp
 
 
pgsql
pgsql
 
 
tls
tls
 
 
vault
vault
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
ca.sh
ca.sh
 
 
carl.sh
carl.sh
 
 
consul.env
consul.env
 
 
dex.sh
dex.sh
 
 
docker-compose.ci.yaml
docker-compose.ci.yaml
 
 
docker-compose.yaml
docker-compose.yaml
 
 
entity.sh
entity.sh
 
 
init.sh
init.sh
 
 
kv.sh
kv.sh
 
 
ldap_auth.sh
ldap_auth.sh
 
 
ldap_secrets.sh
ldap_secrets.sh
 
 
login_dex.sh
login_dex.sh
 
 
login_dex_public.sh
login_dex_public.sh
 
 
oidc_auth.sh
oidc_auth.sh
 
 
oidc_auth_pol.sh
oidc_auth_pol.sh
 
 
pipeline.task.vars.yml
pipeline.task.vars.yml
 
 
pipeline.task.yml
pipeline.task.yml
 
 
pipeline.yml
pipeline.yml
 
 
pki_auth.sh
pki_auth.sh
 
 
pki_secrets.sh
pki_secrets.sh
 
 
policy.sh
policy.sh
 
 
postgres_roles.sh
postgres_roles.sh
 
 
postgres_secrets.sh
postgres_secrets.sh
 
 
prep.sh
prep.sh
 
 
run.sh
run.sh
 
 
run_ci.sh
run_ci.sh
 
 
stop.sh
stop.sh
 
 
stop_ci.sh
stop_ci.sh
 
 
team.sh
team.sh
 
 
team.yml
team.yml
 
 
unca.sh
unca.sh
 
 
uncarl.sh
uncarl.sh
 
 
unseal.sh
unseal.sh
 
 
vault.env
vault.env
 
 

Repository files navigation

Experiments with Vault

Prerequisites

  • installed VirtualBox
  • docker & docker-machine binaries
  • cfssl & cfssljson binaries
  • vault & consul binaries
  • curl
  • fly

What is this

An ideal playground to play with HashiCorp Vault authenticaion methods, secrets backend, etc.

The following advanced topics covered in this repo:

  • Docker-Machine & Docker-Containers - how to build and run them
  • TLS - how to generate certificates with cfssl and Vault itself, configure TLS communication between components
  • Vault Server, Consul Client, Consul Server, OpenLDAP (with phpLDAPadmin & self-service portal), DEX (with static-client & OpenLDAP) configuration
  • Concourse CI Server and Workers configuration - its credential manager authenticates in Vault authomatically by using PKI certificate, user will be able to use OIDC or LDAP to authenticate
  • OIDC (authenticaion) - using OpenLDAP as a central users directory, roundtrip authentication with OpenLDAP credentials over OIDC
  • Identity (both Groups & Entities) - map LDAP groups to Vault identity backend
  • LDAP (both authenticaion & secrets) - rotate OpenLDAP secrets and authenticate in Vault or Concourse
  • PKI (both authenticaion & secrets) - configure PKI and use it for authentication purposes
  • DB (secrets) - rotate database secrets
  • KV (secrets) - static secrets

How to run

Just follow along from top to bottom:

  1. docker-machine create dex - create test vm
  2. ./ca.sh - generate all required TLS certificates
  3. ./prep.sh - prepare all required docker images (build)
  4. ./run.sh - run test stack on top of test vm
  5. source ./vault.env - inject required environment variables (without token)
  6. ./init.sh - initialize vault
  7. ./unseal.sh - unseal vault
  8. source ./vault.env - inject required environment variables (with token)
  9. ./policy.sh - write policies
  10. ./oidc_auth.sh - configure OIDC authenticaion
  11. ./entity.sh - configure identity groups
  12. ./ldap_auth.sh - configure LDAP authenticaion
  13. ./ldap_secrets.sh - configure LDAP secrets (take a look on dynamically generated credentials for Carl)
  14. ./kv.sh - configure KV secrets

How to test PKI

  1. ./pki_auth.sh - configure PKI authenticaion & login with cfssl generate certificate
  2. ./pki_secrets.sh - configure PKI secrets, generate TLS authenticaion certificate, and login with it (login with Vault generated PKI certificate into Vault)

How to test OIDC and LDAP

  1. source ./vault.env - inject required environment variables
  2. vault login -method=oidc role=oidc-reader - login with OIDC (and LDAP as identities directory)
  3. vault login -method=ldap username=carl - login with LDAP (by using Carl's dynamically generated credentials)

How to start CI

  1. ./run_ci.sh - start Concourse CI server (login via OpenLDAP, OIDC, or static credentials)
  2. ./team.sh - set demo team in Concourse

It will not work without initializing, unsealing and configuring Vault and related authentication services (LDAP, DEX), hence ./run.sh and all associated scripts must be executed before

How to test Postgres

  1. ./postgres_secrets.sh - configure database secrets (Postgres)
  2. ./postgres_roles.sh - configure database roles (Postgres)

How to elevate identity entity

  1. ./carl.sh - an example on how to elevate someone having access to identity backend
  2. ./uncarl.sh - take elevated privileges back

How to read from Consul

  1. source ./consul.env - inject required environment variables
  2. consul kv get -keys -recurse vault/core/ - list consul keys
  3. consul kv get vault/core/lock - read consul key

How to interact with DEX

  1. ./dex.sh - view DEX configuration
  2. ./login_dex.sh - retrieve JWT token from DEX
  3. ./login_dex_public.sh - retrive JWT token from DEX (if Public Client configured)

How to stop

  1. ./stop.sh or ./stop_ci.sh - stop test stack
  2. ./unca.sh - remove all TLS certificates
  3. docker-machine rm -f dex - destroy vm

Special note

Please consider reviewing configuration and processes provided in this repository if you are going to use it, e.g. hardcoded secrets, passwords, etc.

Credits

Found something interesting and want to reuse it in your own project? Please give proper credits to HashiCorp, Concourse CI, Docker-Containers maintainers, OSS authors, and me Viacheslav :-)

About

HashiCorp Vault advanced topics in one place

Topics

docker ldap consul vault openldap secrets pki concourse-ci hashicorp-vault oidc docker-containers cfssl dex tls-certificate dexidp authenticaion

Resources

Readme
Activity

Stars

4 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages