62 lines
1.6 KiB
Markdown
62 lines
1.6 KiB
Markdown
# Hashicorp's Vault Administration
|
|
|
|
A dump of knowledge, commands, and documentations to lookup for troubleshooting
|
|
or setting up
|
|
|
|
## CLI getting started
|
|
|
|
`export VAULT_ADDR='https://c4c.pegasust.com'`
|
|
|
|
`vault login`
|
|
|
|
- Note, the vault will first need to be unsealed
|
|
- The first time we log in as admin, it's probably best to use the
|
|
root token to access.
|
|
|
|
|
|
## Seal/unseal
|
|
|
|
- Vault server begins sealed
|
|
- I generated with 6/10 cluster vault configuration (10 keys & require 6 keys to unseal)
|
|
- These keys can be shared to other admins
|
|
- This means an admin only need 6 keys to unseal the vault when needed
|
|
|
|
## Enabling GitHub auth
|
|
|
|
- First, add our policy:
|
|
|
|
```bash
|
|
vault policy write {POLICY_NAME} {POLICY_FILE}
|
|
```
|
|
- Our deployment's replacements:
|
|
- `{POLICY_NAME}` is `web-app-admin`
|
|
- `{POLICY_FILE}` is `config/hashicorp-policy/web-app-admin.hcl`
|
|
|
|
- Then, we enable GitHub auth and attach `web-app-admin` to our `web-app-dev` team
|
|
|
|
```bash
|
|
vault auth enable github
|
|
vault write auth/github/config organization={GITHUB_ORG}
|
|
vault write auth/github/map/teams/{GITHUB_TEAM} value={VAULT_POLICY}
|
|
```
|
|
|
|
- Our deployment's version replaces:
|
|
- `{GITHUB_ORG}` is `change-for-change`
|
|
- `{GITHUB_TEAM}` is `web-app-dev`
|
|
- `{VAULT_POLICY}` is `web-app-admin`
|
|
|
|
## Updating policy
|
|
|
|
```bash
|
|
vault write sys/policy/{POLICY_NAME} policy=@{POLICY_FILE}
|
|
```
|
|
|
|
- An example is:
|
|
- `{POLICY_NAME}`: `web-app-admin`
|
|
- `{POLICY_FILE}`: `config/hashicorp-policy/web-app-admin.hcl`
|
|
|
|
## Bootstrapping our vault
|
|
|
|
`vault secrets enable -path=secret kv`
|
|
`vault secrets enable -path=secretv2 kv-v2`
|