Page MenuHomeDevCentral
Differential D2638

Deploy policies for Vault
ClosedPublic
Actions

Authored by dereckson on Mar 26 2022, 15:09.
Tags
None
Referenced Files
F7520387: D2638.diff
Mon, Apr 28, 01:39
F7505956: D2638.id6673.diff
Sun, Apr 27, 20:22
F7488300: D2638.diff
Sun, Apr 27, 14:10
Unknown Object (File)
Sun, Apr 27, 06:56
Unknown Object (File)
Sat, Apr 26, 15:10
Unknown Object (File)
Sat, Apr 26, 07:32
Unknown Object (File)
Sat, Apr 26, 03:12
Unknown Object (File)
Fri, Apr 25, 16:11
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T928: Deploy Vault to store credentials
T1425: Provision secrets through Salt
Commits
rOPSaf9db00760be: Deploy policies for Vault
Summary

This change focus to provide a framework to define and deploy policies,
and focus to integrate Salt and Vault.

The Salt primary server has a salt_primary policy to be able
to generate token with specific policies for other nodes.

Nodes receive policy for the exact paths of credentials they need,
as the ops/secrets/ namespace is shared between Salt deployment
and application own needs.

Ref T928, T1425

Test Plan

vault policy list

salt-call vault.read_secret on various nodes, to check they can access theirs
but not others. Salt correctly log in with a permission allowing to create more
tokens with salt-node-* policy, and assign the correct one to each node.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
SeverityLocationCodeMessage
Advice_modules/credentials.py:57F821flake8 F821
Advice_modules/credentials.py:72F821flake8 F821
Advice_modules/credentials.py:84F821flake8 F821
Advice_modules/credentials.py:91F821flake8 F821
Advice_modules/credentials.py:94F821flake8 F821
Advice_modules/credentials.py:113F821flake8 F821
Advice_modules/credentials.py:120F821flake8 F821
Advice_modules/credentials.py:131F821flake8 F821
Advice_states/credentials.py:36F821flake8 F821
Unit
No Test Coverage
Branch
vault-policies
Build Status
Buildable 4143
Build 4395: arc lint + arc unit

Event Timeline

dereckson requested review of this revision.Mar 26 2022, 15:09
dereckson created this revision.
Harbormaster completed remote builds in B4137: Diff 6666.Mar 26 2022, 15:09
dereckson planned changes to this revision.Mar 26 2022, 15:10

We need to implement import_policy to read from salt://, as the file can't be missing on the node if we deploy this for the first time.

dereckson updated this revision to Diff 6672.Mar 27 2022, 17:58

Allow to read policy from salt://

Harbormaster completed remote builds in B4142: Diff 6672.Mar 27 2022, 17:58
dereckson updated this revision to Diff 6673.Mar 28 2022, 17:27

ops/secrets -> ops/data/secrets ; policy in dashes ; give rights to both legacy /sys/policy and new /sys/acl/policies paths

Harbormaster completed remote builds in B4143: Diff 6673.Mar 28 2022, 17:27
dereckson accepted this revision.Apr 3 2022, 10:16
This revision is now accepted and ready to land.Apr 3 2022, 10:16
dereckson edited the test plan for this revision. (Show Details)Apr 3 2022, 10:32
Closed by commit rOPSaf9db00760be: Deploy policies for Vault (authored by dereckson). · Explain WhyApr 3 2022, 10:33
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPSaf9db00760be: Deploy policies for Vault.

Revision Contents
Changeset List

PathSize
_modules/
134 lines
_states/
36 lines
pillar/
credentials/
137 lines
nodes/
3 lines
3 lines
roles/
vault/
3 lines
policies/
files/
69 lines
52 lines

Diff 6673

View Options

_modules/credentials.py

Loading...
View Options

_states/credentials.py

Loading...
View Options

pillar/credentials/vault.sls

Loading...
View Options

pillar/nodes/nodes.sls

Loading...
View Options

pillar/top.sls

Loading...
View Options

roles/vault/init.sls

Loading...
View Options

roles/vault/policies/files/salt-primary.hcl

Loading...
View Options

roles/vault/policies/init.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator