
Deploy policies for Vault
Closed, Public

Authored by dereckson on Mar 26 2022, 15:09.

Details

Summary

This change focuses on providing a framework to define and deploy policies,
and on integrating Salt and Vault.

The Salt primary server has a salt_primary policy to be able
to generate tokens with specific policies for other nodes.

Nodes receive a policy for the exact paths of the credentials they need,
as the ops/secrets/ namespace is shared between the Salt deployment
and the applications' own needs.

Ref T928, T1425

Test Plan

vault policy list

salt-call vault.read_secret on various nodes, to check they can access theirs
but not others. Salt correctly logs in with a permission allowing it to create more
tokens with the salt-node-* policy, and assigns the correct one to each node.
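The Summary describes the policy layout (a salt_primary policy that may manage and mint tokens for salt-node-* policies, and per-node policies on exact secret paths) and the Test Plan checks that each node reads its own secrets and nobody else's. The following is an added example, not code from the rOPS repository: it renders such policies as Vault HCL and runs the Test Plan's isolation check offline against a constructed inventory. Assumed names: policies `salt-primary` and `salt-node-<node>` (dashes, as the update notes), a KV v2 mount `ops` so that the secret `ops/secrets/<x>` is read through the API path `ops/data/secrets/<x>`, and the Vault policy endpoints `sys/policy` (legacy) and `sys/policies/acl` (the current endpoint name). The path matcher and precedence rule are a simplified model of Vault's ACL evaluation, not Vault's own code.

```python
"""Render and check Vault ACL policies for a Salt primary and its nodes.

Added example, not code from the rOPS repository.  Assumptions: policy names
'salt-primary' and 'salt-node-<node>', KV v2 mount 'ops' (ops/secrets/<x> is
read via ops/data/secrets/<x>), and the policy endpoints sys/policy (legacy)
and sys/policies/acl (current).  Requires Python 3.9+.
"""
from __future__ import annotations

Rules = dict[str, list[str]]  # ACL path -> capabilities


def policy_name(name: str) -> str:
    """Policy names use dashes: salt_primary -> salt-primary."""
    return name.replace("_", "-")


def salt_primary_policy() -> Rules:
    """What the Salt primary needs: manage salt-node-* policies and mint tokens."""
    caps = ["create", "read", "update", "delete", "list"]
    return {
        "sys/policy/salt-node-*": caps,              # legacy policy endpoint
        "sys/policies/acl/salt-node-*": caps,        # current policy endpoint
        "auth/token/create": ["create", "update"],   # child tokens for nodes
    }


def salt_node_policy(secrets: list[str], mount: str = "ops") -> Rules:
    """Read-only rules on the exact KV v2 data paths a node needs, nothing wider."""
    return {f"{mount}/data/secrets/{s}": ["read"] for s in secrets}


def render_hcl(rules: Rules) -> str:
    """Serialise rules as Vault policy HCL, ready for `vault policy write`."""
    blocks = []
    for path, caps in rules.items():
        caps_hcl = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{caps_hcl}]\n}}')
    return "\n\n".join(blocks) + "\n"


def path_matches(rule: str, path: str) -> bool:
    """Simplified Vault rule matching: '+' matches one segment, a trailing '*'
    is a prefix glob that may span further segments."""
    rule_parts, path_parts = rule.split("/"), path.split("/")
    for i, part in enumerate(rule_parts):
        if i == len(rule_parts) - 1 and part.endswith("*"):
            return "/".join(path_parts[i:]).startswith(part[:-1])
        if i >= len(path_parts) or (part != "+" and part != path_parts[i]):
            return False
    return len(path_parts) == len(rule_parts)


def allowed(rules: Rules, path: str, capability: str) -> bool:
    """Evaluate one request: the most specific (longest) matching rule wins and an
    explicit deny beats everything else.  An approximation of Vault's precedence."""
    matching = [r for r in rules if path_matches(r, path)]
    if not matching:
        return False
    caps = rules[max(matching, key=len)]
    return "deny" not in caps and capability in caps


def cross_node_leaks(policies: dict[str, Rules], inventory: dict[str, list[str]],
                     mount: str = "ops") -> list[tuple[str, str, str]]:
    """The Test Plan's check, offline: (node, owner, path) for every secret a
    node could read that belongs to another node."""
    leaks = []
    for node, rules in policies.items():
        for owner, secrets in inventory.items():
            if owner == node:
                continue
            for secret in secrets:
                api_path = f"{mount}/data/secrets/{secret}"
                if allowed(rules, api_path, "read"):
                    leaks.append((node, owner, api_path))
    return leaks


# Constructed sample inventory: which secrets each node is entitled to.
INVENTORY = {
    "web1": ["nodes/web1/database", "nodes/web1/tls"],
    "db1": ["nodes/db1/database"],
}


def build_policies(inventory: dict[str, list[str]]) -> dict[str, Rules]:
    """One exact-path policy per node, keyed by node name."""
    return {node: salt_node_policy(secrets) for node, secrets in inventory.items()}


if __name__ == "__main__":
    print(f"# {policy_name('salt_primary')}\n{render_hcl(salt_primary_policy())}")
    policies = build_policies(INVENTORY)
    for node, rules in policies.items():
        print(f"# {policy_name('salt_node_' + node)}\n{render_hcl(rules)}")
    print("leaks with exact paths:", cross_node_leaks(policies, INVENTORY))
    # A too-wide glob is exactly what the exact-path design guards against.
    policies["web1"] = {"ops/data/secrets/nodes/*": ["read"]}
    print("leaks with a glob:", cross_node_leaks(policies, INVENTORY))
```

Running the script prints the rendered HCL for the primary and each node, an empty leak list for the exact-path policies, and one leak once web1's rule is widened to `ops/data/secrets/nodes/*`. The primary's own rules only touch policy names matching `salt-node-*`, so it cannot rewrite `root` or any other policy; the restriction of minted tokens to those policies is left to Vault's token-issuing configuration and is not modelled here.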

Diff Detail

Repository
rOPS Nasqueron Operations

Event Timeline

dereckson created this revision.

We need to implement import_policy to read from salt://, as the file can't be missing on the node if we deploy this for the first time.

Allow to read policy from salt://

ops/secrets -> ops/data/secrets ; policy in dashes ; give rights to both legacy /sys/policy and new /sys/acl/policies paths

This revision is now accepted and ready to land. Apr 3 2022, 10:16
This revision was automatically updated to reflect the committed changes.