Page MenuHomeDevCentral
Differential D2638

Deploy policies for Vault
ClosedPublic
Actions

Authored by dereckson on Mar 26 2022, 15:09.
Tags
None
Referenced Files
F2841614: D2638.id6666.diff
Mon, Apr 22, 23:40
F2841590: D2638.id6691.diff
Mon, Apr 22, 23:37
Unknown Object (File)
Sun, Apr 21, 11:35
Unknown Object (File)
Fri, Apr 19, 09:56
Unknown Object (File)
Fri, Apr 19, 09:03
Unknown Object (File)
Fri, Apr 19, 06:43
Unknown Object (File)
Fri, Apr 19, 06:07
Unknown Object (File)
Thu, Apr 18, 13:25
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T928: Deploy Vault to store credentials
T1425: Provision secrets through Salt
Commits
rOPSaf9db00760be: Deploy policies for Vault
Summary

This change focus to provide a framework to define and deploy policies,
and focus to integrate Salt and Vault.

The Salt primary server has a salt_primary policy to be able
to generate token with specific policies for other nodes.

Nodes receive policy for the exact paths of credentials they need,
as the ops/secrets/ namespace is shared between Salt deployment
and application own needs.

Ref T928, T1425

Test Plan

vault policy list

salt-call vault.read_secret on various nodes, to check they can access theirs
but not others. Salt correctly log in with a permission allowing to create more
tokens with salt-node-* policy, and assign the correct one to each node.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson requested review of this revision.Mar 26 2022, 15:09
dereckson created this revision.
Harbormaster completed remote builds in B4137: Diff 6666.Mar 26 2022, 15:09
dereckson planned changes to this revision.Mar 26 2022, 15:10

We need to implement import_policy to read from salt://, as the file can't be missing on the node if we deploy this for the first time.

dereckson updated this revision to Diff 6672.Mar 27 2022, 17:58

Allow to read policy from salt://

Harbormaster completed remote builds in B4142: Diff 6672.Mar 27 2022, 17:58
dereckson updated this revision to Diff 6673.Mar 28 2022, 17:27

ops/secrets -> ops/data/secrets ; policy in dashes ; give rights to both legacy /sys/policy and new /sys/acl/policies paths

Harbormaster completed remote builds in B4143: Diff 6673.Mar 28 2022, 17:27
dereckson accepted this revision.Apr 3 2022, 10:16
This revision is now accepted and ready to land.Apr 3 2022, 10:16
dereckson edited the test plan for this revision. (Show Details)Apr 3 2022, 10:32
Closed by commit rOPSaf9db00760be: Deploy policies for Vault (authored by dereckson). · Explain WhyApr 3 2022, 10:33
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPSaf9db00760be: Deploy policies for Vault.

Revision Contents
Changeset List

PathSize
_modules/
134 lines
_states/
36 lines
pillar/
credentials/
137 lines
3 lines
roles/
vault/
3 lines
policies/
files/
69 lines
52 lines

Diff 6691

View Options

_modules/credentials.py

Loading...
View Options

_states/credentials.py

Loading...
View Options

pillar/credentials/vault.sls

Loading...
View Options

pillar/top.sls

Loading...
View Options

roles/vault/init.sls

Loading...
View Options

roles/vault/policies/files/salt-primary.hcl

Loading...
View Options

roles/vault/policies/init.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator