Page MenuHomeDevCentral
Differential D2638

Deploy policies for Vault
ClosedPublic
Actions

Authored by dereckson on Mar 26 2022, 15:09.
Tags
None
Referenced Files
F3745284: D2638.diff
Fri, Nov 15, 13:42
Unknown Object (File)
Wed, Nov 13, 07:07
Unknown Object (File)
Mon, Nov 11, 07:27
Unknown Object (File)
Sun, Nov 10, 17:37
Unknown Object (File)
Sun, Nov 10, 16:30
Unknown Object (File)
Sun, Nov 10, 04:28
Unknown Object (File)
Fri, Nov 8, 17:35
Unknown Object (File)
Fri, Nov 8, 15:34
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T928: Deploy Vault to store credentials
T1425: Provision secrets through Salt
Commits
rOPSaf9db00760be: Deploy policies for Vault
Summary

This change focus to provide a framework to define and deploy policies,
and focus to integrate Salt and Vault.

The Salt primary server has a salt_primary policy to be able
to generate token with specific policies for other nodes.

Nodes receive policy for the exact paths of credentials they need,
as the ops/secrets/ namespace is shared between Salt deployment
and application own needs.

Ref T928, T1425

Test Plan

vault policy list

salt-call vault.read_secret on various nodes, to check they can access theirs
but not others. Salt correctly log in with a permission allowing to create more
tokens with salt-node-* policy, and assign the correct one to each node.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Errors
SeverityLocationCodeMessage
Error_modules/credentials.py:12F401flake8 F401
Advice_modules/credentials.py:57F821flake8 F821
Advice_modules/credentials.py:76F821flake8 F821
Advice_modules/credentials.py:83F821flake8 F821
Advice_modules/credentials.py:102F821flake8 F821
Advice_modules/credentials.py:109F821flake8 F821
Advice_modules/credentials.py:120F821flake8 F821
Unit
No Test Coverage
Branch
vault-policies
Build Status
Buildable 4137
Build 4389: arc lint + arc unit

Event Timeline

dereckson requested review of this revision.Mar 26 2022, 15:09
dereckson created this revision.
Harbormaster completed remote builds in B4137: Diff 6666.Mar 26 2022, 15:09
dereckson planned changes to this revision.Mar 26 2022, 15:10

We need to implement import_policy to read from salt://, as the file can't be missing on the node if we deploy this for the first time.

dereckson updated this revision to Diff 6672.Mar 27 2022, 17:58

Allow to read policy from salt://

Harbormaster completed remote builds in B4142: Diff 6672.Mar 27 2022, 17:58
dereckson updated this revision to Diff 6673.Mar 28 2022, 17:27

ops/secrets -> ops/data/secrets ; policy in dashes ; give rights to both legacy /sys/policy and new /sys/acl/policies paths

Harbormaster completed remote builds in B4143: Diff 6673.Mar 28 2022, 17:27
dereckson accepted this revision.Apr 3 2022, 10:16
This revision is now accepted and ready to land.Apr 3 2022, 10:16
dereckson edited the test plan for this revision. (Show Details)Apr 3 2022, 10:32
Closed by commit rOPSaf9db00760be: Deploy policies for Vault (authored by dereckson). · Explain WhyApr 3 2022, 10:33
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPSaf9db00760be: Deploy policies for Vault.

Revision Contents
Changeset List

PathSize
_modules/
123 lines
_states/
37 lines
pillar/
credentials/
113 lines
nodes/
3 lines
3 lines
roles/
vault/
3 lines
policies/
files/
26 lines
52 lines

Diff 6666

View Options

_modules/credentials.py

Loading...
View Options

_states/credentials.py

Loading...
View Options

pillar/credentials/vault.sls

Loading...
View Options

pillar/nodes/nodes.sls

Loading...
View Options

pillar/top.sls

Loading...
View Options

roles/vault/init.sls

Loading...
View Options

roles/vault/policies/files/salt_primary.hcl

Loading...
View Options

roles/vault/policies/init.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator