
Deploy Vault on Eglide
Closed, Resolved (Public)

Description

A lot of secrets are used on Eglide, mainly in two categories:

  • bouncer and gateway account passwords
  • passwords for services like NickServ

Vault would be useful for such cases.

As Eglide is in a different realm ("forest") from nasqueron-infra, there is currently no access to the Complector Vault.

So we can't:

  • use our main Vault from Eglide
  • use our main Vault to auto-unseal the Vault by making the two communicate

But we can:

  • create a service to unseal the Eglide Vault by reading keys in our Vault

So the plan is:

  • deploy Vault on Eglide
  • store unseal keys on Complector Vault
  • write an unseal script

Event Timeline

dereckson triaged this task as Normal priority. May 29 2023, 00:01
dereckson created this task.

Server log

May 29 10:51:24 zonegrey vault[2047948]: ==> Vault server configuration:
May 29 10:51:24 zonegrey vault[2047948]: Api Address: http://127.0.0.1:8200
May 29 10:51:24 zonegrey vault[2047948]: Cgo: disabled
May 29 10:51:24 zonegrey vault[2047948]: Cluster Address: https://127.0.0.1:8201
May 29 10:51:24 zonegrey vault[2047948]: Environment Variables: GODEBUG, HOME, INVOCATION_ID, JOURNAL_STREAM, LANG, LOGNAME, NOTIFY_SOCKET, PATH, USER
May 29 10:51:24 zonegrey vault[2047948]: Go Version: go1.20.3
May 29 10:51:24 zonegrey vault[2047948]: Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
May 29 10:51:24 zonegrey vault[2047948]: Log Level:
May 29 10:51:24 zonegrey vault[2047948]: Mlock: supported: true, enabled: false
May 29 10:51:24 zonegrey vault[2047948]: Recovery Mode: false
May 29 10:51:24 zonegrey vault[2047948]: Storage: raft (HA available)
May 29 10:51:24 zonegrey vault[2047948]: Version: Vault v1.13.2, built 2023-04-25T13:02:50Z
May 29 10:51:24 zonegrey vault[2047948]: Version Sha: b9b773f1628260423e6cc9745531fd903cae853f
May 29 10:51:24 zonegrey vault[2047948]: ==> Vault server started! Log data will stream in below:
May 29 10:51:24 zonegrey vault[2047948]: 2023-05-29T10:51:24.856Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
May 29 10:51:24 zonegrey vault[2047948]: 2023-05-29T10:51:24.876Z [INFO] core: Initializing version history cache for core
May 29 10:51:24 zonegrey systemd[1]: Started "HashiCorp Vault - A tool for managing secrets".

Vault client

On Eglide:

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.13.2
Build Date         2023-04-25T13:02:50Z
Storage Type       raft
HA Enabled         true

Currently on a train, so I'll bootstrap it later when I can have more privacy.

Operator keys will be stored in Complector Vault.

Unseal helper

A script will be prepared to be run from the nasqueron.drake private network by Operations SIG members to ask Complector for keys and use them on Eglide:

Could be as simple as vault kv ... | ssh eglide.org vault operator init
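One possible shape for the unseal step of that helper, as an added example and not the task's own script: it fetches key shares from the Complector Vault and feeds them to the Eglide Vault over ssh until the Shamir threshold is met. The KV path secret/eglide/vault/unseal-keys, the field names key1..keyN and the ssh alias eglide.org are assumptions, as is the vault CLI reading a share from stdin when no key argument is given.

```shell
#!/bin/sh
# Added example (not from the task): unseal the Eglide Vault with key shares
# stored in the Complector Vault, run from the Operations private network.
# Assumptions: shares are KV v2 fields key1..keyN at UNSEAL_KEYS_PATH, the
# Eglide host is reachable as "eglide.org", and `vault operator unseal`
# reads the share from stdin when no key argument is given. Commands are
# indirected through variables so they can be replaced by stubs.
set -eu

: "${COMPLECTOR_VAULT:=vault}"             # local CLI, logged in to Complector
: "${EGLIDE_SSH:=ssh eglide.org}"          # how to reach the Eglide host
: "${UNSEAL_KEYS_PATH:=secret/eglide/vault/unseal-keys}"   # assumed path

# Fetch one key share (field keyN) from the Complector Vault.
read_share() {
    $COMPLECTOR_VAULT kv get -field="key$1" "$UNSEAL_KEYS_PATH"
}

# Extract one scalar field ("sealed", "initialized", "t" = threshold, ...)
# from `vault status -format=json` on Eglide. `vault status` exits 2 while
# sealed, so it is only ever used through this pipe, never bare under set -e.
eglide_status() {
    $EGLIDE_SSH vault status -format=json \
        | sed -n "s/.*\"$1\": *\([^,} ]*\).*/\1/p"
}

# Feed shares over stdin, one at a time, until Vault reports unsealed.
# Shares never appear on the remote command line or in shell history.
# Returns 0 when unsealed, 2 if Vault was never initialised, 1 otherwise.
unseal_eglide() {
    [ "$(eglide_status initialized)" = "true" ] || {
        echo "Eglide Vault is not initialised; run 'vault operator init' first" >&2
        return 2
    }
    threshold=$(eglide_status t)
    i=1
    while [ "$i" -le "$threshold" ]; do
        [ "$(eglide_status sealed)" = "true" ] || break
        read_share "$i" | $EGLIDE_SSH vault operator unseal >/dev/null
        i=$((i + 1))
    done
    [ "$(eglide_status sealed)" = "false" ]
}

# Usage from the Operations network:  . ./unseal-eglide.sh && unseal_eglide
```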