Page MenuHomeDevCentral

Deploy policies for Vault
ClosedPublic

Authored by dereckson on Mar 26 2022, 15:09.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 20, 04:45
Unknown Object (File)
Tue, Dec 17, 22:46
Unknown Object (File)
Tue, Dec 17, 05:37
Unknown Object (File)
Thu, Dec 12, 01:59
Unknown Object (File)
Tue, Dec 10, 11:29
Unknown Object (File)
Mon, Dec 9, 14:15
Unknown Object (File)
Mon, Dec 9, 12:02
Unknown Object (File)
Mon, Dec 9, 11:15
Subscribers
None

Details

Summary

This change focus to provide a framework to define and deploy policies,
and focus to integrate Salt and Vault.

The Salt primary server has a salt_primary policy to be able
to generate token with specific policies for other nodes.

Nodes receive policy for the exact paths of credentials they need,
as the ops/secrets/ namespace is shared between Salt deployment
and application own needs.

Ref T928, T1425

Test Plan

vault policy list

salt-call vault.read_secret on various nodes, to check they can access theirs
but not others. Salt correctly log in with a permission allowing to create more
tokens with salt-node-* policy, and assign the correct one to each node.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
SeverityLocationCodeMessage
Advice_modules/credentials.py:57F821flake8 F821
Advice_modules/credentials.py:72F821flake8 F821
Advice_modules/credentials.py:84F821flake8 F821
Advice_modules/credentials.py:91F821flake8 F821
Advice_modules/credentials.py:94F821flake8 F821
Advice_modules/credentials.py:113F821flake8 F821
Advice_modules/credentials.py:120F821flake8 F821
Advice_modules/credentials.py:131F821flake8 F821
Advice_states/credentials.py:36F821flake8 F821
Unit
No Test Coverage
Branch
vault-policies
Build Status
Buildable 4143
Build 4395: arc lint + arc unit

Event Timeline

dereckson created this revision.

We need to implement import_policy to read from salt://, as the file can't be missing on the node if we deploy this for the first time.

Allow to read policy from salt://

ops/secrets -> ops/data/secrets ; policy in dashes ; give rights to both legacy /sys/policy and new /sys/acl/policies paths

This revision is now accepted and ready to land.Apr 3 2022, 10:16
This revision was automatically updated to reflect the committed changes.