
Deploy policies for Vault
Closed, Public

Authored by dereckson on Mar 26 2022, 15:09.
Tags
None
Subscribers
None

Details

Summary

This change focuses on providing a framework to define and deploy policies,
and on integrating Salt and Vault.

The Salt primary server has a salt_primary policy to be able
to generate tokens with specific policies for other nodes.

Nodes receive a policy for the exact paths of the credentials they need,
as the ops/secrets/ namespace is shared between the Salt deployment
and the applications' own needs.

Ref T928, T1425

Test Plan

vault policy list

Run salt-call vault.read_secret on various nodes, to check they can access theirs
but not others. Salt correctly logs in with a permission allowing it to create more
tokens with the salt-node-* policy, and assigns the correct one to each node.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Severity  Location                     Code  Message
Advice    _modules/credentials.py:57   F821  flake8 F821
Advice    _modules/credentials.py:72   F821  flake8 F821
Advice    _modules/credentials.py:84   F821  flake8 F821
Advice    _modules/credentials.py:91   F821  flake8 F821
Advice    _modules/credentials.py:94   F821  flake8 F821
Advice    _modules/credentials.py:113  F821  flake8 F821
Advice    _modules/credentials.py:120  F821  flake8 F821
Advice    _modules/credentials.py:131  F821  flake8 F821
Advice    _states/credentials.py:36    F821  flake8 F821
Unit
No Test Coverage
Branch
vault-policies
Build Status
Buildable 4143
Build 4395: arc lint + arc unit

Event Timeline

dereckson created this revision.

We need to implement import_policy to read from salt://, as the file can't be missing on the node if we deploy this for the first time.

Allow to read policy from salt://

ops/secrets -> ops/data/secrets ; policy in dashes ; give rights to both legacy /sys/policy and new /sys/acl/policies paths
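One way to express the scheme from the summary and this update (legacy ops/secrets paths rewritten to KV v2 ops/data/secrets paths, dashed salt-node-* policy names, and a salt_primary policy covering both policy endpoints plus token creation) as a generator for the Vault HCL. This is an added example, not the rOPS credentials module: the stanza layout, the token role name salt-node and the allowed_policies_glob restriction on that role are assumptions.

```python
import re

LEGACY_PREFIX = "ops/secrets/"     # namespace shared by Salt and applications
KV2_PREFIX = "ops/data/secrets/"   # KV v2 data path for the same secrets


def kv2_data_path(path: str) -> str:
    """Rewrite a legacy ops/secrets/<name> path to its KV v2 data path."""
    if not path.startswith(LEGACY_PREFIX):
        raise ValueError(f"{path!r} is not under {LEGACY_PREFIX}")
    return KV2_PREFIX + path[len(LEGACY_PREFIX):]


def policy_name(node: str) -> str:
    """Policy names use dashes only: 'db1.example.org' -> 'salt-node-db1-example-org'."""
    return "salt-node-" + re.sub(r"[^a-z0-9]+", "-", node.lower()).strip("-")


def stanza(path: str, capabilities) -> str:
    """Render one HCL path block."""
    caps = ", ".join(f'"{c}"' for c in capabilities)
    return f'path "{path}" {{\n  capabilities = [{caps}]\n}}'


def node_policy(paths) -> str:
    """Read-only on the exact data paths a node needs; nothing else is granted."""
    return "\n\n".join(stanza(kv2_data_path(p), ["read"]) for p in sorted(set(paths))) + "\n"


def salt_primary_policy(token_role: str = "salt-node") -> str:
    """Rights for the Salt primary: manage salt-node-* policies through both the
    legacy sys/policy and the sys/policies/acl endpoints, and mint tokens through a
    token role (assumed name 'salt-node'). That role is expected to pin
    allowed_policies_glob to salt-node-*, so the primary can hand out node policies
    but never attach its own policy to a node token."""
    manage = ["create", "read", "update", "delete"]
    return "\n\n".join([
        stanza("sys/policy/salt-node-*", manage),
        stanza("sys/policies/acl/salt-node-*", manage),
        stanza(f"auth/token/create/{token_role}", ["create", "update"]),
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample: one node needing two credentials.
    print(policy_name("db1.example.org"))
    print(node_policy(["ops/secrets/db1/postgres", "ops/secrets/db1/backup"]))
    print(salt_primary_policy())
```

The rendered text can be written with `vault policy write <name> -` and then checked as in the test plan, by reading a node's own path and a foreign one with its token.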

This revision is now accepted and ready to land. Apr 3 2022, 10:16
This revision was automatically updated to reflect the committed changes.