The purpose of this document is to create a new HashiCorp Vault for secret management services. Secrets are defined as any form of sensitive credentials that need to be tightly controlled and monitored and can be used to unlock sensitive information. Secrets could be in the form of passwords, API keys, SSH keys, RSA tokens, or OTP.
A new secret manager instance must be set up before we start the migration process. We will be using the official HashiCorp Helm chart to install and configure Vault on Kubernetes. To use the chart, Helm must be configured for your Kubernetes cluster (setting up Kubernetes and Helm is outside the scope of this document).
The versions required are:
- Helm 3.0+: This is the earliest version of Helm tested. It may work with earlier versions, but the chart is untested on them.
- Kubernetes 1.14+: This is the earliest version of Kubernetes tested. The chart may work with earlier versions, but it is untested on them.
To install the latest version of this chart, add the HashiCorp Helm repository and run helm install:
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm install vault hashicorp/vault
Please see the many options supported in the values.yaml file. These are also fully documented directly on the Vault website along with more detailed installation instructions.
When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it. Unsealing is the process of obtaining the plaintext master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
# Create unseal key and root token
oc exec -it vault-0 -- /bin/sh
vault operator init -key-shares=1 -key-threshold=1
# Copy unseal key and root token
`Unseal Key 1: xxxxxxxx`
`Initial Root Token: yyyyyyyy`
# Unseal vault
vault operator unseal xxxxxxxx
exit
Use the following steps to enable LDAP access.
# Point the CLI at the server before logging in
export VAULT_ADDR=http://localhost:8200
vault login <token>
vault auth enable ldap
cd /tmp
# policy-admin.hcl
echo 'path "dev/*" { capabilities = ["create", "read", "update", "delete", "list"] }' > policy-admin.hcl
echo 'path "prod/*" { capabilities = ["create", "read", "update", "delete", "list"] }' >> policy-admin.hcl
# policy-developer.hcl
echo 'path "dev/*" { capabilities = ["create", "read", "update", "delete", "list"] }' > policy-developer.hcl
# Write policies
vault policy write admin policy-admin.hcl
vault policy write developer policy-developer.hcl
vault write auth/ldap/config \
  url="ldap://<domain>:<port>" \
  userattr=sAMAccountName \
  binddn="<binddn>" \
  bindpass="<bindpass>" \
  userdn="<userdn>" \
  groupfilter="(&(objectClass=group)(member:={{.UserDN}}))" \
  groupattr="cn" \
  groupdn="<groupdn>"
# Assign policies
vault write auth/ldap/groups/AD_Group_Admin_Users policies=admin
vault write auth/ldap/groups/AD_Group_Developer_Users policies=developer
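The LDAP steps above collected into one re-runnable script, as an added example (not the page's or HashiCorp's own code). It assumes VAULT_ADDR and VAULT_TOKEN are already exported and that LDAP_URL, LDAP_BINDDN, LDAP_BINDPASS, LDAP_USERDN and LDAP_GROUPDN are placeholders for your directory's values; the bind password is read from the environment instead of being typed into the shell history, and the script checks the result after writing it.

```shell
#!/usr/bin/env sh
# Added example: scripted LDAP auth setup for Vault.
# Assumes VAULT_ADDR and VAULT_TOKEN are exported and the LDAP_* variables
# below are placeholders filled with your directory's values.
set -eu

# Render a Vault policy granting full CRUD+list on each path prefix given.
# Usage: render_policy dev prod   (HCL on stdout, one path block per prefix)
render_policy() {
  for prefix in "$@"; do
    printf 'path "%s/*" {\n  capabilities = ["create", "read", "update", "delete", "list"]\n}\n' "$prefix"
  done
}

# Enable the ldap auth method only if it is not already mounted (re-runnable).
enable_ldap_once() {
  if vault auth list -format=json | grep -q '"ldap/"'; then
    echo "ldap auth method already enabled"
  else
    vault auth enable ldap
  fi
}

main() {
  enable_ldap_once
  # '-' makes 'vault policy write' read the policy from stdin
  render_policy dev prod | vault policy write admin -
  render_policy dev      | vault policy write developer -
  vault write auth/ldap/config \
    url="$LDAP_URL" userattr=sAMAccountName \
    binddn="$LDAP_BINDDN" bindpass="$LDAP_BINDPASS" \
    userdn="$LDAP_USERDN" groupdn="$LDAP_GROUPDN" groupattr=cn \
    groupfilter="(&(objectClass=group)(member:={{.UserDN}}))"
  vault write auth/ldap/groups/AD_Group_Admin_Users policies=admin
  vault write auth/ldap/groups/AD_Group_Developer_Users policies=developer
  # Verify: both policies exist and the developer group maps to 'developer'
  vault policy read admin >/dev/null
  vault policy read developer >/dev/null
  vault read -field=policies auth/ldap/groups/AD_Group_Developer_Users | grep -q developer
}

# Run only when the vault CLI is present; the functions stay usable when sourced.
if command -v vault >/dev/null 2>&1; then main; fi
```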
See the separate page for the step-by-step process to test/practise the migration from the old Vault to the new Vault in an OpenShift 4.6 playground.
See the separate page for the step-by-step process to back up and restore secrets.