richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4355 Commits
29 Branches
80 Tags
156 MiB
Tree: 4a10dca7d4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4a10dca7d4'
${ noResults }
kubespray/contrib/vault/vault.md

98 lines
4.0 KiB
Raw Normal View History

Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
5 years ago
Vault security hardening and role isolation
7 years ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
5 years ago
Vault security hardening and role isolation
7 years ago
fix a typo
6 years ago
Vault security hardening and role isolation
7 years ago
rename almost all mentions of kargo
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Revert "Fix #4237: update kube cert path (#4354)" (#4369) This reverts commit ea7a6f1cf1d95732d8305d0ca8da0da8a0050e3d. This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters.
5 years ago
Vault security hardening and role isolation
7 years ago
Remove Vault (#3684) * Remove Vault * Remove reference to 'kargo' in the doc * change check order
5 years ago
Vault security hardening and role isolation
7 years ago
  1. # /!\ The vault role have been retired from the main playbook.
  2. # This role probably requires a LOT of changes in order to work again
  4. Hashicorp Vault Role
  5. ====================
  7. Overview
  8. --------
  10. The Vault role is a two-step process:
  12. 1. Bootstrap
  14. You cannot start your certificate management service securely with SSL (and
  15. the datastore behind it) without having the certificates in-hand already. This
  16. presents an unfortunate chicken and egg scenario, with one requiring the other.
  17. To solve for this, the Bootstrap step was added.
  19. This step spins up a temporary instance of Vault to issue certificates for
  20. Vault itself. It then leaves the temporary instance running, so that the Etcd
  21. role can generate certs for itself as well. Eventually, this may be improved
  22. to allow alternate backends (such as Consul), but currently the tasks are
  23. hardcoded to only create a Vault role for Etcd.
  25. 2. Cluster
  27. This step is where the long-term Vault cluster is started and configured. Its
  28. first task, is to stop any temporary instances of Vault, to free the port for
  29. the long-term. At the end of this task, the entire Vault cluster should be up
  30. and ready to go.
  32. Keys to the Kingdom
  33. -------------------
  35. The two most important security pieces of Vault are the ``root_token``
  36. and ``unsealing_keys``. Both of these values are given exactly once, during
  37. the initialization of the Vault cluster. For convenience, they are saved
  38. to the ``vault_secret_dir`` (default: /etc/vault/secrets) of every host in the
  39. vault group.
  41. It is *highly* recommended that these secrets are removed from the servers after
  42. your cluster has been deployed, and kept in a safe location of your choosing.
  43. Naturally, the seriousness of the situation depends on what you're doing with
  44. your Kubespray cluster, but with these secrets, an attacker will have the ability
  45. to authenticate to almost everything in Kubernetes and decode all private
  46. (HTTPS) traffic on your network signed by Vault certificates.
  48. For even greater security, you may want to remove and store elsewhere any
  49. CA keys generated as well (e.g. /etc/vault/ssl/ca-key.pem).
  51. Vault by default encrypts all traffic to and from the datastore backend, all
  52. resting data, and uses TLS for its TCP listener. It is recommended that you
  53. do not change the Vault config to disable TLS, unless you absolutely have to.
  55. Usage
  56. -----
  58. To get the Vault role running, you must to do two things at a minimum:
  60. 1. Assign the ``vault`` group to at least 1 node in your inventory
  61. 1. Change ``cert_management`` to be ``vault`` instead of ``script``
  63. Nothing else is required, but customization is possible. Check
  64. ``roles/vault/defaults/main.yml`` for the different variables that can be
  65. overridden, most common being ``vault_config``, ``vault_port``, and
  66. ``vault_deployment_type``.
  68. As a result of the Vault role will be create separated Root CA for `etcd`,
  69. `kubernetes` and `vault`. Also, if you intend to use a Root or Intermediate CA
  70. generated elsewhere, you'll need to copy the certificate and key to the hosts in the vault group prior to running the vault role. By default, they'll be located at:
  72. * vault:
  73. * ``/etc/vault/ssl/ca.pem``
  74. * ``/etc/vault/ssl/ca-key.pem``
  75. * etcd:
  76. * ``/etc/ssl/etcd/ssl/ca.pem``
  77. * ``/etc/ssl/etcd/ssl/ca-key.pem``
  78. * kubernetes:
  79. * ``/etc/kubernetes/ssl/ca.pem``
  80. * ``/etc/kubernetes/ssl/ca-key.pem``
  82. Additional Notes:
  84. - ``groups.vault|first`` is considered the source of truth for Vault variables
  85. - ``vault_leader_url`` is used as pointer for the current running Vault
  86. - Each service should have its own role and credentials. Currently those
  87. credentials are saved to ``/etc/vault/roles/<role>/``. The service will
  88. need to read in those credentials, if they want to interact with Vault.
  90. Potential Work
  91. --------------
  93. - Change the Vault role to not run certain tasks when ``root_token`` and
  94. ``unseal_keys`` are not present. Alternatively, allow user input for these
  95. values when missing.
  96. - Add the ability to start temp Vault with Host, Rkt, or Docker
  97. - Add a dynamic way to change out the backend role creation during Bootstrap,
  98. so other services can be used (such as Consul)