Operations grimoire/Vault: Difference between revisions

Vault

In July 2016, we selected Vault to store credentials.

kv engine

The kv engine contains the following paths:

 * ops/secrets: credentials like passwords, API tokens, private keys deployed to servers - a reference for machines
 * ops/internal: credentials to third-party services internally shared amongst ops - a reference for humans
 * ops/privacy: privacy information

Secrets

Secrets are directly and manually managed in Vault. If we need to run a disaster recovery procedure, we'll roll any secret by defining them again and deploy from rOPS those new secrets.

Privacy data

Personal identity information (PII) shared inside the Nasqueron Operations squad are more convenient to manage as a repository.

Such access to the repository is restricted to commit data, and ensure this data is deployed to the servers needing it. Any other use isn't allowed.

Information to the repository is then published in Vault, and referred in rOPS as Vault credentials.

Note: The ops/privacy path is only intended for PII of current or previous members of the Ops SIG, like IP addresses allowed to connect to restricted resources like the ops VPN. This is not acceptable to put 3rd party information in this repository.

Salt configuration

The information in the ops/secrets and ops/privacy kv engines are integrated in the Salt pillar:

ext_pillar:
  # Credentials to deploy to servers
  - vault:
       conf: path=ops/secrets
       nesting_key: credentials

  # Personal identity information from Nasqueron Operations SIG members
  - vault:
       conf: path=ops/privacy
       nesting_key: privacy

You can then access to this information in Salt states using the following references:

The ops/internal paths aren't accessible through Vault.

Current status

• Secrets in pillar/credentials/zr.sls have been migrated to Vault under ops/secets/<key>