Operations grimoire/Eglide/Vault: Difference between revisions

From Nasqueron Agora
mNo edit summary
No edit summary
Line 13: Line 13:


From [[Operations grimoire/Vault]] we can generate those elements from Complector Vault (working on Complector or WindRiver).
From [[Operations grimoire/Vault]] we can generate those elements from Complector Vault (working on Complector or WindRiver).
The certificate common name MUST be a subdomain of *.nasqueron.drake, so we use <machine name>.eglide.nasqueron.drake:
    vault write -format=json pki_vault/issue/nasqueron-drake common_name=zonegrey.eglide.nasqueron.drake ttl=2160h ip_sans=127.0.0.1,10.197.126.53
The output needs to be dispatched in several files:
* .data.certificate to certificate.pem
* .data.issuing_ca to ca.pem (that will be used for the fullchain)
* .data.private_key to private.key (careful how you replace the \n, if you use Python REPL, do it on Complector and get rid of the history with import readline ; readline.clear_history())
* the fullchan bundle can be created with <code>cat certificate.pem ca.pem > fullchain.pem</code>

Revision as of 10:15, 29 May 2023

Vault on the shellserver role is installed through HashiCorp repository package.

States are located in rOPS: roles/shellserver/vault unit. This unit is needed as Eglide isn't connected to our private network and so doesn't have access to Complector directly.

Certificates

Vault certificates should be generated in /etc/certificates/vault

If we use the Nasqueron Vault CA for this, Vault client should use certificate from /usr/local/share/ca-certificates/nasqueron-vault-ca.crt like on any other server. The certificates_update_store state in rOPS: roles/core/certificates includes that certificate in /etc/ssl/certs as debian:nasqueron-vault-ca.pem.

Vault server wants two files to do TLS termination:

  • /etc/certificates/vault/private.key
  • /etc/certificates/vault/fullchain.pem

From Operations grimoire/Vault we can generate those elements from Complector Vault (working on Complector or WindRiver).

The certificate common name MUST be a subdomain of *.nasqueron.drake, so we use <machine name>.eglide.nasqueron.drake:

   vault write -format=json pki_vault/issue/nasqueron-drake common_name=zonegrey.eglide.nasqueron.drake ttl=2160h ip_sans=127.0.0.1,10.197.126.53

The output needs to be dispatched in several files:

  • .data.certificate to certificate.pem
  • .data.issuing_ca to ca.pem (that will be used for the fullchain)
  • .data.private_key to private.key (careful how you replace the \n, if you use Python REPL, do it on Complector and get rid of the history with import readline ; readline.clear_history())
  • the fullchan bundle can be created with cat certificate.pem ca.pem > fullchain.pem