Operations grimoire/Eglide/Vault: Difference between revisions
No edit summary |
No edit summary |
||
| Line 7: | Line 7: | ||
The package generate auto-signing keys and a out-of-the-box configuration in /etc/vault.d that needs to be removed by our unit, if the package is reinstalled, there is a risk those files are respawned again. | The package generate auto-signing keys and a out-of-the-box configuration in /etc/vault.d that needs to be removed by our unit, if the package is reinstalled, there is a risk those files are respawned again. | ||
Also, the package populates a systemd service to read /etc/vault.d/vault.hcl so it also needs to be replaced by our one, or by overrides. | |||
In any case, run <code>salt-call --local roles/shellserver/vault/config</code> to restore a correct configuration state. | |||
== Certificates == | == Certificates == | ||
Revision as of 10:41, 29 May 2023
Vault on the shellserver role is installed through HashiCorp repository package.
States are located in rOPS: roles/shellserver/vault unit. This unit is needed as Eglide isn't connected to our private network and so doesn't have access to Complector directly.
Configuration
Configuration is stored in /etc/vault.hcl as it's a Debian machine, not in /usr/local/etc
The package generate auto-signing keys and a out-of-the-box configuration in /etc/vault.d that needs to be removed by our unit, if the package is reinstalled, there is a risk those files are respawned again.
Also, the package populates a systemd service to read /etc/vault.d/vault.hcl so it also needs to be replaced by our one, or by overrides.
In any case, run salt-call --local roles/shellserver/vault/config to restore a correct configuration state.
Certificates
Vault certificates should be generated in /etc/certificates/vault
If we use the Nasqueron Vault CA for this, Vault client should use certificate from /usr/local/share/ca-certificates/nasqueron-vault-ca.crt like on any other server. The certificates_update_store state in rOPS: roles/core/certificates includes that certificate in /etc/ssl/certs as debian:nasqueron-vault-ca.pem.
Vault server wants two files to do TLS termination:
- /etc/certificates/vault/private.key
- /etc/certificates/vault/fullchain.pem
From Operations grimoire/Vault we can generate those elements from Complector Vault (working on Complector or WindRiver).
The certificate common name MUST be a subdomain of *.nasqueron.drake, so we use <machine name>.eglide.nasqueron.drake:
vault write -format=json pki_vault/issue/nasqueron-drake common_name=zonegrey.eglide.nasqueron.drake ttl=2160h ip_sans=127.0.0.1,10.197.126.53
The output needs to be dispatched in several files:
- .data.certificate to certificate.pem
- .data.issuing_ca to ca.pem (that will be used for the fullchain)
- .data.private_key to private.key (careful how you replace the \n, if you use Python REPL, do it on Complector and get rid of the history with import readline ; readline.clear_history()) -> chmod 400
- the fullchan bundle can be created with
cat certificate.pem ca.pem > fullchain.pem
You can then restart Vault with systemctl restart vault.
Troubleshoot
Certificates
Certificate MUST has a 127.0.0.1 IP SAN:
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
That could simply by the symptom Vault uses the self-signed certificate in /etc/vault.d
