From 15877ad0ff27ccfb3774ce9ac887aeff966004b8 Mon Sep 17 00:00:00 2001 From: Joaquin Menchaca Date: Tue, 20 Apr 2021 11:36:19 -0700 Subject: [PATCH] minor corrections for vault contrib --- contrib/config/vault/docker/README.md | 64 ++++++++++++------- .../vault/docker/dgraph_alpha_config.yaml | 2 +- .../docker/vault/payload_alpha_secrets.json | 2 +- 3 files changed, 43 insertions(+), 25 deletions(-) diff --git a/contrib/config/vault/docker/README.md b/contrib/config/vault/docker/README.md index 129e544ac67..3d399693bfe 100644 --- a/contrib/config/vault/docker/README.md +++ b/contrib/config/vault/docker/README.md @@ -22,7 +22,7 @@ Steps using `bind_secret_id`: 11. [Verify secrets access using app persona](#Step-11-verify-secrets-access-using-app-persona) 12. [Launch Dgraph](#Step-12-launch-Dgraph) -Alternative Steps using `bound_cidr_list` (see [Using Hashicorp Vault CIDR List for Authentication](#Using-hashicorp-vault-cidr-list-for-authentication)): +Alternative Steps using `bound_cidr_list` (see [Using HashiCorp Vault CIDR List for Authentication](#Using-hashicorp-vault-cidr-list-for-authentication)): 1. [Configure Dgraph and Vault Versions](#Step-1-configure-dgraph-and-vault-versions) 2. [Launch unsealed Vault server](#Step-2-launch-unsealed-Vault-server) 
@@ -46,16 +46,16 @@ Alternative Steps using `bound_cidr_list` (see [Using Hashicorp Vault CIDR List ## Steps -This configures an app role that requires log in with `role-id` and `secret-id` to login. This is the default role setting where `bind_seccret_id` is enabled. +This configures an app role that requires log in with `role-id` and `secret-id` to login. This is the default role setting where `bind_secret_id` is enabled. ### Step 1: Configure Dgraph and Vault Versions ```bash -export DGRAPH_VERSION="v21.03" # default is 'latest' -export VAULT_VERSION="1.7.0" # default is 'latest' +export DGRAPH_VERSION="v21.03.0" # default is 'latest' +export VAULT_VERSION="1.7.0" # default is 'latest' ``` -**NOTE**: This guide has been tested with Hashicorp Vault version `1.6.3` and `1.7.0`. +**NOTE**: This guide has been tested with HashiCorp Vault version `1.6.3` and `1.7.0`. ### Step 2: Launch unsealed Vault server @@ -78,9 +78,6 @@ Using the root token copied from `vault operator init`, we can enable these feat ```bash export VAULT_ROOT_TOKEN="" -``` - -```bash export VAULT_ADDRESS="127.0.0.1:8200" curl --silent \ @@ -102,7 +99,8 @@ curl --silent \ ## convert policies to json format cat < ./vault/policy_admin.json { - "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' -e 's/"/\\"/g' vault/policy_admin.hcl)" + "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' \ + -e 's/"/\\"/g' vault/policy_admin.hcl)" } EOF @@ -126,7 +124,11 @@ curl --silent \ curl --silent \ --header "X-Vault-Token: $VAULT_ROOT_TOKEN" \ --request POST \ - --data '{ "token_policies": "admin", "token_ttl": "1h", "token_max_ttl": "4h" }' \ + --data '{ + "token_policies": "admin", + "token_ttl": "1h", + "token_max_ttl": "4h" +}' \ http://$VAULT_ADDRESS/v1/auth/approle/role/admin ## verify the role 
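Review bot: The `sed` pipeline on the new `"policy":` lines only escapes newlines and double quotes, so a backslash, tab or other control character in `vault/policy_admin.hcl` would yield invalid JSON or a silently altered policy string. `jq` is already required by this guide, and `jq -Rs '{policy: .}' vault/policy_admin.hcl > ./vault/policy_admin.json` performs correct JSON string escaping and replaces the whole heredoc. As rendered here, `cat < ./vault/policy_admin.json` looks like a heredoc whose `<<EOF >` redirection was lost in rendering, so the command in the source file may differ from what is shown and is worth confirming. The same construction is repeated for `policy_dgraph.hcl` further down and would take the same replacement.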
@@ -154,7 +156,10 @@ VAULT_ADMIN_SECRET_ID=$(curl --silent \ export VAULT_ADMIN_TOKEN=$(curl --silent \ --request POST \ - --data "{ \"role_id\": \"$VAULT_ADMIN_ROLE_ID\", \"secret_id\": \"$VAULT_ADMIN_SECRET_ID\" }" \ + --data "{ + \"role_id\": \"$VAULT_ADMIN_ROLE_ID\", + \"secret_id\": \"$VAULT_ADMIN_SECRET_ID\" +}" \ http://$VAULT_ADDRESS/v1/auth/approle/login | jq -r '.auth.client_token' ) ``` @@ -165,7 +170,8 @@ export VAULT_ADMIN_TOKEN=$(curl --silent \ ## convert policies to json format cat < ./vault/policy_dgraph.json { - "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' -e 's/"/\\"/g' vault/policy_dgraph.hcl)" + "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' \ + -e 's/"/\\"/g' vault/policy_dgraph.hcl)" } EOF @@ -190,7 +196,11 @@ curl --silent \ curl --silent \ --header "X-Vault-Token: $VAULT_ADMIN_TOKEN" \ --request POST \ - --data '{ "token_policies": "dgraph", "token_ttl": "1h", "token_max_ttl": "4h" }' \ + --data '{ + "token_policies": "dgraph", + "token_ttl": "1h", + "token_max_ttl": "4h" +}' \ http://$VAULT_ADDRESS/v1/auth/approle/role/dgraph ## verify the role @@ -211,7 +221,7 @@ curl --silent \ http://$VAULT_ADDRESS/v1/secret/data/dgraph/alpha | jq ``` -**NOTE**: When updating K/V Version 2 secrets, be sure to increment the `options.cas` value to increase the version. For example, if updating the `enc_key` value to 32-bits, you would update `./vault/payload_alpha.secrests.json` to look like the following: +**NOTE**: When updating K/V Version 2 secrets, be sure to increment the `options.cas` value to increase the version. For example, if updating the `enc_key` value to 32-bits, you would update `./vault/payload_alpha_secrets.json` to look like the following: ```json { "options": { @@ -219,7 +229,7 @@ curl --silent \ }, "data": { "enc_key": "12345678901234567890123456789012", - "hmac_secret_file": "12345678901234567890123456789012" + "hmac_secret": "12345678901234567890123456789012" } } ``` 
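Review bot: The corrected NOTE still says `32-bits` where the 32-character `enc_key` shown below it is 32 bytes (256 bits); 32 bits would be a four-character key, which is not a valid AES key length (16, 24 or 32 bytes). Suggest `For example, if updating the `enc_key` value to 32 bytes (AES-256), ...`. The `12345678901234567890123456789012` values here and in `payload_alpha_secrets.json` are predictable demo secrets that readers tend to copy verbatim; a one-line caveat to generate real values from a CSPRNG, e.g. `openssl rand -hex 16` for a 32-character string, would help since `enc_format`/`acl_format` are `raw` and the string is used as-is.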
@@ -240,7 +250,10 @@ VAULT_DGRAPH_SECRET_ID=$(curl --silent \ export VAULT_DGRAPH_TOKEN=$(curl --silent \ --request POST \ - --data "{ \"role_id\": \"$VAULT_DGRAPH_ROLE_ID\", \"secret_id\": \"$VAULT_DGRAPH_SECRET_ID\" }" \ + --data "{ + \"role_id\": \"$VAULT_DGRAPH_ROLE_ID\", + \"secret_id\": \"$VAULT_DGRAPH_SECRET_ID\" +}" \ http://$VAULT_ADDRESS/v1/auth/approle/login | jq -r '.auth.client_token' ) ``` @@ -274,9 +287,9 @@ You can verify encryption features are enabled with: curl localhost:8080/health | jq -r '.[].ee_features | .[]' | sed 's/^/* /' ``` -## Using Hashicorp Vault CIDR List for Authentication +## Using HashiCorp Vault CIDR List for Authentication -As an alternative, you can restrict access to a limited range of IP addresses and disable the requirement for a `secret-id`. In this scenario, we will set `bind_seccret_id` to `false`, and supply a list of IP addresses ranges for the `bound_cidr_list` key. +As an alternative, you can restrict access to a limited range of IP addresses and disable the requirement for a `secret-id`. In this scenario, we will set `bind_seccret_id` to `false`, and supply a list of IP address ranges for the `bound_cidr_list` key. Only two steps will need to be changed, but otherwise the other steps are the same: @@ -288,11 +301,16 @@ curl --silent \ --header "X-Vault-Token: $VAULT_ADMIN_TOKEN" \ --request POST \ --data '{ -"token_policies": "dgraph", -"token_ttl": "1h", -"token_max_ttl": "4h", -"bind_secret_id": false, -"bound_cidr_list": ["10.0.0.0/8","172.0.0.0/8","192.168.0.0/16", "127.0.0.1/32"] + "token_policies": "dgraph", + "token_ttl": "1h", + "token_max_ttl": "4h", + "bind_secret_id": false, + "bound_cidr_list": [ + "10.0.0.0/8", + "172.0.0.0/8", + "192.168.0.0/16", + "127.0.0.1/32" + ] }' \ http://$VAULT_ADDRESS/v1/auth/approle/role/dgraph diff --git a/contrib/config/vault/docker/dgraph_alpha_config.yaml b/contrib/config/vault/docker/dgraph_alpha_config.yaml index 13d40f4111e..4cdd42038cf 100644 
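Review bot: The rewritten sentence in the CIDR section still contains the `bind_seccret_id` typo that this commit fixes at line 49 of the same file; the key name should read `bind_secret_id`, matching the JSON field used in the curl body that follows. Suggest `In this scenario, we will set `bind_secret_id` to `false`, and supply a list of IP address ranges for the `bound_cidr_list` key.`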
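Review bot: `172.0.0.0/8` in the reformatted `bound_cidr_list` is much wider than the RFC 1918 private block, which is `172.16.0.0/12`; with `bind_secret_id` set to `false` the role-id alone is sufficient to log in from any address in this list, so the public space inside 172.0.0.0/8 (172.0.0.0–172.15.255.255 and 172.32.0.0–172.255.255.255) would be accepted too. Suggest `"172.16.0.0/12",` in place of `"172.0.0.0/8",`. Even corrected, the list admits every RFC 1918 address plus loopback, which is fine for a single-host docker demo but readers adapting this for shared networks should narrow it to the Dgraph alpha's subnet; a sentence to that effect above the snippet would help. Since the Vault API is addressed over plain `http://` throughout, the role-id and resulting tokens also travel in cleartext, which is worth stating alongside that caveat.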
--- a/contrib/config/vault/docker/dgraph_alpha_config.yaml +++ b/contrib/config/vault/docker/dgraph_alpha_config.yaml @@ -1,6 +1,6 @@ vault: addr: http://vault:8200 - acl_field: hmac_secret_file + acl_field: hmac_secret acl_format: raw enc_field: enc_key enc_format: raw diff --git a/contrib/config/vault/docker/vault/payload_alpha_secrets.json b/contrib/config/vault/docker/vault/payload_alpha_secrets.json index 6e63066de25..b579520c9bc 100644 --- a/contrib/config/vault/docker/vault/payload_alpha_secrets.json +++ b/contrib/config/vault/docker/vault/payload_alpha_secrets.json @@ -4,6 +4,6 @@ }, "data": { "enc_key": "1234567890123456", - "hmac_secret_file": "12345678901234567890123456789012" + "hmac_secret": "12345678901234567890123456789012" } }