CD: automate vault bootstrapping #57

Closed
17 tasks done
noahehall opened this issue Dec 21, 2022 · 0 comments
Comments

noahehall commented Dec 21, 2022

C

  • there are a number of bootstrapping steps that need to occur for each env on a green deployment
  • bootstrapping vault for a particular env should include configuring vault to match the status quo
  • vault bootstrapping and deployments should be immutable

T

  • automate each step taken to get it back to a working state
    • root token semi-automation
      • restore vault to a blank state
      • pgp key(s) and root token creation
      • vault initialization and unsealing
      • admin token & policy creation
    • admin token automation
      • policy: create all policies in policy dir
      • token: create all tokens in token dir
      • features: enable all features in enable_feature dir
        • tested on kv1, kv2, database, and approle
      • secrets engines configuration
        • [ ] kv1: kv1 has no configuration
        • kv2
        • postgres-database-plugin
          • update postgres user-init-file to create user specifically for vault
          • create postgres config
          • rotate vault user creds
          • create 3 roles: readonly, readwrite, readstatic
      • auth schemes configuration
    • update docs
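The admin-token part of the checklist above (policies from a policy dir, tokens from a token dir, features from an enable_feature dir, then the postgres database engine with its config, credential rotation and roles) written as a directory-driven, re-runnable bootstrap. This is an added example, not code from the project: the directory layout, the file names, the contents of SAMPLE_TREE and the apply() function that reads VAULT_ADDR and VAULT_TOKEN are all assumptions. It generalises the checklist to any number of policies, mounts, connections and roles, and handles the ordering trap in it: pushing a database config a second time after rotate-root would overwrite the rotated password with the stale bootstrap one, so the plan skips an existing config (and its rotation) on re-run.

```python
"""Directory-driven Vault bootstrap: plan the API calls, then apply them.
Added example, not the project's code; the tree layout (policies/<n>.hcl,
enable_feature/<n>.json, tokens/<n>.json, database/config/<c>.json,
database/roles/<r>.json) and SAMPLE_TREE are assumptions modelled on the issue.
"""
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Step:
    method: str
    path: str                        # Vault API path without the /v1/ prefix
    payload: dict = field(default_factory=dict)
    tolerate_existing: bool = False  # re-run may answer 400 "path is already in use"
    precheck: str = ""               # skip the step when GET <precheck> succeeds
    requires: str = ""               # skip the step when the step at this path was skipped

def read_tree(root):
    # Load every file below root into {relative/posix/path: text}
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8") as fh:
                tree[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return tree

def _json_under(tree, prefix):
    # Yield (stem, parsed) for each prefix/<stem>.json, sorted so the plan is stable
    for rel in sorted(tree):
        rest = rel[len(prefix):]
        if rel.startswith(prefix) and rest.endswith(".json") and "/" not in rest:
            yield rest[:-5], json.loads(tree[rel])

def plan_bootstrap(tree):
    """Ordered, re-runnable API calls: policies -> mounts -> database -> tokens."""
    steps = []
    for rel in sorted(tree):                                  # policies first: tokens name them
        if rel.startswith("policies/") and rel.endswith(".hcl"):
            steps.append(Step("PUT", f"sys/policies/acl/{rel[9:-4]}", {"policy": tree[rel]}))
    for stem, spec in _json_under(tree, "enable_feature/"):  # kv1, kv2, database, approle, ...
        base = "sys/auth" if spec.get("kind") == "auth" else "sys/mounts"
        body = {k: v for k, v in spec.items() if k not in ("path", "kind")}
        steps.append(Step("POST", f"{base}/{spec.get('path', stem)}", body, tolerate_existing=True))
    for stem, spec in _json_under(tree, "database/config/"):
        cfg = f"database/config/{stem}"   # after rotate-root only Vault knows the password,
        steps.append(Step("POST", cfg, spec, precheck=cfg))   # so never re-push an existing config
        steps.append(Step("POST", f"database/rotate-root/{stem}", requires=cfg))
    for stem, spec in _json_under(tree, "database/roles/"):   # roles reference db_name above
        steps.append(Step("POST", f"database/roles/{stem}", spec))
    for _, spec in _json_under(tree, "tokens/"):              # last: every policy now exists
        steps.append(Step("POST", "auth/token/create", spec))
    return steps

def _request(addr, token, method, path, payload=None):
    # One Vault HTTP call; a GET answering 404 returns None, other errors raise HTTPError
    req = urllib.request.Request(f"{addr}/v1/{path}", method=method,
                                 data=None if payload is None else json.dumps(payload).encode(),
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if method == "GET" and err.code == 404:
            return None
        raise

def apply(steps, addr=None, token=None):
    """Run the plan against a live Vault with an admin token (not root); returns (status, path) pairs."""
    addr, token = addr or os.environ["VAULT_ADDR"], token or os.environ["VAULT_TOKEN"]
    skipped, log = set(), []
    for s in steps:
        if s.requires in skipped or (s.precheck and _request(addr, token, "GET", s.precheck) is not None):
            skipped.add(s.path)
            log.append(("skip", s.path))
            continue
        try:
            _request(addr, token, s.method, s.path, s.payload)
            log.append(("ok", s.path))
        except urllib.error.HTTPError as err:
            if not (s.tolerate_existing and err.code == 400 and b"already in use" in err.read()):
                raise
            log.append(("exists", s.path))
    return log

SAMPLE_TREE = {  # constructed sample, not from the project
    "policies/readonly.hcl": 'path "kv2/data/app/*" { capabilities = ["read"] }\n',
    "enable_feature/kv2.json": json.dumps({"path": "kv2", "type": "kv", "options": {"version": "2"}}),
    "enable_feature/database.json": json.dumps({"type": "database"}),
    "enable_feature/approle.json": json.dumps({"kind": "auth", "type": "approle"}),
    "database/config/postgres.json": json.dumps({
        "plugin_name": "postgresql-database-plugin", "allowed_roles": ["readonly"],
        "connection_url": "postgresql://{{username}}:{{password}}@postgres:5432/app?sslmode=require",
        "username": "vault", "password": "bootstrap-only-placeholder"}),
    "database/roles/readonly.json": json.dumps({"db_name": "postgres", "default_ttl": "1h", "creation_statements": [
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; "
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"]}),
    "tokens/ci.json": json.dumps({"policies": ["readonly"], "ttl": "8h", "renewable": False}),
}
```

Usage is `apply(plan_bootstrap(read_tree("vault-config")))` with an admin token in the environment; `plan_bootstrap(SAMPLE_TREE)` shows the call order offline without a server. The root-token phase (restore, PGP keys, init, unseal) is deliberately outside this script, and the token step is the one that is not idempotent: every run mints a new token, which is why the checklist's AppRole mount is the better long-term path for services.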

A

Any valid GitHub access token with the read:org scope for any user belonging to the Vault-configured organization can be used for authentication. If such a token is stolen from a third party service, and the attacker is able to make network calls to Vault, they will be able to log in as the user that generated the access token.

@noahehall noahehall changed the title CD: move vault policies to a distinct policy dir and setup script to push to vault server CD: move vault policies to a distinct policy dir and setup script to force on each container start Dec 21, 2022
@noahehall noahehall changed the title CD: move vault policies to a distinct policy dir and setup script to force on each container start CD: move vault policies to a distinct policy dir and setup script to loop and write on each container start Dec 21, 2022
@noahehall noahehall changed the title CD: move vault policies to a distinct policy dir and setup script to loop and write on each container start CD: automate vault bootstrapping Dec 23, 2022
@noahehall noahehall reopened this Dec 26, 2022
Projects
Status: DEPLOYED