Check the contents of override-values.yaml
# Enter the access_key and secret_key of user_vault.
# Enter the key id of the vault-auto-unseal KMS key.
seal "awskms" {
region = "ap-northeast-2"
access_key = "<user_vault access_key>"
secret_key = "<user_vault secret_key>"
kms_key_id = "<aws kms vault-auto-unseal key id>"
}
Install the vault server
helm install vault-server -n dsk-middle -f override-values.yaml .
Check that the vault server pod was created
kubectl get pods -n dsk-middle
Initialize the vault server
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator init
The key values printed by the command above must be saved to a file and kept safely.
They are needed to unseal the vault server, to log in to the UI, and so on.
Unseal the vault server. Any 3 of the 5 unseal keys are required.
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
Enter an unseal key
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
Enter an unseal key
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
Enter an unseal key
Log in to the vault server
kubectl exec -it -n dsk-middle vault-server-0 -- vault login
Enter the Initial Root Token
Enable a vault secrets engine. Engine used: kv (key-value), version 2
kubectl exec -it -n dsk-middle vault-server-0 -- vault secrets enable -version=2 -path=tls kv
Check that the secrets engine is enabled
kubectl exec -it -n dsk-middle vault-server-0 -- vault secrets list
Enable approle
kubectl exec -it -n dsk-middle vault-server-0 -- vault auth enable approle
Check that approle is enabled
kubectl exec -it -n dsk-middle vault-server-0 -- vault auth list
Create a policy (sets the permissions for accessing the secrets)
kubectl exec -it -n dsk-middle vault-server-0 -- vault policy write datasaker -<<EOF
path "tls/data/client" {
capabilities = [ "read", "list" ]
}
path "tls/data/server" {
capabilities = [ "read", "list" ]
}
EOF
Check the policy list
kubectl exec -it -n dsk-middle vault-server-0 -- vault policy list
Check the policy details
kubectl exec -it -n dsk-middle vault-server-0 -- vault policy read datasaker
Create a role
kubectl exec -it -n dsk-middle vault-server-0 -- vault write auth/approle/role/datasaker token_policies="datasaker" token_ttl=12h token_max_ttl=24h
Check that the role was created
kubectl exec -it -n dsk-middle vault-server-0 -- vault list auth/approle/role
Check the role details
kubectl exec -it -n dsk-middle vault-server-0 -- vault read auth/approle/role/datasaker
Obtain the role's role-id
kubectl exec -it -n dsk-middle vault-server-0 -- vault read auth/approle/role/datasaker/role-id
Obtain the role's secret-id
kubectl exec -it -n dsk-middle vault-server-0 -- vault write -force auth/approle/role/datasaker/secret-id
Store the role-id and secret-id in the volume that the vault agent reads.
The vault agent uses them to obtain a token.
Generate the TLS keys
Run /tls/generator.sh
Check the generated TLS data
kubectl exec -it -n dsk-middle vault-server-0 -- vault kv get -mount=tls client
kubectl exec -it -n dsk-middle vault-server-0 -- vault kv get -mount=tls server
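The policy written above grants "read" and "list" on tls/data/client and tls/data/server, while the CLI addresses the same secrets as "-mount=tls client"; KV v2 inserts a hidden data/ (or, for listing, metadata/) segment between the two. The following offline check, an added example that is not part of this runbook or of Vault, embeds the runbook's policy and evaluates which kv commands it actually permits for the datasaker role; the parser and matching rules are a simplified model (exact match, trailing "*" glob, longest rule wins, "deny" refuses).

```python
import re

# The policy written by the runbook, embedded here as constructed sample input.
POLICY_HCL = '''
path "tls/data/client" {
  capabilities = [ "read", "list" ]
}
path "tls/data/server" {
  capabilities = [ "read", "list" ]
}
'''

def parse_policy(hcl):
    """Return {path: set(capabilities)}; a minimal regex parser for path blocks like the above."""
    rules = {}
    pattern = r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]'
    for path, caps in re.findall(pattern, hcl):
        rules[path] = set(re.findall(r'"([^"]+)"', caps))
    return rules

def kv2_api_path(mount, key, op):
    """KV v2 hides a segment: 'kv get/put' hit <mount>/data/<key>, 'kv list' hits <mount>/metadata/<key>."""
    prefix = "metadata" if op == "list" else "data"
    return f"{mount}/{prefix}/{key}"

def path_matches(rule, path):
    """Vault policy paths match exactly or, with a trailing '*', as a prefix glob."""
    return path.startswith(rule[:-1]) if rule.endswith("*") else rule == path

def is_allowed(rules, path, capability):
    """Vault applies the longest matching rule; anything unmatched, or marked deny, is refused."""
    matches = [r for r in rules if path_matches(r, path)]
    if not matches:
        return False
    caps = rules[max(matches, key=len)]
    return "deny" not in caps and capability in caps

def check_runbook_commands():
    """Evaluate the runbook's kv commands, plus a few the policy does not grant."""
    rules = parse_policy(POLICY_HCL)
    cases = {
        "vault kv get -mount=tls client": ("tls", "client", "read"),
        "vault kv get -mount=tls server": ("tls", "server", "read"),
        "vault kv get -mount=tls other": ("tls", "other", "read"),
        "vault kv put -mount=tls client": ("tls", "client", "update"),
        "vault kv list -mount=tls": ("tls", "", "list"),
    }
    return {cmd: is_allowed(rules, kv2_api_path(m, k, op), op)
            for cmd, (m, k, op) in cases.items()}
```

The result shows that the two kv get commands above are permitted while writes, other keys and listing are refused; the "list" capability on tls/data/... is never exercised, because kv list is checked against tls/metadata/.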