External Vault - cniackz/public GitHub Wiki

Objective:

Test an external Vault instance as the KMS backend for KES.

Pre-Step:

  1. Have your Vault configuration file (config.hcl) ready. In this case the listener binds a public IP on a port that is open on the server; tls_disable = 1 means the listener serves plain HTTP, which is why every endpoint below uses http://.
listener "tcp" {
  address     = "64.71.151.78:8200"
  tls_disable = 1
}

Steps:

  1. Have Vault running externally in the Intel cluster by following the steps from: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install
export VAULT_ADDR='http://64.71.151.78:8200'
vault server -dev -config=config.hcl
  2. Get the root token from the server logs:
Root Token: hvs.qeLxlJBPYFEWUdRWeX5Jkmuo
  3. Enable the approle auth method:
VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault auth enable approle

Expected:

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault auth enable approle
Success! Enabled approle auth method at: approle/
  4. Enable the kv secrets engine:
VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault secrets enable kv

Expected:

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault secrets enable kv
Success! Enabled the kv secrets engine at: kv/
  5. Copy the KES policy file from the MinIO Operator repository:
cd ~
git clone https://github.com/minio/operator.git
sudo cp ~/operator/examples/vault/kes-policy.hcl /kes-policy.hcl
  6. Upload the policy:
VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault policy write kes-policy /kes-policy.hcl

Expected:

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault policy write kes-policy /kes-policy.hcl
Success! Uploaded policy: kes-policy
  7. Create the kes-role (token_num_uses=0 and secret_id_num_uses=0 mean unlimited uses, period=5m gives the tokens a 5 minute renewal period, and kes-policy is attached):
VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy

Expected:

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy
Success! Data written to: auth/approle/role/kes-role
  8. Get the Role ID:
VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault read auth/approle/role/kes-role/role-id
ROLE_ID=ce535eeb-397a-75ca-9dff-659a491e0ad1

Expected:

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault read auth/approle/role/kes-role/role-id
Key        Value
---        -----
role_id    ce535eeb-397a-75ca-9dff-659a491e0ad1
  9. Get the Secret ID:
VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault write -f auth/approle/role/kes-role/secret-id
SECRET_ID=e7bb3fba-cc3c-7e8b-3908-dff731f6a37e

Expected:

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.qeLxlJBPYFEWUdRWeX5Jkmuo' VAULT_ADDR="http://127.0.0.1:8200" vault write -f auth/approle/role/kes-role/secret-id
Key                   Value
---                   -----
secret_id             e7bb3fba-cc3c-7e8b-3908-dff731f6a37e
secret_id_accessor    a94751fe-5143-ad07-86ea-459fc0766edb
secret_id_num_uses    0
secret_id_ttl         0s
  10. When enabling encryption in the Operator UI, enter these values:
KMS: Vault
Endpoint: http://64.71.151.78:8200
Prefix: my-minio

AppRole ID: the role_id read from Vault above:

====================================
$ echo $ROLE_ID
ce535eeb-397a-75ca-9dff-659a491e0ad1
====================================

AppRole Secret: likewise the secret_id generated in Vault above:

====================================
$ echo $SECRET_ID
e7bb3fba-cc3c-7e8b-3908-dff731f6a37e
====================================

Replicas: 1

Run As User: 1000
Run As Group: 1000
FsGroup: 1000
Do not run as root: true
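The same setup plus a credential check, as an added example that is not part of this wiki page or of the MinIO/Vault projects: it replays the CLI steps above through Vault's HTTP API (the sys/auth/approle, sys/mounts/kv, sys/policies/acl and auth/approle/role paths behind the vault commands), then logs in with the resulting role_id/secret_id the way KES does and confirms the token actually carries kes-policy with the 5m period (a 300 s lease) before those two values go into the Operator form. The fake_vault transport, the endpoint, the policy text and all tokens and ids are constructed placeholders; pass http_transport and the real address to run it against a live server.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport performs one Vault API call: (method, url, token, json_body) -> parsed JSON.
Transport = Callable[[str, str, Optional[str], Optional[dict]], dict]


def http_transport(method: str, url: str, token: Optional[str], body: Optional[dict]) -> dict:
    """Real transport: one HTTP request against a live Vault, token in X-Vault-Token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 No Content -> {}


def setup_requests(policy_hcl: str, role: str = "kes-role", policy: str = "kes-policy",
                   period: str = "5m") -> List[Tuple[str, str, Optional[dict]]]:
    """The CLI steps from the page expressed as (method, API path, body)."""
    return [
        ("POST", "/v1/sys/auth/approle", {"type": "approle"}),              # vault auth enable approle
        ("POST", "/v1/sys/mounts/kv", {"type": "kv"}),                      # vault secrets enable kv
        ("PUT", f"/v1/sys/policies/acl/{policy}", {"policy": policy_hcl}),  # vault policy write
        ("POST", f"/v1/auth/approle/role/{role}",                           # vault write auth/approle/role/...
         {"token_num_uses": 0, "secret_id_num_uses": 0, "period": period, "policies": policy}),
        ("GET", f"/v1/auth/approle/role/{role}/role-id", None),             # vault read .../role-id
        ("POST", f"/v1/auth/approle/role/{role}/secret-id", {}),            # vault write -f .../secret-id
    ]


def provision(endpoint: str, root_token: str, policy_hcl: str,
              transport: Transport = http_transport) -> Tuple[str, str]:
    """Run the setup and return (role_id, secret_id), the two values the Operator form needs."""
    role_id = secret_id = None
    for method, path, body in setup_requests(policy_hcl):
        resp = transport(method, endpoint + path, root_token, body)
        if resp.get("errors"):
            raise RuntimeError(f"{method} {path} failed: {resp['errors']}")
        data = resp.get("data") or {}
        role_id = data.get("role_id", role_id)
        secret_id = data.get("secret_id", secret_id)
    if not (role_id and secret_id):
        raise RuntimeError("Vault did not return role_id/secret_id")
    return role_id, secret_id


def approle_login_check(endpoint: str, role_id: str, secret_id: str,
                        transport: Transport = http_transport,
                        policy: str = "kes-policy", period_s: int = 300) -> Dict[str, Any]:
    """Log in as KES would and report whether the token matches the role configured above."""
    resp = transport("POST", endpoint + "/v1/auth/approle/login", None,
                     {"role_id": role_id, "secret_id": secret_id})
    auth = resp.get("auth") or {}
    return {
        "policy_attached": policy in auth.get("policies", []),
        "period_ok": auth.get("lease_duration") == period_s,  # period=5m -> 300 s renewable leases
        "renewable": bool(auth.get("renewable")),
        "errors": resp.get("errors", []),
    }


# --- constructed stand-in for a Vault server so the script runs offline ---------------------
FAKE_ROOT_TOKEN = "hvs.ROOT-TOKEN-PLACEHOLDER"          # placeholder, not a real token
FAKE_ROLE_ID = "00000000-ROLE-ID-PLACEHOLDER"           # placeholder
FAKE_SECRET_ID = "00000000-SECRET-ID-PLACEHOLDER"       # placeholder


def fake_vault(method: str, url: str, token: Optional[str], body: Optional[dict]) -> dict:
    """Answers the calls above the way Vault does; rejects bad root tokens and bad secret_ids."""
    path = url.split("/v1", 1)[1]
    if path.endswith("/approle/login"):
        if (body or {}).get("secret_id") != FAKE_SECRET_ID:
            return {"errors": ["invalid secret id"]}
        return {"auth": {"client_token": "hvs.CLIENT-TOKEN-PLACEHOLDER", "renewable": True,
                         "policies": ["default", "kes-policy"], "lease_duration": 300}}
    if token != FAKE_ROOT_TOKEN:
        return {"errors": ["permission denied"]}
    if path.endswith("/role-id"):
        return {"data": {"role_id": FAKE_ROLE_ID}}
    if path.endswith("/secret-id"):
        return {"data": {"secret_id": FAKE_SECRET_ID, "secret_id_num_uses": 0}}
    return {}  # mounts, policy and role writes answer 204 No Content


if __name__ == "__main__":
    endpoint = "http://VAULT-HOST:8200"  # placeholder; the page uses http://64.71.151.78:8200
    rid, sid = provision(endpoint, FAKE_ROOT_TOKEN, "# kes-policy.hcl contents", transport=fake_vault)
    print("AppRole ID:", rid, "\nAppRole Secret:", sid)
    print(approle_login_check(endpoint, rid, sid, transport=fake_vault))
```

A login whose result shows policy_attached false or period_ok false means the Operator form will be filled with credentials KES cannot use as intended; fixing the role in Vault first saves a failed tenant deployment.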

Example with the public IP (the same steps run directly against http://64.71.151.78:8200, with a fresh root token):

minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault auth enable approle
Success! Enabled approle auth method at: approle/
minio@minio-k8s17:~$ vi config.hcl
minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault secrets enable kv
Success! Enabled the kv secrets engine at: kv/
minio@minio-k8s17:~$ sudo cp ~/operator/examples/vault/kes-policy.hcl /kes-policy.hcl
minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault policy write kes-policy /kes-policy.hcl
Success! Uploaded policy: kes-policy
minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault write auth/approle/role/kes-role token_num_uses=0 secret_id_num_uses=0 period=5m policies=kes-policy
Success! Data written to: auth/approle/role/kes-role
minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault read auth/approle/role/kes-role/role-id
Key        Value
---        -----
role_id    376d2e09-cfe8-941f-0284-1ff07bb16828
minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault read auth/approle/role/kes-role/role-id
Key        Value
---        -----
role_id    376d2e09-cfe8-941f-0284-1ff07bb16828
minio@minio-k8s17:~$ VAULT_TOKEN='hvs.FndFLoHNnIVNhkmUsbYKgUAI' VAULT_ADDR="http://64.71.151.78:8200" vault write -f auth/approle/role/kes-role/secret-id
Key                   Value
---                   -----
secret_id             665dfa85-fa86-0040-eb6f-feb59ecf5762
secret_id_accessor    ecd165fd-0046-0bee-5b21-cf3a4b31c0ec
secret_id_num_uses    0
secret_id_ttl         0s