Skip to content

Latest commit

 

History

History
152 lines (115 loc) · 7.62 KB

File metadata and controls

152 lines (115 loc) · 7.62 KB

Vault Management

This repository facilitates the setup of an existing Vault cluster using the Vault provider.

  1. Configuring an Approle: Learn what is an approle and how to set them up by reading this.

  2. Configure cert-manager: In order to easily provision certificates in Kubernetes you should consider reading this documentation

  3. Backup and Restore: Implement a backup strategy. Follow this guide: Backup and Restore.

✅ Requirements

  1. Cluster Creation: Start by following the cluster creation instructions available here.

  2. Required Files: Ensure you have these files, generated in the previous step:

    • intermediate-ca.pem
    • root-ca.pem
    • root-ca-key.pem

      ⚠️ Important: The root-ca-key.pem file is highly sensitive. Securely store it and delete it immediately after use.

🚀 Getting Started

  1. Vault Authentication:

    • Authenticate to the Vault instance using the root token:

      export VAULT_TOKEN=<token>
      export VAULT_SKIP_VERIFY=true
      export VAULT_ADDR=https://bao.priv.cloud.ogenki.io:8200
    • ℹ️ Note: This guide does not include setting up an authentication system. It's recommended to use an identity provider instead of the root token for routine operations. Ensure the root token is securely stored.

  2. Enable PKI and Set TTL:

    • Activate the PKI (Public Key Infrastructure) secrets engine and set the maximum Time To Live (TTL) to 10 years:

      bao secrets enable pki
      bao secrets tune -max-lease-ttl=315360000 pki
  3. Build and Import the Full Chain Bundle:

    • Create the bundle and import it into Vault:

      cd terraform/openbao/management
      cat .tls/intermediate-ca.pem .tls/root-ca.pem .tls/intermediate-ca-key.pem > .tls/bundle.pem
      bao write pki/config/ca [email protected]/bundle.pem
  4. Prepare variables.tfvars File:

    • Example configuration:

      domain_name      = "priv.cloud.ogenki.io"
      pki_country      = "France"
      pki_organization = "Ogenki"
      pki_domains = [
        "cluster.local",
        "priv.cloud.ogenki.io"
      ]
      
      tags = {
        project = "cloud-native-ref"
        owner   = "Smana"
      }
  5. Execute OpentofuCommands:

    • Initialize and apply the Opentofu configuration:

      tofu init
      tofu apply -var-file variables.tfvars
  6. Test by Generating a Certificate:

    • Generate a certificate and verify it:

      bao write -format=json pki_private_issuer/issue/pki_private_issuer common_name="foobar.priv.cloud.ogenki.io" ttl="720h" > data.json
      jq -r '.data.ca_chain[]' data.json > bao_ca_chain.pem
      jq -r '.data.certificate' data.json > foobar-cert.pem
      openssl verify -CAfile bao_ca_chain.pem foobar-cert.pem

      The output should confirm foobar-cert.pem: OK.

      And clean these test files

      rm data.json bao_ca_chain.pem foobar-cert.pem

Requirements

Name Version
terraform ~> 1.4
aws ~> 5.0
vault ~> 4.0

Providers

Name Version
vault ~> 4.0

Modules

No modules.

Resources

Name Type
vault_approle_auth_backend_role.cert_manager resource
vault_approle_auth_backend_role.snapshot resource
vault_auth_backend.approle resource
vault_mount.secret resource
vault_mount.this resource
vault_pki_secret_backend_intermediate_cert_request.this resource
vault_pki_secret_backend_intermediate_set_signed.this resource
vault_pki_secret_backend_issuer.this resource
vault_pki_secret_backend_key.this resource
vault_pki_secret_backend_role.this resource
vault_pki_secret_backend_root_sign_intermediate.this resource
vault_policy.admin resource
vault_policy.cert_manager resource
vault_policy.snapshot resource

Inputs

Name Description Type Default Required
allowed_cidr_blocks List of CIDR blocks allowed to reach Vault's API list(string)
[
"10.0.0.0/16"
]
no
domain_name The domain name for which the certificate should be issued string n/a yes
openbao_domain_name Vault domain name (default: bao.<domain_name>) string "" no
pki_common_name Common name to identify the Vault issuer string "Private PKI - Vault Issuer" no
pki_country The country name used for generating certificates string n/a yes
pki_domains List of domain names that can be used within the certificates list(string)
[
"cluster.local"
]
no
pki_key_bits The number of bits of generated keys number 256 no
pki_key_type The generated key type string "ec" no
pki_max_lease_ttl Maximum TTL (in seconds) that can be requested for certificates (default 3 years) number 94670856 no
pki_mount_path Vault Issuer PKI mount path string "pki_private_issuer" no
pki_organization The organization name used for generating certificates string n/a yes

Outputs

No outputs.