
Getting Started with HashiCorp Vault

HashiCorp Vault is an enterprise-grade secrets management tool. Any mention of Vault has to start with its creator, HashiCorp. HashiCorp is a company focused on the DevOps toolchain; its flagship products include Vagrant, Packer, Terraform, Consul and Nomad, and together with Vault these tools cover the whole continuous delivery pipeline.

[image]

Why use HashiCorp Vault?

Enterprises need to store all kinds of secrets securely, for example SSH keys, API credentials and database credentials.

Advantages of HashiCorp Vault

As a centralized secrets management tool, HashiCorp Vault has the following characteristics:

  • Secret storage
    It can not only hold existing secrets but also dynamically generate secrets for managing third-party resources. All stored data is encrypted, and every dynamically generated secret has a lease and is automatically revoked when the lease expires.
  • Key rolling
    Users can update stored secrets at any time. Vault offers encryption as a service (encryption-as-a-service), letting you roll a key to a new version while retaining the ability to decrypt values encrypted with earlier key versions. For dynamically generated secrets, a configurable maximum lease lifetime makes key rolling easy to enforce.
  • Audit logging
    Vault records detailed audit logs of every authenticated client interaction: authentication, token creation, secret access, secret revocation, and so on. Audit logs can be sent to multiple backends to ensure redundant copies.

In addition, HashiCorp Vault offers several ways to manage secrets. Applications can retrieve secrets through the command line or the HTTP API, and Vault integrates cleanly with DevOps tools such as Ansible, Chef and Consul.

HashiCorp Vault hands-on

[root@node01 ~]# wget https://releases.hashicorp.com/vault/1.4.0/vault_1.4.0_linux_arm64.zip
[root@node01 ~]# unzip vault_1.4.0_linux_arm64.zip
[root@node01 ~]# install vault /usr/local/bin/

[root@node01 ~]# vault server -dev-listen-address=0.0.0.0:8200 --dev
==> Vault server configuration:

Api Address: http://0.0.0.0:8200
Cgo: disabled
Cluster Address: https://0.0.0.0:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.4.0

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

$ export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: t8B6LCmjcX4mc2cx5XDjzLkYzd1ZSX1Fn3rkq3p50P4=
Root Token: s.yOXkEpKd27M5eYRC1Knv3T6D

Development mode should NOT be used in production installations!

==> Vault server started! Log data will stream in below:

2020-04-11T10:55:49.813+0800 [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
2020-04-11T10:55:49.813+0800 [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-04-11T10:55:49.813+0800 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-04-11T10:55:49.813+0800 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-04-11T10:55:49.813+0800 [INFO] core: security barrier not initialized
2020-04-11T10:55:49.813+0800 [INFO] core: security barrier initialized: stored=1 shares=1 threshold=1
2020-04-11T10:55:49.814+0800 [INFO] core: post-unseal setup starting
2020-04-11T10:55:49.824+0800 [INFO] core: loaded wrapping token key
2020-04-11T10:55:49.824+0800 [INFO] core: successfully setup plugin catalog: plugin-directory=
2020-04-11T10:55:49.824+0800 [INFO] core: no mounts; adding default mount table
2020-04-11T10:55:49.825+0800 [INFO] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2020-04-11T10:55:49.825+0800 [INFO] core: successfully mounted backend: type=system path=sys/
2020-04-11T10:55:49.826+0800 [INFO] core: successfully mounted backend: type=identity path=identity/
2020-04-11T10:55:49.827+0800 [INFO] core: successfully enabled credential backend: type=token path=token/
2020-04-11T10:55:49.827+0800 [INFO] core: restoring leases
2020-04-11T10:55:49.827+0800 [INFO] rollback: starting rollback manager
2020-04-11T10:55:49.828+0800 [INFO] expiration: lease restore complete
2020-04-11T10:55:49.831+0800 [INFO] identity: entities restored
2020-04-11T10:55:49.831+0800 [INFO] identity: groups restored
2020-04-11T10:55:49.831+0800 [INFO] core: post-unseal setup complete
2020-04-11T10:55:49.832+0800 [INFO] core: root token generated
2020-04-11T10:55:49.832+0800 [INFO] core: pre-seal teardown starting
2020-04-11T10:55:49.832+0800 [INFO] rollback: stopping rollback manager
2020-04-11T10:55:49.832+0800 [INFO] core: pre-seal teardown complete
2020-04-11T10:55:49.832+0800 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-04-11T10:55:49.832+0800 [INFO] core.cluster-listener.tcp: starting listener: listener_address=0.0.0.0:8201
2020-04-11T10:55:49.832+0800 [INFO] core.cluster-listener: serving cluster requests: cluster_listen_address=[::]:8201
2020-04-11T10:55:49.832+0800 [INFO] core: post-unseal setup starting
2020-04-11T10:55:49.832+0800 [INFO] core: loaded wrapping token key
2020-04-11T10:55:49.832+0800 [INFO] core: successfully setup plugin catalog: plugin-directory=
2020-04-11T10:55:49.832+0800 [INFO] core: successfully mounted backend: type=system path=sys/
2020-04-11T10:55:49.833+0800 [INFO] core: successfully mounted backend: type=identity path=identity/
2020-04-11T10:55:49.833+0800 [INFO] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2020-04-11T10:55:49.833+0800 [INFO] core: successfully enabled credential backend: type=token path=token/
2020-04-11T10:55:49.833+0800 [INFO] core: restoring leases
2020-04-11T10:55:49.833+0800 [INFO] rollback: starting rollback manager
2020-04-11T10:55:49.833+0800 [INFO] identity: entities restored
2020-04-11T10:55:49.833+0800 [INFO] identity: groups restored
2020-04-11T10:55:49.833+0800 [INFO] core: post-unseal setup complete
2020-04-11T10:55:49.833+0800 [INFO] core: vault is unsealed
2020-04-11T10:55:49.835+0800 [INFO] core: successful mount: namespace= path=secret/ type=kv
2020-04-11T10:55:49.836+0800 [INFO] expiration: lease restore complete
2020-04-11T10:55:49.836+0800 [INFO] secrets.kv.kv_bb6143ab: collecting keys to upgrade
2020-04-11T10:55:49.836+0800 [INFO] secrets.kv.kv_bb6143ab: done collecting keys: num_keys=1
2020-04-11T10:55:49.836+0800 [INFO] secrets.kv.kv_bb6143ab: upgrading keys finished

Once it is running, check the server status:

[root@node01 ~]# vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.4.0
Cluster Name vault-cluster-7a108e78
Cluster ID 87b55947-d512-6a0f-a6ab-91e89ea3f4f9
HA Enabled false
[root@node01 ~]# vault auth list
Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_d4a43357 token based credentials
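The `vault status` output above is what an operator eyeballs; a monitoring job wants the same facts in machine-readable form. The following is an added example (not part of the original post and not Vault's own code) that parses the JSON printed by `vault status -format=json` and flags the conditions the dev-mode warning calls out: a single unseal key (1 share, threshold 1), in-memory storage, and a plaintext `VAULT_ADDR`. The sample JSON is constructed from the values shown on this page; the `storage_type` field is treated as optional because older releases may omit it.

```python
"""Sanity checks over `vault status -format=json` output.

Added example, not Vault's own code. The constructed sample mirrors the
dev server shown on this page: 1 share, threshold 1, in-memory storage.
"""
import json

# Constructed sample of `vault status -format=json` for the dev server above.
SAMPLE_STATUS = """{
  "type": "shamir",
  "initialized": true,
  "sealed": false,
  "t": 1,
  "n": 1,
  "progress": 0,
  "version": "1.4.0",
  "cluster_name": "vault-cluster-7a108e78",
  "cluster_id": "87b55947-d512-6a0f-a6ab-91e89ea3f4f9",
  "storage_type": "inmem"
}"""


def parse_status(raw: str) -> dict:
    """Parse the JSON document `vault status -format=json` prints.

    `t` is the unseal threshold and `n` the total number of key shares.
    """
    status = json.loads(raw)
    for field in ("initialized", "sealed", "t", "n"):
        if field not in status:
            raise ValueError(f"missing field in vault status: {field}")
    return status


def assess_status(status: dict, vault_addr: str) -> list:
    """Return findings a production deployment should not have.

    Each finding is a short string; an empty list means nothing to report.
    """
    findings = []
    if not status["initialized"]:
        findings.append("not initialized: no barrier keys exist yet")
    if status["sealed"]:
        findings.append("sealed: secrets are unreachable until unsealed")
    if status["n"] == 1 and status["t"] == 1:
        # Exactly the dev-mode configuration printed above: one key, no sharing.
        findings.append("single unseal key (n=1, t=1): dev mode or no key sharing")
    if status.get("storage_type") == "inmem":
        findings.append("in-memory storage: all data is lost on restart")
    if vault_addr.startswith("http://"):
        findings.append("VAULT_ADDR uses plain HTTP: tokens travel unencrypted")
    return findings


if __name__ == "__main__":
    # Same address the dev server told us to export above.
    for finding in assess_status(parse_status(SAMPLE_STATUS), "http://0.0.0.0:8200"):
        print("WARN:", finding)
```

In a real job you would feed it `subprocess.run(["vault", "status", "-format=json"], ...)` output (Vault exits non-zero when sealed, so check stdout regardless of the exit code) and page on any non-empty result.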

The web UI

Login address: http://{ip}:8200/ui/
[image]
At startup a root token is generated (it changes on every start); use that token to log in. Vault supports many mainstream authentication methods and you can add others as needed; I tested with OpenLDAP.
[image]
Supported secrets engines
[image]
That is all the UI offers; many operations still depend on the command line.

Enabling OpenLDAP authentication

vault auth enable ldap

vault write auth/ldap/config \
url="ldap://master-ldap.xxx.com:389" \
userdn="cn=Users,dc=xxx,dc=com" \
groupfilter="(&(objectClass=person)(uid={{.Username}}))" \
groupattr="memberOf" \
binddn="cn=admin,dc=xxx,dc=com" \
bindpass='xxx' \
insecure_tls=false \
starttls=false
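The `{{.Username}}` in `groupfilter` is a Go template placeholder; Vault's LDAP auth method documents two context variables for it, `{{.Username}}` and `{{.UserDN}}`. The pattern used above, where the filter matches the user's own entry and `groupattr="memberOf"` reads the group list from it, only works if the value substituted into the filter cannot change the filter's structure. As an added example (not part of the original post and not Vault's own code), the block below renders the page's filter and Vault's documented default filter for a given user, escaping the substituted values per RFC 4515 so characters such as `*`, `(` and `)` in a username are matched literally. The user DN and usernames are constructed values.

```python
"""Render the Go-template placeholders used in Vault's LDAP auth filters.

Added illustration, not Vault's own code. Vault documents two context
variables for `groupfilter`: {{.Username}} and {{.UserDN}}. Escaping follows
RFC 4515 so a substituted value cannot alter the filter's structure.
"""

# Characters that carry meaning inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for literal use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str, userdn: str) -> str:
    """Substitute {{.Username}} and {{.UserDN}}, escaping both values."""
    return (
        template.replace("{{.Username}}", escape_filter_value(username))
        .replace("{{.UserDN}}", escape_filter_value(userdn))
    )


# The groupfilter from the config on this page, and Vault's documented default.
PAGE_GROUPFILTER = "(&(objectClass=person)(uid={{.Username}}))"
DEFAULT_GROUPFILTER = (
    "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
)

if __name__ == "__main__":
    # Constructed DN under the userdn base from the config above.
    userdn = "uid=alice,cn=Users,dc=xxx,dc=com"
    print(render_filter(PAGE_GROUPFILTER, "alice", userdn))
    print(render_filter(DEFAULT_GROUPFILTER, "alice", userdn))
    # A username containing a wildcard is matched literally, not as a glob.
    print(render_filter(PAGE_GROUPFILTER, "a*b", userdn))
```

With the default filter, group membership is discovered from the group entries (`memberUid`, `member`, `uniqueMember`); with the page's filter it is read from the `memberOf` attribute of the user entry, which requires the directory to maintain that attribute.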

To update the configuration, change the values and run the same command again.

Putting it into practice

One-time SSH password login to Linux servers based on Vault

References


Author: dongsheng
Link: https://mds1455975151.github.io/archives/ff02dc0f.html
Copyright: please credit the source when reposting!
