HashiCorp Vault is an identity-based secrets and encryption management system used to tightly control access to sensitive data such as API keys, passwords, and certificates. Below are some common Vault operations.

Login

$ export VAULT_ADDR='http://your-vault-address:8200'
$ export VAULT_TOKEN='your-vault-token'

Secret operations

  • Secrets engine
    KV
  • Path
    region/cluster/project/application
  • Key
    devops-api
  • Field
    k-name
  • Value
    k-value

  1. Check the current token's permissions

    $ vault token lookup
  2. Enable a new KV engine

    $ vault secrets enable \
    -path=/git-av \
    -description "k/v engine for the quickstart guide" \
    -version=1 \
    kv
  3. List all secrets engines

    $ vault secrets list
  4. Create or update a key

    $ vault kv put git-av/devops-api/k8s-test/test a=b
  5. List keys under a path

    $ vault kv list git-av/devops-api/k8s-test/
  6. Add a field

    $ vault kv patch git-av/devops-api/k8s-test/test d=b
  7. Delete a field

    $ vault kv patch git-av/devops-api/k8s-test/test d=null
  8. Read the contents of a key

    $ vault kv get git-av/devops-api/k8s-test/test
  9. Delete a key

    $ vault kv delete git-av/devops-api/k8s-test/test
  10. List the versions of a key

    $ vault kv metadata get git-av/devops-api/k8s-test/test
  11. Roll back to a specific version

    $ vault kv rollback -version 6 git-av/devops-api/k8s-test/test

Permission management

  1. Create a policy

    $ vault policy write jenkins-policy - <<EOF
    path "global/services/app/prod/kv/*" {
      capabilities = ["read"]
    }

    path "global/services/app/stage/kv/*" {
      capabilities = ["read"]
    }
    EOF

    The path in a policy refers to the key path.

  2. Read a policy

    $ vault policy read jenkins-policy
  3. Inspect roles

    $ vault auth list
    $ vault list auth/approle/role
    $ vault read auth/approle/role/jenkins
    $ vault read auth/approle/role/jenkins/role-id
  4. Update the role's key (issue a new secret ID)

    $ vault write -f auth/approle/role/devops-readonly/secret-id
  5. Create an AppRole for Jenkins
    5.1 Enable the AppRole auth method

    $ vault auth enable approle
    5.2 Write the policy

    $ vault policy write jenkins-policy - <<EOF
    path "devops/data/jenkins/*" {
      capabilities = ["read"]
    }
    EOF
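The two policies above illustrate the pitfall that matters most when writing KV policies: on a KV version 1 mount the policy path is the same path you pass to `vault kv`, while on a KV version 2 mount the CLI hides the API's `data/` segment, so the policy must reference `<mount>/data/<path>` (and `<mount>/metadata/<path>` for listing and version metadata; version 2 mounts are also what `vault kv patch`, `vault kv metadata` and `vault kv rollback` operate on). The following POSIX sh snippet is an added example, not code from the original post; the helper names kv_policy_path, render_readonly_policy and policy_is_readonly are my own. It derives the policy path for either engine version, renders a read-only policy, and checks that the policy grants nothing beyond read/list before it is handed to `vault policy write`. It runs offline and never contacts a Vault server.

```shell
#!/bin/sh
# Added example, not from the original post. The helper names below
# (kv_policy_path, render_readonly_policy, policy_is_readonly) are assumptions
# made for this snippet. Runs offline: it only builds and checks policy text.

# kv_policy_path MOUNT RELATIVE_PATH KV_VERSION
# Print the path a policy must reference for a secret reached via
# `vault kv get MOUNT/RELATIVE_PATH`.
#   v1: policy path equals the CLI path          -> MOUNT/RELATIVE_PATH
#   v2: the CLI hides the API's data/ segment,
#       the policy must name it explicitly       -> MOUNT/data/RELATIVE_PATH
kv_policy_path() {
  mount=$1
  rel=$2
  version=$3
  case "$version" in
    1) printf '%s/%s\n' "$mount" "$rel" ;;
    2) printf '%s/data/%s\n' "$mount" "$rel" ;;
    *) echo "kv_policy_path: unsupported kv version '$version'" >&2; return 1 ;;
  esac
}

# render_readonly_policy MOUNT RELATIVE_PATH KV_VERSION
# Emit HCL granting read on the secret path; on v2 additionally allow
# read/list on the metadata path so `vault kv list` and `vault kv metadata get`
# work for the same secrets.
render_readonly_policy() {
  mount=$1
  rel=$2
  version=$3
  secret_path=$(kv_policy_path "$mount" "$rel" "$version") || return 1
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$secret_path"
  if [ "$version" = 2 ]; then
    printf '\npath "%s/metadata/%s" {\n  capabilities = ["read", "list"]\n}\n' "$mount" "$rel"
  fi
}

# policy_is_readonly POLICY_TEXT
# Least-privilege check: succeed only if every capability in the policy is
# read, list or deny. Anything else (create, update, patch, delete, sudo, ...)
# makes the check fail so the policy is not written by mistake.
policy_is_readonly() {
  printf '%s\n' "$1" \
    | grep 'capabilities' \
    | grep -o '"[a-z]*"' \
    | tr -d '"' \
    | grep -qvE '^(read|list|deny)$' && return 1
  return 0
}

# Demo: the 5.2 policy targets a v2 mount, hence "devops/data/jenkins/*".
policy=$(render_readonly_policy devops 'jenkins/*' 2)
printf '%s\n' "$policy"
if policy_is_readonly "$policy"; then
  # At this point the text could be piped into: vault policy write jenkins-policy -
  echo "policy passes the read-only check"
else
  echo "refusing: policy grants more than read/list" >&2
fi
```

The rendered output is exactly the HCL shown in 5.2 plus a metadata block; on a version 1 mount such as the `git-av` engine enabled earlier, the same helper returns `git-av/devops-api/k8s-test/*` with no `data/` segment.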

    5.3 Create the AppRole

    $ vault write auth/approle/role/jenkins \
    secret_id_ttl=0s \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40 \
    token_policies="jenkins-policy"

    When secret_id_ttl=0s, the secret ID never expires.

    5.4 Get the role ID and a secret ID

    $ vault read auth/approle/role/jenkins/role-id
    $ vault write -f auth/approle/role/jenkins/secret-id

    5.5 Log in with the AppRole

    $ vault write auth/approle/login \
    role_id=<role_id> \
    secret_id=<secret_id>
    $ export VAULT_TOKEN=<vault_token>

Service management

  1. Seal

    $ vault operator seal
  2. Unseal

    $ vault operator unseal <key1>
    $ vault operator unseal <key2>
    $ vault operator unseal <key3>
  3. Generate new unseal keys

    $ vault operator rekey