HashiCorp Vault is an identity-based secrets and encryption management system used to tightly control access to sensitive data such as API keys, passwords and certificates. Below are some common Vault operations.

Login

$ export VAULT_ADDR='http://your-vault-address:8200'
$ export VAULT_TOKEN='your-vault-token'

Secret operations

  • secrets engine: KV
  • path: region/cluster/project/application
  • key: devops-api
  • field: k-name
  • value: k-value
  1. Check the current token's permissions
$ vault token lookup

  2. Create a KV secrets engine
$ vault secrets enable \
    -path=/git-av \
    -description="k/v engine for the quickstart guide" \
    -version=1 \
    kv

Note: the kv patch, kv metadata and kv rollback commands used below only work on a KV version 2 engine; enable one with -version=2, or upgrade an existing version 1 mount with vault kv enable-versioning git-av.

  3. List all secrets engines
$ vault secrets list

  4. Create or update a key
$ vault kv put git-av/devops-api/k8s-test/test a=b

  5. List the keys under a path
$ vault kv list git-av/devops-api/k8s-test/

  6. Add a field
$ vault kv patch git-av/devops-api/k8s-test/test d=b

  7. Remove a field
$ vault kv patch git-av/devops-api/k8s-test/test d=null

  8. Read a key's contents
$ vault kv get git-av/devops-api/k8s-test/test

  9. Delete a key
$ vault kv delete git-av/devops-api/k8s-test/test            # removes the latest version (soft delete on KV v2)
$ vault kv metadata delete git-av/kratos-api/k8s-test/test   # removes all versions and the key's metadata

  10. Disable the KV secrets engine
$ vault secrets disable git-av

  11. List the versions of a key
$ vault kv metadata get git-av/devops-api/k8s-test/test

  12. Roll back to a specific version
$ vault kv rollback -version 6 git-av/devops-api/k8s-test/test

Permission management

  1. Create a policy
$ vault policy write jenkins-policy - <<EOF
path "global/services/app/prod/kv/*" {
  capabilities = ["read"]
}

path "global/services/app/stage/kv/*" {
  capabilities = ["read"]
}
EOF

The path in a policy refers to the key path (for a KV version 2 engine this API path contains the data/ segment, as in the policy under 5.2 below).

  2. View a policy
$ vault policy read jenkins-policy

  3. View roles
$ vault auth list                                  # enabled auth methods
$ vault list auth/approle/role                     # AppRole roles
$ vault read auth/approle/role/jenkins             # one role's settings
$ vault read auth/approle/role/jenkins/role-id     # its role ID

  4. Update the role key (issue a new secret ID for the role)
$ vault write -f auth/approle/role/devops-readonly/secret-id

  5. Create an AppRole for Jenkins

5.1 Enable the AppRole auth method

$ vault auth enable approle

5.2 Write the policy

$ vault policy write jenkins-policy - <<EOF
path "devops/data/jenkins/*" {
  capabilities = ["read"]
}
EOF

5.3 Create the AppRole

$ vault write auth/approle/role/jenkins \
    secret_id_ttl=0s \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=0 \
    token_policies="jenkins-policy"

With secret_id_ttl=0s and secret_id_num_uses=0 the secret ID never expires and can be used any number of times, which makes it a static long-lived credential; set a finite TTL and use count where the workflow allows.
5.4 Update the secret_id_num_uses field

$ vault write auth/approle/role/jenkins \
    secret_id_num_uses=0

5.5 Get the role ID and a secret ID

$ vault read auth/approle/role/jenkins/role-id
$ vault write -f auth/approle/role/jenkins/secret-id

5.6 Log in with AppRole

$ vault write auth/approle/login \
    role_id=<role_id> \
    secret_id=<secret_id>
$ export VAULT_TOKEN=<vault_token>    # the client_token returned by the login call
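An added example, not part of the original notes, that audits the role settings from steps 5.3 and 5.4: it reads the JSON that vault read -format=json auth/approle/role/jenkins prints (the sample below is constructed, not captured) and flags a role whose secret IDs never expire or have unlimited uses. The thresholds are assumptions; the field names are those on the page plus secret_id_bound_cidrs.

```python
"""Audit AppRole role settings for non-expiring or over-broad credentials."""
import json
import re

# Constructed sample (not real output): the shape of `vault read -format=json
# auth/approle/role/jenkins` for the role written in step 5.3 (API durations are seconds).
SAMPLE_ROLE_JSON = json.dumps({"data": {
    "secret_id_ttl": 0, "secret_id_num_uses": 0,
    "token_ttl": 1200, "token_max_ttl": 1800, "token_num_uses": 10,
    "token_policies": ["jenkins-policy"], "secret_id_bound_cidrs": None,
}})

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Accept API integers (seconds) or CLI durations such as '20m' / '0s'."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"(\d+)([smhd])", str(value).strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def audit_approle(role, max_secret_id_ttl=86400, max_token_ttl=3600):
    """Return a list of findings for one role's settings; empty means it passes."""
    findings = []
    sid_ttl = to_seconds(role.get("secret_id_ttl", 0))
    if sid_ttl == 0:
        findings.append("secret_id_ttl=0: secret IDs never expire")
    elif sid_ttl > max_secret_id_ttl:
        findings.append(f"secret_id_ttl={sid_ttl}s exceeds limit {max_secret_id_ttl}s")
    if int(role.get("secret_id_num_uses", 0)) == 0:
        findings.append("secret_id_num_uses=0: secret IDs have unlimited uses")
    tok_max = to_seconds(role.get("token_max_ttl", 0))
    if tok_max == 0 or tok_max > max_token_ttl:  # 0 means the system maximum applies
        findings.append(f"token_max_ttl={tok_max}s: tokens may outlive {max_token_ttl}s")
    if not role.get("secret_id_bound_cidrs"):
        findings.append("secret_id_bound_cidrs unset: secret IDs accepted from any address")
    return findings

def audit_vault_read_json(text):
    """Audit the JSON printed by `vault read -format=json auth/approle/role/<name>`."""
    return audit_approle(json.loads(text)["data"])

if __name__ == "__main__":
    for finding in audit_vault_read_json(SAMPLE_ROLE_JSON):
        print("FINDING:", finding)
```

The role as created in 5.3 produces three findings (non-expiring secret ID, unlimited uses, no CIDR binding); a role with a finite secret_id_ttl, secret_id_num_uses=1 and a CIDR binding passes clean.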

Server management

  1. Initialize Vault
$ vault operator init

  2. Seal
$ vault operator seal

  3. Unseal (repeat with a threshold number of unseal keys; three here)
$ vault operator unseal <key1>
$ vault operator unseal <key2>
$ vault operator unseal <key3>

  4. Generate new unseal keys
$ vault operator rekey