
feat(vault-agent): use caching to authenticate against vault (#12)
* feat(vault-agent): use caching to authenticate against vault
* fix: mv cache/listener global level
* fix(listener): disable tls
* fix: unused vars and readme
* fix: use api_proxy
Note: Vault Agent will be deprecating API proxy functionality in a
future release, and this functionality has moved to a new subcommand,
vault proxy. If you rely on this functionality, plan to move to Vault
Proxy instead.
* doc: update Readme with api proxy
* fix: vault socket in readme

---------

Co-authored-by: Andreas Gruhler <[email protected]>
pree and Andreas Gruhler authored Jun 14, 2024
1 parent 9b57d9c commit a3ba75b
Showing 6 changed files with 40 additions and 43 deletions.
33 changes: 17 additions & 16 deletions README.md
Expand Up @@ -41,9 +41,9 @@ chmod 0640 /etc/vault.d/snap-{roleid,secretid}
chown vault:vault /etc/vault.d/snap-{roleid,secretid}
```

## Vault Agent Configuration
## Vault Proxy Configuration

Configure the vault agent for the snapshots:
Configure the vault proxy for the snapshots:
```bash
cat << EOF > /etc/vault.d/vault_snapshot_agent.hcl
# Vault agent configuration for Raft snapshots
Expand All @@ -52,6 +52,19 @@ vault {
address = "https://$HOSTNAME:8200"
}
api_proxy {
# Authenticate all requests automatically with the auto_auth token
# https://developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy
use_auto_auth_token = true
}
listener "unix" {
# Expose Vault-API seperately
# https://developer.hashicorp.com/vault/docs/agent/caching#configuration-listener
address = "/etc/vault.d/agent.sock"
tls_disable = true
}
auto_auth {
method {
# Authenticate with AppRole
Expand All @@ -64,18 +77,6 @@ auto_auth {
remove_secret_id_file_after_reading = false
}
}
sink {
# write Vault token to file
# https://www.vaultproject.io/docs/agent/autoauth/sinks/file
type = "file"
config = {
# best practice to write the file to a ramdisk (0640)
# have a look at wrapped token for advanced configuration
path = "/run/vault-snap-agent/token"
}
}
}
EOF
```
Expand All @@ -93,7 +94,7 @@ ConditionFileNotEmpty=/etc/vault.d/vault.hcl
[Service]
Restart=on-failure
ExecStart=/usr/local/bin/vault agent -config=/etc/vault.d/vault_snapshot_agent.hcl
ExecStart=/usr/local/bin/vault proxy -config=/etc/vault.d/vault_snapshot_agent.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
User=vault
Expand Down Expand Up @@ -126,7 +127,7 @@ cat << 'EOF' > /usr/local/bin/vault-snapshot
# - /etc/vault.d/vault_snapshot_agent.hcl
# - /etc/systemd/system/vault-agent.service
VAULT_TOKEN=$(cat /run/vault-snap-agent/token) VAULT_ADDR="https://$HOSTNAME:8200" \
VAULT_ADDR="VAULT_ADDR=unix:///etc/vault.d/agent.sock" \
/usr/local/bin/vault operator raft snapshot save "/opt/vault/snapshots/vault-raft_$(date +%F-%H%M).snapshot"
EOF
```
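Review bot: The rewritten wrapper line `VAULT_ADDR="VAULT_ADDR=unix:///etc/vault.d/agent.sock" \` assigns the literal text `VAULT_ADDR=unix:///etc/vault.d/agent.sock` as the address, so `vault operator raft snapshot save` receives an address it cannot parse and the documented snapshot command fails; it should read `VAULT_ADDR="unix:///etc/vault.d/agent.sock" \`. The heading and prose now say "Vault Proxy", but the example still writes `# Vault agent configuration for Raft snapshots`, the wrapper comment still points at `/etc/systemd/system/vault-agent.service`, and the listener comment links the agent caching page and misspells `separately`, which will confuse operators following the proxy instructions. The chown/chmod step above now covers only the AppRole files; since the token file is gone, the socket file is what grants proxy access, and the README should say so next to the listener block, e.g. `# Anything that can connect to this socket is served with the auto_auth token`.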
1 change: 0 additions & 1 deletion ansible/Readme.md
Expand Up @@ -33,5 +33,4 @@ $ systemctl list-timers
The Ansible role comes with the following limitations:

* Does not configure a cron job, only a systemd timer/service pair
* Exposes a Vault token on the snapshot host (with limited privileges though)
* Does not automatically [install the Vault binary](https://learn.hashicorp.com/tutorials/vault/getting-started-install)
11 changes: 4 additions & 7 deletions ansible/roles/vault-raft-backup-agent/defaults/main.yml
Expand Up @@ -6,6 +6,10 @@ vault_snapshot_config_dir: '/etc/vault.d'
vault_snapshot_pid_file_name: 'vault-raft-backup-agent.pid'
# Location of pid file
vault_snapshot_pid_dir: '{{ vault_snapshot_config_dir }}'
# Systemd runtime directory
vault_snapshot_run_dir: 'vault-raft-backup-agent'
# Vault agent listener unix socket
vault_snapshot_listener_socket: '{{ vault_snapshot_config_dir }}/agent.sock'

# Vault API address
vault_address: '127.0.0.1'
Expand Down Expand Up @@ -65,13 +69,6 @@ vault_snapshot_approle_secretid_file: '{{ vault_snapshot_config_dir }}/snap-secr
# https://www.vaultproject.io/docs/agent/autoauth/methods/approle#remove_secret_id_file_after_reading
remove_secret_id_file_after_reading: yes

# Location of the Vault token, ideally a ramdisk, see also:
# https://www.vaultproject.io/docs/agent/autoauth/sinks/file
vault_snapshot_token_location: '/run/vault-snap-agent/token'
# Set to 0000 to prevent Vault from modifying the file mode
# The file is currently written with 0640 permissions as default
vault_snapshot_token_mode: '0000'

# Snapshot output directory
vault_snapshot_dir: '/opt/vault/snapshots'
# Snapshot file name format
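Review bot: `vault_snapshot_listener_socket` places the socket under `{{ vault_snapshot_config_dir }}` (`/etc/vault.d`), a directory whose mode and ownership nothing in this hunk controls, while the `RuntimeDirectory` that the service unit still creates from the new `vault_snapshot_run_dir` (mode 0750, owned by the service user, see the vault-agent.service section) is now left empty because the token sink it used to hold was removed. Pointing the socket there, `vault_snapshot_listener_socket: '/run/{{ vault_snapshot_run_dir }}/agent.sock'`, puts the auto-auth-backed proxy endpoint behind a directory systemd already restricts to the vault user/group and drops a runtime artefact from the config tree; this assumes every client of the socket runs as that user or group, which the oneshot snapshot unit in this commit does not show. The comment `# Vault agent listener unix socket` should state what connecting to it grants, e.g. `# Proxy listener socket: any process that can connect uses the proxy's auto_auth token`.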
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,13 @@ After=network-online.target

[Service]
Restart=on-failure
ExecStart={{ vault_bin_path }}/vault agent -config={{ vault_snapshot_agent_config_file }}
ExecStart={{ vault_bin_path }}/vault proxy -config={{ vault_snapshot_agent_config_file }}
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
User={{ vault_user }}
Group={{ vault_group }}
RuntimeDirectoryMode=0750
RuntimeDirectory=vault-snap-agent
RuntimeDirectory={{ vault_snapshot_run_dir }}

[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ Description={{ vault_snapshot_systemd_timer_description }}

[Service]
Type=oneshot
Environment=VAULT_ADDR={{ vault_tls_disable | ternary('http', 'https') }}://{{ vault_address }}:8200
ExecStart=/bin/sh -c 'VAULT_TOKEN="$$(cat /run/vault-snap-agent/token)" {{ vault_bin_path }}/vault operator raft snapshot save "{{ vault_snapshot_dir }}/{{ vault_snapshot_file_name }}"'
Environment=VAULT_ADDR=unix://{{ vault_snapshot_listener_socket }}
ExecStart=/bin/sh -c '{{ vault_bin_path }}/vault operator raft snapshot save "{{ vault_snapshot_dir }}/{{ vault_snapshot_file_name }}"'
ExecStartPost=/bin/sh -c 'find {{ vault_snapshot_dir }}/* -{{ vault_snapshot_retention_find_mode }} {{ vault_snapshot_retention_time }} -exec {{ vault_snapshot_retention_find_action }} {} \;'

[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target
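Review bot: `ExecStart` keeps the `/bin/sh -c '…'` wrapper although the only reason for it, the `$$(cat …/token)` substitution, is removed in this hunk; it can now be the plain `ExecStart={{ vault_bin_path }}/vault operator raft snapshot save "{{ vault_snapshot_dir }}/{{ vault_snapshot_file_name }}"`, which avoids a shell re-parsing the templated path. With the token gone the unit authenticates purely by reaching the socket named in `Environment=VAULT_ADDR=unix://…`, and the `[Service]` section visible here sets no `User=`, so the oneshot runs as root and no socket mode on the listener will limit it. That trust model is worth a comment above the `Environment=` line, e.g. `# No token here: the proxy attaches its auto_auth token to every request received on this socket`.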
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,19 @@ vault {
tls_skip_verify = "{{ vault_tls_skip_verify | ternary('true', 'false') }}"
}

api_proxy {
# Authenticate all requests automatically with the auto_auth token
# https://developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy
use_auto_auth_token = true
}

listener "unix" {
# Expose Vault-API seperately
# https://developer.hashicorp.com/vault/docs/agent/caching#configuration-listener
address = "{{ vault_snapshot_listener_socket }}"
tls_disable = true
}

auto_auth {
method {
# Authenticate with AppRole
Expand All @@ -28,17 +41,4 @@ auto_auth {
remove_secret_id_file_after_reading = {{ remove_secret_id_file_after_reading | bool | lower }}
}
}

sink {
# write Vault token to file
# https://www.vaultproject.io/docs/agent/autoauth/sinks/file
type = "file"

config = {
# best practice to write the file to a ramdisk (0640)
# have a look at wrapped token for advanced configuration
path = "{{ vault_snapshot_token_location }}"
mode = {{ vault_snapshot_token_mode }}
}
}
}
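Review bot: The new `listener "unix"` block sets no `socket_mode`, `socket_user` or `socket_group`, so the socket's permissions are whatever the process umask yields, while `use_auto_auth_token = true` in the new `api_proxy` block makes every request arriving on that socket carry the proxy's AppRole token; the socket therefore replaces the token file deleted in the `sink` block below, but unlike the sink (`mode = {{ vault_snapshot_token_mode }}`) it gets no explicit permission control. Suggest `socket_mode = "0660"`, `socket_user = "{{ vault_user }}"` and `socket_group = "{{ vault_group }}"` (both variables are already used by the service template in this commit), and a comment that states the consequence instead of the current one: `# Proxy listener: every request on this socket is sent with the auto_auth token`. The same listener block appears in the README example. Minor: `seperately` should be `separately`, and the linked page is the agent caching listener docs rather than the proxy listener docs.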
