diff --git a/README.md b/README.md
index 9c08d8a..742a873 100644
--- a/README.md
+++ b/README.md
@@ -41,9 +41,9 @@ chmod 0640 /etc/vault.d/snap-{roleid,secretid}
 chown vault:vault /etc/vault.d/snap-{roleid,secretid}
 ```
-## Vault Agent Configuration
+## Vault Proxy Configuration
-Configure the vault agent for the snapshots:
+Configure the vault proxy for the snapshots:
 ```bash
 cat << EOF > /etc/vault.d/vault_snapshot_agent.hcl
 # Vault agent configuration for Raft snapshots
@@ -52,6 +52,19 @@ vault {
 address = "https://$HOSTNAME:8200"
 }
+api_proxy {
+ # Authenticate all requests automatically with the auto_auth token
+ # https://developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy
+ use_auto_auth_token = true
+}
+
+listener "unix" {
+ # Expose Vault-API seperately
+ # https://developer.hashicorp.com/vault/docs/agent/caching#configuration-listener
+ address = "/etc/vault.d/agent.sock"
+ tls_disable = true
+}
+
 auto_auth {
 method {
 # Authenticate with AppRole
@@ -64,18 +77,6 @@ auto_auth {
 remove_secret_id_file_after_reading = false
 }
 }
-
- sink {
- # write Vault token to file
- # https://www.vaultproject.io/docs/agent/autoauth/sinks/file
- type = "file"
-
- config = {
- # best practice to write the file to a ramdisk (0640)
- # have a look at wrapped token for advanced configuration
- path = "/run/vault-snap-agent/token"
- }
- }
 }
 EOF
 ```
@@ -93,7 +94,7 @@ ConditionFileNotEmpty=/etc/vault.d/vault.hcl
 [Service]
 Restart=on-failure
-ExecStart=/usr/local/bin/vault agent -config=/etc/vault.d/vault_snapshot_agent.hcl
+ExecStart=/usr/local/bin/vault proxy -config=/etc/vault.d/vault_snapshot_agent.hcl
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 User=vault
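Review bot: The `listener "unix"` block added in the second hunk becomes the new credential boundary — with `use_auto_auth_token = true` every local process that can connect to `/etc/vault.d/agent.sock` acts with the AppRole token — yet it sets none of `socket_mode`, `socket_user` or `socket_group`, so the socket's permissions are whatever the proxy's umask produces. Suggest adding `socket_mode = "0660"` (example value) with `socket_user`/`socket_group` set to the account the snapshot unit runs as, plus a comment such as `# The socket replaces the token file: restrict who may connect to it`. The identical listener block is added to `vault_snapshot_agent.hcl.j2` in the last hunk of this page and needs the same settings. The socket also lives in the config directory rather than the unit's `RuntimeDirectory`, so a stale socket file may survive a crash or reboot; whether the proxy unlinks it on start is not visible here.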
@@ -126,7 +127,7 @@ cat << 'EOF' > /usr/local/bin/vault-snapshot
 # - /etc/vault.d/vault_snapshot_agent.hcl
 # - /etc/systemd/system/vault-agent.service
-VAULT_TOKEN=$(cat /run/vault-snap-agent/token) VAULT_ADDR="https://$HOSTNAME:8200" \
+VAULT_ADDR="VAULT_ADDR=unix:///etc/vault.d/agent.sock" \
 /usr/local/bin/vault operator raft snapshot save "/opt/vault/snapshots/vault-raft_$(date +%F-%H%M).snapshot"
 EOF
 ```
diff --git a/ansible/Readme.md b/ansible/Readme.md
index c36ecac..8b7e8ae 100644
--- a/ansible/Readme.md
+++ b/ansible/Readme.md
@@ -33,5 +33,4 @@ $ systemctl list-timers
 The Ansible role comes with the following limitations:
 * Does not configure a cron job, only a systemd timer/service pair
-* Exposes a Vault token on the snapshot host (with limited privileges though)
 * Does not automatically [install the Vault binary](https://learn.hashicorp.com/tutorials/vault/getting-started-install)
diff --git a/ansible/roles/vault-raft-backup-agent/defaults/main.yml b/ansible/roles/vault-raft-backup-agent/defaults/main.yml
index ef5a773..ec2e0a5 100644
--- a/ansible/roles/vault-raft-backup-agent/defaults/main.yml
+++ b/ansible/roles/vault-raft-backup-agent/defaults/main.yml
@@ -6,6 +6,10 @@ vault_snapshot_config_dir: '/etc/vault.d'
 vault_snapshot_pid_file_name: 'vault-raft-backup-agent.pid'
 # Location of pid file
 vault_snapshot_pid_dir: '{{ vault_snapshot_config_dir }}'
+# Systemd runtime directory
+vault_snapshot_run_dir: 'vault-raft-backup-agent'
+# Vault agent listener unix socket
+vault_snapshot_listener_socket: '{{ vault_snapshot_config_dir }}/agent.sock'
 # Vault API address
 vault_address: '127.0.0.1'
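Review bot: The rewritten export in this hunk sets `VAULT_ADDR` to the literal string `VAULT_ADDR=unix:///etc/vault.d/agent.sock`, which is not a URL, so the documented snapshot script cannot reach the proxy as written; it should read `VAULT_ADDR="unix:///etc/vault.d/agent.sock" \`. The role's service template later on this page builds the same address correctly from `unix://{{ vault_snapshot_listener_socket }}`, so the README is the only copy with the doubled prefix.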
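Review bot: Deleting the "Exposes a Vault token on the snapshot host" limitation overstates what this change achieves: the proxy socket with `use_auto_auth_token` still lets any local process that can open it act with the AppRole token, so the exposure moved from a file to a socket rather than disappearing. Suggest rewording instead of removing, e.g. `* Exposes a Vault Proxy socket on the snapshot host; any local process allowed to connect to it acts with the (limited) AppRole token`.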
@@ -65,13 +69,6 @@ vault_snapshot_approle_secretid_file: '{{ vault_snapshot_config_dir }}/snap-secr
 # https://www.vaultproject.io/docs/agent/autoauth/methods/approle#remove_secret_id_file_after_reading
 remove_secret_id_file_after_reading: yes
-# Location of the Vault token, ideally a ramdisk, see also:
-# https://www.vaultproject.io/docs/agent/autoauth/sinks/file
-vault_snapshot_token_location: '/run/vault-snap-agent/token'
-# Set to 0000 to prevent Vault from modifying the file mode
-# The file is currently written with 0640 permissions as default
-vault_snapshot_token_mode: '0000'
-
 # Snapshot output directory
 vault_snapshot_dir: '/opt/vault/snapshots'
 # Snapshot file name format
diff --git a/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-raft-backup-agent.service.j2 b/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-raft-backup-agent.service.j2
index e6d61aa..5a0c95a 100644
--- a/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-raft-backup-agent.service.j2
+++ b/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-raft-backup-agent.service.j2
@@ -5,13 +5,13 @@ After=network-online.target
 [Service]
 Restart=on-failure
-ExecStart={{ vault_bin_path }}/vault agent -config={{ vault_snapshot_agent_config_file }}
+ExecStart={{ vault_bin_path }}/vault proxy -config={{ vault_snapshot_agent_config_file }}
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 User={{ vault_user }}
 Group={{ vault_group }}
 RuntimeDirectoryMode=0750
-RuntimeDirectory=vault-snap-agent
+RuntimeDirectory={{ vault_snapshot_run_dir }}
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-snap-agent.service.j2 b/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-snap-agent.service.j2
index 97fca29..82f2786 100644
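Review bot: The new `ExecStart` in the vault-raft-backup-agent.service.j2 hunk calls `vault proxy`, a subcommand that exists only from Vault 1.14 on; since the role does not install the binary (per `ansible/Readme.md`), an older installed binary fails at start with an unknown-command error, so the role or README should state the minimum version, ideally enforced by a version check task. `RuntimeDirectory` is kept under the new `{{ vault_snapshot_run_dir }}` variable, but with the file sink removed nothing in the visible hunks uses that directory, while the listener socket defaults to `{{ vault_snapshot_config_dir }}/agent.sock`. Setting `vault_snapshot_listener_socket` to `/run/{{ vault_snapshot_run_dir }}/agent.sock` would place the socket in the 0750 directory systemd creates for this unit under its own user/group and removes on stop, provided the snapshot unit runs as that user or group. The `[Unit]` section of this file lies outside the hunk.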
--- a/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-snap-agent.service.j2
+++ b/ansible/roles/vault-raft-backup-agent/templates/etc/systemd/system/vault-snap-agent.service.j2
@@ -3,9 +3,9 @@ Description={{ vault_snapshot_systemd_timer_description }}
 [Service]
 Type=oneshot
-Environment=VAULT_ADDR={{ vault_tls_disable | ternary('http', 'https') }}://{{ vault_address }}:8200
-ExecStart=/bin/sh -c 'VAULT_TOKEN="$$(cat /run/vault-snap-agent/token)" {{ vault_bin_path }}/vault operator raft snapshot save "{{ vault_snapshot_dir }}/{{ vault_snapshot_file_name }}"'
+Environment=VAULT_ADDR=unix://{{ vault_snapshot_listener_socket }}
+ExecStart=/bin/sh -c '{{ vault_bin_path }}/vault operator raft snapshot save "{{ vault_snapshot_dir }}/{{ vault_snapshot_file_name }}"'
 ExecStartPost=/bin/sh -c 'find {{ vault_snapshot_dir }}/* -{{ vault_snapshot_retention_find_mode }} {{ vault_snapshot_retention_time }} -exec {{ vault_snapshot_retention_find_action }} {} \;'
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/ansible/roles/vault-raft-backup-agent/templates/etc/vault.d/vault_snapshot_agent.hcl.j2 b/ansible/roles/vault-raft-backup-agent/templates/etc/vault.d/vault_snapshot_agent.hcl.j2
index 3d40d23..c950257 100644
--- a/ansible/roles/vault-raft-backup-agent/templates/etc/vault.d/vault_snapshot_agent.hcl.j2
+++ b/ansible/roles/vault-raft-backup-agent/templates/etc/vault.d/vault_snapshot_agent.hcl.j2
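Review bot: The oneshot now succeeds only while the proxy's unix socket exists, yet the hunk adds no ordering on the proxy unit; unless the `[Unit]` section outside this hunk already carries `Requires=`/`After=` for the proxy service (presumably vault-raft-backup-agent.service, from the template name), a timer firing before the proxy is up fails with a connection error. No `User=` is visible here either, so whichever account runs this unit must be permitted by the socket's mode and group to connect, and the listener config on this page sets neither. With the `$$(cat …)` substitution gone, the `/bin/sh -c` wrapper on `ExecStart` is only still needed if `vault_snapshot_file_name` relies on shell expansion (its default is not on this page); a comment such as `# sh -c kept so that $(date …) in vault_snapshot_file_name is expanded` would make that intent explicit, or the wrapper can be dropped if it is not.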
@@ -16,6 +16,19 @@ vault {
 tls_skip_verify = "{{ vault_tls_skip_verify | ternary('true', 'false') }}"
 }
+api_proxy {
+ # Authenticate all requests automatically with the auto_auth token
+ # https://developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy
+ use_auto_auth_token = true
+}
+
+listener "unix" {
+ # Expose Vault-API seperately
+ # https://developer.hashicorp.com/vault/docs/agent/caching#configuration-listener
+ address = "{{ vault_snapshot_listener_socket }}"
+ tls_disable = true
+}
+
 auto_auth {
 method {
 # Authenticate with AppRole
@@ -28,17 +41,4 @@ auto_auth {
 remove_secret_id_file_after_reading = {{ remove_secret_id_file_after_reading | bool | lower }}
 }
 }
-
- sink {
- # write Vault token to file
- # https://www.vaultproject.io/docs/agent/autoauth/sinks/file
- type = "file"
-
- config = {
- # best practice to write the file to a ramdisk (0640)
- # have a look at wrapped token for advanced configuration
- path = "{{ vault_snapshot_token_location }}"
- mode = {{ vault_snapshot_token_mode }}
- }
- }
 }
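Review bot: The comment on the new listener block has a typo, `seperately` → `separately` (the README copy in the first hunk of this page carries the same one), and its link points at the Agent caching listener section although this file is now run by `vault proxy`, so the reference may go stale. Suggest `# Expose the Vault API on a local unix socket; the snapshot unit connects via VAULT_ADDR=unix://<socket path>` together with a reference to the Vault Proxy listener documentation.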