Tools for manipulating the Rubin Observatory Vault installation
Project description
LSST Vault Utilities
This package is a set of Vault utilities for LSST use cases.
LSST Vault Hierarchy
These tools are designed to work with a specific taxonomic hierarchy, detailed below.
Secrets
The primary use case of the LSST vault has been as a repository for Kubernetes secrets. These secrets are organized as follows:
secret/k8s_operator/:instance:
These secrets are typically created and injected at cluster creation time; in the case of LSP deployments, this is scripted. We use the Vault Secrets Operator to automatically manage the conversion of vault secrets into Kubernetes secrets.
A secondary, more flexible use case is to use the LSST vault as a general key-value store.
When used this way, the LSST vault organizes its secrets under secret as follows:
secret/:subsystem:/:team:/:category:/:instance:
In our terminology, each such vault path ending in :instance: is called an enclave. An enclave has both a read token and a write token.
An enclave is used as follows: a user populates the secret tree under that enclave with the write token, and then uses the read token for automated data retrieval. In the case of vault-secrets-operator, the read token should be used to populate K8s secrets from vault secrets.
Note that secrets in an enclave are NOT accessible by the administrative user who created the enclave, its token pair, and its policies. Those secrets are only accessible via the enclave's read or write token.
Usage
Tokens
First, use an administrative token to create a delegator token, which will be used to run the Vault token-provisioning tools. Create this policy using delegator.hcl as input. Then create a token with that new delegator policy.
The token ID and accessor are stored under secret/delegated/:subsystem:/:team:/:category:/:instance:/:role:/:type:, where role is one of read or write, and type is one of id or accessor. These secrets are only accessible by an administrative user (e.g. the user who originally created the token pair, who should be using a token attached to the delegator policy created above).
Each enclave has two tokens, making up a "token pair". These are read and write.
Our intention is that the runtime system has access to the read token to read (but not update) secrets, and that the administrator of that system has access to the write token to create, update, and delete secrets.
We previously provided a tool to easily copy Kubernetes secrets to and from Vault. Since vault-secrets-operator is a Kubernetes operator that provides automated synchronization of secrets, that tool has now been removed.
Policies
Policies are stored as delegated/:subsystem:/:team:/:category:/:instance:/:role:, where role is one of read or write. The administrative user who creates or revokes the token pair is also responsible for creating and destroying these policies.
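To make the read/write split concrete, here is an added example (not code from lsstvaultutils) that regenerates the two policies tokenadmin writes for an enclave, matching the policy strings printed in the debug log of the example workflow below, and checks that the read policy grants no mutating capability and that neither policy reaches outside the enclave. It assumes a KV version 2 engine mounted at secret/, as the paths on this page show.

```python
import re
from typing import Dict, List

# Added example, not lsstvaultutils' own code. Reproduces the policy text that
# tokenadmin logs for an enclave (KV v2 engine mounted at "secret/" assumed).

# Capabilities that can change or remove data; a read token must have none.
MUTATING = {"create", "update", "delete", "patch", "sudo"}

_STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
)


def _stanza(path: str, capabilities: List[str]) -> str:
    """One HCL path stanza, in the layout shown in the tokenadmin debug log."""
    caps = ", ".join(f'"{c}"' for c in capabilities)
    return f'path "{path}" {{\n  capabilities = [{caps}]\n}}\n'


def read_policy(enclave: str, mount: str = "secret") -> str:
    """Read token: data read plus metadata read/list, only beneath the enclave."""
    enclave = enclave.strip("/")
    return _stanza(f"{mount}/data/{enclave}/*", ["read"]) + _stanza(
        f"{mount}/metadata/{enclave}/*", ["read", "list"]
    )


def write_policy(enclave: str, mount: str = "secret") -> str:
    """Write token: CRUD on data and metadata (the enclave root and everything
    below it) plus the KV v2 delete/undelete/destroy version endpoints."""
    enclave = enclave.strip("/")
    crud = ["read", "create", "update", "delete"]
    meta = ["list", "read", "update", "delete"]
    stanzas = [
        (f"{mount}/data/{enclave}", crud),
        (f"{mount}/data/{enclave}/*", crud),
        (f"{mount}/metadata/{enclave}/*", meta),
        (f"{mount}/metadata/{enclave}", meta),
        (f"{mount}/delete/{enclave}/*", ["update"]),
        (f"{mount}/undelete/{enclave}/*", ["update"]),
        (f"{mount}/destroy/{enclave}/*", ["update"]),
    ]
    return "".join(_stanza(p, c) for p, c in stanzas)


def policy_names(enclave: str) -> Dict[str, str]:
    """Names under which the pair is stored: delegated/<enclave>/<role>."""
    enclave = enclave.strip("/")
    return {role: f"delegated/{enclave}/{role}" for role in ("read", "write")}


def grants(policy: str) -> Dict[str, List[str]]:
    """Parse a policy back into {path: [capabilities]} so it can be reviewed
    or diffed against what is actually installed in Vault."""
    parsed: Dict[str, List[str]] = {}
    for path, caps in _STANZA_RE.findall(policy):
        parsed[path] = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
    return parsed


def is_read_only(policy: str) -> bool:
    """True when no stanza grants a capability that can change or remove data.
    This is the property the runtime system's read token must have."""
    return all(not (MUTATING & set(caps)) for caps in grants(policy).values())


def escapes_enclave(policy: str, enclave: str, mount: str = "secret") -> List[str]:
    """Paths in the policy that are not rooted at the enclave. An empty list
    means the token cannot reach a sibling enclave's secrets."""
    enclave = enclave.strip("/")
    roots = [f"{mount}/{kind}/{enclave}"
             for kind in ("data", "metadata", "delete", "undelete", "destroy")]

    def inside(path: str) -> bool:
        return any(path == r or path.startswith(r + "/") for r in roots)

    return [p for p in grants(policy) if not inside(p)]


if __name__ == "__main__":
    print(read_policy("dm/test"))
    print(write_policy("dm/test"))
    print(policy_names("dm/test"), is_read_only(read_policy("dm/test")))
```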
Classes
The package is named lsstvaultutils. Its functional classes include
- AdminTool -- This highly LSST-specific class allows you to specify a path under the Vault secret store, and it will generate two tokens (read and write) for secrets under that path. It stores these tokens under secret/delegated so that an administrator can find (and, if necessary, revoke) them later. It also manages revoking those tokens and removing them from the secret/delegated path. If operating on tokens for a path that already exists, you can choose to revoke the old tokens and overwrite them with new ones, or to delete the secret data at the same time as revoking the tokens. There is also a function to display the IDs and accessors of the token pair associated with a path.
- VaultConfig -- This is another very LSST-specific class, useful for adding or removing a secret at a given path across multiple vault enclaves.
- RecursiveDeleter -- This adds recursive deletion to Vault, so that an entire secret tree can be removed at once.
There is also a class called TimeFormatter, used only to add milliseconds to debug logs, and a convenience function, getLogger, which provides an interface for obtaining a standardized logger for these tools and classes.
Programs
The core functionality of these classes is also exposed as standalone programs.
- tokenadmin -- Creates or revokes the token set for a given Vault secret path, or displays the token IDs and accessors for that path.
- multisecret -- Creates or removes a secret path in multiple Vault enclaves. This is useful, for example, when adding a new feature to a Science Platform application managed by K8s.
- vaultrmrf -- Removes a Vault secret path and everything beneath it. As its name implies, this is a fairly dangerous operation.
Example workflow
We will exercise tokenadmin and vaultrmrf by creating a token pair, creating some secrets, deleting the secret tree, and finally deleting the token pair.
Create a token pair.
First, we create a token pair for the dm/test hierarchy. (Note that we omit one level to make the output a bit easier to read; dm/square/test would be more realistic.) We make sure VAULT_ADDR and VAULT_CAPATH are set correctly and that VAULT_TOKEN is set to an appropriate administrative token. We will use debug to see what happens along the way, and the display option to print the JSON representing the tokens.
I am using a vaultutils virtual environment with the lsstvaultutils package installed, and the vault CLI is on my path.
(vaultutils) adam@ixitxachitl:~$ tokenadmin create --debug --display dm/test
2019-03-04 14:45:52.625 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Debug logging started.
2019-03-04 14:45:52.625 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Getting Vault client for 'https://35.184.246.111'.
2019-03-04 14:45:52.939 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Vault Client is authenticated.
2019-03-04 14:45:52.939 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Creating policies and tokens for 'dm/test'.
2019-03-04 14:45:52.939 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Creating policies for 'dm/test'.
2019-03-04 14:45:52.939 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Checking for existence of policy 'delegated/dm/test'.
2019-03-04 14:45:53.109 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Creating policy for 'dm/test/read'.
2019-03-04 14:45:53.109 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Policy string: path "secret/data/dm/test/*" {
capabilities = ["read"]
}
path "secret/metadata/dm/test/*" {
capabilities = ["read","list"]
}
2019-03-04 14:45:53.109 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Policy path: delegated/dm/test/read
2019-03-04 14:45:53.535 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Creating policy for 'dm/test/write'.
2019-03-04 14:45:53.535 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Policy string: path "secret/data/dm/test" {
capabilities = ["read", "create", "update", "delete"]
}
path "secret/data/dm/test/*" {
capabilities = ["read", "create", "update", "delete"]
}
path "secret/metadata/dm/test/*" {
capabilities = ["list", "read", "update","delete"]
}
path "secret/metadata/dm/test" {
capabilities = ["list", "read", "update","delete"]
}
path "secret/delete/dm/test/*" {
capabilities = ["update"]
}
path "secret/undelete/dm/test/*" {
capabilities = ["update"]
}
path "secret/destroy/dm/test/*" {
capabilities = ["update"]
}
2019-03-04 14:45:53.535 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Policy path: delegated/dm/test/write
2019-03-04 14:45:54.217 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Creating token for 'dm/test/read'.
2019-03-04 14:45:54.217 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | - policies '['delegated/dm/test/read']'.
2019-03-04 14:45:55.630 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Writing token store for 'dm/test/read'.
2019-03-04 14:45:55.630 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | 'delegated/dm/test/read' -> 's.3nyTeqdWiINKIKNtuoIDtD9D'.
2019-03-04 14:45:56.840 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Creating token for 'dm/test/write'.
2019-03-04 14:45:56.840 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | - policies '['delegated/dm/test/write']'.
2019-03-04 14:45:58.171 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Writing token store for 'dm/test/write'.
2019-03-04 14:45:58.171 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | 'delegated/dm/test/write' -> 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 14:45:59.335 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Getting tokens for 'dm/test'.
{
"dm/test": {
"read": {
"accessor": "1WRccTQEebkqx78t37EyVztK",
"id": "s.3nyTeqdWiINKIKNtuoIDtD9D"
},
"write": {
"accessor": "8LvOhKiGFJf9qYNIgOXrb8Ik",
"id": "s.4l4eDdLMyD436RsjRqlI11cD"
}
}
}
Add some secrets
First, set Vault to use the write token
export VAULT_TOKEN="s.4l4eDdLMyD436RsjRqlI11cD"
I like JSON output, so I'll set
export VAULT_FORMAT=json
Then use the vault client to add some secrets
(vaultutils) adam@ixitxachitl:~$ vault kv put secret/dm/test/group1/foo value=bar
{
"request_id": "0a814bd2-e95d-cf1c-9018-c00173668e3d",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"created_time": "2019-03-04T21:51:07.616034224Z",
"deletion_time": "",
"destroyed": false,
"version": 1
},
"warnings": null
}
(vaultutils) adam@ixitxachitl:~$ vault kv put secret/dm/test/group1/baz value=quux
{
"request_id": "38c65e0d-735d-db9a-c2d6-840bdd4dff65",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"created_time": "2019-03-04T21:51:34.991913644Z",
"deletion_time": "",
"destroyed": false,
"version": 1
},
"warnings": null
}
(vaultutils) adam@ixitxachitl:~$ vault kv put secret/dm/test/group2/king value=fink
{
"request_id": "12753857-25f2-a27a-3d65-badc18805d07",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"created_time": "2019-03-04T21:51:45.645224365Z",
"deletion_time": "",
"destroyed": false,
"version": 1
},
"warnings": null
}
Read one back
(vaultutils) adam@ixitxachitl:~$ vault kv get secret/dm/test/group1/baz
{
"request_id": "03ef8ba1-3eb2-2962-d4c6-ebaf595e3387",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"data": {
"value": "quux"
},
"metadata": {
"created_time": "2019-03-04T21:51:34.991913644Z",
"deletion_time": "",
"destroyed": false,
"version": 1
}
},
"warnings": null
}
Recursively delete a secret tree
Suppose we end up not needing those secrets after all. We can easily delete the tree with the vaultrmrf command and the write token.
(vaultutils) adam@ixitxachitl:~$ vaultrmrf --debug dm/test/copy1
2019-03-04 15:05:47.920 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Debug logging started.
2019-03-04 15:05:47.920 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Acquiring Vault client for 'https://35.184.246.111'.
2019-03-04 15:05:48.164 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/copy1' recursively.
2019-03-04 15:05:48.269 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'dm/test/copy1'
2019-03-04 15:05:48.269 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': 'f6774de1-cb8c-76ed-8425-7963b5d95d76', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['baz', 'foo']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:05:48.269 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/copy1/baz' recursively.
2019-03-04 15:05:48.369 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/copy1/baz' as leaf node.
2019-03-04 15:05:48.369 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:05:48.703 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/copy1/foo' recursively.
2019-03-04 15:05:48.809 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/copy1/foo' as leaf node.
2019-03-04 15:05:48.809 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:05:49.123 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/copy1' as leaf node.
2019-03-04 15:05:49.123 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
Now attempting to read the secret shows that it is gone
(vaultutils) adam@ixitxachitl:~$ vault kv get secret/dm/test/copy1/foo
No value found at secret/data/dm/test/copy1/foo
Revoke the token pair and delete the data
Now we clean up.
We go back to the administrative token (by setting VAULT_TOKEN to the appropriate value), revoke our token pair, and at the same time clean up the data we inserted into the vault.
(vaultutils) adam@ixitxachitl:~$ tokenadmin revoke --delete-data --debug dm/test
2019-03-04 15:08:12.888 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Debug logging started.
2019-03-04 15:08:12.888 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Getting Vault client for 'https://35.184.246.111'.
2019-03-04 15:08:13.147 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Vault Client is authenticated.
2019-03-04 15:08:13.147 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Revoking tokens and removing policies for 'dm/test'.
2019-03-04 15:08:13.147 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Getting write token for 'dm/test'.
2019-03-04 15:08:13.147 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Reading value from 'delegated/dm/test/write/id'.
2019-03-04 15:08:13.208 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Got data: {'request_id': 'e5084c92-f404-7338-f776-47f1d8ee5980', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'value': 's.4l4eDdLMyD436RsjRqlI11cD'}, 'metadata': {'created_time': '2019-03-04T21:45:58.325211493Z', 'deletion_time': '', 'destroyed': False, 'version': 1}}, 'wrap_info': None, 'warnings': None, 'auth': None}
2019-03-04 15:08:13.208 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Debug logging started.
2019-03-04 15:08:13.208 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Acquiring Vault client for 'https://35.184.246.111'.
2019-03-04 15:08:13.498 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Deleting data under 'dm/test'.
2019-03-04 15:08:13.498 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test' recursively.
2019-03-04 15:08:13.638 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'dm/test'
2019-03-04 15:08:13.638 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '661160b2-6916-62f5-ae29-8da0d576d841', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['group1/', 'group2/']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:13.638 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group1' recursively.
2019-03-04 15:08:13.907 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'dm/test/group1'
2019-03-04 15:08:13.907 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '02e65063-64e2-8ca9-1532-f3aaf1eaeeb5', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['baz', 'foo']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:13.908 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group1/baz' recursively.
2019-03-04 15:08:14.262 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group1/baz' as leaf node.
2019-03-04 15:08:14.262 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:08:14.729 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group1/foo' recursively.
2019-03-04 15:08:14.906 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group1/foo' as leaf node.
2019-03-04 15:08:14.906 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:08:15.409 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group1' as leaf node.
2019-03-04 15:08:15.409 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:08:15.560 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group2' recursively.
2019-03-04 15:08:15.716 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'dm/test/group2'
2019-03-04 15:08:15.716 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '9a9f23d3-f5cf-10c7-e18c-2f54a848e3e7', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['king']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:15.716 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group2/king' recursively.
2019-03-04 15:08:15.866 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group2/king' as leaf node.
2019-03-04 15:08:15.866 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:08:16.480 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test/group2' as leaf node.
2019-03-04 15:08:16.480 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:08:16.623 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'dm/test' as leaf node.
2019-03-04 15:08:16.623 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.4l4eDdLMyD436RsjRqlI11cD'.
2019-03-04 15:08:16.765 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Requesting ID for 'read' token for 'dm/test'.
2019-03-04 15:08:16.826 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Tokendata: {'request_id': '845ca454-5b0e-9518-9029-bf221c771e4f', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'value': 's.3nyTeqdWiINKIKNtuoIDtD9D'}, 'metadata': {'created_time': '2019-03-04T21:45:55.802574394Z', 'deletion_time': '', 'destroyed': False, 'version': 1}}, 'wrap_info': None, 'warnings': None, 'auth': None}
2019-03-04 15:08:16.827 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Deleting 'read' token for 'dm/test'.
2019-03-04 15:08:18.393 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Requesting ID for 'write' token for 'dm/test'.
2019-03-04 15:08:18.454 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Tokendata: {'request_id': '5f3aae99-59f4-618b-cf1c-cb9bc3b39478', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'value': 's.4l4eDdLMyD436RsjRqlI11cD'}, 'metadata': {'created_time': '2019-03-04T21:45:58.325211493Z', 'deletion_time': '', 'destroyed': False, 'version': 1}}, 'wrap_info': None, 'warnings': None, 'auth': None}
2019-03-04 15:08:18.455 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Deleting 'write' token for 'dm/test'.
2019-03-04 15:08:19.845 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Deleting token store for 'dm/test'.
2019-03-04 15:08:19.846 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Debug logging started.
2019-03-04 15:08:19.846 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Debug logging started.
2019-03-04 15:08:19.846 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Acquiring Vault client for 'https://35.184.246.111'.
2019-03-04 15:08:19.846 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Acquiring Vault client for 'https://35.184.246.111'.
2019-03-04 15:08:20.085 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Recursive delete of: 'delegated/dm/test'
2019-03-04 15:08:20.085 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test' recursively.
2019-03-04 15:08:20.085 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test' recursively.
2019-03-04 15:08:20.199 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'delegated/dm/test'
2019-03-04 15:08:20.199 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'delegated/dm/test'
2019-03-04 15:08:20.199 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '5c1f33cf-8878-a5c8-a884-1f5cda607fa6', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['read/', 'write/']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:20.199 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '5c1f33cf-8878-a5c8-a884-1f5cda607fa6', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['read/', 'write/']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:20.199 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read' recursively.
2019-03-04 15:08:20.199 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read' recursively.
2019-03-04 15:08:20.317 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'delegated/dm/test/read'
2019-03-04 15:08:20.317 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'delegated/dm/test/read'
2019-03-04 15:08:20.317 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '4d18f739-1ee7-c413-6b9a-1766f6f300de', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['accessor', 'id']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:20.317 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '4d18f739-1ee7-c413-6b9a-1766f6f300de', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['accessor', 'id']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:20.317 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/accessor' recursively.
2019-03-04 15:08:20.317 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/accessor' recursively.
2019-03-04 15:08:20.422 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/accessor' as leaf node.
2019-03-04 15:08:20.422 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/accessor' as leaf node.
2019-03-04 15:08:20.422 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:20.422 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:20.856 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/id' recursively.
2019-03-04 15:08:20.856 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/id' recursively.
2019-03-04 15:08:20.971 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/id' as leaf node.
2019-03-04 15:08:20.971 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read/id' as leaf node.
2019-03-04 15:08:20.972 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:20.972 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:21.406 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read' as leaf node.
2019-03-04 15:08:21.406 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/read' as leaf node.
2019-03-04 15:08:21.406 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:21.406 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:21.492 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write' recursively.
2019-03-04 15:08:21.492 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write' recursively.
2019-03-04 15:08:21.603 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'delegated/dm/test/write'
2019-03-04 15:08:21.603 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing tree rooted at 'delegated/dm/test/write'
2019-03-04 15:08:21.603 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '8446aa1b-3d86-3b0d-eb55-01a9fe0e1cad', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['accessor', 'id']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:21.603 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | resp = '{'request_id': '8446aa1b-3d86-3b0d-eb55-01a9fe0e1cad', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'keys': ['accessor', 'id']}, 'wrap_info': None, 'warnings': None, 'auth': None}'
2019-03-04 15:08:21.603 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/accessor' recursively.
2019-03-04 15:08:21.603 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/accessor' recursively.
2019-03-04 15:08:21.707 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/accessor' as leaf node.
2019-03-04 15:08:21.707 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/accessor' as leaf node.
2019-03-04 15:08:21.708 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:21.708 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.120 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/id' recursively.
2019-03-04 15:08:22.120 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/id' recursively.
2019-03-04 15:08:22.224 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/id' as leaf node.
2019-03-04 15:08:22.224 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write/id' as leaf node.
2019-03-04 15:08:22.224 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.224 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.673 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write' as leaf node.
2019-03-04 15:08:22.673 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test/write' as leaf node.
2019-03-04 15:08:22.673 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.673 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.761 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test' as leaf node.
2019-03-04 15:08:22.761 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Removing 'delegated/dm/test' as leaf node.
2019-03-04 15:08:22.761 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.761 MST(-0700) [DEBUG] lsstvaultutils.recursivedeleter | Using token 's.86o9UFmo4bbd4yxs1pWHS2Z1'.
2019-03-04 15:08:22.856 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Deleting policy for 'delegated/dm/test/read'.
2019-03-04 15:08:23.039 MST(-0700) [DEBUG] lsstvaultutils.tokenadmin | Deleting policy for 'delegated/dm/test/write'.
Now the system is back in the state we started from.
Verify token deletion
We can attempt an operation to see whether the tokens have been revoked. Set the (now revoked) read token: export VAULT_TOKEN="s.3nyTeqdWiINKIKNtuoIDtD9D". Then try the same read operation we ran earlier
(vaultutils) adam@ixitxachitl:~$ vault kv get secret/dm/test/group1/baz
Error making API request.
URL: GET https://35.184.246.111/v1/sys/internal/ui/mounts/secret/dm/test/group1/baz
Code: 403. Errors:
* permission denied
Using multisecret
In this workflow we will use multisecret to add a secret to the Kubernetes vault-secrets-operator path. We will add it to two enclaves, data-dev.lsst.cloud and nublado.lsst.codes, verify that the secrets were created, and then remove them, also using multisecret.
First, we make sure lsstvaultutils is installed in our active environment (that is what gives us the (lvu) in front of the prompt), and then we run multisecret --help
Usage: multisecret [OPTIONS] COMMAND [ARGS]...
A tool to manipulate secrets in the same relative location across vault
enclaves.
--vault-address is a string representing a URL for a Vault implementation,
e.g. "vault.lsst.codes". If unspecified, the value of the environment
variable VAULT_ADDR will be used. It that isn't specified either, the
default of "https://:8200" will be used.
--secret-name is a string representing the name of the secret relative to
the top of the enclave, e.g. "pull-secret".
--secret-file is only used with the "add" command. It is a path to a JSON
document that specifies the contents of the secret you want to inject, as
a single object with key-value pairs, each pair being the name of the item
within the secret and its value.
--vault-file is a path to a file that contains a JSON document that is a
list of enclaves (each one being a dict whose only key is the name of the
top of the vault path for the enclave, and whose values are pair of dicts,
"read" and "write", each a dict containing two keys, "accessor" and "id",
whose values are the vault accessor and the vault token for its respective
context within the enclave). Not by coincidence, this is the form in
which the vault document exists in SQuaRE's 1password.
--omit may be specified multiple times; each time it is specified, it is
the name of the enclave to skip when updating vaults. This is helpful,
for example, to *not* put the SQuaRE docker pull password into third-party
implementations that rely on vault.lsst.codes.
--dry-run is a boolean flag; if it is set, no change to the vault will
actually be made, although the tool will report on the changes it would
have done.
Options:
-a, --vault-address TEXT
-n, --secret-name TEXT [required]
-s, --secret-file TEXT
-v, --vault-file TEXT [required]
-o, --omit TEXT
-x, --dry-run
--help Show this message and exit.
Commands:
add Add a secret across enclaves.
remove Remove a secret from multiple enclaves.
Let's set up a working directory to hold our configuration, and configure vault
(lvu) adam@air-wired:~/git/lsstvaultutils$ mkdir -p ~/Documents/src/vault-doc-test
(lvu) adam@air-wired:~/git/lsstvaultutils$ cd ~/Documents/src/vault-doc-test
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_ADDR="https://vault.lsst.codes"
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_FORMAT="json"
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$
Armed with this knowledge, we prepare a multi-enclave file. We will call it vault-nb-idf, and its contents are as follows, but with the real keys.
[
{
"k8s_operator/nublado.lsst.codes": {
"read": {
"accessor": "[REDACTED]",
"id": "[REDACTED]"
},
"write": {
"accessor": "[REDACTED]",
"id": "[REDACTED]"
}
}
},
{
"k8s_operator/data-dev.lsst.cloud": {
"read": {
"accessor": "[REDACTED]",
"id": "[REDACTED]"
},
"write": {
"accessor": "[REDACTED]",
"id": "[REDACTED]"
}
}
}
]
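As an added example (not multisecret's own code), the following parses a --vault-file of the shape shown above, rejects malformed or duplicate entries, applies --omit, and produces the dry-run plan lines that the workflow prints further down. The sample document and its token values are constructed placeholders, and the wording of the remove line is assumed, since the page only shows a dry run for add.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Added example, not multisecret's own code. Constructed sample in the
# --vault-file shape: a JSON list of single-key dicts, each holding "read"
# and "write" dicts with "accessor" and "id". Token values are placeholders.
SAMPLE_VAULT_FILE = json.dumps([
    {"k8s_operator/nublado.lsst.codes": {
        "read": {"accessor": "ACC-READ-NB", "id": "s.PLACEHOLDER-READ-NB"},
        "write": {"accessor": "ACC-WRITE-NB", "id": "s.PLACEHOLDER-WRITE-NB"}}},
    {"k8s_operator/data-dev.lsst.cloud": {
        "read": {"accessor": "ACC-READ-DD", "id": "s.PLACEHOLDER-READ-DD"},
        "write": {"accessor": "ACC-WRITE-DD", "id": "s.PLACEHOLDER-WRITE-DD"}}},
])

Enclaves = Dict[str, Dict[str, Dict[str, str]]]


def load_enclaves(text: str) -> Enclaves:
    """Validate the document strictly: a malformed entry aborts the run rather
    than being skipped, so one enclave cannot silently be left unchanged."""
    doc = json.loads(text)
    if not isinstance(doc, list):
        raise ValueError("vault file must be a JSON list of enclaves")
    enclaves: Enclaves = {}
    for entry in doc:
        if not isinstance(entry, dict) or len(entry) != 1:
            raise ValueError(f"each entry must be a single-key dict: {entry!r}")
        (name, pair), = entry.items()
        if not isinstance(pair, dict) or set(pair) != {"read", "write"}:
            raise ValueError(f"{name}: expected exactly 'read' and 'write'")
        for role, tok in pair.items():
            if not isinstance(tok, dict) or set(tok) != {"accessor", "id"}:
                raise ValueError(f"{name}/{role}: expected 'accessor' and 'id'")
        if name in enclaves:
            raise ValueError(f"duplicate enclave {name!r}")
        enclaves[name] = pair
    return enclaves


def plan(vault_address: str, secret_name: str, enclaves: Enclaves,
         omit: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (enclave, write-token id, target) for every enclave not omitted.
    An --omit name absent from the file is an error: a misspelled omit would
    otherwise push the secret into the very enclave the operator excluded."""
    skip = set(omit)
    unknown = skip - set(enclaves)
    if unknown:
        raise ValueError(f"--omit names not in vault file: {sorted(unknown)}")
    base = vault_address.rstrip("/")
    return [
        (name, pair["write"]["id"], f"{base}/{name}/{secret_name}")
        for name, pair in enclaves.items()
        if name not in skip
    ]


def dry_run_lines(action: str, vault_address: str, secret_name: str,
                  enclaves: Enclaves, omit: Iterable[str] = ()) -> List[str]:
    """The page shows 'Dry run: add secret at <url>'; the same form is
    assumed here for remove."""
    return [f"Dry run: {action} secret at {target}"
            for _, _, target in plan(vault_address, secret_name, enclaves, omit)]


def redacted(enclaves: Enclaves) -> Enclaves:
    """Copy that is safe to log or paste into a ticket: every accessor and id
    replaced, as in the listing on this page."""
    return {name: {role: {k: "[REDACTED]" for k in tok} for role, tok in pair.items()}
            for name, pair in enclaves.items()}


if __name__ == "__main__":
    loaded = load_enclaves(SAMPLE_VAULT_FILE)
    for line in dry_run_lines("add", "https://vault.lsst.codes", "test", loaded):
        print(line)
    print(json.dumps(redacted(loaded), indent=2))
```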
Next, we create the payload. testcase.json contains just the following
{ "foo": "bar" }
Let's verify that our new secret (which we will simply call test) does not yet exist in either enclave. I have put the read tokens into other shell variables which, obviously, are not in this document
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv list secret/k8s_operator/data-dev.lsst.cloud
[
"cert-manager",
"gafaelfawr",
"log",
"mobu",
"nublado",
"nublado2",
"postgres",
"pull-secret",
"tap"
]
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_TOKEN=${NLC_READ_TOKEN}
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv list secret/k8s_operator/nublado.lsst.codes
[
"cert-manager",
"gafaelfawr",
"jwt_authorizer",
"mobu",
"nublado",
"postgres",
"tap"
]
Let's run it with --dry-run first, to make sure it looks right
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ multisecret --vault-address=https://vault.lsst.codes --secret-name test --secret-file testcase.json --vault-file vault-nb-idf.json --dry-run add
Dry run: add secret at https://vault.lsst.codes/k8s_operator/nublado.lsst.codes/test
Dry run: add secret at https://vault.lsst.codes/k8s_operator/data-dev.lsst.cloud/test
That looks right. Repeat without --dry-run.
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ multisecret --vault-address=https://vault.lsst.codes --secret-name test --secret-file testcase.json --vault-file vault-nb-idf.json add
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$
Verify that the secrets were created
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_TOKEN=${DLC_READ_TOKEN}
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv get secret/k8s_operator/data-dev.lsst.cloud/test
{
"request_id": "bb53344a-31e9-81d3-32c2-5f2f895d7554",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"data": {
"foo": "bar"
},
"metadata": {
"created_time": "2020-12-10T19:18:58.345274962Z",
"deletion_time": "",
"destroyed": false,
"version": 1
}
},
"warnings": null
}
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_TOKEN=${NLC_READ_TOKEN}
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv get secret/k8s_operator/nublado.lsst.codes/test
{
"request_id": "5f69665d-e8ca-f9a3-aa69-5fe12c1784c0",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"data": {
"foo": "bar"
},
"metadata": {
"created_time": "2020-12-10T19:18:57.631480686Z",
"deletion_time": "",
"destroyed": false,
"version": 1
}
},
"warnings": null
}
Then destroy them
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ multisecret --vault-address=https://vault.lsst.codes --secret-name test --vault-file vault-nb-idf.json remove
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$
Then verify that they no longer exist
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_TOKEN=${DLC_READ_TOKEN}
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv get secret/k8s_operator/data-dev.lsst.cloud/test
No value found at secret/data/k8s_operator/data-dev.lsst.cloud/test
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv list secret/k8s_operator/data-dev.lsst.cloud
[
"cert-manager",
"gafaelfawr",
"log",
"mobu",
"nublado",
"nublado2",
"postgres",
"pull-secret",
"tap"
]
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ export VAULT_TOKEN=${NLC_READ_TOKEN}
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv get secret/k8s_operator/nublado.lsst.codes/test
No value found at secret/data/k8s_operator/nublado.lsst.codes/test
(lvu) adam@air-wired:~/Documents/src/vault-doc-test$ vault kv list secret/k8s_operator/nublado.lsst.codes
[
"cert-manager",
"gafaelfawr",
"jwt_authorizer",
"mobu",
"nublado",
"postgres",
"tap"
]