Mainflux.mainflux/docker/addons/vault
b1ackd0t 687505c833
NOISSUE - Remove Development Mode on Certs Creation (#1908)
* Fix certificate creation in development mode

This commit removes certificate creation in development mode. Previously, the `MF_CERTS_VAULT_HOST` environment variable was not being properly checked, resulting in incorrect behavior when issuing certificates. This commit ensures that the correct mode is set based on the value of `MF_CERTS_VAULT_HOST`.

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>

* Fix certificate revocation in README.md

The README.md file has been updated to clarify the process of revoking certificates. The previous instructions were incorrect, and the correct method is now provided. The certificates can be revoked using the `certs` service by providing the `thing_id` of the thing for which the certificate was issued.

```
curl -s -S -X DELETE http://localhost:9019/certs/revoke -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -d '{"thing_id":"c30b8842-507c-4bcd-973c-74008cef3be5"}'
```

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>

---------

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
2023-10-18 11:48:47 +02:00
.gitignore NOISSSUE - Vault integration as an addon. (#1266) 2020-10-31 21:44:25 +01:00
README.md NOISSUE - Remove Development Mode on Certs Creation (#1908) 2023-10-18 11:48:47 +02:00
config.hcl NOISSSUE - Vault integration as an addon. (#1266) 2020-10-31 21:44:25 +01:00
docker-compose.yml NOISSUE - Implementation of gRPC mTLS (#1848) 2023-08-16 19:11:33 +02:00
entrypoint.sh NOISSSUE - Vault integration as an addon. (#1266) 2020-10-31 21:44:25 +01:00
vault-init.sh NOISSUE - Add cert revocation to SDK (#1693) 2023-01-13 14:33:00 +01:00
vault-set-pki.sh NOISSUE - Add cert revocation to SDK (#1693) 2023-01-13 14:33:00 +01:00
vault-unseal.sh NOISSUE - Add cert revocation to SDK (#1693) 2023-01-13 14:33:00 +01:00

README.md

Vault

This is the Vault service deployment to be used with Mainflux.

When the Vault service is started, some initialization steps need to be done to set things up.

Configuration

| Variable | Description | Default |
|---|---|---|
| MF_VAULT_HOST | Vault service address | vault |
| MF_VAULT_PORT | Vault service port | 8200 |
| MF_VAULT_UNSEAL_KEY_1 | Vault unseal key | "" |
| MF_VAULT_UNSEAL_KEY_2 | Vault unseal key | "" |
| MF_VAULT_UNSEAL_KEY_3 | Vault unseal key | "" |
| MF_VAULT_TOKEN | Vault CLI access token | "" |
| MF_VAULT_PKI_PATH | Vault secrets engine path for CA | pki |
| MF_VAULT_PKI_INT_PATH | Vault secrets engine path for intermediate CA | pki_int |
| MF_VAULT_CA_ROLE_NAME | Vault secrets engine role | mainflux |
| MF_VAULT_CA_NAME | Certificates name used by vault-set-pki.sh | mainflux |
| MF_VAULT_CA_CN | Common name used for CA creation by vault-set-pki.sh | mainflux.com |
| MF_VAULT_CA_OU | Org unit used for CA creation by vault-set-pki.sh | Mainflux Cloud |
| MF_VAULT_CA_O | Organization used for CA creation by vault-set-pki.sh | Mainflux Labs |
| MF_VAULT_CA_C | Country used for CA creation by vault-set-pki.sh | Serbia |
| MF_VAULT_CA_L | Location used for CA creation by vault-set-pki.sh | Belgrade |

Setup

The following scripts are provided, which work on the running Vault service in Docker.

  1. vault-init.sh

Calls vault operator init to perform the initial Vault initialization and generates a data/secrets file which contains the Vault unseal keys and the root token.

After this step, the corresponding Vault environment variables (MF_VAULT_TOKEN, MF_VAULT_UNSEAL_KEY_1, MF_VAULT_UNSEAL_KEY_2, MF_VAULT_UNSEAL_KEY_3) should be updated in the .env file.

Example contents for data/secrets:

Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI
Unseal Key 2: P6hb7x2cglv0p61jdLyNE3+d44cJUOFaDt9jHFDfr8Df
Unseal Key 3: zSBfDHzUiWoOzXKY1pnnBqKO8UD2MDLuy8DNTxNtEBFy
Unseal Key 4: 5oJuDDuMI0I8snaw/n4VLNpvndvvKi6JlkgOxuWXqMSz
Unseal Key 5: ZhsUkk2tXBYEcWgz4WUCHH9rocoW6qZoiARWlkE5Epi5

Initial Root Token: s.V2hdd00P4bHtUQnoWZK2hSaS

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
bash-4.4

Use 3 of the five keys presented, put them into the .env file, and then start the composition again; Vault should then be in the unsealed state. (Note that keeping unseal keys in .env is not recommended in terms of security; this deployment is meant for development.) A real production deployment can use Vault auto-unseal mode, where Vault gets the unseal keys from a third-party KMS (on AWS, for example).

  2. vault-unseal.sh

This can be run after the initialization to unseal Vault, which is necessary before it can be used to store or retrieve secrets. Use it if you don't want to restart the service.

The unseal environment variables (MF_VAULT_TOKEN, MF_VAULT_UNSEAL_KEY_1, MF_VAULT_UNSEAL_KEY_2, MF_VAULT_UNSEAL_KEY_3) need to be set in .env for the script to work.

This script should not be necessary to run after the initial setup, since the Vault service unseals itself when starting the container.

  3. vault-set-pki.sh

This script is used to generate the root certificate, the intermediate certificate and the HTTPS server certificate. After it runs, it copies the necessary certificates and keys to the docker/ssl/certs folder.

The CA parameters are obtained from the environment variables starting with MF_VAULT_CA in the .env file.
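The three steps above (init, copy the keys and token into .env, unseal) are done by hand in the README. The following script is an added example, not a script from the Mainflux repository: it parses the data/secrets file that vault-init.sh writes (in the layout shown above) into the MF_VAULT_UNSEAL_KEY_n and MF_VAULT_TOKEN lines the README asks for, refuses to write a partial file when fewer keys than the threshold are present, stores the result with owner-only permissions, and can unseal a running Vault from that file. The function names, the env-file path, and the embedded sample (which reuses the example values printed above) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not a script from the Mainflux repository: parse the
# data/secrets file that vault-init.sh writes (layout as shown in the README)
# into the .env entries the README asks for, store them with owner-only
# permissions, and optionally unseal a running Vault with them.  The function
# names, the env-file path and the sample text below are assumptions.
set -eu

# Nth unseal key ("Unseal Key N: <key>") from vault-init output on stdin.
unseal_key() {
  sed -n "s/^Unseal Key $1: //p"
}

# Root token ("Initial Root Token: <token>") from vault-init output on stdin.
root_token() {
  sed -n 's/^Initial Root Token: //p'
}

# Key threshold ("... key threshold of N ...") from vault-init output on stdin.
key_threshold() {
  sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Print .env lines for the first <threshold> unseal keys and the root token.
# Fails instead of emitting a partial set when a key or the token is missing,
# because an .env with too few keys leaves Vault sealed after a restart.
render_env() {
  secrets=$1
  threshold=$(key_threshold < "$secrets")
  [ -n "$threshold" ] || { echo "no key threshold line in $secrets" >&2; return 1; }
  i=1
  while [ "$i" -le "$threshold" ]; do
    key=$(unseal_key "$i" < "$secrets")
    [ -n "$key" ] || { echo "unseal key $i missing from $secrets" >&2; return 1; }
    printf 'MF_VAULT_UNSEAL_KEY_%s=%s\n' "$i" "$key"
    i=$((i + 1))
  done
  token=$(root_token < "$secrets")
  [ -n "$token" ] || { echo "root token missing from $secrets" >&2; return 1; }
  printf 'MF_VAULT_TOKEN=%s\n' "$token"
}

# Write the rendered lines to an env file that only the owner can read: the
# unseal keys plus the root token give full control of Vault, so the file
# must not be group- or world-readable.
write_env() {
  secrets=$1
  env_file=$2
  (umask 077 && render_env "$secrets" > "$env_file")
  chmod 600 "$env_file"
}

# Unseal a running Vault with the keys from an env file.  Needs the vault CLI
# and VAULT_ADDR in the environment; not invoked by the demo below.
unseal_from_env() {
  env_file=$1
  for key in $(sed -n 's/^MF_VAULT_UNSEAL_KEY_[0-9]*=//p' "$env_file"); do
    vault operator unseal "$key" > /dev/null
  done
  vault status
}

# Constructed sample in the layout of the data/secrets file shown in the README
# (values copied from that example output; they are not live keys).
SAMPLE_SECRETS='Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI
Unseal Key 2: P6hb7x2cglv0p61jdLyNE3+d44cJUOFaDt9jHFDfr8Df
Unseal Key 3: zSBfDHzUiWoOzXKY1pnnBqKO8UD2MDLuy8DNTxNtEBFy
Unseal Key 4: 5oJuDDuMI0I8snaw/n4VLNpvndvvKi6JlkgOxuWXqMSz
Unseal Key 5: ZhsUkk2tXBYEcWgz4WUCHH9rocoW6qZoiARWlkE5Epi5

Initial Root Token: s.V2hdd00P4bHtUQnoWZK2hSaS

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# Demo: render the sample to stdout.  With a real deployment you would call
# write_env data/secrets .env and then unseal_from_env .env instead.
demo_secrets=$(mktemp)
printf '%s\n' "$SAMPLE_SECRETS" > "$demo_secrets"
render_env "$demo_secrets"
rm -f "$demo_secrets"
```

The threshold is read from the init output rather than hard-coded to 3, so the script also works for a Vault initialized with a different share/threshold pair; note that the README's .env only defines three MF_VAULT_UNSEAL_KEY_n variables, so a higher threshold also needs the compose files adjusted.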

Vault CLI

It can also be useful to run the Vault CLI for inspection and administration work.

This can be done directly using the Vault image in Docker: docker run -it mainflux/vault:latest vault

Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    debug          Runs the debug command
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    monitor        Stream log messages from a Vault server
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    print          Prints runtime configurations
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens

Vault Web UI

The Vault Web UI is accessible by default on http://localhost:8200/ui.