bank-vaults / vault-operator

Kubernetes operator for Hashicorp Vault
https://bank-vaults.dev/docs/operator/
Apache License 2.0

Vault HSM Vault-Root Token #430

Open l4z41 opened 2 months ago

l4z41 commented 2 months ago

Hi folks, I'm testing the HSM integration from vault-operator with a Nitrokey HSM, which works with the following example of yours. Here is a log excerpt (kubectl logs -f vault-0 bank-vaults):

time=2024-04-09T17:45:46.209Z level=INFO msg="HSM Information {CryptokiVersion:{Major:2 Minor:20} ManufacturerID:OpenSC Project Flags:0 LibraryDescription:OpenSC smartcard framework LibraryVersion:{Major:0 Minor:24}}"
time=2024-04-09T17:45:46.212Z level=INFO msg="HSM Searching for slot in HSM slots [{ctx:0xc00088ce88 id:0}]"
time=2024-04-09T17:45:46.212Z level=INFO msg="found HSM slot 0 in HSM by slot ID"
time=2024-04-09T17:45:46.252Z level=INFO msg="HSM TokenInfo {Label:SmartCard-HSM (UserPIN) ManufacturerID:www.CardContact.de Model:PKCS#15 emulated SerialNumber:DENK0300782 Flags:1037 MaxSessionCount:0 SessionCount:0 MaxRwSessionCount:0 RwSessionCount:0 MaxPinLen:15 MinPinLen:6 TotalPublicMemory:18446744073709551615 FreePublicMemory:18446744073709551615 TotalPrivateMemory:18446744073709551615 FreePrivateMemory:18446744073709551615 HardwareVersion:{Major:24 Minor:13} FirmwareVersion:{Major:3 Minor:5} UTCTime:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}"
time=2024-04-09T17:45:46.254Z level=INFO msg="HSM SlotInfo for slot 0: {SlotDescription:Nitrokey Nitrokey HSM (DENK03007820000         ) 00 00 ManufacturerID: Flags:7 HardwareVersion:{Major:0 Minor:0} FirmwareVersion:{Major:0 Minor:0}}"
time=2024-04-09T17:45:46.358Z level=INFO msg="found objects with label \"bank-vaults\" in HSM"
time=2024-04-09T17:45:46.358Z level=INFO msg="this HSM doesn't support on-device encryption, extracting public key and doing encryption on the computer"
time=2024-04-09T17:45:46.358Z level=INFO msg="no storage backend specified for HSM, using on device storage"
2024/04/09 17:45:46 INFO joining leader vault...
2024/04/09 17:45:46 INFO vault metrics exporter enabled: :9091/metrics
2024/04/09 17:45:47 INFO joining raft cluster...
2024/04/09 17:45:47 INFO vault is already initialized, skipping raft join
2024/04/09 17:45:47 INFO vault is sealed, unsealing
2024/04/09 17:45:51 INFO successfully unsealed vault

Data is written to the HSM (pkcs11-tool --list-objects):

Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      bank-vaults
  ID:         00f066a87ba8511fffb0382d4650aeda5b0709e9
  Usage:      encrypt, verify, wrap
  Access:     none
Profile object 1333124656
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)
Data object 1333119184
  label:          'vault-test'
  application:    'vault-test'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119280
  label:          'vault-unseal-0'
  application:    'vault-unseal-0'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119376
  label:          'vault-unseal-1'
  application:    'vault-unseal-1'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119472
  label:          'vault-unseal-2'
  application:    'vault-unseal-2'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119568
  label:          'vault-unseal-3'
  application:    'vault-unseal-3'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119664
  label:          'vault-unseal-4'
  application:    'vault-unseal-4'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119760
  label:          'vault-root'
  application:    'vault-root'
  app_id:         <empty>
  flags:           modifiable

An additional thing is that I switched to serviceType: LoadBalancer, which exposes Vault on an external IP address so that I have a UI available.

Now to my main question: how do I log in to the new Vault instance, given that vault-root is saved to the HSM, or create an admin token for further configuration? Any pointer in the right direction is much appreciated.

I tried to read out the value, which gives me gibberish:

pkcs15-tool --read-data-object vault-root -o vault-root
pkcs11-tool --read-object --type data --label vault-root --pin XXXXXXX --output-file vault-root

github-actions[bot] commented 3 weeks ago

Thank you for your contribution! This issue has been automatically marked as stale because it has had no recent activity in the last 60 days. It will be closed in 20 days if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.