genesis-community / concourse-genesis-kit

A Genesis Kit for Concourse CI/CD
MIT License

Allow CRUD under secret path #73

Closed itsouvalas closed 2 years ago

itsouvalas commented 2 years ago

Concourse pipelines rely on safe exists secret/handshake to confirm connectivity to vault:

TRACE ⮀ Setting environment values:
         DEBUG=''
         SAFE_TARGET='https://10.4.1.6'

         From directory: /tmp/build/87a8b8e6/dev-changes
         Executing: `safe "$@" 2>&1`
          - with arguments:
            1: 'exists'
            2: '/secret/handshake'
         ⬑  ~/.geese/lib/Genesis.pm:L520 (in Genesis::run)

 TRACE ⮀ command duration: 0 seconds
 VALUE ⮀ run_output = '!! 403 Forbidden: 1 error occurred:
                * permission denied'
         ⬑  ~/.geese/lib/Genesis/Vault.pm:L342 (in Genesis::Vault::query)

 TRACE ⮀ command exited with status 100 (rc 1)
         ⬑  ~/.geese/lib/Genesis.pm:L545 (in Genesis::run)

uninitialized

 DEBUG ⮀ Vault status: uninitialized
 ERROR ⮀ [ERROR] Could not connect to vault
         ⬑  ~/.geese/lib/Genesis/Vault.pm:L262 (in Genesis::Vault::connect_and_validate)

[ERROR] Could not connect to vault

Although this could be addressed by adding path "secret/data/handshake", the rest of the pipeline requires secrets that are stored under secret/*:

Verifying availability of vault 'deployments-vault' (https://10.4.1.7)...ok

Preparing to deploy dev:
  - based on kit cf/2.2.0-rc.14
[ERROR] Could not find BOSH director dev

The lines below add the following policy line and allow for the pipeline to proceed accordingly

path "/secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

norman-abramovitz commented 2 years ago

I do not believe we should be allowing the sudo capability without explicit user input. We should be following the principle of least privilege.

We might want to add the patch capability

KV Engine V2 API

Vault Capabilities
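The least-privilege alternative this comment points at, written out as an added example (not a policy from the kit or from anyone in this thread): the issue's catch-all rule beside a scoped KV v2 policy. It assumes a KV v2 engine mounted at secret/, that the handshake check reads secret/data/handshake and secret/metadata/handshake, and a placeholder prefix example-env/ for the deployment secrets; the real prefix, and whether the Vault version in use supports the patch capability (KV v2 PATCH, Vault 1.9 or later), must be checked against the actual pipeline.

```hcl
# --- Policy A: the catch-all rule from the issue (one policy file) ---
# Every capability, including sudo, on the whole mount. sudo is only
# consulted for root-protected paths (mostly under sys/); no KV v2 path
# needs it, so here it only widens the blast radius of a leaked token.
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# --- Policy B: scoped replacement (added example; separate policy file) ---
# Assumes a KV v2 engine mounted at secret/.

# Connectivity check: `safe exists secret/handshake` only needs to read the
# data and metadata endpoints of that single key (assumption: safe resolves
# the KV v2 path to both).
path "secret/data/handshake" {
  capabilities = ["read"]
}
path "secret/metadata/handshake" {
  capabilities = ["read"]
}

# Deployment secrets (placeholder prefix example-env/): write new versions,
# read them, patch single fields (KV v2 PATCH, Vault 1.9+) and soft-delete.
path "secret/data/example-env/*" {
  capabilities = ["create", "read", "update", "patch", "delete"]
}

# Listing keys and reading version metadata for the same prefix
# (what safe ls / safe tree use on a KV v2 mount).
path "secret/metadata/example-env/*" {
  capabilities = ["read", "list"]
}

# Everything else falls back to Vault's default deny; no rule in this
# policy grants sudo.
```

With policy B attached to the pipeline's approle, a token that leaks from a worker can touch only the handshake key and one deployment prefix, and `vault token capabilities secret/data/handshake` on that token should report `read` rather than the full list seen in the issue.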

dennisjbell commented 2 years ago

I am confused as to what this is trying to accomplish. I agree with Norm that the granting of sudo should be minimized if not refused altogether. Has something changed recently that has made how we've been doing this for years no longer viable? It simply looks like the vault token used doesn't have the correct permissions/policy in place to read secrets/(meta)data/handshake, which the standard policy sets up.

dennisjbell commented 2 years ago

After investigation, I see you're trying to use the concourse approle for the genesis-pipeline, when you should be using the genesis-pipeline approle. The concourse approle is intended to allow concourse to read concourse/* to fetch secrets inside concourse, which populates ((variables)) in the pipeline YAML files. The genesis-pipeline approle is to be provided in those secrets to be made available to the workers to access safe under genesis.