Closed tamalsaha closed 4 years ago
api review: @tamalsaha
PolicyDocument
VaultAppRef
config:
  credentialSecret:
    name: <>
    namespace: demo
  policyDocument: |
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

{
  "path": {
    "secret/*": {
      "capabilities": ["create", "read", "update", "delete", "list"]
    }
  }
}

---
path:
  secret/*:
    capabilities:
    - create
    - read
    - update
    - delete
    - list
SecretEngine CRD: https://youtu.be/8tZUmZvTolY
Video: https://youtu.be/xAGRf_naJTA
VaultServer (optional) / AppBinding
SecretEngine (optional)
VaultPolicy
VaultPolicyBinding -> service account in a different namespace
AWSRole
AzureRole
GCPRole
-> AppBinding Name + Secret Engine Path + DB Name
PostgresRole
MongoDBRole
MySQLRole
Same Namespace ^^^^
----------------------------
Diff Namespace vvv
*Request
=======================================
Q:
{engine}.kubevault.com/v1alpha1/namespaces/default/awsroles/name
{secret}
Ans: engine - keep things as is @tamalsaha 2019-07-31
=======================================
AppBinding.spec.parameters.path <------ path to be used for authN with AppBinding
vault write database/config/my-postgresql-database \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \

vault write [db_secret_engine_path]/config/[k8s.cluster.db_ns.db_name] \
    allowed_roles="k8s.cluster.role-ns.my-role-name" \
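The dotted naming scheme used in the two commands above, as an added example that is not KubeVault's own code: it builds and parses `k8s.<cluster>.<namespace>.<name>` and derives the `config/` write for a database engine from it. Assumptions: the cluster id comes from operator configuration, and `VaultName`, `ParseVaultName` and `DBConfigWrite` are hypothetical names. Because namespaces are DNS labels (no dots) the first three dots are the only separators, so an object name containing dots still round-trips.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Namespaces are DNS-1123 labels (no dots), which keeps the dotted name parseable.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// VaultName builds "k8s.<cluster>.<namespace>.<name>" as in the notes above.
// The cluster id is assumed to come from operator configuration (hypothetical).
func VaultName(cluster, ns, name string) (string, error) {
	if !dnsLabel.MatchString(cluster) || !dnsLabel.MatchString(ns) || name == "" {
		return "", fmt.Errorf("cluster %q and namespace %q must be DNS labels, name %q non-empty", cluster, ns, name)
	}
	return fmt.Sprintf("k8s.%s.%s.%s", cluster, ns, name), nil
}

// ParseVaultName inverts VaultName. Only the first three dots are separators:
// an object name (a DNS-1123 subdomain) may itself contain dots.
func ParseVaultName(s string) (cluster, ns, name string, err error) {
	parts := strings.SplitN(s, ".", 4)
	if len(parts) != 4 || parts[0] != "k8s" || parts[3] == "" {
		return "", "", "", fmt.Errorf("not a k8s Vault name: %q", s)
	}
	return parts[1], parts[2], parts[3], nil
}

// DBConfigWrite returns the path and payload for
// vault write <engine>/config/<db> plugin_name=... allowed_roles=<role>
func DBConfigWrite(engine, cluster, dbNS, dbName, roleNS, roleName string) (string, map[string]interface{}, error) {
	db, err := VaultName(cluster, dbNS, dbName)
	if err != nil {
		return "", nil, err
	}
	role, err := VaultName(cluster, roleNS, roleName)
	if err != nil {
		return "", nil, err
	}
	path := strings.Trim(engine, "/") + "/config/" + db
	data := map[string]interface{}{"plugin_name": "postgresql-database-plugin", "allowed_roles": role}
	return path, data, nil
}

func main() {
	path, data, err := DBConfigWrite("database", "prod", "demo", "my-postgresql-database", "demo", "my-role")
	fmt.Println(path, data, err)
}
```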
API change:
Now:
// PostgresRoleSpec contains connection information, postgres role info etc
type PostgresRoleSpec struct {
	AuthManagerRef *appcat.AppReference `json:"authManagerRef,omitempty"`
	DatabaseRef *core.LocalObjectReference `json:"databaseRef"`
}

future:
// PostgresRoleSpec contains connection information, postgres role info etc
type PostgresRoleSpec struct {
	VaultRef *core.LocalObjectReference `json:"authManagerRef,omitempty"`
	SecretEnginePath string `json:"secretEnginePath"`
	DatabaseRef appcat.AppReference `json:"databaseRef"` // db namespace + name
}
====================================================================================
AWS:
---
vault write aws/config/root \
access_key=AKIAJWVN5Z4FOFT7NLNA \
secret_key=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 \
region=us-east-1
vault write [aws_secret-engine_path]/config/root \
region=us-east-1
$ vault write [aws_secret-engine_path]/roles/[k8s.cluster.role-ns.my-role-name] \
credential_type=iam_user \
policy_document=-<<EOF
- https://github.com/kubedb/apimachinery/tree/master/apis
TODOs:
Video: https://youtu.be/sObgDZLOMxY