HashiCorp Vault - Setup / Architecture in Production

I am ready to set up HashiCorp Vault for my web application, and although the HashiCorp examples make sense, I don't quite understand what the intended production setup should look like.

In my case, I have:

  • a handful of AWS EC2 instances serving my web application
  • multiple EC2 instances running Jenkins for continuous deployment

I need:

  • my configuration management tool (Ansible) and Jenkins to read secrets during deployment
  • employees in the company to be able to read secrets as necessary and, possibly, generate temporary access for certain types of access.

I will probably use S3 as the storage backend.

The types of questions I have are:

  • Should Vault run on all of my EC2 instances and listen on 127.0.0.1:8200?

  • Or should I create an instance (possibly 2 for availability) that only runs Vault, and have the other instances / services connect to it when they need access to secrets?

  • If I need employees to access secrets from their local machines, how does that work? Do they install Vault locally, pointed at the S3 storage backend, or should they hit the REST API of the remote servers from step 2 to access their secrets?

  • And to be clear, if any machine running Vault restarts, Vault must be unsealed again, which seems to be a manual process involving some number x of key holders?

+5
1 answer

Vault runs in a client-server architecture, so you should have a dedicated cluster of Vault servers (usually 3 is suitable for small to medium installations) running in HA mode.

The Vault servers should probably bind to the internal private IP address, not 127.0.0.1, since otherwise they will not be reachable within your VPC. You definitely don't want to bind 0.0.0.0, as that could make Vault public if your instance has a public IP address.

You want to bind to the address that is advertised in the certificate, whether that is an IP address or a DNS name. You should only communicate with Vault over TLS in production-grade infrastructure.

Any and all requests go through these Vault servers. If other users need to reach Vault, they must connect to the VPC through a VPN or bastion host and issue requests against it.

When a machine on which Vault is running reboots, Vault must be unsealed. This is why you should run Vault in HA mode, so another server can accept requests. You can set up monitoring and alerting to notify you when a server needs to be unsealed (Vault returns a special status code).

You can also read the production hardening guide for more tips.

0
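The two operational points in the answer, the listener binding plus TLS and the "special status code" for a sealed server, as an added example that is not part of the original post and is not HashiCorp's code. The first helper lints a Vault server config for a listener bound to 0.0.0.0 or loopback and for TLS switched off; the second maps the HTTP status that `/v1/sys/health` returns without query parameters (200 active, 429 standby, 501 uninitialized, 503 sealed) to the state an alert keys on. The sample configs are constructed here; `10.0.1.10`, `vault.internal.example` and the certificate paths are placeholders. Note that the S3 storage backend itself does not support HA, so the "good" sample uses Raft integrated storage (Vault 1.4+) as the backend; Consul is the other common choice.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from HashiCorp).
# Helpers for two points in the answer:
#   vault_config_lint   flags a listener bound to 0.0.0.0 or loopback, and TLS turned off
#   vault_health_state  maps /v1/sys/health HTTP codes to the seal/standby state to alert on

# Write a constructed sample server config: "good" follows the answer, "weak" does not.
# Addresses, hostnames and file paths are placeholders.
write_sample_config() {
  local kind="$1" out="$2"
  if [ "$kind" = good ]; then
    cat > "$out" <<'EOF'
# private VPC address, the same one that appears in the certificate
listener "tcp" {
  address       = "10.0.1.10:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}
# advertised to clients and to the other cluster members (HA mode)
api_addr     = "https://vault.internal.example:8200"
cluster_addr = "https://10.0.1.10:8201"
# HA needs a backend that supports it; S3 alone does not
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}
EOF
  else
    cat > "$out" <<'EOF'
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
storage "s3" {
  bucket = "placeholder-vault-bucket"
}
EOF
  fi
}

# Exit 0 when the config follows the answer's advice, 1 otherwise; prints findings.
# Assumes one listener block and simple `key = "value"` lines (HCL is not fully parsed).
vault_config_lint() {
  local cfg="$1" rc=0 addr
  addr=$(sed -n 's/^[[:space:]]*address[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
  case "$addr" in
    "")                         echo "FAIL: no listener address found"; rc=1 ;;
    0.0.0.0:*|0.0.0.0|"[::]:"*) echo "FAIL: $addr binds every interface; public if the instance has a public IP"; rc=1 ;;
    127.0.0.1:*|localhost:*|"[::1]:"*) echo "FAIL: $addr is loopback; peers and clients in the VPC cannot reach it"; rc=1 ;;
    *)                          echo "ok: listener bound to $addr" ;;
  esac
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?' "$cfg"; then
    echo "FAIL: tls_disable is set; Vault traffic must use TLS in production"; rc=1
  elif ! grep -Eq '^[[:space:]]*tls_cert_file[[:space:]]*=' "$cfg"; then
    echo "FAIL: TLS enabled but no tls_cert_file configured"; rc=1
  else
    echo "ok: TLS listener with certificate"
  fi
  return $rc
}

# Map the HTTP status of GET /v1/sys/health (no query parameters) to a state.
vault_health_state() {
  case "$1" in
    200) echo active ;;        # initialized, unsealed, active
    429) echo standby ;;       # unsealed, standby node in an HA cluster
    472) echo dr-secondary ;;
    473) echo perf-standby ;;
    501) echo uninitialized ;;
    503) echo sealed ;;        # the case the answer says to alert on
    *)   echo unknown ;;
  esac
}

# Exit 0 when the node needs an operator (sealed or uninitialized), 1 otherwise.
vault_needs_operator() {
  case "$(vault_health_state "$1")" in
    sealed|uninitialized) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage against a real server (not run here; hostname is a placeholder):
#   code=$(curl -s -o /dev/null -w '%{http_code}' https://vault.internal.example:8200/v1/sys/health)
#   vault_needs_operator "$code" && echo "ALERT: node is $(vault_health_state "$code")"
```

The same check is available from the CLI: `vault status` exits 0 when unsealed, 2 when sealed and 1 on error, so a cron job or systemd timer can key off the exit code instead of the HTTP status. Keep the lint as a pre-deploy gate in the Ansible or Jenkins pipeline the question mentions, so a listener change that binds 0.0.0.0 or drops TLS fails before it reaches an instance.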

Source: https://habr.com/ru/post/1268855/
