Integrating Concourse with Vault with approle
Environment:
OS: Ubuntu 18.04 LTS
Concourse: 3.14.0 - install type: binary
Vault: 0.10.3
Using approle
Hi,
I'm trying to set up credential management with Vault. Consul + Vault are running fine. I have configured my Concourse server with the following parameters:
File: concourse web
CONCOURSE_SESSION_SIGNING_KEY=/etc/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/etc/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/etc/concourse/authorized_worker_keys
CONCOURSE_POSTGRES_DATABASE=concourse
CONCOURSE_POSTGRES_HOST=127.0.0.1
CONCOURSE_POSTGRES_PASSWORD=XXXXXXXX
CONCOURSE_POSTGRES_SSLMODE=disable
CONCOURSE_POSTGRES_USER=concourse
CONCOURSE_TSA_LOG_LEVEL=debug
CONCOURSE_LOG_LEVEL=debug
CONCOURSE_BAGGAGECLAIM_LOG_LEVEL=debug
CONCOURSE_BASIC_AUTH_USERNAME=concourse
CONCOURSE_BASIC_AUTH_PASSWORD=XXXXXXXXXX
CONCOURSE_EXTERNAL_URL=http://server001.cglab.localnet.local:8080
CONCOURSE_VAULT_URL="http://192.168.163.134:8200"
CONCOURSE_VAULT_PATH_PREFIX="/concourse"
CONCOURSE_VAULT_AUTH_BACKEND="approle"
CONCOURSE_VAULT_AUTH_PARAM="role_id=XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3,secret_id=XXXXXXX-XXXX-08ae-a356-edca9006d04a"
CONCOURSE_VAULT_INSECURE_SKIP_VERIFY=true
Created the policy, enabled approle, created role_id and secret_id.
Now, when I start Concourse, the logs show the following:
Journal entries:
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.749084949","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.259793043","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.232575417","source":"atc","message":"atc.build-tracker.track.done","log_lev
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.219762087","source":"atc","message":"atc.listening","log_level":1,"data":{"
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.218845844","source":"atc","message":"atc.build-tracker.track.start","log_le
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.216697931","source":"tsa","message":"tsa.listening","log_level":1,"data":{}
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.113752604","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:31 server001 systemd[1]: Started Concourse CI web process (ATC and TSA).
File: /var/log/syslog
Jul 18 13:52:50 server001 concourse[1461]: {"timestamp":"1531936370.941136837","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3745"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021310568","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3746"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021309853","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"22.3385"}}
What am I missing? Why can't Concourse unseal Vault? I thought it might unseal it if I supplied the client_token (CONCOURSE_VAULT_CLIENT_TOKEN="XXXXX-XXXX-3797-6194-8bc92b65231d"), but that didn't help.
I can confirm that role_id and secret_id work, using an API call:
curl -k -XPOST -d '{"role_id":"XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3","secret_id":"XXXXXXX-XXXX-08ae-a356-edca9006d04a"}' http://192.168.163.132:8200/v1/auth/approle/login | jq
{
"request_id": "82f2e7f8-821e-0a17-acbb-e79f88bbc4b3",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"period of \"10h0m0s\" exceeded the effective max_ttl of \"30m0s\"; period value is capped accordingly"
],
"auth": {
"client_token": "XXXXXXX-XXX-fdf7-34d9-305e413fa2c7",
"accessor": "5f267fb8-e3ac-7e13-adbb-bf4445725d78",
"policies": [
"concourse",
"default"
],
"token_policies": [
"concourse",
"default"
],
"metadata": {
"role_name": "concourse"
},
"lease_duration": 1800,
"renewable": true,
"entity_id": "11a0d4ac-10aa-0d62-2385-9e8071fc4185"
}
}
As you can see, everything is fine. Why can't Concourse authenticate and unseal Vault?
Any guidance, feedback and help is greatly appreciated!!
Sealing and unsealing are almost always manual processes. Concourse cannot unseal Vault (it can't even reach the auth backend), so you have to handle that process yourself.
If you want to keep Vault sealed while Concourse is not in use, you should write some simple scripts; otherwise you can leave it unsealed: the data is protected anyway, only authorized requests can retrieve it, and Vault gets sealed only in an emergency.
(VAULT_CLIENT_TOKEN is not an unseal key.)
How many nodes are in your Vault cluster?
Did you unseal all of them?
Unsealing in Vault is per node, not per cluster.
Also, make sure you talk to Vault over HTTPS so that data is not sent unencrypted.
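Triage for the syslog lines quoted in the question, as an added example that is not part of the thread: it strips the syslog prefix from Concourse's JSON log record and separates the 503 "Vault is sealed" responses (a node that still needs unsealing) from genuine approle rejections (a role_id/secret_id or policy problem). The sample lines are constructed in the format shown in the question; the 400 error text is a constructed illustration, not quoted Vault output.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of the /var/log/syslog lines from the question.
# Line 1 is the exact failure mode seen in the thread (503, "Vault is sealed");
# lines 2 and 3 are constructed to exercise the other branches.
SAMPLE_SYSLOG = r'''
Jul 18 13:52:50 server001 concourse[1461]: {"timestamp":"1531936370.941136837","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3745"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021310568","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 400. Errors:\n\n* invalid role or secret ID","name":"vault","session":"3.3746"}}
Jul 18 13:52:52 server001 concourse[1461]: {"timestamp":"1531936372.000000000","source":"atc","message":"atc.listening","log_level":1,"data":{}}
'''

# The syslog prefix ends at the first '{'; the rest is the JSON record.
JSON_START = re.compile(r"^.*?concourse\[\d+\]: (\{.*)$")
# Vault's API error text carries "URL: <method> <url>" and "Code: <status>."
URL_RE = re.compile(r"URL: (\w+) (\S+)")
CODE_RE = re.compile(r"Code: (\d+)")

def parse_login_failures(syslog_text):
    """Return one dict per atc.credential-manager.login.failed record."""
    failures = []
    for line in syslog_text.splitlines():
        m = JSON_START.match(line)
        if not m:
            continue
        rec = json.loads(m.group(1))
        if rec.get("message") != "atc.credential-manager.login.failed":
            continue
        err = rec["data"].get("error", "")
        code, url = CODE_RE.search(err), URL_RE.search(err)
        failures.append({
            "session": rec["data"].get("session"),
            "vault_url": url.group(2) if url else None,
            "status": int(code.group(1)) if code else None,
            "sealed": "Vault is sealed" in err,  # 503 from a sealed node
        })
    return failures

def classify(failures):
    """Bucket failures: sealed node vs. credential/policy rejection vs. other."""
    counts = Counter()
    for f in failures:
        if f["sealed"]:
            counts["sealed"] += 1         # unseal that node; credentials are not the issue
        elif f["status"] in (400, 403):
            counts["auth_rejected"] += 1  # role_id / secret_id / policy problem
        else:
            counts["other"] += 1
    return counts
```

Note that the manual curl in the question was sent to 192.168.163.132, while Concourse is configured for 192.168.163.134; a successful login against one node does not show that the node Concourse actually talks to is unsealed, which is exactly the per-node point raised above.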