将大厅与Vault集成在一起

时间:2018-07-19 12:31:25

标签: concourse hashicorp-vault

环境: 

OS: Ubuntu 18.04 LTS
Concourse: 3.14.0 - install type: binary
Vault: 0.10.3
Using approle

问候,

尝试使用Vault配置凭据管理。 Consul + Vault运行正常。我已经将Concourse服务器配置为具有以下参数:

文件:concourse-web 

CONCOURSE_SESSION_SIGNING_KEY=/etc/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/etc/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/etc/concourse/authorized_worker_keys
CONCOURSE_POSTGRES_DATABASE=concourse
CONCOURSE_POSTGRES_HOST=127.0.0.1
CONCOURSE_POSTGRES_PASSWORD=XXXXXXXX
CONCOURSE_POSTGRES_SSLMODE=disable
CONCOURSE_POSTGRES_USER=concourse
CONCOURSE_TSA_LOG_LEVEL=debug
CONCOURSE_LOG_LEVEL=debug
CONCOURSE_BAGGAGECLAIM_LOG_LEVEL=debug
CONCOURSE_BASIC_AUTH_USERNAME=concourse
CONCOURSE_BASIC_AUTH_PASSWORD=XXXXXXXXXX
CONCOURSE_EXTERNAL_URL=http://server001.cglab.localnet.local:8080
CONCOURSE_VAULT_URL="http://192.168.163.134:8200"
CONCOURSE_VAULT_PATH_PREFIX="/concourse"
CONCOURSE_VAULT_AUTH_BACKEND="approle"
CONCOURSE_VAULT_AUTH_PARAM="role_id=XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3,secret_id=XXXXXXX-XXXX-08ae-a356-edca9006d04a"
CONCOURSE_VAULT_INSECURE_SKIP_VERIFY=true

已创建策略,已启用approlecreated role_id, secret_id

现在,当我启动Concourse时,日志显示以下内容:

日记条目:

Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.749084949","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.259793043","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.232575417","source":"atc","message":"atc.build-tracker.track.done","log_lev
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.219762087","source":"atc","message":"atc.listening","log_level":1,"data":{"
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.218845844","source":"atc","message":"atc.build-tracker.track.start","log_le
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.216697931","source":"tsa","message":"tsa.listening","log_level":1,"data":{}
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.113752604","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:31 server001 systemd[1]: Started Concourse CI web process (ATC and TSA).

文件:/ var / log / syslog 

Jul 18 13:52:50 server001 concourse[1461]: {"timestamp":"1531936370.941136837","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3745"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021310568","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3746"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021309853","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"22.3385"}}

我想念什么?为什么Concourse无法解开保险库?我可能会把client_token放开,虽然它会开封(CONCOURSE_VAULT_CLIENT_TOKEN="XXXXX-XXXX-3797-6194-8bc92b65231d"),但没有帮助。

我可以使用API​​调用来确认role_idsecret_id是否有效:

curl -k -XPOST -d '{"role_id":"XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3","secret_id":"XXXXXXX-XXXX-08ae-a356-edca9006d04a "}' http://192.168.163.132:8200/v1/auth/approle/login | jq

{
  "request_id": "82f2e7f8-821e-0a17-acbb-e79f88bbc4b3",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": [
    "period of \"10h0m0s\" exceeded the effective max_ttl of \"30m0s\"; period value is capped accordingly"
  ],
  "auth": {
    "client_token": "XXXXXXX-XXX-fdf7-34d9-305e413fa2c7",
    "accessor": "5f267fb8-e3ac-7e13-adbb-bf4445725d78",
    "policies": [
      "concourse",
      "default"
    ],
    "token_policies": [
      "concourse",
      "default"
    ],
    "metadata": {
      "role_name": "concourse"
    },
    "lease_duration": 1800,
    "renewable": true,
    "entity_id": "11a0d4ac-10aa-0d62-2385-9e8071fc4185"
  }
}

如上所示,一切都很好。为什么Concourse无法验证和解封Vaul?

任何方向,反馈和帮助,我们将不胜感激!

2 个答案:

答案 0 :(得分:1)

密封和开封几乎都是手动过程。 Concourse无法解封保管箱(甚至无法到达auth后端),因此您必须自己处理此过程。

如果要在不使用Councourse的情况下使Vault保持密封,则应编写一些简单的脚本;否则,您可以将其保持密封状态:无论如何,数据将受到保护,只有授权的请求才能检索数据,只有在紧急情况下才将Vault密封。

(VAULT_CLIENT_TOKEN不是解封密钥)

答案 1 :(得分:0)

您的保管库群集中有多少个节点?
您是否已全部密封?

解封是在保管库中的每个节点上,而不是在每个群集中。

此外,请确保您通过HTTPS与Vault通信,以确保数据不会以未加密的方式发送。

相关问题
最新问题