HashiCorp 保险库集成

HashiCorp 保险库是一个插件，您可以将其用作 Orchestrator 的凭据存储。

包含两个插件：

HashiCorp 保险库 – 读写插件（通过 Orchestrator 创建密码）
HashiCorp 保险库（只读） – 只读插件（必须直接在保险库中配置密码）

先决条件

您必须配置其中一种受支持的身份验证方法：
- AppRole（推荐）
- 用户名密码
- LDAP
- 令牌
  
  了解如何配置身份验证。
您必须配置其中一个受支持的密码引擎：
- KeyValueV1 - 可用于 HashiCorp 保险库插件和 HashiCorp 保险库（只读）插件
- KeyValueV2 - 可用于 HashiCorp 保险库插件和 HashiCorp 保险库（只读）插件
- ActiveDirectory - 仅适用于 HashiCorp 保险库（只读）插件
所选的身份验证方法必须具有允许在您计划存储密码的路径上使用以下功能的策略：
- 对于 HashiCorp 保险库（只读）插件：read
- 对于 HashiCorp 保险库插件：create、read、update、delete、（可选，如果使用 KeyValueV2 密码引擎）对元数据路径的delete

配置集成

以下示例说明了如何配置在 Docker 容器中运行的 HashiCorp 保险库开发版本，以将其用作 Orchestrator 的凭据存储。这些示例应适合您自己的环境。详情请参阅 HashiCorp Vault 的官方文档。

配置身份验证

要开始创建和读取密码，您首先需要通过以下步骤配置身份验证方法：

打开容器内的 Shell：
```
docker exec -it dev-vault shdocker exec -it dev-vault sh
```
以根用户身份登录。通过运行以下命令，确保日志中显示了根令牌，以使用该令牌设置环境变量：
```
export VAULT_TOKEN=s.hA7RJ5lBqSnKUPd8nrQBaK1fexport VAULT_TOKEN=s.hA7RJ5lBqSnKUPd8nrQBaK1f
```
通过运行以下命令检查保险库状态：
```
vault statusvault status
```

在 KV 存储中为 Orchestrator 添加虚拟密码：

vault kv put secret/applications/orchestrator/testSecret supersecretpassword=123456vault kv put secret/applications/orchestrator/testSecret supersecretpassword=123456

向 Orchestrator 授予对新创建的 secret/applications/orchestrator 路径的访问权限。为此，您必须首先通过运行以下命令来创建用于读取和写入此路径及其所有子路径的策略：
```
cat <<EOF | vault policy write orchestrator-policy -
path "secret/data/applications/orchestrator/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/applications/orchestrator/*" {
  capabilities = ["delete"]
}
EOFcat <<EOF | vault policy write orchestrator-policy -
path "secret/data/applications/orchestrator/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/applications/orchestrator/*" {
  capabilities = ["delete"]
}
EOF
```
备注：
使用 KeyValueV2 密码引擎时，密码在路径 <mount>/data/<secret-path> 中写入和获取，而不是在 KeyValueV1 中的 <mount>/<secret-path>。它不会更改任何 CLI 命令（即，不在路径中指定数据）。

但是，它确实会更改策略，因为功能已应用于实际路径。在上一个示例中，路径为 secret/data/applications/orchestrator/*，因为我们使用的是 KeyValueV2 密码引擎。如果使用 KeyValueV2，则路径将为 secret/applications/orchestrator/*。

仅当您要确保 Orchestrator 在验证连接性时不会留下测试密钥时，才需要在元数据路径上使用删除功能。如果未授予此功能，则在 Orchestrator 中创建凭据存储时将创建并保留一个密钥。
使用 userpass 身份验证方法启用身份验证，然后为 Orchestrator 创建用户并分配先前创建的策略：
```
vault auth enable userpass
vault write auth/userpass/users/orchestrator password=123456 policies=orchestrator-policyvault auth enable userpass
vault write auth/userpass/users/orchestrator password=123456 policies=orchestrator-policy
```
注意：Orchestrator 支持多种身份验证模式。有关如何配置它们，请参阅 HashiCorp 保险库文档我们的文档。

登录并尝试读取之前创建的密码，以检查您是否已正确配置所有内容：

vault login -method=userpass username=orchestrator password=123456vault login -method=userpass username=orchestrator password=123456

此命令的输出：

WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestratorWARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestratorWARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestratorWARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                    Value
---                    -----
token                  s.nwombWQH3gGPDhJumRzxKqgI
token_accessor         aGJL6Pzc6fRRuP8d8tTjS2Kj
token_duration         768h
token_renewable        true
token_policies         ["default" "orchestrator-policy"]
identity_policies      []
policies               ["default" "orchestrator-policy"]
token_meta_username    orchestrator

获取此令牌并将其设置为根令牌，然后尝试读取测试密码：

export VAULT_TOKEN=s.nwombWQH3gGPDhJumRzxKqgI
vault kv get secret/applications/orchestrator/testSecretexport VAULT_TOKEN=s.nwombWQH3gGPDhJumRzxKqgI
vault kv get secret/applications/orchestrator/testSecret

此命令的输出：

====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456====== Metadata ======
Key              Value
---              -----
created_time     2020-10-12T06:24:41.7827631Z
deletion_time    n/a
destroyed        false
version          1
=========== Data ===========
Key                    Value
---                    -----
supersecretpassword    123456

备注：

您还可以通过运行以下命令来启用 appRole Orchestrator：

/ # vault auth enable approle 
/ # vault write auth/approle/role/orchestrator policies=orchestrator-policy 
/ # vault read auth/approle/role/orchestrator/role-id 
/ # vault write -f auth/approle/role/orchestrator/secret-id/ # vault auth enable approle 
/ # vault write auth/approle/role/orchestrator policies=orchestrator-policy 
/ # vault read auth/approle/role/orchestrator/role-id 
/ # vault write -f auth/approle/role/orchestrator/secret-id

现在，您将拥有可在 Orchestrator 中进行配置的角色 ID 和密码 ID。

配置 Active Directory 密码引擎

要配置 Active Directory 密码引擎，请执行以下步骤：

通过运行以下命令启用 Active Directory 密码引擎：
```
vault secrets enable advault secrets enable ad
```

配置 HashiCorp 保险库用于与 Active Directory 通信以生成密码的凭据：

vault write ad/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://138.91.247.105 \
    userdn='dc=example,dc=com'vault write ad/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://138.91.247.105 \
    userdn='dc=example,dc=com'

配置将 HashiCorp 保险库中的名称映射到 Active Directory 中的帐户的角色。当应用程序请求密码时，密码轮换设置将由此角色管理。
```
vault write ad/roles/orchestrator service_account_name="my-application@example.com"vault write ad/roles/orchestrator service_account_name="my-application@example.com"
```

使用身份验证方法（例如 AppRole）授予 orchestrator 访问其 ad/creds/orchestrator 凭据的权限。

cat <<EOF | vault policy write orchestrator-policy -
path "ad/creds/orchestrator" {
  capabilities = ["read"]
}
EOFcat <<EOF | vault policy write orchestrator-policy -
path "ad/creds/orchestrator" {
  capabilities = ["read"]
}
EOF