{"id":13295492,"url":"https://github.com/avoidik/experience-with-vault","last_synced_at":"2025-03-10T08:31:44.662Z","repository":{"id":88739876,"uuid":"264693472","full_name":"avoidik/experience-with-vault","owner":"avoidik","description":"HashiCorp Vault advanced topics in one place","archived":false,"fork":false,"pushed_at":"2020-05-23T18:30:41.000Z","size":26,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-07-29T17:42:24.476Z","etag":null,"topics":["authenticaion","cfssl","concourse-ci","consul","dex","dexidp","docker","docker-containers","hashicorp-vault","ldap","oidc","openldap","pki","secrets","tls-certificate","vault"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/avoidik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-17T15:06:58.000Z","updated_at":"2023-10-11T04:13:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"8e9cf42e-776e-4931-834b-1b1cad720a4b","html_url":"https://github.com/avoidik/experience-with-vault","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avoidik%2Fexperience-with-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avoidik%2Fexperience-with-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avoidik%2Fexperience-with-vault/releases","manifests_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/avoidik%2Fexperience-with-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/avoidik","download_url":"https://codeload.github.com/avoidik/experience-with-vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242819141,"owners_count":20190390,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authenticaion","cfssl","concourse-ci","consul","dex","dexidp","docker","docker-containers","hashicorp-vault","ldap","oidc","openldap","pki","secrets","tls-certificate","vault"],"created_at":"2024-07-29T17:17:06.241Z","updated_at":"2025-03-10T08:31:44.626Z","avatar_url":"https://github.com/avoidik.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Experiments with Vault\n\n## Prerequisites\n\n* installed VirtualBox\n* docker \u0026 docker-machine binaries\n* cfssl \u0026 cfssljson binaries\n* vault \u0026 consul binaries\n* curl\n* fly\n\n## What is this\n\nAn ideal playground for experimenting with HashiCorp Vault authentication methods, secrets backends, etc.\n\nThe following advanced topics are covered in this repo:\n\n* Docker-Machine \u0026 Docker-Containers - how to build and run them\n* TLS - how to generate certificates with cfssl and Vault itself, configure TLS communication between components\n* Vault Server, Consul Client, Consul Server, OpenLDAP (with phpLDAPadmin \u0026 self-service portal), DEX (with static-client \u0026 OpenLDAP) configuration\n* Concourse CI Server and Workers configuration - its credential 
manager authenticates to Vault automatically using a PKI certificate; users will be able to use OIDC or LDAP to authenticate\n* OIDC (authentication) - using OpenLDAP as a central user directory, roundtrip authentication with OpenLDAP credentials over OIDC\n* Identity (both Groups \u0026 Entities) - map LDAP groups to the Vault identity backend\n* LDAP (both authentication \u0026 secrets) - rotate OpenLDAP secrets and authenticate to Vault or Concourse\n* PKI (both authentication \u0026 secrets) - configure PKI and use it for authentication purposes\n* DB (secrets) - rotate database secrets\n* KV (secrets) - static secrets\n\n## How to run\n\nJust follow along from top to bottom:\n\n1. `docker-machine create dex` - create test vm\n1. `./ca.sh` - generate all required TLS certificates\n1. `./prep.sh` - prepare all required docker images (build)\n1. `./run.sh` - run test stack on top of test vm\n1. `source ./vault.env` - inject required environment variables (without token)\n1. `./init.sh` - initialize vault\n1. `./unseal.sh` - unseal vault\n1. `source ./vault.env` - inject required environment variables (with token)\n1. `./policy.sh` - write policies\n1. `./oidc_auth.sh` - configure OIDC authentication\n1. `./entity.sh` - configure identity groups\n1. `./ldap_auth.sh` - configure LDAP authentication\n1. `./ldap_secrets.sh` - configure LDAP secrets (take a look at the dynamically generated credentials for Carl)\n1. `./kv.sh` - configure KV secrets\n\n## How to test PKI\n\n1. `./pki_auth.sh` - configure PKI authentication \u0026 log in with a cfssl-generated certificate\n1. `./pki_secrets.sh` - configure PKI secrets, generate a TLS authentication certificate, and log in with it (log in to Vault with a Vault-generated PKI certificate)\n\n## How to test OIDC and LDAP\n\n1. `source ./vault.env` - inject required environment variables\n1. `vault login -method=oidc role=oidc-reader` - log in with OIDC (and LDAP as the identity directory)\n1. 
`vault login -method=ldap username=carl` - log in with LDAP (using Carl's dynamically generated credentials)\n\n## How to start CI\n\n1. `./run_ci.sh` - start Concourse CI server (log in via OpenLDAP, OIDC, or static credentials)\n1. `./team.sh` - set up the demo team in Concourse\n\n*It will not work without initializing, unsealing and configuring Vault and the related authentication services (LDAP, DEX), hence `./run.sh` and all associated scripts must be executed first*\n\n## How to test Postgres\n\n1. `./postgres_secrets.sh` - configure database secrets (Postgres)\n1. `./postgres_roles.sh` - configure database roles (Postgres)\n\n## How to elevate identity entity\n\n1. `./carl.sh` - an example of how someone with access to the identity backend can elevate privileges\n1. `./uncarl.sh` - take the elevated privileges back\n\n## How to read from Consul\n\n1. `source ./consul.env` - inject required environment variables\n1. `consul kv get -keys -recurse vault/core/` - list consul keys\n1. `consul kv get vault/core/lock` - read a consul key\n\n## How to interact with DEX\n\n1. `./dex.sh` - view DEX configuration\n1. `./login_dex.sh` - retrieve a JWT token from DEX\n1. `./login_dex_public.sh` - retrieve a JWT token from DEX (if a Public Client is configured)\n\n## How to stop\n\n1. `./stop.sh` or `./stop_ci.sh` - stop test stack\n1. `./unca.sh` - remove all TLS certificates\n1. `docker-machine rm -f dex` - destroy vm\n\n## Special note\n\nPlease review the configuration and processes provided in this repository before using them, e.g. hardcoded secrets, passwords, etc.\n\n## Credits\n\nFound something interesting and want to reuse it in your own project? 
Please give proper credits to HashiCorp, Concourse CI, Docker-Containers maintainers, OSS authors, and me **Viacheslav** :-)\n\n- [HashiCorp](https://www.hashicorp.com/) ([Consul](https://www.consul.io/) \u0026 [Vault](https://www.vaultproject.io/)), respective [Vault Docker Container](https://hub.docker.com/_/vault) and [Consul Docker Container](https://hub.docker.com/_/consul)\n- [Concourse CI](https://concourse-ci.org/) and respective [Concourse CI Container](https://hub.docker.com/r/concourse/concourse)\n- [DEX](https://github.com/dexidp/dex) and respective [Docker Container](https://quay.io/repository/dexidp/dex)\n- [LDAP Self-Service Portal](https://ltb-project.org/documentation/self-service-password) and respective [Docker Container](https://hub.docker.com/r/tiredofit/self-service-password)\n- [phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) and respective [Docker Container](https://hub.docker.com/r/osixia/phpmyadmin)\n- [OpenLDAP](https://www.openldap.org/) and respective [Docker Container](https://hub.docker.com/r/osixia/openldap)\n- [PostgreSQL](https://www.postgresql.org/) and respective [Docker Container](https://hub.docker.com/_/postgres)\n- [CFSSL](https://github.com/cloudflare/cfssl)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Favoidik%2Fexperience-with-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Favoidik%2Fexperience-with-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Favoidik%2Fexperience-with-vault/lists"}