This GitHub repository contains the code for deploying a proof of concept of Vault as a credential broker for Boundary, with a PostgreSQL database as the target.

This article explains the code: https://security.padok.fr/blog/vault-credential-broker
You should have all these tools installed:

- terraform: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
- AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- direnv: https://direnv.net/

Then:

- Clone this repository
- Have a VPC with 2 subnets and an EKS cluster deployed on AWS
- Create the AWS profile "padok_school" in `~/.aws/config`, or, if you want to use a profile of your own, search for each occurrence of "padok_school" and replace it with your profile name, then run `direnv allow`
- Log in to AWS:
  ```sh
  aws sso login
  ```
- Replace the domain name with your own: search for each occurrence of "padok.school" and replace it with your domain name
- Create the Terraform backend for remote state: in folder `terraform/layers/0-bootstrap`
  ```sh
  terraform init
  terraform apply
  ```
- Create EKS, RDS, EIPs and KMS keys: in folder `terraform/layers/1-backbone`
  ```sh
  terraform init
  terraform apply
  ```
- Set up `kubectl` to use the newly deployed EKS cluster by running `aws eks update-kubeconfig --name boundary-eks`
- Create the PostgreSQL database for Boundary:
  ```sh
  helm repo add bitnami https://charts.bitnami.com/bitnami
  helm repo update
  helm install postgresql bitnami/postgresql -n boundary --create-namespace
  kubectl get secret --namespace boundary postgresql -o jsonpath="{.data.postgres-password}" | base64 -d
  ```
  /!\ WARNING: If you have a single-node cluster, you need to check which zone your node is in:
  ```sh
  kubectl get nodes
  kubectl describe node <NODE_ID>
  ```
  Look for the zone in the result, for example: `topology.kubernetes.io/zone=eu-west-3a`
- In `helm/boundary-controller`, edit the `values.yaml` file:
  - `service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-xxxxxxxx,eipalloc-yyyyyyyy`: write the EIP ids of both boundary-controller EIPs
  - `public_cluster_ip: "xx.xx.xx.xx"`: change the ip to a controller elastic ip created for the controller in `backbone/eip.tf`

    /!\ WARNING: If you have a single-node cluster, you need to use the first elastic ip you wrote in the controller load balancer config if your node is in the first zone, else the second elastic ip
  - `postgres_url: "postgresql://postgres:xxxxxxxx@postgresql.boundary.svc.cluster.local:5432/postgres"`: write the password of your PostgreSQL database that you got at the end of the previous step, when you created the database
  - KMS key ids:
    ```yaml
    kms:
      root: "xxxxxxxx"
      worker: "xxxxxxxx"
      recovery: "xxxxxxxx"
    ```
    write the KMS key ids
- In `helm/boundary-worker`, edit the `values.yaml` file:
  - `service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-xxxxxxxx,eipalloc-yyyyyyyy`: write the EIP ids of both boundary-worker EIPs
  - `controller.ip: "xx.xx.xx.xx"`: change the ip to the same controller elastic ip you used in the `values.yaml` of the boundary controller
  - `kms.worker: "xxxxxxxx"`: write the worker KMS key id
  - `config.hostname` and `ingress.hosts.host`: change both ips to the worker elastic ip in the zone where your node is (EIP created for the worker in `backbone/eip.tf`)

    /!\ WARNING: If you have a single-node cluster, you need to use the first elastic ip you wrote in the worker load balancer config if your node is in the first zone, else the second elastic ip
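Before running `helm install`, it is worth checking that none of the placeholders from the two `values.yaml` snippets above (`xxxxxxxx`, `eipalloc-yyyyyyyy`, `xx.xx.xx.xx`) are still in place. The following shell script is an added example and not part of this repository; the two files it checks are constructed inline for demonstration, and their values are made up.

```sh
#!/bin/sh
# Added example (not part of this repository): refuse to proceed while a
# values.yaml still carries the placeholders this README asks you to replace.
# Run it against helm/boundary-controller/values.yaml and
# helm/boundary-worker/values.yaml before installing the charts.

# Placeholder patterns taken from the values.yaml snippets in this README.
PLACEHOLDERS='xxxxxxxx|yyyyyyyy|xx\.xx\.xx\.xx'

# check_placeholders FILE
# Prints each offending line with its line number.
# Returns 0 when the file is fully filled in, 1 when a placeholder remains,
# 2 when the file does not exist.
check_placeholders() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 2
    fi
    if grep -nE "$PLACEHOLDERS" "$file"; then
        echo "ERROR: $file still contains placeholder values" >&2
        return 1
    fi
    return 0
}

# Constructed sample: an unfilled controller values.yaml, as shown in the README.
UNFILLED=$(mktemp)
cat > "$UNFILLED" <<'EOF'
public_cluster_ip: "xx.xx.xx.xx"
postgres_url: "postgresql://postgres:xxxxxxxx@postgresql.boundary.svc.cluster.local:5432/postgres"
kms:
  root: "xxxxxxxx"
EOF

# Constructed sample: the same file after editing (values are made up).
FILLED=$(mktemp)
cat > "$FILLED" <<'EOF'
public_cluster_ip: "203.0.113.10"
postgres_url: "postgresql://postgres:s3cr3t-example@postgresql.boundary.svc.cluster.local:5432/postgres"
kms:
  root: "12345678-abcd-4321-dcba-876543210000"
EOF
trap 'rm -f "$UNFILLED" "$FILLED"' EXIT

# Demonstration: the first file is rejected, the second one passes.
for f in "$UNFILLED" "$FILLED"; do
    if check_placeholders "$f" >/dev/null 2>&1; then
        echo "$f: ok"
    else
        echo "$f: placeholders remain, fix the file before helm install"
    fi
done
```

In practice, call `check_placeholders helm/boundary-controller/values.yaml` and `check_placeholders helm/boundary-worker/values.yaml` and only run the `helm install` commands of the next step when both return 0.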
- Install Boundary:
  ```sh
  helm install boundary-controller -n boundary . # in helm/boundary-controller
  helm install boundary-worker -n boundary .     # in helm/boundary-worker
  ```
- Wait for the network load balancers to be active, then restart the boundary-controller and boundary-worker deployments
- Open a shell in a `boundary` pod and install the PostgreSQL client:
  ```sh
  apk add postgresql
  ```
- Copy both files of the `rds` folder into the pod: `northwind-database.sql` and `northwind-roles.sql`
- Populate RDS with these commands (`$PG_URL` is the connection url to RDS: `postgresql://{user}:{password}@{rds_endpoint}:5432/postgres`):
  ```sh
  psql -d $PG_URL -f northwind-database.sql
  psql -d $PG_URL -f northwind-roles.sql
  ```
- Create an ingress controller in your cluster:
  ```sh
  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  helm repo update
  kubectl create namespace ingress-nginx
  helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx
  ```
- Create the ingress for Vault:
  ```sh
  kubectl apply -f ingress_vault.yaml
  ```
- Create a cert-manager in your cluster (note that the `helm install` ends at `--version v1.12.0`; the `kubectl create` is a separate command):
  ```sh
  helm repo add jetstack https://charts.jetstack.io
  helm repo update
  kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.crds.yaml
  helm install \
    cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --create-namespace \
    --version v1.12.0
  kubectl create --edit -f kube/cluster-issuer.yaml
  ```
- In the AWS console, get the name of the Load Balancer created by ingress-nginx and copy it into `data.aws_elb.lb-vault.name` (file: `2-dns/main.tf`)
- Apply the `2-dns` layer
- Install Vault:
  ```sh
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm install vault hashicorp/vault -n vault --create-namespace --version 1.16.0
  ```
- Initialize Vault:
  ```sh
  kubectl exec -it vault-0 -n vault -- /bin/sh
  $ vault operator init # /!\ Note three unseal keys and the initial root token
  $ vault operator unseal <key1>
  $ vault operator unseal <key2>
  $ vault operator unseal <key3>
  ```
- In `3-vault/providers.tf`, edit the token with your initial root token
- Apply the `3-vault` layer
- /!\ WARNING: As stated in this documentation, you need to provide the access key, secret key and session token from SSO and export them as environment variables:
  ```sh
  export AWS_ACCESS_KEY_ID="..."
  export AWS_SECRET_ACCESS_KEY="..."
  export AWS_SESSION_TOKEN="..."
  ```
- Apply the `4-boundary` layer
To log into Boundary (password: `$uper$ecure`):
```sh
boundary authenticate password -addr http://boundary-api.padok.school -auth-method-id <AUTH_METHOD_ID> -login-name jeff
```

To list organizations:
```sh
boundary scopes list -addr http://boundary-api.padok.school
```

To list the projects in an organization:
```sh
boundary scopes list -addr http://boundary-api.padok.school -scope-id <ORG_ID>
```

To list the targets in a project:
```sh
boundary targets list -addr http://boundary-api.padok.school -scope-id <PROJECT_ID>
```

To connect to the PostgreSQL target:
```sh
boundary connect postgres -target-id <TARGET_ID> -addr http://boundary-api.padok.school -dbname postgres
```