Skip to content

Commit

Permalink
feat: integrate documentation with NR Broker (#71)
Browse files Browse the repository at this point in the history 
* feat: integrate documentation with NR Broker

* fix: improve instructions and catch error with no approles
  • Loading branch information
@mbystedt
mbystedt authored Jul 20, 2024
1 parent 6e586b4 commit ddf2ae5
Show file tree
Hide file tree
Showing 19 changed files with 1,316 additions and 1,167 deletions.
3 changes: 1 addition & 2 deletions .dockerignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,10 @@
# No docs
*.md

/config/envconsul
/config/config.json
/coverage
/e2e
/dist
/node_modules
/setenv*
/setenv/*
/vault-policy.hcl
1 change: 1 addition & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ VAULT_UNSEAL_KEY
/intention.json
/config/envconsul/env.hcl
/config/config.json
/setenv/*
128 changes: 128 additions & 0 deletions README-config.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
# Vault Sync Tool - Configuration

This document is aimed at Vault Administrators looking to alter the policies and access the Vault Sync Tool configures.

For users, the Vault Sync Tool maps client roles coming from OIDC to internal groups with policies that manage what the group can do. For services, it maps App Roles to policies that manage what the service can do.

## Defined Groups

The 'group' here refers to a grouping of policies and not a Vault group. This allows for the syncing of a specific group of policies (like apps or system) by themselves. A group is a collection of policies aimed at solving a class of access.

| Group | Definition | Examples | Typical Usage |
| --- | --- | --- | --- |
| system | Policies that provide broad access of Vault or a specific part. | system/admin-super | Admin users |
| apps | Policies that an individual application needs for itself. | apps/fidq/prod-kv-read | Applications or developers of an application |
| groups | Policies for a group of end users (humans) | groups/appdelivery-user | A group of end users (application delivery, DBA, etc) |

### Policy Naming Pattern

The tool uses a naming pattern that Vault admins need to be aware of. The pattern for policy names is a simple 'group/name' pattern.

**Warning:** The tool will delete policies not generated by the tool starting with '<group>/' if that group is sync'ed.

## Configuration Folder

This repo includes a generic configuration in [./config](./config/). If you have specific needs, you can copy this folder to another repository and make your changes there.

## File: config.json

This is a key value object. Each of the root keys will be described in a separate section.

### Key: db

**Creates:** Databases

This is an array of database names along with their type. Applications configured in the 'apps' key first need a database defined here to use it. There is no defined list of types as new types of databases may come along.

#### Database Configuration Contents

| Property | Type | Req | Description |
| --- | --- | --- | --- |
| name | String | Required | The lowercase name of the database. Alphanumeric and dashes only. |
| type | String | Required | The type (lowercase name) of the database. Alphanumeric only.Examples: postgresql, oracle, mysql, mariadb, orientdb |

### Key: kv

**Creates:** Policies

This is simply an array of the paths to the kv roots. Only root level paths are tested (no slashes, please!). This drives creations of admin policies for these kv secret engines.

### Key: appActorDefaults

**Creates:** Nothing. See Type: AppActorPolicies.

### Key: groups

**Creates:** Policies & external groups

This is an array of team configurations. This drives creation of policies for team groups access to team kv secret access. It also is used to generate external groups to link the groups with the client roles in the OIDC used to connect.

The Vault Sync Tool also reads all teams from NR Broker that are setup to "use" Vault in addition to the groups here.

#### Groups Configuration Contents

| Property | Type | Req | Description |
| --- | --- | --- | --- |
| kv | String | Optional | The name of the kv root for this team's kv secret engine |
| name | String | Required | The... uh... name of the name? Used to create the external group. |
| policies | String[] | Required | An array of policies to attach. Other properties like kv will attach policies as well. It is preferred that this only be for one-off grants. Patterns should be added as extension of the team configuration. |

## Application Configuration

The only implement source from applications and their configuration is retrieves the information from NR Broker.

When on boarding an application:

* Confirm the service is in Broker
* Confirm instances that link to the service to environments have been added

The vault configuration from NR Broker drives creation of policies for access to application secrets. Both users (especially developers) and the application itself will use these policies.

### Vault Configuration Contents

| Property | Type | Req | Description |
| --- | --- | --- | --- |
| actor | AppActorPolicies | Optional | Per-environment overrides of policies for each type of actor. See: AppActorPolicies |
| approle | AppRole | Optional | Enables creating an approle for the application. Sets the policies and parameters applied to the approle. |
| db | String[] | Optional | An array of database names (see db key) that this application uses.|
| enabled | Boolean | Required | If this is enabled or not |
| policyOptions | Object | Optional | Options that alter the content of policies. Only has kvReadProject which controls if an application kv policies should be able to read project kv secrets. |

### Type: AppRole

**Creates:** Approles that use the policies generated for apps

Each application can have an approle created for each environment it is configured for. This approles are created on the mount point /auth/vs_apps_approle.

#### Approle Configuration Contents

| Property | Type | Req | Description |
| --- | --- | --- | --- |
| enabled | Boolean | Required | If this is enabled or not |
| secret_id_ttl, etc | * | Optional | See Vault documentation. Every approle parameter can be specified except for role_name and policies. |

If you do not set a parameter, the default is usually used. The following have been given non-standard defaults:

* token_max_ttl - 768h
* token_period - 48h
* secret_id_num_uses - 1

### Type: AppActorPolicies

Defines the policy each application actor gets per environment. An application actor is something that uses application secrets like a developer or the application's approle.

It is best illustrated with an example.

```
{
"approle": {
...
},
"developer": {
"dev": ["project-kv-read", "project-kv-write", "app-db-readwrite"],
"test": ["project-kv-read", "app-db-read"]
}
}
```

The developer actor is granted policies based on the environment. The policy is named based on the filename (minus any suffix like hcl.tpl) rather than the name of the policy in Vault.
52 changes: 52 additions & 0 deletions README-dev.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# Vault Sync Tool - Development

Back: [README.md](README.md)

This document is aimed at developers looking to setup the Vault Sync Tool to run or make modifications to it.

See: [Oclif CLI](https://oclif.io)

## Requirements

* Podman
* Node.js

## Supported NPM commands

* npm run lint - lint source code
* npm run test - Run unit tests
* npm run prepack - Build and update CLI README

## Build with Podman

```
podman build . -t vsync
```

## Hashicorp Vault Setup for local testing

### With NR Broker

NR Broker's local setup will start a Vault container and run a setup script. No further setup should be required.

This is currently the only practical way to run the Vault Sync Tool because NR Broker is the only implemented data source for applications.

### Without NR Broker

The following will start up Vault in Podman. The Vault Sync Tool defaults to localhost:8200 for the address and myroot for the token.

`podman run --rm -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' --name=dev-vault -p 8200:8200 vault`

You will need to ensure the expected auth and kv mounts exist in Vault.

```
source setenv-local.sh
vault auth enable oidc
vault auth enable -path=vs_apps_approle approle
vault secrets enable -path=apps -version=2 kv
vault secrets enable -path=groups -version=2 kv
```

## Running with Broker

See: [Running Vault Sync Tool](https://bcgov-nr.github.io/nr-broker/#/development?id=running-vault-sync-tool)
77 changes: 35 additions & 42 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,57 +1,50 @@
# Vault Sync Tool

The Vault Sync tool or VST is for generating and syncing vault policies, groups and appRoles.

See: [Confluence Documentation](https://apps.nrs.gov.bc.ca/int/confluence/x/m4FvBQ)
The Vault Sync Tool configures HashiCorp Vault using data sources to allow applications and users to access Vault securely. It can read a static configuration or read dynamic data from the business intelligence tool, [NR Broker](https://github.com/bcgov-nr/nr-broker). It can monitor for changes in its datasources or be run on-demand.

<!-- toc -->
* [Vault Sync Tool](#vault-sync-tool)
* [Usage](#usage)
* [Commands](#commands)
<!-- tocstop -->

## Building the Docker image
## Running

`podman build . -t vsync`
The tool can be run from the source using Node.js or a release container image by using Podman or Docker.

## Environment Variables
```
./bin/dev health
```

The tool can use the following environment variables in place of command arguments. The default is in the brackets. The defaults are for testing with a local Vault instance.
```
podman run --rm ghcr.io/bcgov-nr/vault-sync-app:v1.0.4 health
```

* VAULT_ADDR - The address of the vault server ('http://127.0.0.1:8200')
* VAULT_TOKEN - The token to use when connecting to vault (myroot)
The sample command runs the health command. All the commands will probably require some arguments set up to work with your Vault.

To set the environment variables, source the target environment's setenv-*.sh file. For example, to set the address and token for the dev environment, run the following command:
The container expects to recieve a VAULT_ADDR and VAULT_TOKEN to load

`source setenv-dev.sh`
## Environment Variables

You will need vault and jq installed to run the above.
The tool can use environment variables in place of most command arguments. It is recommended that all confidential paramaters (tokens, etc.) be set using environment variables.

## Supported npm commands
These can be found by looking in the [src/flags.ts](src/flags.ts) file.

* npm start - deploy configuration to provided vault instance
* npm run lint - lint source code
* npm run test - Run unit tests
* npm run e2e - Run end-to-end tests
A sample env file is provided. To setup for running the tool using a local dev environment, run the following command:

## Configuration
`source setenv-local.sh`

See: [Confluence Documentation](https://apps.nrs.gov.bc.ca/int/confluence/x/m4FvBQ)
## Development

## Local testing
This document is aimed at developers looking to setup the Vault Sync Tool to run or make modifications to it.

The following will start up vault in docker. The Vault Sync Tool defaults for the address and token should work with it.
See: [Development](README-dev.md)

`podman run --rm -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' --name=dev-vault -p 8200:8200 vault`
## Configuration

You will need to add an OIDC authentication method to do local testing of group syncs.
This document is aimed at Vault Administrators looking to alter the policies and access the Vault Sync Tool configures.

```
source setenv-local.sh
vault auth enable oidc
vault auth enable -path=vs_apps_approle approle
vault secrets enable -path=apps -version=2 kv
```
See: [Configuration](README-config.md)

# Usage
<!-- usage -->
Expand All @@ -60,7 +53,7 @@ $ npm install -g vstool
$ vstool COMMAND
running command...
$ vstool (--version)
vstool/1.0.0 darwin-arm64 node-v22.1.0
vstool/1.0.0 darwin-x64 node-v20.11.1
$ vstool --help [COMMAND]
USAGE
$ vstool COMMAND
Expand Down Expand Up @@ -109,7 +102,7 @@ USAGE
FLAGS
-h, --help Show CLI help.
--broker-api-url=<value> [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
--broker-api-url=<value> [default: https://broker.io.nrs.gov.bc.ca/] The broker api base url
--broker-token=<value> The broker JWT
--vault-addr=<value> [default: http://127.0.0.1:8200] The vault address
--vault-token=<value> [default: myroot] The vault token
Expand Down Expand Up @@ -146,7 +139,7 @@ USAGE
FLAGS
-h, --help Show CLI help.
--broker-api-url=<value> [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
--broker-api-url=<value> [default: https://broker.io.nrs.gov.bc.ca/] The broker api base url
--broker-token=<value> The broker JWT
--vault-addr=<value> [default: http://127.0.0.1:8200] The vault address
--vault-token=<value> [default: myroot] The vault token
Expand Down Expand Up @@ -190,7 +183,7 @@ DESCRIPTION
Display help for vstool.
```

_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.0/src/commands/help.ts)_
_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.6/src/commands/help.ts)_

## `vstool init`

Expand Down Expand Up @@ -223,7 +216,7 @@ USAGE
FLAGS
-h, --help Show CLI help.
--broker-api-url=<value> [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
--broker-api-url=<value> [default: https://broker.io.nrs.gov.bc.ca/] The broker api base url
--broker-token=<value> The broker JWT
--root=<value>... [default: ] The root to constrict the policy sync to. Some roots can be further
constricted such as -root=apps -root=cool-app-war
Expand Down Expand Up @@ -255,7 +248,7 @@ EXAMPLES
$ vstool plugins
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/index.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/index.ts)_

## `vstool plugins:add PLUGIN`

Expand Down Expand Up @@ -329,7 +322,7 @@ EXAMPLES
$ vstool plugins:inspect myplugin
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/inspect.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/inspect.ts)_

## `vstool plugins:install PLUGIN`

Expand Down Expand Up @@ -378,7 +371,7 @@ EXAMPLES
$ vstool plugins:install someuser/someplugin
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/install.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/install.ts)_

## `vstool plugins:link PATH`

Expand Down Expand Up @@ -408,7 +401,7 @@ EXAMPLES
$ vstool plugins:link myplugin
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/link.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/link.ts)_

## `vstool plugins:remove [PLUGIN]`

Expand Down Expand Up @@ -449,7 +442,7 @@ FLAGS
--reinstall Reinstall all plugins after uninstalling.
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/reset.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/reset.ts)_

## `vstool plugins:uninstall [PLUGIN]`

Expand Down Expand Up @@ -477,7 +470,7 @@ EXAMPLES
$ vstool plugins:uninstall myplugin
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/uninstall.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/uninstall.ts)_

## `vstool plugins:unlink [PLUGIN]`

Expand Down Expand Up @@ -521,7 +514,7 @@ DESCRIPTION
Update installed plugins.
```

_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.2.3/src/commands/plugins/update.ts)_
_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.3.7/src/commands/plugins/update.ts)_

## `vstool policy-sync`

Expand All @@ -534,7 +527,7 @@ USAGE
FLAGS
-h, --help Show CLI help.
--broker-api-url=<value> [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
--broker-api-url=<value> [default: https://broker.io.nrs.gov.bc.ca/] The broker api base url
--broker-token=<value> The broker JWT
--root=<value>... [default: ] The root to constrict the policy sync to. Some roots can be further
constricted such as -root=apps -root=cool-app-war
Expand Down
Loading

0 comments on commit ddf2ae5

Please sign in to comment.