Update Trousseau's dedicated Vault token
Romdalf edited this page Jun 5, 2022
Updating the Vault token that Trousseau uses to access the Transit Key Engine is considered a Vault day 2 operation.
Since the token's max TTL is capped at 768h (or a lower configured value), the token cannot be renewed past that limit. Instead, a new token must be created and injected into Trousseau's config key-value store.
- This operation requires the root token, or another highly privileged token, to rotate Trousseau's token.
- Given that requirement, from a security perspective Trousseau cannot perform this day 2 operation itself in code, as holding such a privileged token would break the Zero-Trust model.
- Do not restart any services (such as rke-server on RKE2) before all of Trousseau's pods have been fully and successfully restarted.
- Do not recreate any of Trousseau's configuration in case of failure; open a GitHub issue for help.
On Vault, create a new token:

```
[root@tdevhvc-01 trousseau-demo]# vault token create -policy=trousseau-transit-ro
Key                  Value
---                  -----
token                s.Vhc1rXyveyc4Vn8Upd2M1g9H
token_accessor       RTk81akLCLOy2JDyzuAQawDk
token_duration       768h
token_renewable      true
token_policies       ["default" "trousseau-transit-ro"]
identity_policies    []
policies             ["default" "trousseau-transit-ro"]
```
On Vault, check the Trousseau config key-value store:

```
[root@tdevhvc-01 trousseau-demo]# vault kv get /secret/trousseau/config
======= Metadata =======
Key                Value
---                -----
created_time       2022-05-18T00:25:03.155739032Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

========= Data =========
Key               Value
---               -----
transitkeyname    trousseau-kms-vault
ttl               30s
vaultaddress      http://tdevhvc-01.trousseau.io:8200
vaulttoken        s.CkUWvzQamSIiRRzYiY8Jibfy
```
On Vault, update the Trousseau config key-value store:

```
[root@tdevhvc-01 trousseau-demo]# vault kv put /secret/trousseau/config transitkeyname=trousseau-kms-vault ttl=30s vaultaddress=http://tdevhvc-01.trousseau.io:8200 vaulttoken=s.Vhc1rXyveyc4Vn8Upd2M1g9H
Key                Value
---                -----
created_time       2022-06-05T15:31:39.881547821Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2
```
On Vault, verify the Trousseau config key-value store:

```
[root@tdevhvc-01 trousseau-demo]# vault kv get /secret/trousseau/config
======= Metadata =======
Key                Value
---                -----
created_time       2022-06-05T15:31:39.881547821Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

========= Data =========
Key               Value
---               -----
transitkeyname    trousseau-kms-vault
ttl               30s
vaultaddress      http://tdevhvc-01.trousseau.io:8200
vaulttoken        s.Vhc1rXyveyc4Vn8Upd2M1g9H
```
On the Kubernetes cluster, restart the Trousseau DaemonSet Pods:

```
[root@tdevk8s-01 ~]# kubectl rollout restart -n kube-system daemonset vault-kms-provider
daemonset.apps/vault-kms-provider restarted
```
This last step redeploys the Pods; on start-up, the Vault Agent fetches the configuration file, which now includes the new token.