
Update Trousseau's dedicated Vault token

Romdalf edited this page Jun 5, 2022 · 1 revision

Intro

Updating the Vault token used by Trousseau to access the Transit Key Engine is considered a Vault day 2 operation.

Since the max TTL is capped at 768h (or any lower value), the token cannot be renewed, as the renewal would exceed that setting. Instead, a new token needs to be created and injected into the Trousseau config key-value store.

Notes

  • This operation requires the root token or a highly privileged token to rotate the related token.
  • Considering the above, from a security perspective Trousseau cannot perform this day 2 operation from its own code, as doing so would break the Zero-Trust model.
  • Do not restart any other services (for example the rke-server on RKE2) before all of Trousseau's Pods have restarted successfully.
  • Do not recreate any of Trousseau's configuration in case of failure; open a GitHub issue for help instead.

Steps

On Vault, create a new token:

[root@tdevhvc-01 trousseau-demo]# vault token create -policy=trousseau-transit-ro
Key                  Value
---                  -----
token                s.Vhc1rXyveyc4Vn8Upd2M1g9H
token_accessor       RTk81akLCLOy2JDyzuAQawDk
token_duration       768h
token_renewable      true
token_policies       ["default" "trousseau-transit-ro"]
identity_policies    []
policies             ["default" "trousseau-transit-ro"]

On Vault, check the Trousseau config key-value store:

[root@tdevhvc-01 trousseau-demo]# vault kv get /secret/trousseau/config
======= Metadata =======
Key                Value
---                -----
created_time       2022-05-18T00:25:03.155739032Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

========= Data =========
Key               Value
---               -----
transitkeyname    trousseau-kms-vault
ttl               30s
vaultaddress      http://tdevhvc-01.trousseau.io:8200
vaulttoken        s.CkUWvzQamSIiRRzYiY8Jibfy

On Vault, update the Trousseau config key-value store:

[root@tdevhvc-01 trousseau-demo]# vault kv put /secret/trousseau/config transitkeyname=trousseau-kms-vault ttl=30s vaultaddress=http://tdevhvc-01.trousseau.io:8200 vaulttoken=s.Vhc1rXyveyc4Vn8Upd2M1g9H
Key                Value
---                -----
created_time       2022-06-05T15:31:39.881547821Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

On Vault, verify the Trousseau config key-value store:

[root@tdevhvc-01 trousseau-demo]# vault kv get /secret/trousseau/config
======= Metadata =======
Key                Value
---                -----
created_time       2022-06-05T15:31:39.881547821Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

========= Data =========
Key               Value
---               -----
transitkeyname    trousseau-kms-vault
ttl               30s
vaultaddress      http://tdevhvc-01.trousseau.io:8200
vaulttoken        s.Vhc1rXyveyc4Vn8Upd2M1g9H

On the Kubernetes cluster, restart the Trousseau DaemonSet Pods:

[root@tdevk8s-01 ~]# kubectl rollout restart -n kube-system  daemonset vault-kms-provider
daemonset.apps/vault-kms-provider restarted

This last step redeploys the Pods; on start, the Vault Agent fetches the configuration file, which now includes the new token.
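The steps above as one script, added here as an example and not code from the Trousseau project; it assumes `vault` and `kubectl` are on PATH and already authenticated, and it adds one step the page does not mention: revoking the superseded token once the rollout has completed.

```shell
#!/bin/sh
# Added example, not Trousseau project code: the page's steps as one script that
# carries the existing config keys over verbatim and only swaps vaulttoken.
# Assumes vault/kubectl on PATH, authenticated with a token allowed to create tokens.
set -eu
CONFIG_PATH="${CONFIG_PATH:-secret/trousseau/config}"   # path as used on this page
POLICY="${POLICY:-trousseau-transit-ro}"
NAMESPACE="${NAMESPACE:-kube-system}"
DAEMONSET="${DAEMONSET:-vault-kms-provider}"

# Step 1: create the replacement token and print only its value.
create_token() {
  vault token create -field=token -policy="$POLICY"
}

# Read one field of the current config so unrelated keys are not retyped by hand.
config_field() {
  vault kv get -field="$1" "$CONFIG_PATH"
}

# Steps 2-4: write the config back with only vaulttoken replaced, then read it
# back and fail unless the stored token is the one just written.
update_config() {
  new_token="$1"
  vault kv put "$CONFIG_PATH" \
    transitkeyname="$(config_field transitkeyname)" \
    ttl="$(config_field ttl)" \
    vaultaddress="$(config_field vaultaddress)" \
    vaulttoken="$new_token" >/dev/null
  [ "$(config_field vaulttoken)" = "$new_token" ] || return 1
  printf '%s\n' "$new_token"
}

# Step 5: restart the DaemonSet and block until every Pod is back (per the Notes,
# nothing else may be restarted before this completes).
restart_trousseau() {
  kubectl rollout restart -n "$NAMESPACE" daemonset "$DAEMONSET" >/dev/null
  kubectl rollout status -n "$NAMESPACE" daemonset "$DAEMONSET" --timeout=5m >/dev/null
}

# Whole procedure. Revoking the old token is an addition not on the page: it stays
# valid until its TTL, and set -e means it is only revoked after a healthy rollout.
rotate_trousseau_token() {
  old_token="$(config_field vaulttoken)"
  new_token="$(create_token)"
  update_config "$new_token" >/dev/null
  restart_trousseau
  vault token revoke "$old_token" >/dev/null
  printf '%s\n' "$new_token"
}

if [ "${1:-}" = "--run" ]; then rotate_trousseau_token; fi
```

Run it with `--run` from a shell that already holds a sufficiently privileged `VAULT_TOKEN`; if the rollout does not report every Pod healthy within the timeout, the script stops before revoking anything.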