
Saltstack and Vault integration

First install and configure vault using this tutorial:
https://apassionatechie.wordpress.com/2017/03/05/hashicorp-vault/

Use the latest version of vault.

Then install salt using the steps given here:
https://docs.saltstack.com/en/latest/topics/installation/

If you face any issues, refer to these links:
https://apassionatechie.wordpress.com/2017/07/31/salt-issues/

https://apassionatechie.wordpress.com/2017/08/03/salt-stack-formulas/

Now let's integrate Vault and Salt so that we can access Vault secrets from inside a Salt state.



    1. First let's add some key values into our vault.
      vault write secret/ssh/user1 password="abc123"
      Then you can check it by reading: vault read secret/ssh/user1

    2. To allow salt to access your secrets you must first create a policy as follows:
      salt-policy.hcl
      [code]
      path "secret/*" {
        capabilities = ["read", "list"]
      }

      path "auth/*" {
        capabilities = ["read", "list", "sudo", "create", "update", "delete"]
      }
      [/code]

      You can also point to your secret more narrowly, like secret/ssh/*
      We have added auth/* so that our token can create other tokens.

    3. Then create a new policy with the following command:
      vault policy-write salt-policy salt-policy.hcl

    4. Then we will create a token from the new salt-policy
      vault token-create -policy=salt-policy
      Save the token created.

    5. Then in the salt-master create a file:
      /etc/salt/master.d/vault.conf with the following contents:
      [code]
      vault:
        url: http://127.0.0.1:8200
        auth:
          method: token
          token: xxxxxx48-xxxx-xxxx-xxxx-xxxx1xxxxc4a
        policies:
          - salt-policy
      [/code]

      Then create a file /etc/salt/master.d/peer_run.conf

      [code]
      peer_run:
        .*:
          - vault.generate_token
      [/code]

      Then restart the salt-master with service salt-master restart

    6. Then execute the following command to access the secret stored in vault:
      salt '*' vault.read_secret "secret/ssh/user1"

    7. To access the secret from inside jinja:
      my-secret: {{ salt['vault'].read_secret('secret/ssh/user1', 'password') }}
      OR
      {% set supersecret = salt['vault'].read_secret('secret/ssh/user1') %}
      secrets:
          my_secret: {{ supersecret.password }}

    8. If you want to access the secret as pillar then add the following in salt master configuration:
      [code]
      ext_pillar:
        - vault: sdb_vault path=secret/ssh/user1
      [/code]
      Restart the salt-master and salt-minion.
      Then access the data with the following command:
      salt '*' pillar.get 'password'
      Then refresh the pillar data with: salt '*' saltutil.refresh_pillar

    9. If your vault policy is not configured correctly you might get an error as:
      [code]
      ERROR: {'error': 'Forbidden'}
      2017-09-21 06:51:39,320 [salt.loaded.int.utils.vault][ERROR ][26333] Failed to get token from master! An error was returned: Forbidden
      2017-09-21 06:51:39,350 [salt.pillar ][ERROR ][26333] Execption caught loading ext_pillar 'vault':
      File "/usr/lib/python2.7/site-packages/salt/pillar/__init__.py", line 822, in ext_pillar
      key)
      File "/usr/lib/python2.7/site-packages/salt/pillar/__init__.py", line 765, in _external_pillar_data
      val)
      File "/usr/lib/python2.7/site-packages/salt/pillar/vault.py", line 91, in ext_pillar
      response = __utils__['vault.make_request']('GET', url)
      File "/usr/lib/python2.7/site-packages/salt/utils/vault.py", line 124, in make_request
      connection = _get_vault_connection()
      File "/usr/lib/python2.7/site-packages/salt/utils/vault.py", line 113, in _get_vault_connection
      return _get_token_and_url_from_master()
      File "/usr/lib/python2.7/site-packages/salt/utils/vault.py", line 89, in _get_token_and_url_from_master
      raise salt.exceptions.CommandExecutionError(result)
      2017-09-21 06:51:39,351 [salt.pillar ][CRITICAL][26333] Pillar render error: Failed to load ext_pillar vault: {'error': 'Forbidden'}
      [/code]

      Make sure you have added auth/* in the policy.
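      The Forbidden error above comes down to the policy from step 2: the master token must be able to read the secret paths and, because it mints child tokens for minions through vault.generate_token, it must also be allowed to create tokens. The following pre-flight check is an added example (not code from the post, Salt or Vault): it parses the path "..." { capabilities = [...] } stanzas the post uses and reports which grants are missing before the token is ever handed to the master. It assumes the allow-list policy form shown in the post; deny stanzas and Vault's most-specific-path precedence are not modelled, and the second policy (SECRET_ONLY_POLICY) is a constructed contrast case.

```python
"""Pre-flight check of the Vault policy behind the Salt master token.

Added example (not from the post, Salt or Vault). It parses the
path "..." { capabilities = [...] } stanzas the post uses and checks that a
token minted from the policy can read the secret paths the states need and
create child tokens for minions through auth/token/create, which is what the
master does when a minion calls vault.generate_token.
"""
import re
from typing import Dict, List, Tuple

# The policy from the post (secret/* plus auth/* so the token can mint tokens).
SALT_POLICY = '''
path "secret/*" {
  capabilities = ["read", "list"]
}

path "auth/*" {
  capabilities = ["read", "list", "sudo", "create", "update", "delete"]
}
'''

# Constructed contrast case: can read secrets but cannot create tokens.
SECRET_ONLY_POLICY = '''
path "secret/*" {
  capabilities = ["read", "list"]
}
'''

STANZA_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path_pattern: [capabilities]} from the minimal HCL form above."""
    policy: Dict[str, List[str]] = {}
    for m in STANZA_RE.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()]
        policy[m.group("path")] = caps
    return policy


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style matching: exact, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def check_policy(hcl: str, secret_paths: List[str]) -> List[str]:
    """Return the missing grants; an empty list means the policy is sufficient.

    Only the allow-list form the post uses is modelled: 'deny' stanzas and
    Vault's most-specific-path precedence are not considered.
    """
    required: List[Tuple[str, str]] = [(p, "read") for p in secret_paths]
    # Creating a token is a POST to auth/token/create, i.e. an 'update' operation.
    required.append(("auth/token/create", "update"))
    policy = parse_policy(hcl)
    problems = []
    for path, cap in required:
        granted = any(path_matches(pat, path) and cap in caps
                      for pat, caps in policy.items())
        if not granted:
            problems.append(f"no stanza grants '{cap}' on {path}")
    return problems


if __name__ == "__main__":
    for name, hcl in (("salt-policy", SALT_POLICY), ("secret-only", SECRET_ONLY_POLICY)):
        problems = check_policy(hcl, ["secret/ssh/user1"])
        print(name + ":", "OK" if not problems else "; ".join(problems))
```

      Running it prints OK for the post's policy and "no stanza grants 'update' on auth/token/create" for the secret-only one, which is exactly the gap behind the Forbidden traceback. If you narrow secret/* to secret/ssh/* as the post suggests, pass the real paths your states read so the check still covers them.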

    10. If you get the following error:
      Failed to get token from master! No result returned - is the peer publish configuration correct?
      OR
      ERROR: {}
      Then make sure you have peer_run.conf created and configured.

    11. You can also access your secret with command:
      salt-call sdb.get 'sdb://vault/secret/ssh/user1?password'
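      Steps 7 and 11 are two spellings of the same lookup: a Vault path plus an optional key. The following added example (not code from the post or from Salt's vault module) shows what that lookup turns into on the wire. It resolves the sdb:// URI into the KV v1 request, GET <url>/v1/<path> authenticated with the X-Vault-Token header, and extracts the key from the {"data": {...}} reply. To show both sides offline it runs a small stand-in for that one Vault endpoint on localhost with a constructed token and a constructed secret; the KV v1 request shape is assumed, and the real master configuration points vault:url: at the real server instead.

```python
"""What sdb://vault/secret/ssh/user1?password turns into on the wire.

Added example, not from the original post or from Salt. It resolves the sdb
URI into the Vault KV v1 request (GET /v1/<path>, X-Vault-Token header) and
pulls the requested key out of the JSON reply. FakeVault is a constructed
stand-in for that endpoint so the exchange can be run offline.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed demo values (not from the post).
DEMO_TOKEN = "s.constructed-demo-token"
DEMO_SECRETS = {"secret/ssh/user1": {"password": "abc123"}}


def parse_sdb_uri(uri: str) -> Tuple[str, str, Optional[str]]:
    """Split sdb://<profile>/<vault path>?<key> into (profile, path, key)."""
    parts = urlsplit(uri)
    if parts.scheme != "sdb" or not parts.netloc:
        raise ValueError(f"not an sdb URI: {uri}")
    return parts.netloc, parts.path.lstrip("/"), parts.query or None


def kv1_request(vault_url: str, path: str, token: str) -> Request:
    """A KV v1 read is GET <url>/v1/<path>, authenticated by X-Vault-Token."""
    return Request(f"{vault_url.rstrip('/')}/v1/{path}", headers={"X-Vault-Token": token})


def read_secret(vault_url: str, token: str, sdb_uri: str):
    """Resolve the sdb URI, query Vault, return the key's value or the whole dict."""
    _profile, path, key = parse_sdb_uri(sdb_uri)
    with urlopen(kv1_request(vault_url, path, token)) as resp:
        data = json.load(resp)["data"]
    return data[key] if key else data


class FakeVault(BaseHTTPRequestHandler):
    """Stand-in for the KV v1 endpoint: checks the token, serves DEMO_SECRETS."""

    def do_GET(self):
        if self.headers.get("X-Vault-Token") != DEMO_TOKEN:
            self._reply(403, {"errors": ["permission denied"]})
            return
        secret = DEMO_SECRETS.get(self.path[len("/v1/"):])
        if secret is None:
            self._reply(404, {"errors": []})
            return
        self._reply(200, {"data": secret})

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo() -> dict:
    """Run the exchange against the local stand-in and return what was observed."""
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}"
    results = {}
    try:
        results["password"] = read_secret(url, DEMO_TOKEN, "sdb://vault/secret/ssh/user1?password")
        results["whole"] = read_secret(url, DEMO_TOKEN, "sdb://vault/secret/ssh/user1")
        try:
            read_secret(url, "wrong-token", "sdb://vault/secret/ssh/user1?password")
        except HTTPError as err:
            results["bad_token_status"] = err.code  # the 403 Salt reports as Forbidden
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

      The ?password suffix only selects a key client-side; the whole secret is always fetched, so a token that can read secret/ssh/user1 sees every key stored there, which is the reason for scoping the policy path as tightly as your states allow.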




 
