scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

add HCP Vault tab for venafi + minor format update (#23467) (#23593)

Browse Source 
Co-authored-by: xka5h <74259424+xka5h@users.noreply.github.com>
This commit is contained in:
Jonathan Frappier
2023-10-10 16:18:44 -04:00
committed by GitHub
parent e77e593557
commit 301f3a7070
1 changed files with 91 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
website/content/docs/secrets/venafi.mdx
View File

@@ -101,6 +101,9 @@ and any other dependencies that appear in the Venafi Cloud documentation.
## Setup
<Tabs>
<Tab heading="Vault" group="vault">
Before certificates can be issued, you must complete these steps to configure the
Venafi secrets engine:
@@ -114,47 +117,46 @@ Venafi secrets engine:
[release package](https://github.com/Venafi/vault-pki-backend-venafi/releases/latest)
for your operating system. Unzip the binary to the plugin directory. Note
that the URL for the zip file, referenced below, changes as new versions of the
plugin are released.
plugin are released. Replace the version (0.12.0) of the release in the command below to
download the desired version.
```text
$ wget https://github.com/Venafi/vault-pki-backend-venafi/releases/download/v0.0.1/venafi-pki-backend_v0.0.1+1_linux.zip
$ unzip venafi-pki-backend_v0.0.1+1_linux.zip
```shell-session
$ wget https://github.com/Venafi/vault-pki-backend-venafi/releases/download/v0.12.0/venafi-pki-backend_v0.12.0_darwin.zip
$ unzip venafi-pki-backend_v0.12.0_darwin.zip
$ mv venafi-pki-backend /etc/vault/vault_plugins
```
1. Update the Vault [server configuration](/vault/docs/configuration/)
to specify the plugin directory:
```text
plugin_directory = "/etc/vault/vault_plugins"
```shell-session
$ plugin_directory = "/etc/vault/vault_plugins"
```
1. Start your Vault using the [server command](/vault/docs/commands/server).
1. Get the SHA-256 checksum of the `venafi-pki-backend` plugin binary:
```text
```shell-session
$ SHA256=$(sha256sum /etc/vault/vault_plugins/venafi-pki-backend| cut -d' ' -f1)
```
1. Register the `venafi-pki-backend` plugin in the Vault
[system catalog](/vault/docs/plugins/plugin-architecture#plugin-catalog):
```text
```shell-session
$ vault write sys/plugins/catalog/secret/venafi-pki-backend \
sha_256="${SHA256}" command="venafi-pki-backend"
Success! Data written to: sys/plugins/catalog/secret/venafi-pki-backend
sha_256="${SHA256}" command="venafi-pki-backend"
```
1. Enable the Venafi secrets engine:
```text
```shell-session
$ vault secrets enable -path=venafi-pki -plugin-name=venafi-pki-backend plugin
Success! Enabled the pki-backend-venafi secrets engine at: venafi-pki/
```
1. Configure a Venafi secret that maps a name in Vault to connection and authentication
settings for enrolling certificate using Venafi. The zone is a policy folder for Trust
settings for enrolling certificates using Venafi. The zone is a policy folder for Trust
Protection Platform or a DevOps project zone for Venafi Cloud.
Obtain the `access_token` and `refresh_token` for Trust Protection Platform using the
@@ -167,23 +169,21 @@ Venafi secrets engine:
**Trust Protection Platform**:
```
```shell-session
$ vault write venafi-pki/venafi/tpp \
url="https://tpp.venafi.example" \
access_token="tn1PwE1QTZorXmvnTowSyA==" \
refresh_token="MGxV7DzNnclQi9CkJMCXCg==" \
zone="DevOps\\HashiCorp Vault" \
trust_bundle_file="/path-to/bundle.pem"
Success! Data written to: venafi-pki/venafi/tpp
```
**Venafi Cloud**:
```
```shell-session
$ vault write venafi-pki/venafi/cloud \
apikey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
zone="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
Success! Data written to: venafi-pki/roles/cloud
```
1. Lastly, configure a [role](/vault/docs/secrets/pki)
@@ -194,26 +194,77 @@ Venafi secrets engine:
**Trust Protection Platform**:
```text
```shell-session
$ vault write venafi-pki/roles/tpp \
venafi_secret=tpp \
store_by=serial store_pkey=true \
allowed_domains=example.com \
allow_subdomains=true
Success! Data written to: venafi-pki/roles/tpp
```
**Venafi Cloud**:
```text
```shell-session
$ vault write venafi-pki/roles/cloud \
venafi_secret=cloud \
store_by=serial store_pkey=true \
allowed_domains=example.com \
allow_subdomains=true
Success! Data written to: venafi-pki/roles/cloud
```
</Tab>
<Tab heading="HCP Vault" group="hcp">
~> The Venafi Secrets Engine on HCP Vault currently supports Venafi Cloud or Trust Protection Platform instances secured using a certificate from a publicly trusted CA.
Support for uploading a certificate signed by a private CA using trust_bundle_file parameter is not available on HCP Vault and requires running a self-managed Vault to use.
Before certificates can be issued, you must complete these steps to configure the Venafi secrets engine:
1. Navigate to your HCP Vault cluster's [Integrations](/hcp/docs/vault/integrations#hashicorp-partner-plugins) page within the HCP portal
to add the Venafi secrets engine to your cluster.
1. After the Venafi plugin has been successfully added to your cluster, you can use the Vault CLI to configure the Venafi secrets engine
for use.
1. Enable the Venafi secrets engine:
```shell-session
$ vault secrets enable -path=venafi-pki -plugin-name=venafi-pki-backend plugin
```
Configure a Venafi secret that maps a name in Vault to connection and authentication
settings for enrolling certificates using Venafi. The zone is a DevOps project zone for Venafi Cloud.
To see all options available for venafi secrets, use
`vault path-help venafi-pki/venafi/:name` after creating the secret.
**Venafi Cloud**:
```shell-session
$ vault write venafi-pki/venafi/cloud \
apikey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
zone="zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
```
1. Lastly, configure a [role](/vault/docs/secrets/pki)
that maps a name in Vault to a Venafi secret for enrollment. To see all
options available for roles, including `ttl`, `max_ttl` and `issuer_hint`
(for validity), use `vault path-help venafi-pki/roles/:name` after
creating the role.
**Venafi Cloud**:
```shell-session
$ vault write venafi-pki/roles/cloud \
venafi_secret=cloud \
store_by=serial store_pkey=true \
allowed_domains=example.com \
allow_subdomains=true
```
</Tab>
</Tabs>
## Usage
After the Venafi secrets engine is configured and a user/machine has a Vault
@@ -228,10 +279,13 @@ To see all of the options available when requesting a certificate, including
**Trust Protection Platform**:
```text
```shell-session
$ vault write venafi-pki/issue/tpp common_name="common-name.example.com" \
alt_names="dns-san-1.example.com,dns-san-2.example.com"
```
**Example output:**
```text
Key Value
--- -----
lease_id venafi-pki/issue/tpp/oLih42SCFzyjntxGc00vqmWH
@@ -246,10 +300,14 @@ To see all of the options available when requesting a certificate, including
**Venafi Cloud**:
```text
```shell-session
$ vault write venafi-pki/issue/cloud common_name="common-name.example.com" \
alt_names="dns-san-1.example.com,dns-san-2.example.com"
```
**Example output:**
```text
Key Value
--- -----
lease_id venafi-pki/issue/cloud/1WCNvXKiwboWfRRfjzlPAwEi
@@ -267,9 +325,13 @@ To see all of the options available when requesting a certificate, including
**Trust Protection Platform**:
```text
```shell-session
$ vault write venafi-pki/sign/tpp csr=@example.req
```
**Example output:**
```text
Key Value
--- -----
lease_id venafi-pki/sign/tpp/tQq3QNY45e4sJMqTTI9DXEGK
@@ -283,9 +345,13 @@ To see all of the options available when requesting a certificate, including
**Venafi Cloud**:
```text
```shell-session
$ vault write venafi-pki/sign/cloud csr=@example.req
```
**Example output:**
```text
Key Value
--- -----
lease_id venafi-pki/sign/cloud/fF44FdMAjuCdC29w3Ff81hes