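[Translation] Vault Learning Resources: 1.0, Auto-unseal, Agent, Kubernetes

December 20, 2018 YOKO HYAKUNA

We are pleased to announce more hands-on guides to help you learn and integrate Vault as your secrets management solution. Some of the pre-existing guides have also been updated.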

New guides:

Updated guides:

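Auto-Unseal Using GCP Cloud KMS

In Vault 1.0 we open sourced the auto-unseal feature, which previously required *Vault Enterprise Pro*. Now you can opt in to automatic unsealing via a trusted cloud provider (AliCloud KMS, Amazon KMS, Azure Key Vault, and Google Cloud KMS).

This guide demonstrates an example of using Terraform to set up a Vault node that is configured to auto-unseal using a GCP Cloud KMS encryption key.

NOTE: The Auto-unseal using AWS KMS guide has been updated to run Vault 1.0 OSS.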

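Vault Agent With AWS

Vault Agent is a client daemon that automates the workflow of client login and token refresh to manage the token lifecycle without requiring custom logic.

This guide walks you through the steps needed to configure Vault Agent using the AWS auth method.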

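Vault Agent With Kubernetes

One of the top requests from KubeCon was how to use Vault with Kubernetes. This guide demonstrates how to leverage Vault Agent from a Kubernetes environment.

You will learn how to set up the Kubernetes auth method and then configure Vault Agent to acquire and manage Vault tokens for the clients running in a pod.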

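Vault Getting Started - Install Vault Video

Our existing Vault Getting Started guides are the easiest way to try Vault on your local machine and learn the core concepts. But we understand that your time is valuable, and it is often easier to watch a video alongside or in place of the text. We created a 2-minute video which you can view on desktop, tablet, or mobile.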

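Tokens

Vault 1.0 introduced batch tokens, which support ephemeral, high-performance workloads. This guide has been updated to highlight and compare the characteristics of service tokens and batch tokens.

NOTE: A Katacoda interactive tutorial is also available.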

Cubbyhole Response Wrapping

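As of Vault 1.0, the Web UI supports response wrapping. The Additional Discussion: Web UI section has been added to walk you through an end-to-end example of leveraging response wrapping via the UI.

Policies

A table listing the root protected API endpoints has been added to clarify which policy paths should include the sudo capability.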

[Original] Vault Learning Resources: 1.0, Auto-unseal, Agent, Kubernetes

DEC 20 2018 YOKO HYAKUNA

We are excited to announce additional hands-on guides to help you learn and integrate Vault as your secrets management solution. Some of the pre-existing guides have also been updated.

New guides:

Updated guides:

Auto-Unseal Using GCP Cloud KMS

In Vault 1.0 we open sourced the auto-unseal feature which previously required Vault Enterprise Pro. Now you can opt-in to automatic unsealing via your trusted cloud provider: AliCloud KMS, Amazon KMS, Azure Key Vault, and Google Cloud KMS.


This guide demonstrates an example of using Terraform to provision a Vault node which is configured to auto-unseal using a GCP Cloud KMS encryption key.

NOTE: The Auto-unseal using AWS KMS guide has been updated to run Vault 1.0 OSS as well.

Vault Agent With AWS

Vault Agent is a client daemon which automates the workflow of client login and token refresh to manage the token lifecycle without requiring custom logic.


This guide walks you through the steps needed to configure Vault Agent using the AWS auth method.

Vault Agent With Kubernetes

One of the top requests from KubeCon was how to use Vault with Kubernetes. This guide demonstrates how to leverage the Vault Agent from a Kubernetes environment.


You will learn how to set up the Kubernetes auth method and then configure the Vault Agent to acquire and manage Vault tokens for the clients running in a pod.

Vault Getting Started - Install Vault Video

Our existing Vault Getting Started guides are the easiest way to try Vault on your local machine and learn the core concepts. But we understand that your time is valuable and it's often easier to watch a video alongside or in place of the text. We created a 2-minute video which you can view on desktop, tablet, or mobile.

Tokens

Vault 1.0 introduced batch tokens which support ephemeral, high performance workloads. This guide has been updated to highlight and compare the characteristics of service tokens and batch tokens.

NOTE: A Katacoda interactive tutorial is also available.

Cubbyhole Response Wrapping

As of Vault 1.0, the Web UI supports response wrapping. The Additional Discussion: Web UI section has been added to walk you through an end-to-end example of leveraging response wrapping via the UI.

Policies

A table listing the root protected API endpoints has been added to clarify which policy paths should include the sudo capability.
