Secrets Management at Scale with Vault & Rancher
Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Bastian Hofman Compliance & Hardware Security Module (HSM) integration ● Costs, scalability & productivity HashiCorp Vault Provides the foundation for cloud security that leverages trusted sources of identity to keep gartner.com/en/documents/3988410/critical-capabilities-for-privileged-access-management Vault Workflow Overview Vault Principles API (HTTP Rest / KMIP) Identity Policy / Governance Audit Dynamic Secrets
0 points | 36 pages | 1.19 MB | 1 year ago

Key management | Key
Turtles all the way down - Securely managing Kubernetes Secrets
Kubernetes secrets: HashiCorp Vault Watch: https://www.youtube.com/watch?v=B16YTeSs1hI HashiCorp Vault KMS plugin for Kubernetes ● Secrets are in etcd, with root of trust in Vault Kubernetes auth backend backend for HashiCorp Vault ● Authenticate to Vault using a K8s service account Kubernetes secrets: requirements Kubernetes default Identity External secrets provider 1.7 EncryptionConfig 1.10 Azure Key Vault: https://github.com/Azure/kubernetes-kms ● AWS KMS: https://github.com/kubernetes-sigs/aws-encryption-provider ● HashiCorp Vault: https://github.com/oracle/kubernetes-vault-kms-plugin
0 points | 52 pages | 2.84 MB | 1 year ago

Zabbix 6.2 Manual
some sensitive information from Zabbix in CyberArk Vault CV2. Similarly to storing secrets in HashiCorp Vault, introduced in Zabbix 5.2, CyberArk Vault can be used for: • user macro values 8 • database database access credentials Zabbix provides read-only access to the secrets in vault. See also: CyberArk configuration Secure password hashing In Zabbix 5.0 the password hashing algorithm was changed from no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear
0 points | 1689 pages | 22.82 MB | 1 year ago

Dapr july 2020 security audit report
via RetryPolicy of state components (Medium) DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) Orchestration Hardening Network Policy Zero-Trust Concepts RBAC Secrets Management DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) It was found that the SecretStore implementation of the Hashicorp’s secret vault is vulnerable to a HTTP Parameter Pollution vulnerability unintended for Dapr. Affected File: github.com/dapr/components-contrib@v0.8.0/secretstores/hashicorp/vault/vault.go Affected Code: func (v *vaultSecretStore) GetSecret(req secretstores.GetSecretRequest)
0 points | 19 pages | 267.84 KB | 1 year ago

Zabbix 6.4 Manual
Remote commands Templates New templates are available: • Acronis Cyber Protect Cloud by HTTP • HashiCorp Nomad by HTTP • MantisBT by HTTP You can get these templates: • In Data collection → Templates no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear set to HashiCorp Vault or CyberArk Vault, additional parameters will become available: • for HashiCorp Vault: Vault API endpoint, secret path and authentication token; • for CyberArk Vault: Vault API endpoint
0 points | 1885 pages | 29.12 MB | 1 year ago

Dapr september 2023 security audit report
skip server config verify which is unsafe!") } Not all components follow this practice. The Hashicorp Vault Secretstore component labels the option “Insecure” but does not log a warning. Other components requests it. The attacker is likely to be an insider who has certain privileges. Example 1: Vault If the Vault SecretStore component does not receive a successful response from the remote store, Dapr copies https://github.com/dapr/components-contrib/blob/cfbac4d794b35e5da28d65a13369d33383fb6ad4/secretstores/hashicorp/vault/vault.go#L247 19 Dapr security audit 2023 if httpresp.StatusCode != http.StatusOK { var b bytes
0 points | 47 pages | 1.05 MB | 1 year ago

Zabbix 7.0 Manual
no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear set to HashiCorp Vault or CyberArk Vault, additional parameters will become available: • for HashiCorp Vault: Vault API endpoint, secret path and authentication token; • for CyberArk Vault: Vault API endpoint endpoint, secret query string and certificates. Upon marking Vault certificates checkbox, two new fields for specifying paths to SSL certificate file and SSL key file will appear. Settings Entering
0 points | 1949 pages | 31.91 MB | 1 year ago

The Path to GitOps
external secret management systems such as AWS Secrets Manager [7.3], HashiCorp Vault [7.4], Google Secrets Manager [7.5], and Azure Key Vault [7.6] using a plug-in model. The External Secrets controller reads reads information from external APIs (for example, HashiCorp Vault) and injects the values from the external system into Kubernetes as a secret. This process works by providing the controller with an 5] https://cloud.google.com/secret-manager [7.6] https://azure.microsoft.com/en-us/services/key-vault/ The Path to GitOps | 41 Chapter 8 Other Considerations In this book, I have taken you on a step-by-step
0 points | 45 pages | 1.09 MB | 1 year ago

Dapr february 2021 security audit report
Parameter Pollution in Hashicorp secret vault (Low) Status: Open While reviewing the Dapr source code, it was noticed that the HTTP parameter pollution inside the Hashicorp vault code is still possible
0 points | 9 pages | 161.25 KB | 1 year ago

Zabbix 6.0 Manual
New templates are available: • CockroachDB by HTTP • Envoy Proxy by HTTP • HashiCorp Consul Cluster by HTTP • HashiCorp Consul Node by HTTP See setup instructions for HTTP templates. You can get these Remote commands Templates New templates are available: • Acronis Cyber Protect Cloud by HTTP • HashiCorp Nomad by HTTP • MantisBT by HTTP You can get these templates: • In Configuration → Templates suffixes are supported, e.g. 10s, 1m. 35 Option Description Target secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear
0 points | 1681 pages | 23.19 MB | 1 year ago