Secrets Management at Scale with Vault & Rancher
Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Bastian Hofman Compliance & Hardware Security Module (HSM) integration ● Costs, scalability & productivity HashiCorp Vault Provides the foundation for cloud security that leverages trusted sources of identity to keep gartner.com/en/documents/3988410/critical-capabilities-for-privileged-access-management Vault Workflow Overview Vault Principles API (HTTP Rest / KMIP) Identity Policy / Governance Audit Dynamic Secrets
36 pages | 1.19 MB | 1 year ago
Red Hat OpenShift Data Foundation 4.12 Planning your deployment
or later support encryption. Existing encrypted clusters that do not use an external Key Management System (KMS) cannot be migrated to use an external KMS. Previously, HashiCorp Vault was the only KMS supported for cluster-wide and persistent volume encryption. In OpenShift Data Foundation 4.7.0 and 4.7.1, only the HashiCorp Vault Key/Value (KV) secret engine API, version 1, is supported. Starting with OpenShift Data Foundation 4.7.2, the HashiCorp Vault KV secret engine API, versions 1 and 2, is supported. Starting with OpenShift Data Foundation 4.12, Thales CipherTrust Manager has been introduced as an additional supported KMS. Important Red Hat OpenShift Data Foundation subscription. For more information, see the knowledgebase article on OpenShift Data Foundation subscriptions. Red Hat works with technology partners to provide this documentation as a service to customers. However, Red Hat does not provide support for Hashicorp products. For technical assistance with this product, contact Hashicorp. 5.3.1. Cluster-wide encryption Red Hat OpenShift Data Foundation supports cluster-wide encryption for all disks and Multicloud Object Gateway operations in the storage cluster
37 pages | 620.41 KB | 1 year ago
Key Management
Turtles all the way down - Securely managing Kubernetes Secrets Kubernetes secrets: HashiCorp Vault Watch: https://www.youtube.com/watch?v=B16YTeSs1hI HashiCorp Vault KMS plugin for Kubernetes ● Secrets are in etcd, with root of trust in Vault Kubernetes auth backend for HashiCorp Vault ● Authenticate to Vault using a K8s service account Kubernetes secrets: requirements Kubernetes default Identity External secrets provider 1.7 EncryptionConfig 1.10 Azure Key Vault: https://github.com/Azure/kubernetes-kms ● AWS KMS: https://github.com/kubernetes-sigs/aws-encryption-provider ● HashiCorp Vault: https://github.com/oracle/kubernetes-vault-kms-plugin
52 pages | 2.84 MB | 1 year ago
Zabbix 6.2 Manual
some sensitive information from Zabbix in CyberArk Vault CV2. Similarly to storing secrets in HashiCorp Vault, introduced in Zabbix 5.2, CyberArk Vault can be used for: • user macro values • database access credentials Zabbix provides read-only access to the secrets in vault. See also: CyberArk configuration Secure password hashing In Zabbix 5.0 the password hashing algorithm was changed from no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear
1689 pages | 22.82 MB | 1 year ago
Dapr July 2020 security audit report
via RetryPolicy of state components (Medium) DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) Orchestration Hardening Network Policy Zero-Trust Concepts RBAC Secrets Management DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) It was found that the SecretStore implementation of the Hashicorp's secret vault is vulnerable to an HTTP Parameter Pollution vulnerability unintended for Dapr. Affected File: github.com/dapr/components-contrib@v0.8.0/secretstores/hashicorp/vault/vault.go Affected Code: func (v *vaultSecretStore) GetSecret(req secretstores.GetSecretRequest)
19 pages | 267.84 KB | 1 year ago
Zabbix 6.4 Manual
Remote commands Templates New templates are available: • Acronis Cyber Protect Cloud by HTTP • HashiCorp Nomad by HTTP • MantisBT by HTTP You can get these templates: • In Data collection → Templates no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear set to HashiCorp Vault or CyberArk Vault, additional parameters will become available: • for HashiCorp Vault: Vault API endpoint, secret path and authentication token; • for CyberArk Vault: Vault API endpoint
1885 pages | 29.12 MB | 1 year ago
Dapr September 2023 security audit report
skip server config verify which is unsafe!") } Not all components follow this practice. The Hashicorp Vault Secretstore component labels the option "Insecure" but does not log a warning. Other components requests it. The attacker is likely to be an insider who has certain privileges. Example 1: Vault If the Vault SecretStore component does not receive a successful response from the remote store, Dapr copies https://github.com/dapr/components-contrib/blob/cfbac4d794b35e5da28d65a13369d33383fb6ad4/secretstores/hashicorp/vault/vault.go#L247 if httpresp.StatusCode != http.StatusOK { var b bytes
47 pages | 1.05 MB | 1 year ago
Zabbix 7.0 Manual
no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear set to HashiCorp Vault or CyberArk Vault, additional parameters will become available: • for HashiCorp Vault: Vault API endpoint, secret path and authentication token; • for CyberArk Vault: Vault API endpoint, secret query string and certificates. Upon marking Vault certificates checkbox, two new fields for specifying paths to SSL certificate file and SSL key file will appear. Settings Entering
1949 pages | 31.91 MB | 1 year ago
Zabbix 7.0 Manual (Chinese)
See also the upgrade notes. Vault prefix parameter added to configuration files The configuration files zabbix_server.conf and zabbix_proxy.conf have been supplemented with a new optional parameter Vault Prefix; zabbix.conf.php has been supplemented with the option $DB['VAULT_PREFIX'], and setup.php has been updated accordingly. As a result, the CyberArk and HashiCorp vault paths are no longer hardcoded, so that vault deployments with non-standard paths are allowed. Agent 2 configuration Buffer size The default value of the BufferSize configuration parameter of Zabbix agent 2 has been increased from 100 to 1000. Empty values allowed Plugin-related configuration parameters on Zabbix agent 2 now allow empty values. Proxy memory buffer Zabbix proxy now supports a memory buffer. The memory buffer allows new data (monitoring values, network discovery, host autoregistration) to be stored in the cache and, without accessing the database, target>] Reload proxy configuration cache. target - comma-separated list of proxy names. If not specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear the SNMP properties (engine time, engine boots, engine
1951 pages | 33.43 MB | 1 year ago
The Path to GitOps
external secret management systems such as AWS Secrets Manager [7.3], HashiCorp Vault [7.4], Google Secrets Manager [7.5], and Azure Key Vault [7.6] using a plug-in model. The External Secrets controller reads information from external APIs (for example, HashiCorp Vault) and injects the values from the external system into Kubernetes as a secret. This process works by providing the controller with an 5] https://cloud.google.com/secret-manager [7.6] https://azure.microsoft.com/en-us/services/key-vault/ Chapter 8 Other Considerations In this book, I have taken you on a step-by-step
45 pages | 1.09 MB | 1 year ago