
Commit bb5e26c

author
Harish Kumar
committed
fixes for enrolling recovery keys
* add machine-id entity metadata for a node in Vault * add a policy so the node token can write (but not update or read) its recovery key in Vault KV
1 parent 9a127f5 commit bb5e26c


2 files changed

+27
-1
lines changed


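--- a/mkosi.images/terraform/share/terraform/pki.tf
+++ b/mkosi.images/terraform/share/terraform/pki.tf
@@ -245,6 +245,7 @@ resource "vault_cert_auth_backend_role" "node" {
 vault_policy.lookup-self.name,
 vault_policy.node-cert-self-renew.name,
 vault_policy.consul-gossip.name,
+vault_policy.node-recovery-keys.name,
 ]
 }
 
@@ -258,6 +259,22 @@ resource "vault_policy" "node-cert-self-renew" {
 EOP
 }
 
+resource "vault_policy" "node-recovery-keys" {
+name = "node-recovery-keys"
+
+policy = <<-EOP
+# Allow nodes to create recovery keys for their own machine-id only (write-once, no read/update)
+# No read allowed because node does not need to read its own recovery key,
+# it is only needed to be read by admins to recover the node
+# No update allowed to avoid compromised node may update recovery key
+# Any update of recovery keys (even for rotating recovery keys) need admin actions
+# For which admin key should be used
+path "secrets/mangos/recovery-keys/{{identity.entity.metadata.machine_id}}/*" {
+capabilities = ["create"]
+}
+EOP
+}
+
 resource "vault_identity_group" "vault-servers" {
 name = "vault-servers"
 type = "internal"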
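Review bot: The create-only grant on `secrets/mangos/recovery-keys/{{identity.entity.metadata.machine_id}}/*` is only as strong as the node's inability to change its own `machine_id` entity metadata; nothing in this hunk shows whether any policy already attached to the node role (lookup-self, node-cert-self-renew, consul-gossip) grants write on `identity/entity/*`, so that should be confirmed and recorded in the policy comment, e.g. `# Relies on machine_id being set by an admin at enrol time and on nodes having no update rights on identity/entity/*`. If `secrets` is a KV v2 mount the ACL path also needs the `data/` segment (`secrets/data/mangos/recovery-keys/...`), which the mount definition outside this hunk would settle. The comment block could be tightened to `# No update allowed so a compromised node cannot replace its recovery key;` followed by `# any change, including rotation, is an admin action performed with the admin key.`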

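--- a/resources/mangosctl/mangosctl.sh
+++ b/resources/mangosctl/mangosctl.sh
@@ -463,6 +463,11 @@ do_enroll() {
 entity_name=$(vault write -field=name identity/lookup/entity alias_name=${HOSTNAME}.mangos alias_mount_accessor=${node_auth_accessor})
 echo $entity_name
 
+step "Setting machine-id as entity metadata"
+machine_id=$(cat /etc/machine-id)
+vault write identity/entity/name/${entity_name} metadata=machine_id="${machine_id}"
+greenln Success
+
 for group in ${!groups[@]}
 do
 do_step "Adding host to group '${group}'" chronic do_entity addgroup ${entity_name} ${group}
@@ -1028,7 +1033,11 @@ do_bootstrap() {
 CONSUL_HTTP_TOKEN=${consul_mgmt_token} \
 do_step "Final Terraform run" chronic run_terraform_apply
 
-do_step "Enrolling recovery keys for encrypted partitions" enroll_recovery_keys "$(systemd-creds decrypt /var/lib/private/vault.root_token)"
+echo
+echo "Bootstrap complete! Next steps:"
+echo " 1. Run: mangosctl sudo enroll -g vault-server -g consul-server -g nomad-server 127.0.0.1"
+echo " 2. This will enroll the bootstrap node's identity and recovery keys"
+echo
 }
 
 set_agent_token() {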
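Review bot: The new `vault write identity/entity/name/${entity_name} metadata=machine_id="${machine_id}"` in the do_enroll hunk is not run through `do_step`/`chronic` like the group-adding step three lines below it, so `greenln Success` is printed whether or not the write succeeded unless the script runs under `set -e`, which this hunk does not show. Because the node-recovery-keys policy path is templated on this metadata value, an empty `/etc/machine-id` would silently produce an unusable policy path and should be rejected before the write. I would change the three lines to `machine_id=$(cat /etc/machine-id)`, `: "${machine_id:?/etc/machine-id is empty}"` and `do_step "Setting machine-id as entity metadata" chronic vault write identity/entity/name/"${entity_name}" metadata=machine_id="${machine_id}"`, which also quotes `entity_name` consistently with `machine_id`. Whether this `vault write` merges with or replaces any metadata the entity already carries is not visible here and is worth confirming. do_enroll starts and continues outside the hunk.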
