From e21ccbcc9828a0be8839dfb72834e59d1286a0d1 Mon Sep 17 00:00:00 2001
From: ltamaster
Date: Thu, 7 Jan 2021 18:31:04 -0300
Subject: [PATCH] update docs
---
README.md | 42 ++++++++++++++++++++++++++++++++++++--
docker/docker-compose.yaml | 6 +++---
2 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 9bd9c93..c6ae8dd 100644
--- a/README.md
+++ b/README.md
@@ -169,7 +169,7 @@ Default value: 1
 ### Configuration Examples
-* **example basic settings**
+#### **example basic settings**
 ```
 rundeck.storage.provider.1.type=vault-storage
 rundeck.storage.provider.1.path=keys
@@ -179,7 +179,7 @@ rundeck.storage.provider.1.config.address=$VAULT_URL
 rundeck.storage.provider.1.config.token=$VAULT_TOKEN
 ```
-* **existing vault storage**
+#### **existing vault storage**
 For existing vault storage, probably you will need to remove the default `keys` path added by default for rundeck. You can use these settings for an existing vault storage:
@@ -194,6 +194,44 @@ rundeck.storage.provider.1.config.token=$VAULT_TOKEN
 rundeck.storage.provider.1.config.storageBehaviour=vault
 ```
+#### **Using APPROLE authentication**
+
+You can use these settings for an existing vault storage:
+
+```
+rundeck.storage.provider.1.type=vault-storage
+rundeck.storage.provider.1.path=keys
+rundeck.storage.provider.1.config.prefix=app
+rundeck.storage.provider.1.config.secretBackend=secret
+rundeck.storage.provider.1.config.address=$VAULT_URL
+rundeck.storage.provider.1.config.engineVersion=2
+rundeck.storage.provider.1.config.storageBehaviour=vault
+
+#auth
+rundeck.storage.provider.1.config.authBackend=approle
+rundeck.storage.provider.1.config.approleAuthMount=approle
+rundeck.storage.provider.1.config.approleId=$VAULT_APPROLE_ID
+rundeck.storage.provider.1.config.approleSecretId=$VAULT_APPROLE_SECRET_ID
+
+#timeouts
+rundeck.storage.provider.1.config.maxRetries=500
+rundeck.storage.provider.1.config.retryIntervalMilliseconds=2
+rundeck.storage.provider.1.config.openTimeout=2500
+rundeck.storage.provider.1.config.readTimeout=2500
+```
+
+**Enabling APPROLE Vault using API**
+
+```
+curl --header "X-Vault-Token: $TOKEN" --request POST --data '{"type": "approle"}' http://localhost:8200/v1/sys/auth/approle
+curl --header "X-Vault-Token: $TOKEN" --request POST --data '{"policies": "rundeck", "token_ttl": "2m", "token_max_ttl": "2m"}' http://localhost:8200/v1/auth/approle/role/rundeck
+# get $VAULT_APPROLE_ID
+curl --header "X-Vault-Token: $TOKEN" http://localhost:8200/v1/auth/approle/role/rundeck/role-id | jq
+# get $VAULT_APPROLE_SECRET_ID
+curl --header "X-Vault-Token: $TOKEN" --request POST http://localhost:8200/v1/auth/approle/role/rundeck/secret-id | jq
+```
+
+
 ## Vault API versions
 Since version 1.3.1, this plugin can work with `kV Secrets Engine - Version 2`.
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index 4d041fe..ebdda05 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -34,12 +34,12 @@ services:
 - RUNDECK_STORAGE_PROVIDER_1_TYPE=vault-storage
 - RUNDECK_STORAGE_PROVIDER_1_PATH=keys
 - RUNDECK_STORAGE_PROVIDER_1_REMOVEPATHPREFIX=true
- - RUNDECK_STORAGE_PROVIDER_1_CONFIG_SECRETBACKEND=kv
- - RUNDECK_STORAGE_PROVIDER_1_CONFIG_PREFIX=test
+ - RUNDECK_STORAGE_PROVIDER_1_CONFIG_SECRETBACKEND=secret
+ - RUNDECK_STORAGE_PROVIDER_1_CONFIG_PREFIX=app
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_ADDRESS=http://vault:8200
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_TOKEN=${VAULT_TOKEN}
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_BEHAVIOUR=vault
- - RUNDECK_STORAGE_PROVIDER_1_CONFIG_ENGINEVERSION=1
+ - RUNDECK_STORAGE_PROVIDER_1_CONFIG_ENGINEVERSION=2
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_MAXRETRIES=500
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_RETRYINTERVAL=2
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_OPENTIMEOUT=2500
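Review bot: The new `SECRETBACKEND=secret` / `ENGINEVERSION=2` pair is only correct if `secret/` is really mounted as a KV v2 engine on the `vault` service, which this hunk does not show; with a v1 mount and `ENGINEVERSION=2` the plugin would address the v2 `data/` path and the mismatch is likely to surface as missing keys rather than a clear error. I would pin that assumption beside the changed line: `# 'secret' must be a KV v2 mount on the vault service (Vault dev mode mounts it as v2 by default; confirm for non-dev setups)`. Separately, the example still authenticates with a long-lived static `${VAULT_TOKEN}` from the environment while the README in this same commit now documents AppRole with 2m tokens, so a one-line caveat would keep readers from copying the token form into real deployments: `# local testing only: use APPROLE auth (see README) outside dev`. The enclosing `services:` block starts outside the hunk.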