improved ad secret management documentation

Signed-off-by: Rod Anami <[email protected]>

Author: rod4n4m1

container/docker-compose.yaml

@@ -18,5 +18,5 @@ services:
       - IPC_LOCK
     entrypoint: vault server -config=/vault/config/vault.hcl
     extra_hosts:
-      - "ldap.chatopsknight.com:10.88.0.10"
+      - "ldap.chatopsknight.com:10.88.0.11"
 

docs/AD-Functions.md

@@ -1,5 +1,9 @@
 # Hashi Vault JS
 
+## Important Notice
+
+The Active Directory (AD) secrets engine has been deprecated as of the Vault v1.13 release. HashiCorp will continue to support the AD secrets engine in maintenance mode for six major Vault releases, meaning up to v1.19.
+
 ## AD Functions List
 
 * Vault document [reference](https://www.vaultproject.io/api-docs/secret/ad)

docs/Test-environment.md

@@ -15,7 +15,7 @@
   export PATH=$PATH:/path/to/vault
   ```
 
-* Modify Docker compose configuration on this file: `docker-compose.yaml`
+### Modify Docker compose configuration on this file: `docker-compose.yaml`
 
 ```yaml
 version: '3'
@@ -37,7 +37,7 @@ services:
     entrypoint: vault server -config=/vault/config/vault.hcl
 ```
 
-* Create a Vault server configuration file named: `vault.hcl`
+### Create a Vault server configuration file named: `vault.hcl`
 
 ```hcl
 storage "file" {
@@ -56,7 +56,7 @@ default_lease_ttl = "12h"
 api_addr = "http://127.0.0.1:8200"
 ```
 
-* Create volumes and copy any certificate/key that you have
+### Create volumes and copy any certificate/key that you have
 
   ```shell
   # Create volumes on your local filesystem, for cloud environments you'll need a private volume
@@ -246,86 +246,98 @@ api_addr = "http://127.0.0.1:8200"
   EOF
   ```
 
-  * Create an AppRole with role_id and secret_id
+## Create an AppRole with role_id and secret_id
 
-  ```shell
-  # Policy indicates the permissions and scopes an AppRole will have
-  vault policy write my-policy my-policy-permissions.hcl
+```shell
+# Policy indicates the permissions and scopes an AppRole will have
+vault policy write my-policy my-policy-permissions.hcl
 
-  # Create an AppRole, usually one per application
-  vault write auth/approle/role/my-role secret_id_ttl="720h"  token_ttl="12h"\
-  token_max_tll="12h"  policies="my-policy"
+# Create an AppRole, usually one per application
+vault write auth/approle/role/my-role secret_id_ttl="720h"  token_ttl="12h"\
+token_max_tll="12h"  policies="my-policy"
 
-  # Get the AppRole role-id
-  vault read auth/approle/role/my-role/role-id
+# Get the AppRole role-id
+vault read auth/approle/role/my-role/role-id
 
-  # Get the initial secret-id tied to the role-id
-  vault write -f auth/approle/role/my-role/secret-id
+# Get the initial secret-id tied to the role-id
+vault write -f auth/approle/role/my-role/secret-id
   ```
 
-  * Enable kubernetes auth method and create a role
+## Enable kubernetes auth method and create a role
 
-  ```shell
-  # Enable kubernetes auth method and mount it on default auth/kubernetes
-  vault auth enable kubernetes
-
-  # Get you K8s cluster info
-  kubectl cluster-info
-
-  # Configure a service account for the vault
-  kubectl apply -f ./tests/k8s-service-account.yaml
-
-  # Find out the vault-auth service account token
-  kubectl get secret <secret_name> -o jsonpath={.data.token} | base64 -d
-
-  # Configure Vault K8s auth method
-  vault write auth/kubernetes/config \
-    token_reviewer_jwt="<your reviewer service account JWT>" \
-    kubernetes_host=https://192.168.99.119:8443 \
-    [email protected]
-
-  # Create a named role
-  vault write auth/kubernetes/role/my-role \
-    bound_service_account_names=vault-auth \
-    bound_service_account_namespaces=default \
-    policies=default \
-    ttl=1h
-
-  # Test a login using K8s auth method
-  vault write auth/kubernetes/login \
-    role=my-role \
-    jwt="<your reviewer service account JWT>"
-  ```
+```shell
+# Enable kubernetes auth method and mount it on default auth/kubernetes
+vault auth enable kubernetes
 
-* Enable TLS cert auth method and create a cert
+# Get you K8s cluster info
+kubectl cluster-info
 
-  ```shell
-  # Enable TLS Certificate auth method
-  vault auth enable cert
-
-  # Create a PKI role to issue certificates
-  vault write pki_int/roles/vault-cert \
-    allow_any_name=true \
-    max_ttl=720h \
-    generate_lease=true
-
-  # Create a policy for the certificates issued
-  vault policy write cert-policy ./policies/cert-policy.hcl
-
-  # Issue a certificate based on the create role
-  vault write -format=json pki_int/issue/vault-cert \
-  common_name=vault-cert | tee \
-  >(jq -r .data.certificate > vault-cert-certificate.pem) \
-  >(jq -r .data.issuing_ca > vault-cert-issuing-ca.pem) \
-  >(jq -r .data.private_key > vault-cert-private-key.pem)
-
-  # Create a cert for authentication
-  vault write auth/cert/certs/vault-cert \
-    display_name=vault-cert \
-    policies=cert \
-    [email protected]
-
-  # Test cert login
-  vault login -method=cert -client-cert=vault-cert-certificate.pem \
-  -client-key=vault-cert-private-key.pem
-  ```
+# Configure a service account for the vault
+kubectl apply -f ./tests/k8s-service-account.yaml
+
+# Find out the vault-auth service account token
+kubectl get secret <secret_name> -o jsonpath={.data.token} | base64 -d
+
+# Configure Vault K8s auth method
+vault write auth/kubernetes/config \
+  token_reviewer_jwt="<your reviewer service account JWT>" \
+  kubernetes_host=https://192.168.99.119:8443 \
+  [email protected]
+
+# Create a named role
+vault write auth/kubernetes/role/my-role \
+  bound_service_account_names=vault-auth \
+  bound_service_account_namespaces=default \
+  policies=default \
+  ttl=1h
+
+# Test a login using K8s auth method
+vault write auth/kubernetes/login \
+  role=my-role \
+  jwt="<your reviewer service account JWT>"
+```
+
+## Enable TLS cert auth method and create a cert
+
+```shell
+# Enable TLS Certificate auth method
+vault auth enable cert
+
+# Create a PKI role to issue certificates
+vault write pki_int/roles/vault-cert \
+  allow_any_name=true \
+  max_ttl=720h \
+  generate_lease=true
+
+# Create a policy for the certificates issued
+vault policy write cert-policy ./policies/cert-policy.hcl
+
+# Issue a certificate based on the create role
+vault write -format=json pki_int/issue/vault-cert \
+common_name=vault-cert | tee \
+>(jq -r .data.certificate > vault-cert-certificate.pem) \
+>(jq -r .data.issuing_ca > vault-cert-issuing-ca.pem) \
+>(jq -r .data.private_key > vault-cert-private-key.pem)
+
+# Create a cert for authentication
+vault write auth/cert/certs/vault-cert \
+  display_name=vault-cert \
+  policies=cert \
+  [email protected]
+
+# Test cert login
+vault login -method=cert -client-cert=vault-cert-certificate.pem \
+-client-key=vault-cert-private-key.pem
+```
+
+## Enable AD secret engine and configure it
+
+```shell
+vault write ad/config \
+    binddn="cn=admin,dc=chatopsknight,dc=com" \
+    bindpass=$LDAP_ADMIN_PASSWORD \
+    url=ldaps://ldap.chatopsknight.com \
+    userdn="dc=chatopsknight,dc=com" \
+    [email protected] \
+    insecure_tls=false
+```

tests/AD-smoke-test.js

@@ -16,7 +16,7 @@ const vault = new Vault( {
     cacert: CACert,
     baseUrl: VaultUrl,
     rootPath: 'ad',
-    timeout: 3000,
+    timeout: 5000,
     proxy: false
 });
 
@@ -38,14 +38,14 @@ const SetName = "sre-team";
 
 const LibraryPayload1 = {
   name: SetName,
-  service_account_names: ['mathias.thulmann@chatopsknight.com'],
+  service_account_names: ['john.kane@chatopsknight.com'],
   ttl: '1h',
   max_ttl: '2h',
   disable_check_in_enforcement: false
 };
 const LibraryPayload2 = {
   name: SetName,
-  service_account_names: ['mathias.thulmann@chatopsknight.com', '[email protected]'],
+  service_account_names: ['john.kane@chatopsknight.com', '[email protected]'],
   ttl: '6h',
   max_ttl: '12h',
   disable_check_in_enforcement: false
@@ -58,7 +58,7 @@ const CredCheckOut = {
 
 const CredCheckIn1 = {
   name: SetName,
-  service_account_names: ['mathias.thulmann@chatopsknight.com']
+  service_account_names: ['john.kane@chatopsknight.com']
 }
 
 const CredCheckIn2 = {
@@ -106,10 +106,12 @@ vault.createADLibrary(RootToken, LibraryPayload1).then(function(data){
     console.error('2> updateADLibrary error:\n',updateError.response.data);
   });
 }).catch(function(createError){
-  console.error('3> createADLibrary error:\n',createError);
-  console.error('3> createADLibrary error:\n',createError.response.data);
+  console.error('1> createADLibrary error:\n',createError);
+  console.error('1> createADLibrary error:\n',createError.response.data);
 });
 
 // Forcing the credential checkin manually
 // vault write ad/library/sre-team/check-in [email protected]
-// vault write ad/library/sre-team/check-in [email protected]
+// vault write ad/library/sre-team/check-in [email protected]
+// Cleaning up the AD library
+// vault lease revoke -prefix -force ad/library/sre-team/check-out/