Secrets Management at Scale with Vault & Rancher
Secrets Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Compliance & Hardware Security Module (HSM) integration ● Costs, scalability & productivity HashiCorp Vault Provides the foundation for cloud security that leverages trusted sources of identity to keep secrets gartner.com/en/documents/3988410/critical-capabilities-for-privileged-access-management Vault Workflow Overview Vault Principles API (HTTP Rest / KMIP) Identity Policy / Governance Audit Dynamic Secrets
36 pages | 1.19 MB | 1 year ago

Red Hat OpenShift Data Foundation 4.12 Planning your deployment
Previously, HashiCorp Vault was the only KMS supported for cluster-wide encryption and persistent volume encryption. In OpenShift Data Foundation 4.7.0 and 4.7.1, only the HashiCorp Vault Key/Value (KV) secret engine API, version 1, is supported. Starting with OpenShift Data Foundation 4.7.2, HashiCorp Vault KV is supported Foundation 4.6 supported. Starting with OpenShift Data Foundation 4.7, deployments both with and without HashiCorp Vault KMS are supported. Starting with OpenShift Data Foundation 4.12, deployments with and without HashiCorp Vault KMS and Thales CipherTrust Manager KMS are supported. Note: requires a valid Red Hat HashiCorp Vault KMS provides two authentication methods for cluster-wide encryption: Token: this method allows authentication with a vault token. A Kubernetes secret containing the vault token is created in the openshift-storage namespace and used for authentication. If this authentication method is selected, the administrator must provide a vault token for the backend path in vault where the encryption keys are stored. Kubernetes
37 pages | 620.41 KB | 1 year ago

Zabbix 6.2 Manual
some sensitive information from Zabbix in CyberArk Vault CV2. Similarly to storing secrets in HashiCorp Vault, introduced in Zabbix 5.2, CyberArk Vault can be used for: • user macro values • database access credentials Zabbix provides read-only access to the secrets in vault. See also: CyberArk configuration Secure password hashing In Zabbix 5.0 the password hashing algorithm was changed from no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear
1689 pages | 22.82 MB | 1 year ago

Zabbix 6.4 Manual
no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear HashiCorp Vault or CyberArk Vault, additional parameters will become available: • for HashiCorp Vault: Vault API endpoint, secret path and authentication token; • for CyberArk Vault: Vault API endpoint, secret query string and certificates. Upon marking Vault certificates checkbox, two new fields for specifying paths to SSL certificate file and SSL key file will appear. Settings Entering a name
1885 pages | 29.12 MB | 1 year ago

Zabbix 7.0 Manual
no target is specified, reload configuration for all proxies secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload SNMP cache, clear HashiCorp Vault or CyberArk Vault, additional parameters will become available: • for HashiCorp Vault: Vault API endpoint, secret path and authentication token; • for CyberArk Vault: Vault API endpoint, secret query string and certificates. Upon marking Vault certificates checkbox, two new fields for specifying paths to SSL certificate file and SSL key file will appear. Settings Entering a name
1949 pages | 31.91 MB | 1 year ago

Key management: Turtles all the way down - Securely managing Kubernetes Secrets
Kubernetes secrets: HashiCorp Vault Watch: https://www.youtube.com/watch?v=B16YTeSs1hI HashiCorp Vault KMS plugin for Kubernetes ● Secrets are in etcd, with root of trust in Vault Kubernetes auth backend for HashiCorp Vault ● Authenticate to Vault using a K8s service account Kubernetes secrets: requirements Kubernetes default Identity External secrets provider 1.7 EncryptionConfig 1.10 KMS Azure Key Vault: https://github.com/Azure/kubernetes-kms ● AWS KMS: https://github.com/kubernetes-sigs/aws-encryption-provider ● HashiCorp Vault: https://github.com/oracle/kubernetes-vault-kms-plugin
52 pages | 2.84 MB | 1 year ago

Dapr september 2023 security audit report
server config verify which is unsafe!") } Not all components follow this practice. The Hashicorp Vault Secretstore component labels the option “Insecure” but does not log a warning. Other components do requests it. The attacker is likely to be an insider who has certain privileges. Example 1: Vault If the Vault SecretStore component does not receive a successful response from the remote store, Dapr copies com/dapr/components-contrib/blob/cfbac4d794b35e5da28d65a13369d33383fb6ad4/secretstores/hashicorp/vault/vault.go#L247 if httpresp.StatusCode != http.StatusOK { var b bytes.Buffer
47 pages | 1.05 MB | 1 year ago

Zabbix 7.0 Chinese Manual
See also the upgrade notes. Vault prefix parameter added to configuration files: the configuration files zabbix_server.conf and zabbix_proxy.conf have gained a new optional parameter Vault Prefix; zabbix.conf.php has gained the option $DB['VAULT_PREFIX'], and setup.php has been updated accordingly. As a result, the CyberArk and HashiCorp vault paths are no longer hard-coded, to allow vault deployments that use non-standard paths. Agent 2 configuration Buffer size: the default value of the BufferSize configuration parameter of Zabbix agent 2 has been increased from 100 to 1000. Empty values allowed: plugin-related configuration parameters on Zabbix agent 2 now allow empty values. Proxy memory cache: Zabbix proxy now supports a memory cache. The memory cache allows new data (monitored values, network discovery, host auto-registration) to be stored in the cache and, without accessing the database, target>] Reload the proxy configuration cache. target - comma-separated list of proxy names. If not specified, reload the configuration of all proxies. secrets_reload Reload secrets from Vault. service_cache_reload Reload the service manager cache. snmp_cache_reload Reload the SNMP cache, clearing the SNMP properties of all hosts (engine time, engine boots, engine
1951 pages | 33.43 MB | 1 year ago

Zabbix 5.2 Manual
in HashiCorp Vault KV Secrets Engine - Version 2. Secrets can be saved for: • user macro values • database access credentials Zabbix provides read-only access to the secrets in Vault. See also: Storage filled with the resolved macro value, however, if the value (or part of the value) is a secret or Vault macro, the field will be empty and will need to be filled manually. To be able to tell that a secret out-of-the-box monitoring: • Apache ActiveMQ by JMX - see setup instructions for JMX templates; • HashiCorp Vault by HTTP - see setup instructions for HTTP templates; • Microsoft Exchange Server 2016 by Zabbix agent
1738 pages | 18.98 MB | 1 year ago

Dapr july 2020 security audit report
RetryPolicy of state components (Medium) DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) Orchestration Hardening Network Policy Zero-Trust Concepts RBAC Secrets Management Conclusions DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) It was found that the SecretStore implementation of the Hashicorp's secret vault is vulnerable to a HTTP Parameter Pollution vulnerability unintended for Dapr. Affected File: github.com/dapr/components-contrib@v0.8.0/secretstores/hashicorp/vault/vault.go Affected Code: func (v *vaultSecretStore) GetSecret(req secretstores.GetSecretRequest) (secretstores
19 pages | 267.84 KB | 1 year ago

192 results in total