Configuring HashiCorp Vault in Bamboo
How to set up Vault
The steps below assume you already have a Hashicorp Vault instance running. For more details, see the Hashicorp Vault documentation.
To configure Bamboo to work with HashiCorp Vault:
- Create a secret in your HashiCorp Vault instance.
- Create a policy with permission to read your secret.
- Authenticate Bamboo with Vault.
- Add the Vault configuration data to the <home-directory>/bamboo.cfg.xml file.
Important
It's quite common for Vault deployments to have a KV V2 Secret Engine enabled under the secret mount. If you are using a different Vault deployment, please see the HashiCorp documentation for enabling a new KV V2 Secret Engine:
https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2
The steps above are explained in more detail below.
Step 1: Create a secret in your HashiCorp Vault instance
If you haven’t created a secret in the KV V2 Secret Engine of your Vault instance before, take a look at the Hashicorp Vault documentation for more information.
This secret must contain a single value: the JDBC password.
Step 2: Create a policy with permission to read your secret
If you need detailed instructions on creating a policy in Vault, see the Hashicorp Vault documentation. The details below provide additional information from the Bamboo perspective.
To retrieve your secret from the Vault, Bamboo must have a policy with the read permission.
Below is an example of a Vault policy with permission to read a secret in the KV V2 Secret Engine:
path "secret/data/sample/secret" {
capabilities = ["read"]
}
In the sample path above, there are three components:
Component | Description |
---|---|
secret | The location where the KV V2 Secret Engine is mounted. |
data | The prefix indicating that this is a KV V2 secret. |
sample/secret | The path containing this secret. |
If the previous policy is located in ./sample_policy.hcl, this command will create the policy on the server:
vault policy write sample_policy ./sample_policy.hcl
Step 3: Authenticate Bamboo with Vault
You can choose to authenticate with a token or, if you are running in a Kubernetes environment, with the Kubernetes auth method. Both methods are described below.
Authenticate with a token
The information below assumes you’re familiar with creating a Vault token. Refer to the HashiCorp Vault documentation for more information and token options.
Create a new token with the following command:
vault token create -policy=sample_policy
To confirm that your token and policy allow access to the secret, run the commands:
export VAULT_TOKEN=<YOUR_TOKEN>
vault kv get -mount=secret sample/secret
You should see the following output:
====== Secret Path ======
secret/data/sample/secret

======= Metadata =======
Key     Value
---     -----
~~~~    ~~~~~

====== Data ======
Key     Value
---     -----
~~~~    ~~~~~
If you don’t see the output above, refer to the Hashicorp documentation to troubleshoot the issue.
To complete the process, an environment variable associated with the token must be present on Bamboo. Define the environment variable SECRET_STORE_VAULT_TOKEN in the context of the Bamboo instance. A simple way to do this is to add the following line to the ~/.bashrc file for the user running Bamboo:
export SECRET_STORE_VAULT_TOKEN=<YOUR_TOKEN>
Authenticate with a Kubernetes Service Account Token
If Bamboo is operating within a Kubernetes environment, you can leverage the Kubernetes auth method. This method uses a Kubernetes Service Account Token to confirm the identity of the pod that runs Bamboo and to grant the appropriate access.
Refer to the HashiCorp Vault documentation for more information on how to set up the Kubernetes auth method in your Vault instance. Make sure you have enabled the Kubernetes auth method on your Vault server before you start the steps below.
You will also need to set some environment variables in the following steps. The table below describes them.
Environment variable | Description |
---|---|
SECRET_STORE_VAULT_KUBE_AUTH_ROLE | The name of the role defined in Vault that's attached to the Kubernetes auth method. |
SECRET_STORE_VAULT_KUBE_AUTH_PATH | The path defined for the Kubernetes auth method. Default: kubernetes |
SECRET_STORE_VAULT_KUBE_AUTH_JWT_PATH | The location of the Service Account Token file in the Bamboo pod. Default: |
If you used a custom path to create the Kubernetes auth method, replace kubernetes in the CLI command in the following step with your path name.
Define a role to link the auth method with the sample_policy you created, using the following command:
vault write auth/kubernetes/role/<YOUR_NEW_ROLE_NAME> \
    bound_service_account_names=<YOUR_PRODUCT_SERVICE_ACCOUNT_NAME> \
    bound_service_account_namespaces=<YOUR_PRODUCT_SERVICE_NAMESPACE> \
    policies=sample_policy
Ensure that your Bamboo pod has access to the secret.
Currently, the Vault CLI doesn't support logging in with the Kubernetes auth method, but you can log in through the HTTP API to retrieve a client token and then use that generated token to test for access. If you can't retrieve the secret with the generated token, refer to HashiCorp's documentation to troubleshoot the issue.
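The HTTP API exchange described above, as an added example that is not part of the Atlassian page or the Vault project: log in at auth/<path>/login with the pod's service account JWT, take auth.client_token from the reply, and use it for the same KV V2 read the policy must allow. The endpoint, role name and JWT are constructed placeholders; only the Vault API paths are fixed.

```python
import json
import urllib.error
import urllib.request

# Constructed values. In a real pod the JWT is read from the file named by
# SECRET_STORE_VAULT_KUBE_AUTH_JWT_PATH; role and path come from the other two variables.
VAULT_ADDR = "https://127.0.0.1:8200"       # assumed Vault endpoint
AUTH_PATH = "kubernetes"                     # auth mount used in the page's CLI command
ROLE = "bamboo-role"                         # hypothetical role name
JWT = "eyJ.constructed.service-account-jwt"  # constructed, not a real token

def login_request(vault_addr, auth_path, role, jwt):
    """Kubernetes auth login: POST /v1/auth/<auth_path>/login with role and jwt."""
    url = f"{vault_addr.rstrip('/')}/v1/auth/{auth_path.strip('/')}/login"
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    return url, body

def client_token_from(login_response_json):
    """Return auth.client_token, or raise if Vault answered with an errors list."""
    resp = json.loads(login_response_json)
    if resp.get("errors"):
        raise PermissionError("Vault login failed: " + "; ".join(resp["errors"]))
    return resp["auth"]["client_token"]

def kv2_read_request(vault_addr, token, mount, path):
    """The read the policy must allow: GET /v1/<mount>/data/<path> with X-Vault-Token."""
    url = f"{vault_addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"
    return urllib.request.Request(url, headers={"X-Vault-Token": token})

def secret_keys_from(read_response_json):
    """Key names only, never values, so the result is safe to log."""
    return sorted(json.loads(read_response_json)["data"]["data"])

def main():
    # Live exchange against a real Vault; needs network access and a real JWT.
    url, body = login_request(VAULT_ADDR, AUTH_PATH, ROLE, JWT)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as r:
            token = client_token_from(r.read().decode())
        with urllib.request.urlopen(kv2_read_request(VAULT_ADDR, token, "secret", "sample/secret")) as r:
            print("readable keys:", secret_keys_from(r.read().decode()))
    except urllib.error.HTTPError as e:
        # Vault returns {"errors": [...]} with a 4xx status on a denied login or read.
        print("Vault returned", e.code, json.loads(e.read().decode()).get("errors"))

if __name__ == "__main__":
    main()
```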
Refer to the table at the start of these steps to set the following environment variables for Bamboo:
- SECRET_STORE_VAULT_KUBE_AUTH_ROLE
- SECRET_STORE_VAULT_KUBE_AUTH_PATH (optional)
- SECRET_STORE_VAULT_KUBE_AUTH_JWT_PATH (optional)
If there are any problems with your configuration (for example, the secret is not accessible with the authentication token), check the log file <home-directory>/log/atlassian-bamboo.log for any related error messages.
Step 4: Add the Vault configuration data to bamboo.cfg.xml
Vault is configured via a JSON object that is added to the <home-directory>/bamboo.cfg.xml file. The JSON configuration object has a number of fields. Refer to the following table for details on each of these properties.
For additional security, we strongly recommend using HTTPS for all Vault instances.
Field | Required | Description |
---|---|---|
mount | Required | The mount path of the KV V2 Secret Engine. |
path | Required | The path of the secret. |
key | Required | The key name. |
endpoint | Required | The base URL of your Vault instance. This accepts both HTTP and HTTPS. We highly recommend you always use HTTPS. If the URL ends with a slash, omit that slash. |
 | Optional | The type of authentication to use. Supported options are: Default: |
In the Bamboo home directory, back up the bamboo.cfg.xml file. Move the backup file to a safe place outside of your Bamboo server.
In the bamboo.cfg.xml file, add or modify the jdbc.password.decrypter.classname property to contain the following value:
com.atlassian.secrets.store.vault.VaultSecretStore
In the bamboo.cfg.xml file, add or modify the hibernate.connection.password property to contain your JSON configuration object. Use the table at the start of these steps for further information on these fields.
Here is an example of how it might look:
{"mount": "secret", "path": "sample/secret", "key": "password", "endpoint": "https://127.0.0.1:8200"}
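As an added example (not Atlassian's or HashiCorp's code), the check below parses a configuration object like the one above, applies the rules this page states for it (all four fields present, no trailing slash on the endpoint, HTTPS strongly preferred), and derives the <mount>/data/<path> policy path from Step 2 so the matching read-only policy can be generated rather than hand-typed. The sample JSON is constructed and carries a trailing slash on purpose.

```python
import json
from urllib.parse import urlparse

# Constructed example of the JSON object the page places in the
# hibernate.connection.password property of bamboo.cfg.xml (trailing slash on purpose).
SAMPLE_CONFIG = ('{"mount": "secret", "path": "sample/secret", '
                 '"key": "password", "endpoint": "https://127.0.0.1:8200/"}')
REQUIRED_FIELDS = ("mount", "path", "key", "endpoint")

def validate_config(config_json):
    """Parse the config object and apply the page's rules: all four fields present,
    endpoint is an absolute URL without a trailing slash, and HTTPS is used
    (plain HTTP is accepted but recorded as a warning)."""
    cfg = json.loads(config_json)
    missing = [f for f in REQUIRED_FIELDS if not cfg.get(f)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    url = urlparse(cfg["endpoint"])
    if url.scheme not in ("http", "https") or not url.netloc:
        raise ValueError(f"endpoint is not an absolute URL: {cfg['endpoint']!r}")
    cfg["warnings"] = []
    if url.scheme == "http":
        cfg["warnings"].append("endpoint uses plain HTTP; token and secret cross the network unencrypted")
    cfg["endpoint"] = cfg["endpoint"].rstrip("/")   # the page says to omit a trailing slash
    return cfg

def kv2_data_path(cfg):
    """The path Vault evaluates for a KV V2 read: <mount>/data/<path>."""
    return f"{cfg['mount'].strip('/')}/data/{cfg['path'].strip('/')}"

def render_policy(cfg):
    """Least-privilege HCL policy granting read on that one secret only."""
    return f'path "{kv2_data_path(cfg)}" {{\n  capabilities = ["read"]\n}}\n'

if __name__ == "__main__":
    cfg = validate_config(SAMPLE_CONFIG)
    for w in cfg["warnings"]:
        print("WARNING:", w)
    print(render_policy(cfg), end="")
```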
- Restart Bamboo.