website/integrations: add hashicorp vault integration to website (#2363)
* add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
This commit is contained in:
parent
50ded723d1
commit
13adca0763
85
website/integrations/services/hashicorp-vault/index.md
Normal file
85
website/integrations/services/hashicorp-vault/index.md
Normal file
|
@ -0,0 +1,85 @@
|
||||||
|
---
|
||||||
|
title: Hashicorp Vault
|
||||||
|
---
|
||||||
|
|
||||||
|
## What is Vault
|
||||||
|
|
||||||
|
From https://vaultproject.io
|
||||||
|
|
||||||
|
:::note
|
||||||
|
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
|
||||||
|
:::
|
||||||
|
|
||||||
|
:::note
|
||||||
|
This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in depth vault guide
|
||||||
|
:::
|
||||||
|
|
||||||
|
## Preparation
|
||||||
|
|
||||||
|
The following placeholders will be used:
|
||||||
|
|
||||||
|
- `authentik.company` is the FQDN of authentik.
|
||||||
|
- `vault.company` is the FQDN of Vault.
|
||||||
|
|
||||||
|
### Step 1
|
||||||
|
|
||||||
|
In authentik, create an _OAuth2/OpenID Provider_ (under _Resources/Providers_) with these settings:
|
||||||
|
|
||||||
|
:::note
|
||||||
|
Only settings that have been modified from default have been listed.
|
||||||
|
:::
|
||||||
|
|
||||||
|
**Protocol Settings**
|
||||||
|
|
||||||
|
- Name: Vault
|
||||||
|
- Signing Key: Select any available key
|
||||||
|
|
||||||
|
- Redirect URIs/Origins:
|
||||||
|
```
|
||||||
|
https://vault.company/ui/vault/auth/oidc/oidc/callback
|
||||||
|
https://vault.company/oidc/callback
|
||||||
|
http://localhost:8250/oidc/callback
|
||||||
|
```
|
||||||
|
:::note
|
||||||
|
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
|
||||||
|
:::
|
||||||
|
|
||||||
|
### Step 2
|
||||||
|
|
||||||
|
In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
|
||||||
|
|
||||||
|
:::note
|
||||||
|
Only settings that have been modified from default have been listed.
|
||||||
|
:::
|
||||||
|
|
||||||
|
- Name: Vault
|
||||||
|
- Slug: vault-slug
|
||||||
|
- Provider: Vault
|
||||||
|
|
||||||
|
### Step 3
|
||||||
|
|
||||||
|
Enable the oidc auth method
|
||||||
|
```vault auth enable oidc```
|
||||||
|
|
||||||
|
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
|
||||||
|
```
|
||||||
|
vault write auth/oidc/config \
|
||||||
|
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
|
||||||
|
oidc_client_id="Client ID" \
|
||||||
|
oidc_client_secret="Client Secret" \
|
||||||
|
default_role="reader"
|
||||||
|
```
|
||||||
|
|
||||||
|
Create the reader role
|
||||||
|
```
|
||||||
|
vault write auth/oidc/role/reader \
|
||||||
|
bound_audiences="Client ID" \
|
||||||
|
allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \
|
||||||
|
allowed_redirect_uris="https://vault.company/oidc/callback" \
|
||||||
|
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
|
||||||
|
user_claim="sub" \
|
||||||
|
policies="reader"
|
||||||
|
```
|
||||||
|
|
||||||
|
You should then be able to sign in via OIDC
|
||||||
|
```vault login -method=oidc role="reader"```
|
|
@ -18,6 +18,7 @@ module.exports = {
|
||||||
"services/gitlab/index",
|
"services/gitlab/index",
|
||||||
"services/grafana/index",
|
"services/grafana/index",
|
||||||
"services/harbor/index",
|
"services/harbor/index",
|
||||||
|
"services/hashicorp-vault/index",
|
||||||
"services/hedgedoc/index",
|
"services/hedgedoc/index",
|
||||||
"services/home-assistant/index",
|
"services/home-assistant/index",
|
||||||
"services/matrix-synapse/index",
|
"services/matrix-synapse/index",
|
||||||
|
|
Reference in a new issue