
[WIP] vault-plugin-kafka-secret

A Vault plugin for generating credentials for Apache Kafka clients.

Generates a dynamic username and ACL that can be used to create a unique SSL certificate for a Kafka client.

Use it in combination with the Vault pki backend, which issues the client certificate for that username.

Pre-Install

🔌 Installation

  • Download the plugin to Vault's plugin directory.
  • Register the plugin with Vault
    • vault write sys/plugins/catalog/vault-plugin-secrets-kafka \
        sha_256="$SHASUM" \
        command="vault-plugin-secrets-kafka"
  • Enable the plugin mount
    • vault secrets enable -path=kafka -plugin-name=vault-plugin-secrets-kafka plugin

🛠 Configure

  • Configure the plugin

    • vault write kafka/config/access address="localhost:9092" ca_certificate="$CA" client_certificate="$CERT" client_key="$PRIVATE_KEY"
    • The client certificate used here must be authorised to create and delete ACLs on the Kafka cluster.
  • Write a policy

    • {
        "acl": {
          "host": "*",
          "operation": "Read",
          "permission_type": "Allow"
        },
        "resource": {
          "type": "Topic",
          "name": "*",
          "pattern_type_filter": "any"
        }
      }
  • Write the role

    • vault write kafka/roles/read-all-topics policy="$(cat bin/policy.json)"
  • Read the credentials and take the username (the user field)

    • vault read kafka/creds/read-all-topics
  • Generate an SSL certificate for this client

    •   NAME=$(vault read -field=user kafka/creds/read-all-topics)
        DATA=$(vault write -format=json pki/issue/kafka-clients common_name="$NAME" ttl=$TTL | jq -r .data)
        printf "%s" "$DATA" | jq -r .private_key > private.key
        printf "%s" "$DATA" | jq -r .certificate > client.cert
        printf "%s" "$DATA" | jq -r .issuing_ca  > ca.cert
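The policy and the certificate-issue steps above, wrapped in shell functions as an added example (this is not code from the vault-plugin-kafka-secret project). It assumes the plugin accepts Kafka's own AclOperation names in the operation field, that the pki/issue/kafka-clients role exists as shown above, and that vault and jq are on the PATH for the issue step; the function names, the per-topic default, and the 0600 handling of private.key are this example's choices.

```sh
#!/bin/sh
# Added example, not part of the vault-plugin-kafka-secret project.
# Wraps the README's policy, role and issue steps in functions.

# Kafka's AclOperation names; assumed to be what the plugin accepts verbatim.
KAFKA_OPERATIONS="Read Write Create Delete Alter Describe ClusterAction DescribeConfigs AlterConfigs IdempotentWrite All"

# kafka_policy TOPIC OPERATION [HOST] [PATTERN]
# Emits a policy in the shape the README shows, but for one named topic
# rather than "*", so a role grants only what the client needs.
kafka_policy() {
    topic="$1"; op="$2"; host="${3:-*}"; pattern="${4:-any}"
    ok=0
    for allowed in $KAFKA_OPERATIONS; do
        [ "$op" = "$allowed" ] && ok=1
    done
    if [ "$ok" -ne 1 ]; then
        echo "kafka_policy: unknown operation '$op'" >&2
        return 1
    fi
    printf '{\n  "acl": {\n    "host": "%s",\n    "operation": "%s",\n    "permission_type": "Allow"\n  },\n  "resource": {\n    "type": "Topic",\n    "name": "%s",\n    "pattern_type_filter": "%s"\n  }\n}\n' \
        "$host" "$op" "$topic" "$pattern"
}

# write_client_bundle DIR KEY CERT CA
# Writes the three files the README produces. Refuses empty or "null" input,
# which is what `jq -r` prints when the vault call failed or a field is
# missing, and creates private.key with mode 0600 instead of the umask default.
write_client_bundle() {
    dir="$1"; key="$2"; cert="$3"; ca="$4"
    for v in "$key" "$cert" "$ca"; do
        if [ -z "$v" ] || [ "$v" = "null" ]; then
            echo "write_client_bundle: missing key, certificate or CA data" >&2
            return 1
        fi
    done
    mkdir -p "$dir" || return 1
    ( umask 077 && printf '%s\n' "$key" > "$dir/private.key" ) || return 1
    printf '%s\n' "$cert" > "$dir/client.cert" || return 1
    printf '%s\n' "$ca" > "$dir/ca.cert"
}

# issue_client_cert ROLE DIR [TTL]
# The README's issue step end to end. Needs vault and jq; not run offline.
issue_client_cert() {
    role="$1"; dir="$2"; ttl="${3:-24h}"
    name=$(vault read -field=user "kafka/creds/$role") || return 1
    data=$(vault write -format=json pki/issue/kafka-clients \
        common_name="$name" ttl="$ttl" | jq -r .data) || return 1
    write_client_bundle "$dir" \
        "$(printf '%s' "$data" | jq -r .private_key)" \
        "$(printf '%s' "$data" | jq -r .certificate)" \
        "$(printf '%s' "$data" | jq -r .issuing_ca)"
}

# Usage (requires a running Vault with the plugin and pki backend configured):
#   kafka_policy orders Read > bin/policy.json
#   vault write kafka/roles/orders-reader policy="$(cat bin/policy.json)"
#   issue_client_cert orders-reader ./orders-client 24h
```

The "null" check matters because a failed vault write leaves jq printing null for every field, and the plain redirections in the README would then write the literal string null into private.key and client.cert without any error. Running the key write under umask 077 keeps the private key readable only by the user who issued it, which is the permission a Kafka client needs anyway.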