web/lukegbcom: add a diagram to illustrate the token hierarchy

This commit is contained in:
Luke Granger-Brown 2022-04-09 20:46:48 +01:00
parent 675b65b5da
commit a3ef78701e
2 changed files with 32 additions and 0 deletions

@ -140,6 +140,37 @@ to `kv/server/$HOSTNAME`, and to issue ACME certificates, and the Nix binary
cache credentials. They also have the power to issue subtokens with
lesser-power than themselves.
### ...how about as a diagram?
The description of the above might be a little confusing in terms of the Vault
policy hierarchy, so here's an example:
![Diagram illustrating token hierarchy](token-hierarchy.svg)
1. Vault issues the Vault Agent on `clouvider-lon01` a token. This token
includes the Vault policies `default`, `server`, `server-user`,
`server/clouvider-lon01`, `server/clouvider-lon01/app/gitlab-runner`, and
`app/deployer`. The app policies (`server/clouvider-lon01/app/gitlab-runner`
and `app/deployer`) are attached because the server configuration in the
repository states that those two applications are intended to be deployed on
that server.
2. `secretsmgr` on `clouvider-lon01` uses the token held by the Vault Agent
directly to refresh any TLS or SSH certificates needed by the server.
3. `tokend` on `clouvider-lon01` has no token of its own, but uses the one held
by the Vault Agent to issue app- or user-specific sub-tokens, with a subset
of the policies attached to the initial token.
4. `gitlab-runner` on `clouvider-lon01` talks to `tokend`, which issues it a
subtoken with **just** the `default` and
`server/clouvider-lon01/app/gitlab-runner` policies.
5. `deployer` on `clouvider-lon01` also talks to `tokend`, but it gets a
different subtoken which instead has the `default` and `app/deployer`
policies.
6. My own personal user account, `lukegb`, can also talk to `tokend` to get a
subtoken with the `default` and `server-user` policies. This token is very
limited compared to a standard `user`-policy token, which needs to be issued
by using the Vault API directly to authenticate as a user based on some
OpenID Connect credentials.
## Vault App ID credentials
I use the "App ID" mode in Vault to provision secrets to servers; when setting
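Review bot: Step 3 says `tokend` mints sub-tokens carrying a subset of the Vault Agent's policies, but the new section never states what happens to those child tokens when the agent's parent token is renewed, rotated or revoked; since `gitlab-runner` (step 4), `deployer` (step 5) and the `lukegb` user token (step 6) all hang off that one parent, a sentence on child-token lifetime and revocation would complete the hierarchy description. Minor: the alt text "Diagram illustrating token hierarchy" could name the six actors in the numbered list so the SVG is useful to readers who cannot render it.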
