Collaborate Disseminate
HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers, where the files are located under /vault/secrets/.
"render all defined templates to the ephemeral in-memory mount at … Continue reading Root takeover attack on Kubernetes host despite Vault agent
Background
Hashicorp Vault provides an auth method to enable Kubernetes Pods to authenticate to Vault by configuring integration between a Kubernetes cluster and Vault.
Question
The docs recommend setting up OIDC discovery endpoint integra… Continue reading Risks in using JWKS URL over OIDC discovery endpont?
I’m trying to understand where TLS is required. I’ve heard that TLS encrypts data when a client communicates with a server through HTTP by verifying the server and passing encryption keys. This protection is done through a TLS certificate signed by a CA (Certificate Authority). I can imagine a hacker trying to claim who they are while communicating through the web.
But will this apply to a LAN system? For example, in Hashicorp’s Vault, they mentioned: “End-to-End TLS. Vault should always be used with TLS in production.”. If system A (say Vault) tries to communicate with system B (say Backend Service) connected through LAN how can the systems be verified through a CA? (or perhaps the question should be, does it need one?)
The image below helps illustrate the question I’m facing.
Reference:
https://www.cloudflare.com/learning/ssl/what-is-ssl/
What’s the point of certificates in SSL/TLS?
https://developer.hashicorp.com/vault/tutorials/operations/production-hardening
Oxeye discovered a new vulnerability (CVE-2023-0620) in the HashiCorp Vault Project, an identity-based secrets and encryption management system that controls access to API encryption keys, passwords, and certificates. The vulnerability was an SQL injec… Continue reading HashiCorp Vault vulnerability could lead to RCE, patch today! (CVE-2023-0620)
I have deployed HashiCorp Vault in a Linux VM, and I want it to connect to an instance of MySQL database running on my host machine.
In my database (host machine IP 100.101.102.103), I have created a user especially for this purpose:
CREAT… Continue reading Unsupported operation when trying to remotely create new MySQL user via HashiCorp Vault [migrated]
HashiCorp Vault Agent creates a sidecar that talks to Vault server and injects secrets as files into containers. The agent presumably uses Kubernetes Service Account in some way. But ultimately there must be a secret zero somewhere, protec… Continue reading How Vault agent solves Secret Zero challenge in Kubernetes?
I downloaded Hashicorp Vault. I "installed" it which is just unzipping the archive and moving the vault application to wherever I want to run it from. I also added the path to the PATHS environment variable so that I can run the … Continue reading I started a vault server with the -dev flag and the UI is empty. What am I doing wrong? [closed]
One the Hashicorp Vault basic feature is secret leasing. They state:
Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to re… Continue reading What are the advantages of password "leasing"
One the Hashicorp Vault basic feature is secret leasing. They state:
Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to re… Continue reading What are the advantages of password "leasing"
Is it common practice or are there pitfalls to using Vault by HashiCorp not only for storing secret parameters but for other app configuration key-values?