Configuring SRE Vault and managing your credentials using vaultfeeder

Steven Schwartz
IBM Cloud
3 min read, May 12, 2021


By Shrinath Thube, Software Developer, IBM Cloud and Cognitive Software

The Cloud Pak for Multicloud Management enables organizations to securely manage applications, no matter how they are designed or where they are deployed. The Cloud Pak for Multicloud Management is a set of open, pluggable tools built around a core application and governance model. This core architecture helps organizations model applications and application dependencies, manage the lifecycles of both applications and infrastructure, consistently govern and secure applications and their deployment models, and deliver observability for the application’s full stack.

You can use IBM Cloud Pak for Multicloud Management to track your virtual machine (VM) compliance by taking advantage of the IBM Management Ansible operator. The operator monitors your VMs against CIS benchmarks for Red Hat Enterprise Linux (RHEL) 7. You can tag your policies to build relationships between your VMs and the policies that manage them. For all of this to work, you need your Ansible execution path configured so that those playbooks can scan your VMs.

The Ansible engine execution path uses SSH to connect to remote virtual machines and runs Ansible playbooks to scan VMs. The Ansible engine needs SSH keys and privileged user access to connect by SSH to remote VMs. Here’s where SRE Vault comes in. IBM Cloud Pak for Multicloud Management uses SRE Vault to store login credentials and secrets. If the Ansible engine doesn’t have that access, routed by Vault, you won’t be able to perform CIS scans on your VMs.

That means that you also have to configure Vault to enable its use. Normally, to accomplish this, you’d have to configure Vault to store your VM credentials, then add those credentials into Vault. It’s a pretty involved process. Currently, we’ve documented a manual process to accomplish this. It’s long, it’s involved, and you’ve got to have a lot of information up front and ready to be placed in the right locations, or else your VMs won’t show up when you try monitoring them. Since GA, we’ve introduced a script that automates both the manual configuration step and the addition of credentials. While not officially supported, the new vaultfeeder script makes life noticeably easier.

The vaultfeeder script performs the following functions:

1) Creates an empty YAML template to which you can add your VM credentials
2) Configures SRE Vault for the IBM Cloud Pak for Multicloud Management VMPolicy controller
3) Pushes VM credentials from the YAML template to Vault
4) Encodes SSH private keys in base64

This covers the end-to-end workflow detailed in our IBM Documentation with a single press of the Enter key.

To execute the script, all you have to do is download the script from the IBM Cloud Pak for Multicloud Management sample repository, and enter whichever task you want to complete with the following command:

vaultfeeder <command> [options]

The available sub-commands are as follows:

  • template: Creates an empty YAML template to add your target VM information and credentials to
  • configure: Automatically configures Vault for use with the IBM Cloud Pak
  • feed: Pushes YAML template data to Vault
  • base64: Encodes all SSH private keys from a directory that you provide in base64
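The base64 and feed steps above, illustrated as an added Python example that is not vaultfeeder's own code: it base64-encodes every private key in a directory, refuses a key file that is readable by group or others, and builds the request body a Vault KV v2 write expects. The sample key file names and bodies are constructed placeholders, and the host/user/ssh_private_key_b64 field names are assumptions, not vaultfeeder's real schema.

```python
import base64
import stat
import tempfile
from pathlib import Path

# Constructed sample key material: placeholder bodies, not real keys.
SAMPLE_KEYS = {
    "vm-web-01.pem": b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-WEB\n-----END OPENSSH PRIVATE KEY-----\n",
    "vm-db-01.pem": b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-DB\n-----END OPENSSH PRIVATE KEY-----\n",
}


def write_sample_keys(directory: Path, mode: int = 0o600) -> None:
    """Populate `directory` with the constructed sample keys, owner-only by default."""
    for name, body in SAMPLE_KEYS.items():
        path = directory / name
        path.write_bytes(body)
        path.chmod(mode)


def encode_private_keys(directory: Path) -> dict:
    """Base64-encode every regular file in `directory`, keyed by file name.
    A key readable by group or others is rejected rather than copied into Vault:
    fix the permissions (or rotate the key) before feeding it."""
    encoded = {}
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path.name}: mode {oct(mode)} is not owner-only")
        encoded[path.name] = base64.b64encode(path.read_bytes()).decode("ascii")
    return encoded


def vault_kv2_body(host: str, user: str, key_b64: str) -> dict:
    """Body for a Vault KV v2 write (POST /v1/<mount>/data/<path>): KV v2 nests the
    secret fields under a top-level "data" key. Field names are assumptions."""
    return {"data": {"host": host, "user": user, "ssh_private_key_b64": key_b64}}


def decode_key(key_b64: str) -> bytes:
    """Reverse the encoding; the Ansible side needs the raw key back."""
    return base64.b64decode(key_b64, validate=True)


def demo() -> tuple:
    """Run the workflow on throwaway directories; returns (encoded, loose_key_rejected)."""
    tight = Path(tempfile.mkdtemp())
    write_sample_keys(tight)
    encoded = encode_private_keys(tight)
    loose = Path(tempfile.mkdtemp())
    write_sample_keys(loose, mode=0o644)  # deliberately too permissive
    try:
        encode_private_keys(loose)
        rejected = False
    except PermissionError:
        rejected = True
    return encoded, rejected
```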

The positional arguments are:

  • command: The sub-command to run

And the optional arguments are as follows:

  • -h or --help: Shows the available commands and subcommands

For example, if you want to encode your keys in base64, then after you’ve downloaded the script you just have to issue the following command:

vaultfeeder base64 -h

For more information about manually configuring Vault, see Enabling SRE Vault for CIS benchmark for RHEL 7 policy enforcement. If you run into any trouble with your Vault implementation, see Governance and risk dashboard not returning CIS benchmark results to troubleshoot your Vault related issues.
