
Simplified secrets management solution


T-Vault

T-Vault is built to simplify the process of secrets management. We wanted to build an intuitive and easy-to-use tool that application developers can adopt without sacrificing their agility while still following best practices for secrets management. It uses a few open source products internally, with HashiCorp Vault at its heart. HashiCorp Vault provides the core functionality: safely storing secrets at rest and controlling access to them. T-Vault builds on that base to provide a higher-level abstraction called a Safe. Safes are logical abstractions, internally implemented as paths within Vault. T-Vault simplifies access management to secrets by hiding the complexity of managing policies.

A very intuitive web UI provides a layer of abstraction that hides the complexities of managing paths, policies, token management, etc. T-Vault introduces two new personas, the 'Safe User' and the 'Safe Administrator'. Both can create Safes and grant access to individuals, LDAP groups or applications. They can also create and manage AppRoles for use in their applications. Safe Administrators can manage the Safes and AppRoles created by any user, whereas non-admin users can manage only the Safes and AppRoles they created themselves. Individuals with access to a Safe can use the web UI or the API to perform CRUD operations on the secrets within that Safe.

When a Safe is created, T-Vault automatically creates the paths and boilerplate policies for that path. It also stores metadata about the Safe internally within Vault. Granting an individual access to a Safe involves associating the user with the predefined policy for the path associated with that Safe. Creating AppRoles and AWS AppRoles, and granting access to them, works the same way.
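The Safe-to-path-to-policy model described above, as an added example that is not part of the T-Vault project: a Safe is backed by a path under a KV mount, creating it yields a small set of boilerplate policies, and "granting access" is nothing more than attaching one of those policies to a principal. The mount name, the path layout, the policy naming scheme (r_/w_/d_ prefixes) and the capability sets are assumptions; the evaluation rules are modelled on Vault's ACL behaviour (most specific path wins, explicit deny overrides, no matching rule means deny).

```python
"""Added example (not T-Vault project code): models how a Safe maps to a Vault
path and to boilerplate policies, and evaluates what a principal may do.
Mount name, path layout, policy names and capability sets are assumptions."""
from dataclasses import dataclass, field

SAFE_MOUNT = "secret"  # assumption: KV mount under which safes are created


def safe_path(safe_type: str, safe_name: str) -> str:
    """Path that backs a Safe (assumed layout: <mount>/<type>/<name>)."""
    return f"{SAFE_MOUNT}/{safe_type}/{safe_name}"


def boilerplate_policies(safe_type: str, safe_name: str) -> dict:
    """Policies created alongside a Safe, keyed by an assumed name scheme.

    Each policy maps one path glob to a set of Vault-style capabilities."""
    glob = safe_path(safe_type, safe_name) + "/*"
    return {
        f"r_{safe_type}_{safe_name}": {glob: {"read", "list"}},
        f"w_{safe_type}_{safe_name}": {glob: {"create", "read", "update", "delete", "list"}},
        f"d_{safe_type}_{safe_name}": {glob: {"deny"}},
    }


@dataclass
class Principal:
    """A user, LDAP group or AppRole, with the policy names attached to it."""
    name: str
    policies: set = field(default_factory=set)


def _matches(pattern: str, path: str) -> bool:
    # Vault-style matching: a trailing '*' is a prefix glob, otherwise exact.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def is_allowed(principal: Principal, capability: str, path: str, catalogue: dict) -> bool:
    """Decide whether `principal` may perform `capability` on `path`.

    Modelled on Vault ACL evaluation: the most specific matching rule (exact
    path, else longest glob prefix) wins; capabilities from all attached
    policies carrying that same rule are merged, and an explicit deny wins."""
    candidates = {}  # pattern -> merged capability set
    for policy_name in principal.policies:
        for pattern, caps in catalogue.get(policy_name, {}).items():
            if _matches(pattern, path):
                candidates.setdefault(pattern, set()).update(caps)
    if not candidates:
        return False  # no rule at all: default deny
    best = max(candidates, key=lambda p: (not p.endswith("*"), len(p)))
    caps = candidates[best]
    return "deny" not in caps and capability in caps


def grant_access(principal: Principal, safe_type: str, safe_name: str, level: str) -> None:
    """Granting access == attaching the Safe's predefined policy (level r, w or d)."""
    principal.policies.add(f"{level}_{safe_type}_{safe_name}")


if __name__ == "__main__":
    catalogue = {}
    catalogue.update(boilerplate_policies("users", "payroll"))
    testuser1 = Principal("testuser1")
    grant_access(testuser1, "users", "payroll", "r")
    print(is_allowed(testuser1, "read", "secret/users/payroll/db", catalogue))    # True
    print(is_allowed(testuser1, "update", "secret/users/payroll/db", catalogue))  # False
```

The point worth noticing is that revoking access is the mirror image: detaching the policy name from the principal is enough, because no other rule references the Safe's path, and a principal holding both a read and a deny policy for the same Safe is denied.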

This README provides instructions to download, install, configure and use the T-Vault API and user portal.

Here is a quick demo video.


Table of Contents

  1. Installation
  2. Configuration
  3. Install in Production
  4. License

Installation

Installation on Linux

Installation Prerequisites

Below are the dependencies required to build T-Vault from source.

  • JDK - Required to compile/build the Java source code
  • Maven - Required to build/package
  • Docker - Required if a Docker based deployment is preferred
  • Node and build tools (sudo yum install gcc-c++ make, sudo yum groupinstall 'Development Tools', bzip2)
  • Bower
  • Gulp

Installation Steps

You can build T-Vault from source using build_tvault.sh. There are two packaging options: the script can create a tar file or a Docker image.

  • If you choose the 'tar' option, make sure all the development tools are installed on the Linux host.
  • For the Docker image, make sure the Docker service is running locally.

Tar based installation

  • Download source code (https://github.com/tmobile/t-vault).
  • Go to the parent directory of the source code tree and run the command
    ./build_tvault.sh --build all --package tar
  • This builds both the T-Vault API and the user portal and generates the tar file tvault_all.tar.gz
  • Run the command
    ./install_tvault.sh
    to install and start T-Vault and all of its dependent services.

Docker container based installation

Docker needs to be installed and running before performing this.

  • Download source code (https://github.com/tmobile/t-vault).
  • Go to the parent directory of the source code tree and run the command
    ./build_tvault.sh --build all --package docker
  • This builds both the T-Vault API and the user portal and loads the resulting Docker image into the local Docker image store
  • Run the command
    docker run --privileged -it -p 443:443 -p 8200:8200  your_tvault_docker_image_id /bin/bash
    to start T-Vault and all of its dependent services

How to access T-Vault Services

After completing the installation, you can access

  • The T-Vault User Portal using the URL https://your_ip_address
  • The T-Vault API using the URL https://your_ip_address:8080
  • The Vault Service using the URL https://your_ip_address:8200

T-Vault Configuration

Default Installation

The default installation sets up Vault with

  • AUTH BACKEND : Username Password
  • STORAGE BACKEND : File System

The default installation should be used only to test-drive the tool; it should not be used in production environments. HA is not supported with the default installation.

The default installation sets up a few default users so that you can explore the tool right away.

  1. safeadmin/safeadmin

    Safe Admin user. This user has all the privileges needed to create and manage Safes. After installation, log in as safeadmin to create Safes and grant access to testuser1 and testuser2.

  2. vaultadmin/vaultadmin

    This is a Vault Admin user. By default this user is attached to policies that allow managing all paths except the secret store mounts.

  3. testuser1/testuser1, testuser2/testuser2

    These two test users do not have any privileges by default. You can grant access to these users and try out the functionality of T-Vault.

T-Vault Configuration Options

T-Vault supports the following auth backends and storage backends.

Auth Backends

* Username Password
* LDAP
* AWS Authentication

Storage Backends

* Consul
* File System
* Dynamo DB

You can configure your installation with any combination of the auth backends and storage backends listed above.

The installation script requires the Vault configuration information. These settings are managed in a parameters file. A sample T-Vault configuration parameters file:

###########################################################################
#                            Auth Backend                                 #
###########################################################################

# Allowed values for AUTH_BACKEND are userpass, ldap
AUTH_BACKEND=userpass
ENABLE_AWS=yes

###########################################################################
#                      LDAP Credentials                                   #
###########################################################################

#LDAP_URL='ldap://hostname.com:port'
#LDAP_GROUP_ATTR_NAME='cn'
#LDAP_USR_ATTR_NAME='---'
#USER_DN='---'
#GROUP_DN='----'
#BIND_DN='---'
#BIND_DN_PASS='---'
#TLS_ENABLED='false'
#VAULT_ADMIN_GROUP='---'
#SAFE_ADMIN_GROUP='---'

## The value for USE_UPNDOMAIN is either 'yes' or 'no'

#USE_UPNDOMAIN='yes'
#UPN_DOMAIN_URL='---'


##########################################################################
#                        Storage Backend                                 #
##########################################################################
# The possible values are 'File System' or 'Consul'
BACKEND='File System'

##########################################################################
#                         Consul Parameters                              #
##########################################################################

CONSUL_DATACENTER='dc1'
#CONSUL_ENCRYPT=''
CONSUL_RETRY_JOIN='127.0.0.1'
CONSUL_STORAGE_ADDRESS='127.0.0.1:8500'
CONSUL_STORAGE_PATH='tvault/tvault'
CONSUL_STORAGE_SERVICE_NAME='tvault'

##########################################################################
#                       Global                                           #
##########################################################################

SELF_SIGNED='y'

##########################################################################
#                         DynamoDB Parameters                            #
##########################################################################

#AWS_DYNAMODB_TABLE='tvault'
#AWS_DEFAULT_REGION='us-west-2'

Install in Production

Setup

For production installations use

1. AUTH BACKEND : LDAP
2. STORAGE BACKEND : Consul

Consul is the only storage backend that supports HA. When using LDAP as the auth backend, you need to configure additional LDAP-related parameters; in particular, two group names must be configured to set up the admin users for T-Vault.

* SAFE_ADMIN_GROUP: All the members of this group will get safe admin privileges.
* VAULT_ADMIN_GROUP: All the members of this group will get vault admin privileges.
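A pre-install check for the parameters file, as an added example that is not part of T-Vault's install scripts: it parses the KEY=VALUE file shown in the configuration section and reports where a file departs from the production guidance above (LDAP auth, Consul storage, both admin groups set). The two sample files embedded below are constructed; the lists of keys treated as required per backend, the treatment of CONSUL_ENCRYPT as Consul's gossip encryption key, and the '---' placeholder convention are assumptions taken from the sample file.

```python
"""Added example (not part of the T-Vault install scripts): parses a T-Vault
parameters file and checks it against the production guidance (LDAP auth
backend, Consul storage, admin groups set). Sample contents are constructed;
the per-backend required-key lists are assumptions."""
import re

LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")

# Keys assumed mandatory for each backend, based on the sample parameters file.
LDAP_REQUIRED = ["LDAP_URL", "USER_DN", "GROUP_DN", "BIND_DN", "BIND_DN_PASS",
                 "VAULT_ADMIN_GROUP", "SAFE_ADMIN_GROUP"]
CONSUL_REQUIRED = ["CONSUL_DATACENTER", "CONSUL_STORAGE_ADDRESS", "CONSUL_STORAGE_PATH"]

DEFAULT_PARAMS = """
# constructed sample: the default test-drive configuration
AUTH_BACKEND=userpass
ENABLE_AWS=yes
BACKEND='File System'
SELF_SIGNED='y'
"""

PROD_PARAMS = """
# constructed sample: a production-style configuration (values are placeholders)
AUTH_BACKEND=ldap
LDAP_URL='ldaps://ldap.example.internal:636'
LDAP_GROUP_ATTR_NAME='cn'
LDAP_USR_ATTR_NAME='uid'
USER_DN='OU=Users,DC=example,DC=internal'
GROUP_DN='OU=Groups,DC=example,DC=internal'
BIND_DN='CN=svc-tvault,OU=Service,DC=example,DC=internal'
BIND_DN_PASS='<placeholder>'
TLS_ENABLED='true'
VAULT_ADMIN_GROUP='tvault-vault-admins'
SAFE_ADMIN_GROUP='tvault-safe-admins'
BACKEND='Consul'
CONSUL_DATACENTER='dc1'
CONSUL_ENCRYPT='<placeholder-gossip-key>'
CONSUL_RETRY_JOIN='10.0.0.10'
CONSUL_STORAGE_ADDRESS='10.0.0.10:8500'
CONSUL_STORAGE_PATH='tvault/tvault'
CONSUL_STORAGE_SERVICE_NAME='tvault'
SELF_SIGNED='n'
"""


def parse_params(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blank lines and '#' comments and
    stripping one layer of single or double quotes around the value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a KEY=VALUE line; ignored, as a shell source would not set it
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        params[key] = value
    return params


def production_findings(params: dict) -> list:
    """Return human-readable findings; an empty list means the file follows
    the production guidance."""
    findings = []
    auth = params.get("AUTH_BACKEND", "")
    backend = params.get("BACKEND", "")
    if auth != "ldap":
        findings.append(f"AUTH_BACKEND is '{auth}'; production should use ldap")
    else:
        for key in LDAP_REQUIRED:
            # '---' is the untouched placeholder from the sample file
            if not params.get(key) or params[key].strip("-") == "":
                findings.append(f"{key} must be set when AUTH_BACKEND=ldap")
        url = params.get("LDAP_URL", "")
        if url.startswith("ldap://") and params.get("TLS_ENABLED", "false").lower() != "true":
            findings.append("LDAP_URL is plain ldap:// without TLS_ENABLED='true'; bind credentials would travel in clear")
    if backend != "Consul":
        findings.append(f"BACKEND is '{backend}'; only Consul supports HA")
    else:
        for key in CONSUL_REQUIRED:
            if not params.get(key):
                findings.append(f"{key} must be set when BACKEND=Consul")
        if not params.get("CONSUL_ENCRYPT"):
            findings.append("CONSUL_ENCRYPT is empty; Consul gossip traffic would be unencrypted")
    if params.get("SELF_SIGNED", "").lower().startswith("y"):
        findings.append("SELF_SIGNED='y'; use a CA-issued certificate in production")
    return findings


if __name__ == "__main__":
    for finding in production_findings(parse_params(DEFAULT_PARAMS)):
        print("-", finding)
```

Run against the default test-drive file the checker reports the userpass backend, the file system storage and the self-signed certificate; against the production-style sample it reports nothing.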

High Availability

T-Vault has the following components:

  Component         Description
  Nginx             Hosts the UI and acts as a proxy for the T-Vault API and for Vault's native HTTP REST interface.
  Springboot App    T-Vault API layer.
  Hashicorp Vault   Hashicorp Vault, used as is.

Hashicorp Vault supports high availability with Consul as storage backend.

The T-Vault UI, API and Vault are all bundled together into one unit. You can horizontally scale this unit and point it at an HA Consul cluster. If required, you could split it into multiple tiers and have load balancing and horizontal scaling for each layer.

Internally we have deployed T-Vault on a container platform. The build scripts create a readily usable tvault Docker container (given a correct configuration file), which is then pushed to our container platform. We maintain a Consul cluster outside of the container platform.

Un-sealing

One of the challenges with the open source version of Vault is how to unseal a new Vault instance in an HA setup. We have built an automated unsealing process using KMS and IAM roles. You can come up with a solution that works for you. In the same way, distribution of the master keys can be added to the installation script based on your preference.

For standalone installations on VMs, where automatic un-sealing is not preferred, T-Vault provides web pages to un-seal Vault instances manually (https://host:port/#/unseal). Users have to enter 3 out of 5 keys in the un-seal web form (or whatever threshold was used). Key holders can go to the unseal page, enter the IP address of the sealed Vault and enter their master key to start unsealing.
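Why "3 out of 5 keys" works, as an added example that is neither Vault's nor T-Vault's code: the master key is split with Shamir secret sharing so that any three shares reconstruct it and two reveal nothing about it, and a small state machine mirrors the unseal form collecting submissions until the threshold is reached. The prime field used here, the (x, y) share format and the state machine are assumptions made for illustration; Vault's own implementation works in GF(2^8) and adds further key wrapping.

```python
"""Added example (not Vault's or T-Vault's code): illustrates a 3-of-5
threshold with Shamir secret sharing over a prime field. The field, the
share format and the unseal state machine are assumptions for illustration."""
import secrets

PRIME = 2**127 - 1  # assumption: Mersenne prime, large enough for a 16-byte key


def split_key(master_key: bytes, shares: int, threshold: int) -> list:
    """Split master_key into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the key. Returns (x, y) pairs."""
    secret_int = int.from_bytes(master_key, "big")
    if secret_int >= PRIME or not 1 <= threshold <= shares:
        raise ValueError("key too large for the field or bad threshold")
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(points: list, key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from the given points.
    With fewer than `threshold` points the result is just a random field
    element, which is the whole point of the scheme."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(key_len, "big")


class UnsealState:
    """Collects submitted shares, as the unseal web form does, until the
    threshold is met; only then is the master key reconstructed."""

    def __init__(self, threshold: int, key_len: int):
        self.threshold, self.key_len = threshold, key_len
        self.submitted = {}  # x -> y, so a re-submitted share is not counted twice
        self.master_key = None

    def submit(self, point: tuple) -> str:
        x, y = point
        self.submitted[x] = y
        if len(self.submitted) < self.threshold:
            return f"sealed ({len(self.submitted)}/{self.threshold})"
        self.master_key = recover_key(list(self.submitted.items()), self.key_len)
        return "unsealed"


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # constructed master key
    holders = split_key(key, shares=5, threshold=3)
    state = UnsealState(threshold=3, key_len=16)
    for share in (holders[4], holders[1], holders[3]):
        print(state.submit(share))
    print(state.master_key == key)        # True
```

Two operational consequences follow directly from the maths: a key holder submitting the same share twice does not move the counter, and any subset of fewer than three holders, however many times they try, cannot reconstruct the key.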

License

T-Vault is released under the Apache 2.0 License.
