{"id":4127,"date":"2025-07-07T12:24:06","date_gmt":"2025-07-07T09:24:06","guid":{"rendered":"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/vault\/"},"modified":"2025-07-07T12:28:23","modified_gmt":"2025-07-07T09:28:23","slug":"vault","status":"publish","type":"docs","link":"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/vault\/","title":{"rendered":"Vault (Secret storage system)"},"content":{"rendered":"\n<p><strong>Vault<\/strong> is a feature-rich secrets and access management system developed by <strong>HashiCorp<\/strong>. It provides secure storage, issuance and access control for confidential information: passwords, tokens, <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/api\/\" data-internallinksmanager029f6b8e52c=\"226\" title=\"API (Application Programming Interface)\">API<\/a> keys, certificates and other sensitive data that applications and infrastructure need in order to run.<\/p>\n\n\n\n<p>Vault supports both <strong>static<\/strong> and <strong>dynamic secrets<\/strong>, allowing the lifecycle of access credentials to be managed centrally. This makes Vault one of the key tools in secure DevOps and cloud-native architectures.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Key Vault capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized secret store<\/strong> with fine-grained access policies (ACL\/RBAC);<\/li>\n\n\n\n<li><strong>Dynamic secret generation<\/strong>: temporary logins for databases, clouds and APIs;<\/li>\n\n\n\n<li><strong>Encryption as a service<\/strong> (<code>Transit Secrets Engine<\/code>): encryption\/decryption without storing the data;<\/li>\n\n\n\n<li><strong>PKI<\/strong>: issuing and managing <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/tls\/\" data-internallinksmanager029f6b8e52c=\"220\" title=\"TLS (Transport Layer Security)\">TLS<\/a> certificates;<\/li>\n\n\n\n<li><strong>Audit<\/strong>: every operation is written to a log for tracking and compliance;<\/li>\n\n\n\n<li><strong>Authentication integration<\/strong>: LDAP, GitHub, <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/kubernetes\/\" data-internallinksmanager029f6b8e52c=\"259\" title=\"Kubernetes (K8s)\">Kubernetes<\/a>, AWS IAM, <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/json-web-token\/\" data-internallinksmanager029f6b8e52c=\"379\" title=\"JSON Web Token\u00a0(JWT)\">JWT<\/a>;<\/li>\n\n\n\n<li><strong>Rotation and TTL<\/strong>: automatic expiry and renewal of keys;<\/li>\n\n\n\n<li><strong>Secrets Injection<\/strong>: delivering secrets at runtime without writing them to disk (via a sidecar or env injection).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Examples of what Vault manages<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Database passwords (PostgreSQL, MySQL, MongoDB);<\/li>\n\n\n\n<li>API keys and <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/oauth\/\" data-internallinksmanager029f6b8e52c=\"312\" title=\"OAuth (Authorization protocol)\">OAuth<\/a> <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/token-based-authentication\/\" data-internallinksmanager029f6b8e52c=\"311\" title=\"Token-based Authentication\">tokens<\/a>;<\/li>\n\n\n\n<li><a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/ssh\/\" data-internallinksmanager029f6b8e52c=\"197\" title=\"SSH (Secure Shell)\">SSH<\/a> keys for servers;<\/li>\n\n\n\n<li>TLS\/<a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/ssl\/\" data-internallinksmanager029f6b8e52c=\"219\" title=\"SSL (Secure Sockets Layer)\">SSL<\/a> <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/certificate-pinning\/\" data-internallinksmanager029f6b8e52c=\"284\" title=\"Certificate Pinning (Communication channel protection)\">certificates<\/a> for services;<\/li>\n\n\n\n<li>AWS access credentials and IAM tokens;<\/li>\n\n\n\n<li>Encryption keys and JWT secrets.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">How it works<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Storage<\/strong>: all secrets are encrypted and stored in a backend (filesystem, Consul, S3, etc.);<\/li>\n\n\n\n<li><strong>Secrets Engines<\/strong>: define how requests are handled: storage, generation, proxying;<\/li>\n\n\n\n<li><strong>Auth Methods<\/strong>: define who can obtain access and how (Kubernetes, LDAP, AppRole, GitHub, etc.);<\/li>\n\n\n\n<li><strong>Policies (ACL)<\/strong>: control who is allowed to read, write or create secrets;<\/li>\n\n\n\n<li><strong>Audit Devices<\/strong>: log every access and operation, a mandatory element of compliance.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Example: issuing a temporary PostgreSQL password<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>vault write database\/roles\/readonly \\\n  db_name=postgres \\\n  creation_statements=\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\" \\\n  default_ttl=\"1h\" \\\n  max_ttl=\"24h\"\n\nvault read database\/creds\/readonly\n<\/code><\/pre>\n\n\n\n<p>\ud83d\udccc Vault creates the login\/password itself; it is valid for 1 hour and then expires. There is no need for permanent keys.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Kubernetes integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Vault Agent Injector<\/strong>: automatically adds secrets to pods via an <code>initContainer<\/code> or a <code>sidecar<\/code>;<\/li>\n\n\n\n<li><strong>Kubernetes Auth Method<\/strong>: issues tokens and access based on a serviceAccount;<\/li>\n\n\n\n<li><strong>Vault CSI Provider<\/strong>: mounts secrets as volumes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Typical use cases<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DevSecOps<\/strong>: secure delivery of secrets into <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/gitlab-ci-cd\/\" data-internallinksmanager029f6b8e52c=\"372\" title=\"GitLab CI\/CD (Continuous integration and delivery in GitLab)\">CI\/CD<\/a> pipelines;<\/li>\n\n\n\n<li><strong>Cloud Security<\/strong>: temporary AWS credentials via the Vault AWS Engine;<\/li>\n\n\n\n<li><strong>Zero Trust architecture<\/strong>: every service authenticates and receives only the secrets it needs;<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/argo-cd\/\" data-internallinksmanager029f6b8e52c=\"352\" title=\"Argo CD\">GitOps<\/a> and Sealed Secrets<\/strong>: decrypting secrets at apply time without storing them in git.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of Vault<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Support for complex scenarios (RBAC, encryption, issuance logic);<\/li>\n\n\n\n<li>Compatibility with <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/multi-cloud\/\" data-internallinksmanager029f6b8e52c=\"337\" title=\"Multi-Cloud\">multi-cloud<\/a> and hybrid environments;<\/li>\n\n\n\n<li>Audit, compliance and traceability of all operations;<\/li>\n\n\n\n<li>Flexible architecture (self-hosted, HCP Vault, Kubernetes-native);<\/li>\n\n\n\n<li>Reliability: HA model, TLS, automatic unseal via a cloud provider KMS.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>HashiCorp Vault<\/strong> is the standard for secrets management in cloud and container environments. It makes it possible to secure and automate access to data even in the largest and most distributed infrastructures.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Practical manifests and configurations for real-world work with <strong>Vault<\/strong>, including deployment in Kubernetes, integration with <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/pod-v-kubernetes\/\" data-internallinksmanager029f6b8e52c=\"348\" title=\"Pod (in Kubernetes)\">pods<\/a>, and the use of dynamic secrets.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Installing Vault in Kubernetes (via Helm)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>helm repo add hashicorp https:\/\/helm.releases.hashicorp.com\nhelm install vault hashicorp\/vault \\\n  --set \"server.dev.enabled=true\" \\\n  --set \"injector.enabled=true\" \\\n  --namespace vault --create-namespace\n<\/code><\/pre>\n\n\n\n<p>\ud83d\udccc For production, replace <code>dev.enabled=true<\/code> with an HA configuration and a storage backend (for example, Consul, S3 or Raft).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">2. Configuring the Kubernetes Auth Method<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>vault auth enable kubernetes\n\nvault write auth\/kubernetes\/config \\\n  token_reviewer_jwt=\"$(cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token)\" \\\n  kubernetes_host=\"https:\/\/$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT\" \\\n  kubernetes_ca_cert=@\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt\n<\/code><\/pre>\n\n\n\n<p>\ud83d\udccc Vault can now authenticate pods via their ServiceAccount.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">3. Example policy (ACL)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># db-readonly-policy.hcl\npath \"database\/creds\/readonly\" {\n  capabilities = [\"read\"]\n}\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>vault policy write db-readonly db-readonly-policy.hcl\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">4. Role based on a ServiceAccount<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>vault write auth\/kubernetes\/role\/db-reader \\\n  bound_service_account_names=app-sa \\\n  bound_service_account_namespaces=default \\\n  policies=db-readonly \\\n  ttl=1h\n<\/code><\/pre>\n\n\n\n<p>\ud83d\udccc Any pod with <code>serviceAccountName: app-sa<\/code> in the <code>default<\/code> namespace will be able to obtain temporary creds.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">5. Vault Agent Injector (sidecar injection into a pod)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: Pod\nmetadata:\n  name: app-with-secret\n  annotations:\n    vault.hashicorp.com\/agent-inject: \"true\"\n    vault.hashicorp.com\/role: \"db-reader\"\n    vault.hashicorp.com\/agent-inject-secret-db-creds.txt: \"database\/creds\/readonly\"\nspec:\n  serviceAccountName: app-sa\n  containers:\n    - name: app\n      image: alpine\n      command: [\"sleep\", \"3600\"]\n<\/code><\/pre>\n\n\n\n<p>\ud83d\udccc The secret will be available at <code>\/vault\/secrets\/db-creds.txt<\/code> inside the container.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">6. Dynamic Secret: PostgreSQL<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>vault secrets enable database\n\nvault write database\/config\/pg-db \\\n  plugin_name=postgresql-database-plugin \\\n  allowed_roles=\"readonly\" \\\n  connection_url=\"postgresql:\/\/vaultadmin:pass@db.internal.local:5432\/postgres?sslmode=disable\"\n\nvault write database\/roles\/readonly \\\n  db_name=pg-db \\\n  creation_statements=\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\" \\\n  default_ttl=\"1h\" \\\n  max_ttl=\"24h\"\n<\/code><\/pre>\n\n\n\n<p>\ud83d\udccc Secrets are generated on the fly: Vault manages everything, including the password, its lifetime and its revocation.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">7. Alternative: HCP Vault (SaaS)<\/h3>\n\n\n\n<p>If you do not want to manage the infrastructure yourself, HashiCorp offers <strong>Vault in the cloud (HCP Vault)<\/strong>. It supports all Vault features, including the Kubernetes and <a href=\"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/terraform\/\" data-internallinksmanager029f6b8e52c=\"354\" title=\"Terraform (Infrastructure state management tool)\">Terraform<\/a> integrations, but requires no server maintenance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"featured_media":0,"parent":2927,"menu_order":178,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-4127","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs\/4127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/comments?post=4127"}],"version-history":[{"count":1,"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs\/4127\/revisions"}],"predecessor-version":[{"id":4129,"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs\/4127\/revisions\/4129"}],"up":[{"embeddable":true,"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs\/2927"}],"next":[{"title":"Phishing","link":"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/phishing\/","href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs\/4206"}],"prev":[{"title":"Continuous Integration (CI)","link":"https:\/\/cloudvps.by\/community\/docs\/glossarij\/terminy\/continuous-integration\/","href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/docs\/4099"}],"wp:attachment":[{"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/media?parent=4127"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/cloudvps.by\/community\/wp-json\/wp\/v2\/doc_tag?post=4127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}