A quick example of setting up Vault with Consul as its data store.
The installation is done on Ubuntu 14.
More on Vault in Vault: installation and basic operations.
More on Consul in Consul: installation and basic operations.
Install Vault:
# cd /usr/local/bin/
# wget https://releases.hashicorp.com/vault/0.4.1/vault_0.4.1_linux_amd64.zip
# unzip vault_0.4.1_linux_amd64.zip
Archive: vault_0.4.1_linux_amd64.zip
inflating: vault
# rm vault_0.4.1_linux_amd64.zip
Install Consul:
# unzip consul_0.6.3_linux_amd64.zip && rm consul_0.6.3_linux_amd64.zip
Archive: consul_0.6.3_linux_amd64.zip
inflating: consul
Check:
# vault -h
usage: vault [-version] [-help] <command> [args]
Common commands:
delete Delete operation on secrets in Vault
path-help Look up the help for a path
read Read data or secrets from Vault
...
# consul -h
usage: consul [--version] [--help] <command> [<args>]
Available commands are:
agent Runs a Consul agent
configtest Validate config file
event Fire a new event
...
Start Consul:
# getip=$(ip a s | grep -E 'inet.*eth1' | awk '{print $2}' | cut -d"/" -f 1)
# consul agent -bind $getip -ui -client=$getip -server -bootstrap-expect 1 -data-dir /tmp/consul
==> WARNING: BootstrapExpect Mode is specified as 1; this is the same as Bootstrap mode.
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> Starting Consul agent...
==> Starting Consul agent RPC...
==> Consul agent running!
Node name: 'vagrant-ubuntu-trusty-64'
Datacenter: 'dc1'
Server: true (bootstrap: true)
Client Addr: 10.11.100.53 (HTTP: 8500, HTTPS: -1, DNS: 8600, RPC: 8400)
Cluster Addr: 10.11.100.53 (LAN: 8301, WAN: 8302)
Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
Atlas: <disabled>
...
Check:
# ps aux | grep consul
root 2434 0.2 0.6 22624 13136 pts/0 Sl 13:45 0:00 consul agent -bind 10.11.100.53 -ui -client=10.11.100.53 -server -bootstrap-expect 1 -data-dir /tmp/consul
Create the directories for the Vault and Consul configuration files:
# mkdir -p /etc/{vault/{conf.d,},consul/{conf.d,}}
# ls -l /etc/ | grep -E 'consul|vault'
drwxr-xr-x 3 root root 4096 Feb 1 13:48 consul
drwxr-xr-x 3 root root 4096 Feb 1 13:48 vault
Create the Vault configuration file, /etc/vault/conf.d/server.hcl:
backend "consul" {
    address = "10.11.100.53:8500"
    path = "vault"
}
listener "tcp" {
    address = "10.11.100.53:8200"
    tls_disable = 1
}
More about the configuration options can be found here >>>.
Start Vault:
# vault server -config=/etc/vault/conf.d/server.hcl
==> Vault server configuration:
Log Level: info
Mlock: supported: true, enabled: true
Backend: consul (HA available)
Advertise Address: http://10.11.100.53:8200
Listener 1: tcp (addr: "10.11.100.53:8200", tls: "disabled")
Version: Vault v0.4.1
==> Vault server started! Log data will stream in below:
Check Vault:
# netstat -anp | grep vault
tcp 0 0 10.11.100.53:8200 0.0.0.0:* LISTEN 2517/vault
tcp 0 0 10.11.100.53:36139 10.11.100.53:8500 ESTABLISHED 2517/vault
Initialize the server (if it is being started for the first time):
# export VAULT_ADDR=http://$getip:8200
# vault init
...
Key 1: f7575ee8370e30062e39300d625851fedb226961d0fe110f846cd30123d6eeb201
Key 2: 749564c16e71aa1184c4c0dae007da0b10e856b06608dd031623d32a73212c8b02
Key 3: f42e20ac92610077ae7b722509a33c22ffe2dcf08e3a3a4ffdbe499d9b17081603
Key 4: 114e134399e71d40629ef2bbe387b37ad5ce4c5ce6e9758e7baf841c77fb935e04
Key 5: 91f5572e65f7b726482140440a2355533ac4c61c0edb92c290321eab9fcdb7c305
Initial Root Token: 6ce5778d-1f48-b8e3-eaf3-177679623929
...
Check the status: the vault is sealed:
# vault status
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
High-Availability Enabled: true
Mode: sealed
Unseal it:
# vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1
Repeat this 3 times, once per key up to the threshold. More on seal/unseal: here >>>.
Check once more:
# vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
High-Availability Enabled: true
Mode: active
Leader: http://10.11.100.53:8200
Authenticate with the root token:
# vault auth
Token (will be hidden):
Successfully authenticated!
token: 6ce5778d-1f48-b8e3-eaf3-177679623929
token_duration: 0
token_policies: [root]
Check the mounted secret backends:
# vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging
Write some data:
# vault write secret/rtfm val=data
Success! Data written to: secret/rtfm
Read it back from Vault:
# vault read secret/rtfm
Key             Value
lease_duration  2592000
val             data
And from Consul:
# curl -s -v http://$getip:8500/v1/kv/?recurse | python -m json.tool | grep vault
* Hostname was NOT found in DNS cache
* Trying 10.11.100.53...
* Connected to 10.11.100.53 (10.11.100.53) port 8500 (#0)
> GET /v1/kv/?recurse HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 10.11.100.53:8500
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< X-Consul-Index: 84
< X-Consul-Knownleader: true
< X-Consul-Lastcontact: 0
< Date: Mon, 01 Feb 2016 14:08:27 GMT
< Transfer-Encoding: chunked
<
{ [data not shown]
* Connection #0 to host 10.11.100.53 left intact
"Key": "vault/core/audit",
"Key": "vault/core/auth",
"Key": "vault/core/keyring",
"Key": "vault/core/leader/40ed9528-1e8f-d127-6d98-3e7cd263f201",
"Key": "vault/core/lock",
"Key": "vault/core/master",
"Key": "vault/core/mounts",
"Key": "vault/core/seal-config",
"Key": "vault/logical/c43648ce-76d5-423a-5667-e66b2c98506b/rtfm",
"Key": "vault/sys/policy/default",
"Key": "vault/sys/token/id/31b9d0e85c34a77722a749ffee7f7fac7872dde1",
"Key": "vault/sys/token/salt",
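An added example (not code from the original post) of checking what the Consul backend actually holds for Vault: it lists the keys under the configured path, decodes each Value, classifies it as empty, readable text or opaque bytes, and verifies that the secret written above ("data") does not appear in the clear. The KV dump is constructed to look like the curl response above; the seal-config entry is plain JSON because Vault reads it before unsealing, while the rtfm entry stands in for barrier ciphertext.

```python
import base64
import json

# Constructed sample of a `curl http://<consul>:8500/v1/kv/?recurse` response
# after Vault has written under its configured path ("vault"). Consul returns
# Value base64-encoded (null for lock/marker keys); the rtfm bytes are
# arbitrary stand-ins for the ciphertext Vault's barrier stores.
SAMPLE_KV_DUMP = json.dumps([
    {"Key": "other-app/config",
     "Value": base64.b64encode(b"unrelated app data").decode()},
    {"Key": "vault/core/lock", "Value": None},
    {"Key": "vault/core/seal-config",
     "Value": base64.b64encode(
         b'{"type":"shamir","secret_shares":5,"secret_threshold":3}').decode()},
    {"Key": "vault/logical/c43648ce-76d5-423a-5667-e66b2c98506b/rtfm",
     "Value": base64.b64encode(bytes(range(0, 256, 7)) + b"\x8f\x02\xee").decode()},
])


def vault_entries(kv_dump_json, prefix="vault"):
    """Map each key under Vault's backend path to its decoded bytes (None if empty)."""
    entries = {}
    for item in json.loads(kv_dump_json):
        if item["Key"].startswith(prefix + "/"):
            raw = item.get("Value")
            entries[item["Key"]] = base64.b64decode(raw) if raw is not None else None
    return entries


def classify(value):
    """'empty' for marker keys, 'plaintext' for readable text, 'opaque' otherwise."""
    if not value:
        return "empty"
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    return "plaintext" if text.isprintable() else "opaque"


def audit(kv_dump_json, secret, prefix="vault"):
    """Classify every Vault entry and flag whether `secret` is stored in the clear."""
    entries = vault_entries(kv_dump_json, prefix)
    leaked = any(v is not None and secret in v for v in entries.values())
    return {k: classify(v) for k, v in entries.items()}, leaked


if __name__ == "__main__":
    print(audit(SAMPLE_KV_DUMP, b"data"))  # "data" is the value written above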
Готово.
Ссылки по теме
Use Vault with Consul on Docker
12 Factor Infrastructure with Consul and Vault
Quick Setup for Hashicorp Vault with Consul Backend




