Vault: Consul в роли бекенда

Автор: | 02/03/2016
 

vault_logoПример быстрой настройки Vault с хранилищем данных в Consul.

Установка выполняется на Ubuntu 14.

Подробнее о VaultVault: установка и базовые операции.

Подробнее о Consul —Consul: установка и базовые операции.

Устанавливаем Vault:

# cd /usr/local/bin/
# wget https://releases.hashicorp.com/vault/0.4.1/vault_0.4.1_linux_amd64.zip
# unzip vault_0.4.1_linux_amd64.zip
Archive:  vault_0.4.1_linux_amd64.zip
  inflating: vault
# rm vault_0.4.1_linux_amd64.zip

Устанавливаем Consul:

# unzip consul_0.6.3_linux_amd64.zip && rm consul_0.6.3_linux_amd64.zip
Archive:  consul_0.6.3_linux_amd64.zip
  inflating: consul

Проверяем:

# vault -h
usage: vault [-version] [-help] <command> [args]

Common commands:
    delete           Delete operation on secrets in Vault
    path-help        Look up the help for a path
    read             Read data or secrets from Vault
...
# consul -h
usage: consul [--version] [--help] <command> [<args>]

Available commands are:
    agent          Runs a Consul agent
    configtest     Validate config file
    event          Fire a new event
...

Запускаем Consul:

# getip=$(ip a s | grep -E 'inet.*eth1' | awk '{print $2}' | cut -d"/" -f 1)
# consul agent -bind $getip -ui -client=$getip -server -bootstrap-expect 1 -data-dir /tmp/consul
==> WARNING: BootstrapExpect Mode is specified as 1; this is the same as Bootstrap mode.
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> Starting Consul agent...
==> Starting Consul agent RPC...
==> Consul agent running!
         Node name: 'vagrant-ubuntu-trusty-64'
        Datacenter: 'dc1'
            Server: true (bootstrap: true)
       Client Addr: 10.11.100.53 (HTTP: 8500, HTTPS: -1, DNS: 8600, RPC: 8400)
      Cluster Addr: 10.11.100.53 (LAN: 8301, WAN: 8302)
    Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
             Atlas: <disabled>
...

Проверяем:

# ps aux | grep consul
root      2434  0.2  0.6  22624 13136 pts/0    Sl   13:45   0:00 consul agent -bind 10.11.100.53 -ui -client=10.11.100.53 -server -bootstrap-expect 1 -data-dir /tmp/consul

Создаем каталоги для файлов конфигурации Vault и Consul:

# mkdir -p /etc/{vault/{conf.d,},consul/{conf.d,}}
# ls -l /etc/ | grep -E 'consul|vault'
drwxr-xr-x 3 root root    4096 Feb  1 13:48 consul
drwxr-xr-x 3 root root    4096 Feb  1 13:48 vault

Создаем файл настроек Vault — /etc/vault/conf.d/server.hcl:

backend "consul" {
  address = "10.11.100.53:8500"
  path = "vault"
}

listener "tcp" {
 address = "10.11.100.53:8200"
 tls_disable = 1
}

Больше об настройках можно почитать тут>>>.

Запускаем Vault:

# vault server -config=/etc/vault/conf.d/server.hcl
==> Vault server configuration:

         Log Level: info
             Mlock: supported: true, enabled: true
           Backend: consul (HA available)
 Advertise Address: http://10.11.100.53:8200
        Listener 1: tcp (addr: "10.11.100.53:8200", tls: "disabled")
           Version: Vault v0.4.1

==> Vault server started! Log data will stream in below:

Проверяем Vault:

# netstat -anp | grep vault
tcp        0      0 10.11.100.53:8200       0.0.0.0:*               LISTEN      2517/vault
tcp        0      0 10.11.100.53:36139      10.11.100.53:8500       ESTABLISHED 2517/vault

Инициализируем сервер (если запускаем его первый раз):

# export VAULT_ADDR=http://$getip:8200
# vault init
...
Key 1: f7575ee8370e30062e39300d625851fedb226961d0fe110f846cd30123d6eeb201
Key 2: 749564c16e71aa1184c4c0dae007da0b10e856b06608dd031623d32a73212c8b02
Key 3: f42e20ac92610077ae7b722509a33c22ffe2dcf08e3a3a4ffdbe499d9b17081603
Key 4: 114e134399e71d40629ef2bbe387b37ad5ce4c5ce6e9758e7baf841c77fb935e04
Key 5: 91f5572e65f7b726482140440a2355533ac4c61c0edb92c290321eab9fcdb7c305
Initial Root Token: 6ce5778d-1f48-b8e3-eaf3-177679623929
...

Проверяем статус — хранилище запечатано:

# vault status
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0

High-Availability Enabled: true
	Mode: sealed

Открываем его:

# vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1

Повторяем 3 раза. Больше о seal/unsealтут>>>.

Проверяем еще раз:

# vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0

High-Availability Enabled: true
	Mode: active
	Leader: http://10.11.100.53:8200

Авторизируемся с Root-токеном:

# vault auth
Token (will be hidden):
Successfully authenticated!
token: 6ce5778d-1f48-b8e3-eaf3-177679623929
token_duration: 0
token_policies: [root]

Проверяем смонтированные хранилища:

# vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging

Добавляем данные:

# vault write secret/rtfm val=data
Success! Data written to: secret/rtfm

Получаем их из Vault-а:

# vault read secret/rtfm
Key           	Value
lease_duration	2592000
val           	data

И из Consul-а:

# curl -s -v http://$getip:8500/v1/kv/?recurse | python -m json.tool | grep vault
* Hostname was NOT found in DNS cache
*   Trying 10.11.100.53...
* Connected to 10.11.100.53 (10.11.100.53) port 8500 (#0)
> GET /v1/kv/?recurse HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 10.11.100.53:8500
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< X-Consul-Index: 84
< X-Consul-Knownleader: true
< X-Consul-Lastcontact: 0
< Date: Mon, 01 Feb 2016 14:08:27 GMT
< Transfer-Encoding: chunked
<
{ [data not shown]
* Connection #0 to host 10.11.100.53 left intact
        "Key": "vault/core/audit",
        "Key": "vault/core/auth",
        "Key": "vault/core/keyring",
        "Key": "vault/core/leader/40ed9528-1e8f-d127-6d98-3e7cd263f201",
        "Key": "vault/core/lock",
        "Key": "vault/core/master",
        "Key": "vault/core/mounts",
        "Key": "vault/core/seal-config",
        "Key": "vault/logical/c43648ce-76d5-423a-5667-e66b2c98506b/rtfm",
        "Key": "vault/sys/policy/default",
        "Key": "vault/sys/token/id/31b9d0e85c34a77722a749ffee7f7fac7872dde1",
        "Key": "vault/sys/token/salt",

Готово.

Ссылки по теме

Use Vault with Consul on Docker

Vault vs. Consul

12 Factor Infrastructure with Consul and Vault

Quick Setup for Hashicorp Vault with Consul Backend