Vault Basic Setup: различия между версиями
Перейти к навигацииПерейти к поискуSirmax (обсуждение | вклад) |
Sirmax (обсуждение | вклад) |
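--- a/Vault_Basic_Setup
+++ b/Vault_Basic_Setup
@@ -21,6 +21,92 @@
 * Требуется токен (получение токена - https://noname.com.ua/mediawiki/index.php/Consul_Basic_Setup#management_token )
 * токен приведен для примера
-*
 <PRE>
 export CONSUL_TOKEN="4f6037ed-5f62-5463-d165-cbb984791ef1"
+</PRE>
+<PRE>
+apt install terraform
+</PRE>
+<PRE>
+terraform init
+</PRE>
+<PRE>
+
+<PRE>
+cat acl.tf
+</PRE>
+</PRE>
+variable "consul_datacenter" {
+type = string
+default = "kilda-fred"
+}
+provider "consul" {
+address = "http://127.0.0.1:8500"
+datacenter = var.consul_datacenter
+}
+resource "consul_acl_policy" "vault_policy" {
+name = "vault_policy"
+datacenters = [var.consul_datacenter]
+rules = <<-RULE
+{
+"key_prefix": {
+"kilda-fred-vault/": {
+"policy": "write"
+}
+},
+"node_prefix": {
+"": {
+"policy": "write"
+}
+},
+"service": {
+"vault": {
+"policy": "write"
+}
+},
+"agent_prefix": {
+"": {
+"policy": "write"
+}
+},
+"session_prefix": {
+"": {
+"policy": "write"
+}
+}
+}
+RULE
+}
+
+resource "consul_acl_role" "vault_role" {
+name = "vault_role"
+description = "Role assignet to the Hasicorp Vault service"
+policies = [
+consul_acl_policy.vault_policy.id
+]
+service_identities {
+service_name = "vault"
+}
+}
+resource "consul_acl_token" "vault_token" {
+description = "Token for Vault Server"
+roles = [
+consul_acl_role.vault_role.name
+]
+local = true
+}
+
+data "consul_acl_token_secret_id" "vault_token" {
+accessor_id = consul_acl_token.vault_token.accessor_id
+}
+
+output "consul_acl_token_secret_id" {
+value = data.consul_acl_token_secret_id.vault_token.secret_id
+sensitive = true
+}
+
+output "consul_token_for_vault_server_accessor_id" {
+value = consul_acl_token.vault_token.accessor_id
+sensitive = true
+}
+<PRE>
 </PRE>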
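Review bot: The `<PRE>` tags added in this hunk are mis-nested — the `<PRE>` opened before the blank line is closed twice after `cat acl.tf`, and a new `<PRE>` is opened just before the pre-existing `</PRE>` — so the whole acl.tf listing ends up outside any preformatted block and the wiki collapses its lines; the fix is one `</PRE>` after `cat acl.tf`, then a `<PRE>` before `variable "consul_datacenter" {` and `</PRE>` after the final `}`. Independently of markup, readers should be told that `sensitive = true` on the two outputs only hides values from the CLI: the `consul_acl_token_secret_id` data source and both outputs write the Vault server's Consul token into terraform.tfstate in plaintext, so I would add `# NOTE: the secret_id is stored in Terraform state; protect the state file like the token itself` above the `data` block (the data source also appears to accept a `pgp_key` argument for an encrypted variant — worth confirming against the provider docs). The policy matches HashiCorp's published Consul-backend policy, but `node_prefix ""`, `agent_prefix ""` and `session_prefix ""` with `write` are datacenter-wide grants while only the key prefix is scoped to this installation; a comment saying so, and noting that `node_prefix` can be narrowed to the Vault hosts' node names, would help whoever reuses this. Also, `"kilda-fred-vault/"` is a literal that does not follow `var.consul_datacenter`, and the role description `"Role assignet to the Hasicorp Vault service"` has two typos.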
Версия 14:54, 4 февраля 2022
Установка и базовая настройка HashiCorp Vault
Consul
- Consul выступает в качестве бекенда
- Базовая установка Consul https://noname.com.ua/mediawiki/index.php/Consul_Basic_Setup
Базовая настройка Vault
Установка
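# Install HashiCorp's repository signing key into a dedicated keyring.
# apt-key is deprecated, and a key added with it is trusted for every
# configured repository, not just HashiCorp's.
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Bind the repository to that keyring with signed-by so only this key may sign it.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install vault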
Подготовка Consul
Есть разные способы - здесь приведён пример с использованием Terraform
- Требуется токен (получение токена - https://noname.com.ua/mediawiki/index.php/Consul_Basic_Setup#management_token )
- токен приведен для примера
# Consul management token used by the Terraform consul provider below.
# The value here is only an example; it ends up in the shell environment
# (and in shell history), so treat it accordingly.
CONSUL_TOKEN="4f6037ed-5f62-5463-d165-cbb984791ef1"
export CONSUL_TOKEN
# Install Terraform and initialise the working directory.
apt install terraform
terraform init
cat acl.tf
# Consul ACL objects for the Vault server: policy -> role -> token, plus
# outputs exposing the resulting token.

# Name of the Consul datacenter the objects are created in.
# NOTE: the key prefix in the policy below is a literal ("kilda-fred-vault/")
# and does not follow this variable.
variable "consul_datacenter" {
  type    = string
  default = "kilda-fred"
}

# Local Consul agent over plain HTTP. No token is configured here, so the
# provider takes it from the environment (the page exports CONSUL_TOKEN).
provider "consul" {
  address    = "http://127.0.0.1:8500"
  datacenter = var.consul_datacenter
}

# Policy for Vault's Consul storage backend. Only key_prefix is scoped to this
# installation; node_prefix "", agent_prefix "" and session_prefix "" with
# "write" apply to every node, agent and session in the datacenter.
resource "consul_acl_policy" "vault_policy" {
  name        = "vault_policy"
  datacenters = [var.consul_datacenter]
  rules       = <<-RULE
    {
      "key_prefix": {
        "kilda-fred-vault/": {
          "policy": "write"
        }
      },
      "node_prefix": {
        "": {
          "policy": "write"
        }
      },
      "service": {
        "vault": {
          "policy": "write"
        }
      },
      "agent_prefix": {
        "": {
          "policy": "write"
        }
      },
      "session_prefix": {
        "": {
          "policy": "write"
        }
      }
    }
  RULE
}

# Role bundling the policy above with a service identity for "vault".
resource "consul_acl_role" "vault_role" {
  name        = "vault_role"
  description = "Role assignet to the Hasicorp Vault service"
  policies = [
    consul_acl_policy.vault_policy.id
  ]
  service_identities {
    service_name = "vault"
  }
}

# Token the Vault server will present to Consul; `local = true` makes it a
# datacenter-local token.
resource "consul_acl_token" "vault_token" {
  description = "Token for Vault Server"
  roles = [
    consul_acl_role.vault_role.name
  ]
  local = true
}

# Resolves the token's secret_id from its accessor.
# NOTE: the secret_id is written to Terraform state in plaintext; protect the
# state file (or remote backend) like the token itself.
data "consul_acl_token_secret_id" "vault_token" {
  accessor_id = consul_acl_token.vault_token.accessor_id
}

# `sensitive = true` only suppresses display in CLI output; the value still
# lives in the state file.
output "consul_acl_token_secret_id" {
  value     = data.consul_acl_token_secret_id.vault_token.secret_id
  sensitive = true
}

# Accessor id of the token (used to look the token up or revoke it later).
output "consul_token_for_vault_server_accessor_id" {
  value     = consul_acl_token.vault_token.accessor_id
  sensitive = true
}