Vault Basic Setup
Материал из noname.com.ua
Установка и базовая настройка Hashicorm Vault
Consul
- Consul выступает в качестве бекенда
- Базовая установка Consul https://noname.com.ua/mediawiki/index.php/Consul_Basic_Setup
Базовая настойка Vault
Устновка
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" sudo apt-get update && sudo apt-get install vault
Подготовка Consul
Есть разные способы - тут привожу пример с использованием терраформ
- Требуется токен (получение токена - https://noname.com.ua/mediawiki/index.php/Consul_Basic_Setup#management_token )
- токен приведен для примера
export CONSUL_TOKEN="4f6037ed-5f62-5463-d165-cbb984791ef1"
- Установить терраформ (если не установлен)
apt install terraform
cat acl.tf
variable "consul_datacenter" { type = string default = "kilda-fred" } provider "consul" { address = "http://127.0.0.1:8500" datacenter = var.consul_datacenter } resource "consul_acl_policy" "vault_policy" { name = "vault_policy" datacenters = [var.consul_datacenter] rules = <<-RULE { "key_prefix": { "kilda-fred-vault/": { "policy": "write" } }, "node_prefix": { "": { "policy": "write" } }, "service": { "vault": { "policy": "write" } }, "agent_prefix": { "": { "policy": "write" } }, "session_prefix": { "": { "policy": "write" } } } RULE } resource "consul_acl_role" "vault_role" { name = "vault_role" description = "Role assignet to the Hasicorp Vault service" policies = [ consul_acl_policy.vault_policy.id ] service_identities { service_name = "vault" } } resource "consul_acl_token" "vault_token" { description = "Token for Vault Server" roles = [ consul_acl_role.vault_role.name ] local = true } data "consul_acl_token_secret_id" "vault_token" { accessor_id = consul_acl_token.vault_token.accessor_id } output "consul_acl_token_secret_id" { value = data.consul_acl_token_secret_id.vault_token.secret_id sensitive = true } output "consul_token_for_vault_server_accessor_id" { value = consul_acl_token.vault_token.accessor_id sensitive = true } <PRE> terraform init