Vault Basic Setup



Установка и базовая настройка HashiCorp Vault

Consul

Базовая настройка Vault

Установка

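# Install Vault from HashiCorp's apt repository.
# `apt-key add` is deprecated: it makes the vendor key trusted for *every*
# apt source. Instead, keep the key in its own keyring and bind it to this
# one repository with [signed-by=...]. Before trusting the downloaded key,
# compare its fingerprint with the one HashiCorp publishes.
sudo install -d -m 0755 /usr/share/keyrings
curl -fsSL https://apt.releases.hashicorp.com/gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
sudo apt-get update && sudo apt-get install -y vault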

Подготовка Consul

Есть разные способы — здесь приведён пример с использованием Terraform. Для создания ACL-политик и токенов нужен Consul-токен с правом `acl:write` (например, bootstrap/management-токен); не публикуйте его и не оставляйте в истории shell.

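# Consul ACL token used by the Terraform consul provider below. It has to be
# allowed to create policies/roles/tokens (acl:write, e.g. the bootstrap or a
# management token). Read it from the terminal without echo instead of
# hard-coding it: a literal on the command line ends up in shell history and
# in every copy of this page.
read -rs -p 'Consul ACL token: ' CONSUL_TOKEN && echo
export CONSUL_TOKEN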
  • Установить Terraform (если ещё не установлен)
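# Terraform comes from the same HashiCorp repository that was added for Vault
# above, so it is signed by the same key. Use sudo/apt-get like the other
# install steps on this page.
sudo apt-get install -y terraform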


# acl.tf — the Terraform definition that is applied in the steps below
cat acl.tf
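# Consul datacenter the policy, role and token below are scoped to.
variable "consul_datacenter" {
  description = "Consul datacenter in which the Vault ACL policy, role and token are created"
  type        = string
  default     = "kilda-fred"
}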
# Talks to the local Consul agent over plain HTTP on loopback. Plain HTTP is
# acceptable only for 127.0.0.1; for a remote agent switch to https and
# configure the CA so the ACL token is not sent in clear text.
# No "token" attribute is set on purpose: the token is expected to come from
# the CONSUL_TOKEN exported in the shell above, so the management token is
# never written into .tf files.
provider "consul" {
  address    = "http://127.0.0.1:8500"
  datacenter = var.consul_datacenter
}
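# Consul KV prefix under which Vault keeps its data. It must match the "path"
# of the consul storage stanza in Vault's own configuration; the policy below
# grants KV write only under this prefix.
variable "vault_key_prefix" {
  description = "Consul KV prefix used by Vault's consul storage backend (must end with '/')"
  type        = string
  default     = "kilda-fred-vault/"
}

# Policy for the Vault server's Consul token. The rule set follows the policy
# HashiCorp documents for the consul storage backend: KV write under Vault's
# own prefix, write on the "vault" service registration, and node/agent/
# session write (needed for health checks and the HA lock session).
# The empty-prefix node/agent/session rules are datacenter-wide, so this
# token must not be reused for anything other than the Vault server.
resource "consul_acl_policy" "vault_policy" {
  name        = "vault_policy"
  datacenters = [var.consul_datacenter] # policy is valid only in this datacenter
  rules       = <<-RULE
    {
        "key_prefix": {
            "${var.vault_key_prefix}": {
                "policy": "write"
            }
        },
        "node_prefix": {
            "": {
              "policy": "write"
            }
        },
        "service": {
            "vault": {
                "policy": "write"
            }
        },
        "agent_prefix": {
            "": {
                "policy": "write"
            }
        },
        "session_prefix": {
            "": {
                "policy": "write"
            }
        }
    }
    RULE
}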

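# Role that binds vault_policy to the Vault service. The service identity
# additionally applies Consul's built-in template for registering the
# "vault" service (on top of the explicit policy).
resource "consul_acl_role" "vault_role" {
  name        = "vault_role"
  description = "Role assigned to the HashiCorp Vault service" # typos fixed ("assignet", "Hasicorp")
  policies = [
    consul_acl_policy.vault_policy.id
  ]
  service_identities {
    service_name = "vault"
  }
}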
# The token the Vault server's consul storage stanza will use.
# "local = true" makes it a datacenter-local token (not replicated to other
# datacenters), which matches the datacenter-scoped policy above.
resource "consul_acl_token" "vault_token" {
    description = "Token for Vault Server"
    roles = [
        consul_acl_role.vault_role.name
    ]
    local = true
}

# Resolves the token's secret from its accessor so it can be handed to Vault.
# NOTE(review): the secret is written to the Terraform state in plain text;
# protect the state file like the token itself (remote backend, encryption,
# restricted access).
data "consul_acl_token_secret_id" "vault_token" {
    accessor_id = consul_acl_token.vault_token.accessor_id
}

# Token secret for Vault's consul storage stanza. "sensitive" only hides the
# value in plan/apply output; it is still stored in the state, and
# `terraform output -raw consul_acl_token_secret_id` prints it.
output "consul_acl_token_secret_id" {
    value = data.consul_acl_token_secret_id.vault_token.secret_id
    sensitive = true
}

# Accessor ID of the Vault token: the handle for auditing or revoking the
# token later (`consul acl token read/delete -accessor-id ...`) without
# needing the secret.
output "consul_token_for_vault_server_accessor_id" {
    value = consul_acl_token.vault_token.accessor_id
    sensitive = true
}


terraform init