Thank you for reading this post, don't forget to subscribe!
Hashicop Vault будем ставить в docker-compose
ставим docker:
yum remove docker docker-engine docker.io
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce -y
systemctl start docker
systemctl enable docker
ставим docker-compose
https://github.com/docker/compose/releases
на текущий момент самая последняя версия:
2,6,1
https://github.com/docker/compose/releases/download/v2.6.1/docker-compose-linux-x86_64
выкачиваем её:
curl -L "https://github.com/docker/compose/releases/download/v2.6.1/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
всё готово.
теперь приступим к установке Vault
cat docker-compose.yml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
version: '3.8' services: vault: build: context: ./vault dockerfile: Dockerfile ports: - 8200:8200 volumes: - ./vault/config:/vault/config - ./vault/policies:/vault/policies - ./vault/data:/vault/data - ./vault/logs:/vault/logs environment: - VAULT_ADDR=http://127.0.0.1:8200 - VAULT_API_ADDR=http://127.0.0.1:8200 command: server -config=/vault/config/vault-config.json cap_add: - IPC_LOCK depends_on: - consul consul: build: context: ./consul dockerfile: Dockerfile ports: - 8500:8500 command: agent -server -bind 0.0.0.0 -client 0.0.0.0 -bootstrap-expect 1 -config-file=/consul/config/config.json volumes: - ./consul/config/consul-config.json:/consul/config/config.json - ./consul/data:/consul/data consul-worker: build: context: ./consul dockerfile: Dockerfile command: agent -server -join consul -config-file=/consul/config/config.json volumes: - ./consul/config/consul-config.json:/consul/config/config.json depends_on: - consul |
cat consul/Dockerfile
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
# base image FROM alpine:3.14 # set consul version ENV CONSUL_VERSION 1.10.2 # create a new directory RUN mkdir /consul # download dependencies RUN apk --no-cache add \ bash \ ca-certificates \ wget # download and set up consul RUN wget --quiet --output-document=/tmp/consul.zip https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip && \ unzip /tmp/consul.zip -d /consul && \ rm -f /tmp/consul.zip && \ chmod +x /consul/consul # update PATH ENV PATH="PATH=$PATH:$PWD/consul" # add the config file COPY ./config/consul-config.json /consul/config/config.json # expose ports EXPOSE 8300 8400 8500 8600 # run consul ENTRYPOINT ["consul"] |
cat consul/config/consul-config.json
1 2 3 4 5 6 7 8 9 10 11 |
{ "datacenter": "localhost", "data_dir": "/consul/data", "log_level": "DEBUG", "server": true, "ui": true, "ports": { "dns": 53 } } |
mkdir consul/data/
cat vault/Dockerfile
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
# base image FROM alpine:3.14 # set vault version ENV VAULT_VERSION 1.11.2 # create a new directory RUN mkdir /vault # download dependencies RUN apk --no-cache add \ bash \ ca-certificates \ wget # download and set up vault RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \ unzip /tmp/vault.zip -d /vault && \ rm -f /tmp/vault.zip && \ chmod +x /vault # update PATH ENV PATH="PATH=$PATH:$PWD/vault" # add the config file COPY ./config/vault-config.json /vault/config/vault-config.json # expose port 8200 EXPOSE 8200 # run vault ENTRYPOINT ["vault"] |
cat vault/config/vault-config.json
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
{ "backend": { "consul": { "address": "consul:8500", "path": "vault/" } }, "listener": { "tcp":{ "address": "0.0.0.0:8200", "tls_disable": 1 } }, "ui": true } |
mkdir vault/data/
mkdir vault/logs/
cat vault/policies/app-policy.json
1 2 3 4 5 6 7 8 |
{ "path": { "kv/data/app/*": { "policy": "read" } } } |
запускаем:
docker-compose up -d
ждём пока соберётся.
потом заходим в Vault:
http://192.168.1.170:8200
ставим
Key shares = 5
Key threshold = 3
но вы можете установить любое другое значение
мы получаем 5 ключей.
внизу справа можно скачать json
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
{ "keys": [ "22b07e26d89c620dc68cab7a7e5046d8a807390fe55a477d091f9178bc8339af3c", "140b672e0b9fdfae320d80a023261be6a72c019fd85f19f58a29eb1fccd82f26f2", "6cec6d35d5f2250e4e007f1a8d88f252f725751d3383d1d0dff8aabc0e1738e16b", "17752ae8096c64efe213bc63eccb496a87c8525ad24c0597ecab386adbfc8c86b5", "e23fc4247807c314d1590dcb706e131218ae7fdf8b6d6959d208d9398c5ec2168e" ], "keys_base64": [ "IrB+JticYg3GjKt6flBG2KgHOQ/lWkd9CR+ReLyDOa88", "FAtnLguf364yDYCgIyYb5qcsAZ/YXxn1iinrH8zYLyby", "bOxtNdXyJQ5OAH8ajYjyUvcldR0zg9HQ3/iqvA4XOOFr", "F3Uq6AlsZO/iE7xj7MtJaofIUlrSTAWX7Ks4atv8jIa1", "4j/EJHgHwxTRWQ3LcG4TEhiuf9+LbWlZ0gjZOYxewhaO" ], "root_token": "s.Rw5WixMGCf84xZD1nHhndj3K" } |
далее нужно ввести ключи по очереди:
далее выбираем рутовый токен который мы скачали вместе с ключами:
мы так же можем выбрать и другие методы:
но мы остановимся на токене
всё ок.
попадаем в панель:
проверим Consul
http://192.168.1.170:8500/
==========================================
добавим аутентификацию по логину и паролю:
ну всё готово. пользователь есть теперь зададим политику.
идём на офф сайт
https://www.vaultproject.io/docs/concepts/policies
или смотрим в default возможные варианты настройки
вставляем политику:
1 2 3 |
path "secret/*" { capabilities = ["create", "read", "update", "patch", "delete", "list"] } |
всё можно создавать секрет