# Setup Vault to connect to Consul using docker

## Create an install script for running a consul agent

- Create a script called _run-consul-agent.sh_

```bash
#!/bin/bash
LOCAL_IP=xxx.yyy.zzz.aaa             # IP address of the current node
LOCAL_HOSTNAME=consul-host-xx        # Name of the current node
CONSUL_IMAGE=consul                  # Consul image
CONSUL_VERSION=1.1.0                 # Version of the Consul image
DATACENTER=consul-cluster            # Name of the Consul datacenter
CONSUL_CLUSTER_NODE=xxx.yyy.zzz.aaa  # IP address of the first cluster node

docker run \
  --detach \
  --net=host \
  --hostname ${LOCAL_HOSTNAME} \
  --env CONSUL_CLIENT_INTERFACE='eth0' \
  --env CONSUL_BIND_INTERFACE='eth0' \
  --env CONSUL_HTTP_TOKEN="${DATACENTER}" \
  --env CONSUL_HTTP_SSL_VERIFY=false \
  --name consul ${CONSUL_IMAGE}:${CONSUL_VERSION} \
  agent \
  -retry-join=${CONSUL_CLUSTER_NODE} \
  -datacenter ${DATACENTER}
```

- Please take note that `--net=host` together with `CONSUL_CLIENT_INTERFACE='eth0'` makes the agent serve its HTTP API on port 8500 of the host's `eth0` address. That is the address Vault will be pointed at below.
- Please take note that `CONSUL_HTTP_TOKEN` and `CONSUL_HTTP_SSL_VERIFY` only affect `consul` CLI commands run inside this container. The datacenter name is not an ACL token; if Consul ACLs are enabled, put a real Consul ACL token there, and do not disable TLS verification outside a lab.

## Create an install script for running a vault server

- Create a file called _config.hcl_ and put this in it

```hcl
storage "consul" {
  address = "[IP-ADDRESS of Vault Host]:8500"
  token   = "[CONSUL_TOKEN]"
  path    = "vault/"
  service = "vault"
}

listener "tcp" {
  address     = "[IP-ADDRESS of Vault Host]:8200"
  tls_disable = 1
}
```

- Please take note that the _address_ key is the IP address of the server Vault is to be installed on: Vault talks to the Consul agent started above, which listens on that address on port 8500.
- Please take note that the _token_ key is an ACL token generated by Consul for Vault's use. It is not the Vault token used in the "Test it" section, and it should carry only the Consul permissions Vault needs, not a management token.
- Please take note that `tls_disable = 1` makes the listener plain HTTP. Every Vault token, and the unseal keys sent during `vault operator unseal`, then cross the network in clear. Use this only in a lab; otherwise configure `tls_cert_file` and `tls_key_file` on the listener.
- Create a script called _run-vault-server.sh_

```bash
#!/bin/bash
docker run \
  --detach \
  --net=host \
  --volume /path/to/vault-data/file:/vault/file \
  --cap-add=IPC_LOCK \
  --env='VAULT_ADDR=http://[IP-ADDRESS of Vault Host]:8200' \
  --env='VAULT_LOCAL_CONFIG={"default_lease_ttl": "168h", "max_lease_ttl": "720h"}' \
  --name=vault \
  vault \
  server \
  -config=/vault/file/config.hcl
```

- Please take note that the _volume_ must match the folder where you have placed the _config.hcl_ file; it is mounted at `/vault/file` inside the container, which is why the `-config` flag points there.
- Please take note that `VAULT_ADDR` must match the listener address in _config.hcl_. The listener binds the host IP, not `127.0.0.1`, so with a loopback `VAULT_ADDR` the `vault` CLI inside the container cannot reach the server.
- Please take note that `VAULT_LOCAL_CONFIG` only carries the lease TTLs. The storage backend comes from _config.hcl_; declaring a second (file) backend here would only obscure which one is actually in use.

## Run it

- Set execute permissions on the newly created scripts: `chmod u+x run-consul-agent.sh run-vault-server.sh`
- Execute: `./run-consul-agent.sh` to start the consul agent locally
- Verify that the consul agent is up and running and has joined the cluster: `docker exec consul consul members` should list this node together with the other cluster members
- Execute: `./run-vault-server.sh` to start the vault server
- Configure the vault server
- Execute: `docker exec -it vault /bin/sh` to access the vault docker container
- Execute: `vault operator init` to initialize the vault server. Take note of the five _Unseal Keys_ and the _Initial Root Token_ and store them offline. Without the unseal keys the vault cannot be opened again after it is sealed or restarted, and the data in Consul is unrecoverable
- Execute: `vault operator unseal` to unseal/open the vault. Follow the onscreen instructions and repeat the command with three of the five _Unseal Keys_ (the default is 5 shares with a threshold of 3). `vault status` should then report `Sealed false`
- Execute: `exit` to log out of the vault docker container

## Test it

- Execute: `export VAULT_TOKEN="[INITIAL_ROOT_TOKEN]"` where _Initial Root Token_ is the value printed by `vault operator init` (any Vault token allowed to read and write `secret/` will do)
- The calls below use the KV version 1 API at `secret/`. Check `vault secrets list` inside the container first; if `secret/` is not mounted, or is mounted as KV version 2 (whose paths look like `secret/data/foo`), mount a version 1 engine with `vault secrets enable -path=secret -version=1 kv`
- Execute: `curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"bar": "Baz"}' http://vault.domain.local:8200/v1/secret/foo` to put test data into the vault. No output is returned if it works (HTTP 204)
- Execute: `curl --header "X-Vault-Token: $VAULT_TOKEN" http://vault.domain.local:8200/v1/secret/foo` to get test data from the vault. Expected output is JSON formatted, with `lease_duration` equal to the 168h default lease TTL in seconds:

```json
{
  "request_id": "fe70ab02-cc4c-4e6c-3eeb-f4e23d9f3c80",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 604800,
  "data": {
    "bar": "Baz"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

- Please take note that `vault.domain.local` stands for the DNS name or IP address of the Vault host, and that over the `tls_disable` listener the token in the `X-Vault-Token` header is visible to anyone on the network path.
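The _config.hcl_ checks and the init/unseal steps from "Run it", automated as an added example; this script is not part of the original page. It assumes `VAULT_BIN` resolves to the `vault` CLI (inside the container, or on the host with `VAULT_ADDR` set), that the certificate paths under `/vault/file/tls/`, Consul's HTTPS port 8501 and the variable `CONSUL_ACL_TOKEN` are placeholders you adjust, and it reproduces the weak _config.hcl_ from above as constructed input so the checker can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight check of config.hcl,
# then `vault operator init` and unseal with exactly the key threshold.
# Assumptions: VAULT_BIN points at the vault CLI; CONSUL_ACL_TOKEN holds a
# Consul ACL token scoped to what Vault needs; cert paths and port 8501 are
# placeholders. Key material goes to a mode-0600 file and is never echoed.
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"

# The page's config.hcl, reproduced here as the "weak" input for the checker.
weak_config_example() {
  cat <<'EOF'
storage "consul" {
  address = "[IP-ADDRESS of Vault Host]:8500"
  token   = "[CONSUL_TOKEN]"
  path    = "vault/"
  service = "vault"
}
listener "tcp" {
  address     = "[IP-ADDRESS of Vault Host]:8200"
  tls_disable = 1
}
EOF
}

# Corrected counterpart: TLS on both hops (Vault listener and Vault -> Consul).
# The token is read from the environment so it never shows up in `ps`.
hardened_config_example() {  # $1 = IP address of the Vault host
  cat <<EOF
storage "consul" {
  address = "$1:8501"
  scheme  = "https"
  token   = "${CONSUL_ACL_TOKEN:?set CONSUL_ACL_TOKEN to a Consul ACL token}"
  path    = "vault/"
  service = "vault"
}
listener "tcp" {
  address       = "$1:8200"
  tls_cert_file = "/vault/file/tls/vault.crt"
  tls_key_file  = "/vault/file/tls/vault.key"
}
EOF
}

# Returns 0 when the config has no unreplaced [placeholder], keeps TLS on the
# listener, and talks to Consul over HTTPS; prints each finding on stderr.
check_vault_config() {  # $1 = path to config.hcl
  local f="$1" rc=0
  if grep -Eq '\[[^]]+\]' "$f"; then
    echo "FAIL: unreplaced placeholder $(grep -Eo '\[[^]]+\]' "$f" | head -1)" >&2; rc=1
  fi
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*(1|true|"true")' "$f"; then
    echo "FAIL: tls_disable set; tokens and unseal keys would cross the network in clear" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*scheme[[:space:]]*=[[:space:]]*"https"' "$f"; then
    echo 'FAIL: storage "consul" lacks scheme = "https"; the Consul ACL token is sent in clear' >&2; rc=1
  fi
  return "$rc"
}

# Field extraction from the plain-text output of `vault operator init`, whose
# lines look like "Unseal Key 1: <key>" and "Initial Root Token: <token>".
unseal_key() { printf '%s\n' "$1" | awk -v n="$2" '$1=="Unseal" && $2=="Key" && $3==(n ":") {print $4}'; }
root_token() { printf '%s\n' "$1" | awk '$1=="Initial" && $2=="Root" && $3=="Token:" {print $4}'; }

# init_and_unseal SHARES THRESHOLD KEYFILE -> prints the initial root token.
init_and_unseal() {
  local shares="$1" threshold="$2" keyfile="$3" out i=1
  out="$("$VAULT_BIN" operator init -key-shares="$shares" -key-threshold="$threshold")"
  ( umask 077; printf '%s\n' "$out" > "$keyfile" )   # losing this file loses the vault
  while [ "$i" -le "$threshold" ]; do                 # exactly THRESHOLD keys, no more
    "$VAULT_BIN" operator unseal "$(unseal_key "$out" "$i")" >/dev/null
    i=$((i + 1))
  done
  root_token "$out"
}

# Usage: ./bootstrap-vault.sh /vault/file/config.hcl /vault/file/vault-init.txt
if [ "${1:-}" != "" ]; then
  check_vault_config "$1"
  init_and_unseal 5 3 "${2:-vault-init.txt}"
fi
```

Run it inside the container as `./bootstrap-vault.sh /vault/file/config.hcl /vault/file/vault-init.txt`: it refuses to initialize a Vault whose config still contains placeholders or plain-HTTP hops, writes the init output to a file only the owner can read instead of the terminal, and feeds exactly the threshold number of keys to `vault operator unseal`. Move the key file off the host afterwards.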