# Setup Vault to connect to Consul using docker

## Create an install script for running a consul agent

- Create a script called _run-consul-agent.sh_

```bash
#!/bin/bash
set -euo pipefail

LOCAL_IP=xxx.yyy.zzz.aaa            # IP address of the current node
LOCAL_HOSTNAME=consul-host-xx       # Name of the current node
CONSUL_IMAGE=consul                 # Consul image
CONSUL_VERSION=1.1.0                # Version of the Consul image
DATACENTER=consul-cluster           # Name of the Consul datacenter
CONSUL_CLUSTER_NODE=xxx.yyy.zzz.aaa # IP address of the first cluster node

# Run the agent on the host network so it binds directly to this node's
# eth0 address (client/HTTP API and cluster gossip alike) and joins the
# existing cluster via the first node.
docker run \
  --detach \
  --net=host \
  --hostname "${LOCAL_HOSTNAME}" \
  --env CONSUL_CLIENT_INTERFACE='eth0' \
  --env CONSUL_BIND_INTERFACE='eth0' \
  --env CONSUL_HTTP_TOKEN="${DATACENTER}" \
  --env CONSUL_HTTP_SSL_VERIFY=false \
  --name consul "${CONSUL_IMAGE}:${CONSUL_VERSION}" \
  agent \
  -retry-join="${CONSUL_CLUSTER_NODE}" \
  -datacenter="${DATACENTER}"
```

## Create an install script for running a vault server

- Create a file called _config.hcl_ and put this in it

```hcl
# Vault stores its data in Consul's KV store under the "vault/" prefix and
# registers itself in Consul as the "vault" service.
storage "consul" {
  address = "[IP-ADDRESS of Vault Host]:8500"
  token   = "[VAULT_TOKEN]"
  path    = "vault/"
  service = "vault"
}

# tls_disable = 1 makes the API listener speak plain HTTP (the curl tests
# below use http://).
listener "tcp" {
  address     = "[IP-ADDRESS of Vault Host]:8200"
  tls_disable = 1
}
```

- Please take note that the _address_ key is the IP address of the server Vault is to be installed on
- Please take note that the _token_ key is an ACL token generated by Consul

- Create a script called _run-vault-server.sh_

```bash
#!/bin/bash
set -euo pipefail

# The directory mounted at /vault/file must contain the config.hcl created
# above. IPC_LOCK lets Vault mlock its memory so secrets are not swapped to
# disk. VAULT_ADDR must match the listener address in config.hcl, otherwise
# the vault CLI inside the container cannot reach the server. The local
# config only sets lease defaults: storage comes from config.hcl (a second
# "file" backend here would conflict with the Consul storage).
docker run \
  --detach \
  --net=host \
  --volume /path/to/vault-data/file:/vault/file \
  --cap-add=IPC_LOCK \
  --env='VAULT_ADDR=http://[IP-ADDRESS of Vault Host]:8200' \
  --env='VAULT_LOCAL_CONFIG={"default_lease_ttl": "168h", "max_lease_ttl": "720h"}' \
  --name=vault \
  vault \
  server \
  -config=/vault/file/config.hcl
```

- Please take note that the _volume_ must match the folder where you have placed the _config.hcl_ file

## Run it

- Set execute permissions on the newly created scripts: `chmod u+x run-consul-agent.sh run-vault-server.sh`
- Execute: `./run-consul-agent.sh` to start the consul agent locally
- Verify that the consul agent is up and running and connected to the cluster
- Execute: `./run-vault-server.sh` to start the vault server
- Configure the vault server:
  - Execute: `docker exec -it vault /bin/sh` to access the vault docker container
  - Execute: `vault operator init` to initialize the vault server. Take note of the _Unseal Keys_ and the _Initial Root Token_. Without these, the vault cannot be opened again once it is sealed
  - Execute: `vault operator unseal` to unseal/open the vault. Follow the onscreen instructions and use 3 of the 5 _Unseal Keys_ (the command is repeated once per key)
  - Execute: `exit` to log out of the vault docker container

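The "verify that the consul agent is up and running" step above is left to the reader. As an added example (not part of the original gist), the following Python script does that check against the agent's HTTP API: it reads `/v1/agent/members` to confirm this node is an alive member of a cluster with more than itself in it, and `/v1/health/service/vault` to see whether the Vault server has registered as the `vault` service and whether its checks pass (Vault's sealed-status check is critical while the vault is sealed). It assumes the API is reachable at `CONSUL_HTTP_ADDR` (with `CONSUL_CLIENT_INTERFACE='eth0'` as above that is `http://<eth0 address>:8500`), reads an ACL token from `CONSUL_HTTP_TOKEN` if set, and takes this node's name from `LOCAL_HOSTNAME`; the sample responses embedded in it are constructed, not captured from a real cluster.

```python
"""Check that the local Consul agent has joined the cluster and that the
Vault server is registered (and healthy) as the "vault" service.

Added example, not part of the original gist. Assumptions: the agent's HTTP
API is reachable at CONSUL_HTTP_ADDR, CONSUL_HTTP_TOKEN holds an ACL token
if ACLs are enabled, and LOCAL_HOSTNAME names this node."""
import json
import os
import sys
import urllib.request

CONSUL_ADDR = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500")
CONSUL_TOKEN = os.environ.get("CONSUL_HTTP_TOKEN", "")

# Serf member status as reported in the "Status" field of /v1/agent/members
# (0 none, 1 alive, 2 leaving, 3 left, 4 failed).
STATUS_ALIVE = 1


def consul_get(path):
    """GET a JSON document from the local agent, passing the ACL token if set."""
    req = urllib.request.Request(CONSUL_ADDR + path)
    if CONSUL_TOKEN:
        req.add_header("X-Consul-Token", CONSUL_TOKEN)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def alive_members(members):
    """Names of members whose Serf status is 'alive'."""
    return sorted(m["Name"] for m in members if m.get("Status") == STATUS_ALIVE)


def node_joined(members, hostname, min_members=2):
    """True if this node is alive and sees other alive members, i.e. it joined
    the cluster instead of running as an isolated single-node agent."""
    alive = alive_members(members)
    return hostname in alive and len(alive) >= min_members


def vault_instances(entries):
    """Summarise /v1/health/service/vault entries as (address, tags, healthy).
    Vault registers with an 'active' or 'standby' tag and a sealed-status
    check, so a sealed node shows up here with healthy == False."""
    out = []
    for entry in entries:
        svc = entry["Service"]
        host = svc.get("Address") or entry["Node"]["Address"]
        healthy = all(c["Status"] == "passing" for c in entry["Checks"])
        out.append(("%s:%d" % (host, svc["Port"]), sorted(svc.get("Tags", [])), healthy))
    return out


# Constructed sample responses (not captured from a real cluster) so the
# helpers can be exercised without a running Consul.
SAMPLE_MEMBERS = [
    {"Name": "consul-host-01", "Addr": "10.0.0.11", "Status": STATUS_ALIVE},
    {"Name": "consul-host-02", "Addr": "10.0.0.12", "Status": STATUS_ALIVE},
    {"Name": "consul-host-03", "Addr": "10.0.0.13", "Status": 4},  # failed
]
SAMPLE_HEALTH = [
    {"Node": {"Node": "consul-host-01", "Address": "10.0.0.11"},
     "Service": {"Address": "10.0.0.11", "Port": 8200, "Tags": ["active"]},
     "Checks": [{"Status": "passing"}, {"Status": "passing"}]},
    {"Node": {"Node": "consul-host-02", "Address": "10.0.0.12"},
     "Service": {"Address": "", "Port": 8200, "Tags": ["standby"]},
     "Checks": [{"Status": "passing"}, {"Status": "critical"}]},
]


def main():
    hostname = os.environ.get("LOCAL_HOSTNAME", "consul-host-xx")
    members = consul_get("/v1/agent/members")
    if not node_joined(members, hostname):
        print("%s is not an alive member of a cluster; alive members: %s"
              % (hostname, alive_members(members)))
        return 1
    print("alive members:", ", ".join(alive_members(members)))
    for addr, tags, healthy in vault_instances(consul_get("/v1/health/service/vault")):
        state = "healthy" if healthy else "UNHEALTHY (sealed?)"
        print("vault %s tags=%s %s" % (addr, tags, state))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the node after `./run-consul-agent.sh`; a non-zero exit means the agent is not part of the cluster yet. Once `./run-vault-server.sh` has been run, the `vault` service line shows whether Vault registered and whether it is still sealed.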
## Test it

- Execute: `export VAULT_TOKEN="[VAULT_TOKEN]"`, where `[VAULT_TOKEN]` is a Vault token such as the _Initial Root Token_ noted above
- Execute: `curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"bar": "Baz"}' http://vault.domain.local:8200/v1/secret/foo` to put test data into the vault. No output is returned if it works
- Execute: `curl --header "X-Vault-Token: $VAULT_TOKEN" http://vault.domain.local:8200/v1/secret/foo` to get test data from the vault. Expected output is JSON formatted:

```json
{
  "request_id": "fe70ab02-cc4c-4e6c-3eeb-f4e23d9f3c80",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 604800,
  "data": {
    "bar": "Baz"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```
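The init, unseal, write and read steps above are done interactively with the CLI and curl. As an added example (not part of the original gist), the following Python script performs the same exchange against Vault's HTTP API from the host: `GET /v1/sys/init` to see whether the vault is initialised, `POST /v1/sys/init` with 5 shares and a threshold of 3 if not, `/v1/sys/seal-status` and `/v1/sys/unseal` to submit one share per request until `sealed` is `false`, then the same `secret/foo` write and read as the curl tests. It assumes `VAULT_ADDR` points at the plain-HTTP listener from `config.hcl` (defaulting to the `vault.domain.local` address used above); on an already-initialised vault it expects the shares in `VAULT_UNSEAL_KEYS` (comma separated) and the token in `VAULT_TOKEN`. The embedded read response is constructed to match the expected output shown above.

```python
"""Initialise and unseal Vault via its HTTP API, then round-trip a test
secret through the secret/ KV (v1) mount.

Added example, not part of the original gist. Assumptions: VAULT_ADDR is the
tls_disable listener from config.hcl; VAULT_UNSEAL_KEYS and VAULT_TOKEN are
used when the vault was already initialised."""
import json
import os
import sys
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://vault.domain.local:8200")


def vault_request(path, payload=None, token=None):
    """POST payload as JSON (or GET when payload is None) and return the parsed
    body; a KV write answers 204 with an empty body, which becomes {}."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data,
                                 method="POST" if data is not None else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def keys_still_needed(status):
    """Shares still to submit, from a /v1/sys/seal-status or /v1/sys/unseal
    response: 't' is the threshold, 'progress' the shares accepted so far."""
    if not status.get("sealed", True):
        return 0
    return status["t"] - status.get("progress", 0)


def unseal(keys):
    """Submit shares one per request until Vault reports sealed == false;
    returns False if the supplied shares were not enough."""
    status = vault_request("/v1/sys/seal-status")
    for key in keys:
        if keys_still_needed(status) == 0:
            break
        status = vault_request("/v1/sys/unseal", {"key": key})
    return not status["sealed"]


def secret_data(read_response):
    """The stored key/value pairs from a KV (v1) read such as GET /v1/secret/foo."""
    return read_response.get("data") or {}


# Constructed read response, shaped like the expected output in "Test it".
SAMPLE_READ = {
    "request_id": "fe70ab02-cc4c-4e6c-3eeb-f4e23d9f3c80",
    "lease_id": "", "renewable": False, "lease_duration": 604800,
    "data": {"bar": "Baz"}, "wrap_info": None, "warnings": None, "auth": None,
}


def main():
    if not vault_request("/v1/sys/init")["initialized"]:
        # 5 shares, any 3 of which unseal: the same split the CLI walkthrough uses.
        init = vault_request("/v1/sys/init", {"secret_shares": 5, "secret_threshold": 3})
        keys, root_token = init["keys_base64"], init["root_token"]
        # These are the Unseal Keys and Initial Root Token to take note of.
        print("store these offline:", json.dumps({"keys_base64": keys, "root_token": root_token}))
    else:
        keys = os.environ["VAULT_UNSEAL_KEYS"].split(",")
        root_token = os.environ["VAULT_TOKEN"]
    if not unseal(keys):
        print("vault is still sealed after submitting all shares")
        return 1
    vault_request("/v1/secret/foo", {"bar": "Baz"}, token=root_token)
    stored = secret_data(vault_request("/v1/secret/foo", token=root_token))
    print("read back:", stored)
    return 0 if stored == {"bar": "Baz"} else 1


if __name__ == "__main__":
    sys.exit(main())
```

`/v1/sys/unseal` accepts the shares in either the hex or the base64 form that `init` returns, so the script submits `keys_base64` unchanged; the exit status is 0 only when the vault is unsealed and the value read back matches what was written.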