Vault 是一款 Secret 管理工具。
MacOS 安装:下载二进制文件,下载地址:https://www.vaultproject.io/downloads/
下载完成后放入 PATH 。
验证安装:
$ vault version
Vault v1.3.2启动 UI
$ vault server -dev参见:https://learn.hashicorp.com/vault/operations/ops-deployment-guide
编写 service 文件:
$ sudo vim /usr/lib/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=admin
Group=admin
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target我这里使用 etcd 作为储存。编写配置文件:
$ sudo vim /etc/vault/config.hcl
storage "etcd" {
address = "https://fueltank-1:2379,https://fueltank-2:2379,https://fueltank-3:2379"
etcd_api = "v3"
ha_enabled = "true"
tls_ca_file = "/etc/etcd/cert/ca.pem"
tls_cert_file = "/etc/etcd/cert/etcd.pem"
tls_key_file = "/etc/etcd/cert/etcd-key.pem"
}
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "172.20.20.162:8201"
tls_cert_file = "/etc/vault/cert/vault.pem"
tls_key_file = "/etc/vault/cert/vault-key.pem"
tls_client_ca_file = "/etc/kubernetes/cert/ca.pem"
}
api_addr = "https://172.20.20.162:8200"
cluster_addr = "https://172.20.20.162:8201"
ui = true启动:
$ sudo systemctl enable vault.service
$ sudo systemctl start vault.service服务启动后,要进行初始化:
$ vault operator init -ca-path=/etc/kubernetes/cert/ca.pem
Unseal Key 1: Xx4CWop5pr8l3CjPvRk2zm9Pi6q79HJR4K1Iv+oWE4HN
Unseal Key 2: ZvnAEmMjYZ1/o0WgtdFwD7CF7e/qV1ii3BTOgAMW/0uY
Unseal Key 3: s3BtR6kFiSb+H9KfZmU6NRAJPS8MzpPNQgdi3P/VIALU
Unseal Key 4: 5qD//UBLAswYYCxHNpWq3iMoTXt5S+dyl8SyO908aZ8q
Unseal Key 5: rZr9awWXYnLqv3MXrRPxp1zD0DakV5SACihzgcpGdEpC
Initial Root Token: s.lkTx7wVmlaCIYYE5I8u9hSBb
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.生成的数据要保存好!!!然后进行解封:
$ vault operator unseal -ca-path=/etc/kubernetes/cert/ca.pem执行三次,每次都输入一个上面的 Unseal Key。
因为上面的配置文件中,配置了 ui = true ,所以可以访问 https://localhost:8200 来访问 UI 界面,UI 界面也是需要先解封再输入上边的 root token
$ vault -autocomplete-install
$ complete -C /usr/bin/vault vault$ echo "export VAULT_CACERT=/etc/kubernetes/cert/ca.pem" >> ~/.bash_profile
$ source ~/.bash_profile参考:https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul
按照上边的配置再部署两个节点即可,解封后,使用 vault status 查看服务状态,会发现其中一个节点是 active 活动节点,两个节点是 standby 备用节点。