diff --git a/vault/Dockerfile b/vault/Dockerfile
index 13f7ee536..7637cbe47 100644
--- a/vault/Dockerfile
+++ b/vault/Dockerfile
@@ -5,25 +5,26 @@
 FROM alpine
 MAINTAINER kev
 
-ENV VAULT_VER 0.5.2
-ENV VAULT_URL https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_linux_amd64.zip
-ENV VAULT_MD5 7d0f546d19c8e7e1eb5f8856bfa4cc29
-ENV VAULT_FILE vault.zip
-ENV VAULT_ADDR https://127.0.0.1:8200
+ENV VAULT_VER=0.9.0
+ENV VAULT_URL=https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_linux_amd64.zip
+ENV VAULT_MD5=6db0a01b144c73b0633bbcd69175cd2c
 
 RUN set -xe \
     && apk add -U ca-certificates \
-    && wget -O $VAULT_FILE $VAULT_URL \
-    && echo "$VAULT_MD5 $VAULT_FILE" | md5sum -c \
-    && unzip $VAULT_FILE -d /usr/bin/ \
+    && wget -O vault.zip $VAULT_URL \
+    && echo "$VAULT_MD5 vault.zip" | md5sum -c \
+    && unzip vault.zip -d /usr/bin/ \
     && chmod +x /usr/bin/vault \
     && apk del ca-certificates \
-    && rm $VAULT_FILE /var/cache/apk/*
+    && rm vault.zip /var/cache/apk/*
 
-COPY vault /etc/vault
-
-VOLUME /etc/vault /var/lib/vault
+COPY ./data/etc /etc/vault
+VOLUME /etc/vault /var/lib/vault /var/log/vault
 
 EXPOSE 8200
 
-CMD ["vault", "server", "-config=/etc/vault/vault.hcl"]
+ENV VAULT_ADDR=https://127.0.0.1:8200
+ENV VAULT_SKIP_VERIFY=1
+
+ENTRYPOINT ["vault"]
+CMD ["server", "-config=/etc/vault/vault.hcl"]
diff --git a/vault/README.md b/vault/README.md
index 406b2bc92..d021dad47 100644
--- a/vault/README.md
+++ b/vault/README.md
@@ -10,14 +10,15 @@ providing tight access control and recording a detailed audit log.
 
 ## docker-compose.yml
 
-```
+```yaml
 vault:
   image: vimagick/vault
   ports:
     - "8200:8200"
   volumes:
-    - vault/vault.crt:/etc/vault/vault.crt
-    - vault/vault.key:/etc/vault/vault.key
+    - ./data/etc:/etc/vault
+    - ./data/var:/var/lib/vault
+    - ./data/log:/var/log/vault
   cap_add:
     - IPC_LOCK
   restart: always
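Review bot: `ENV VAULT_SKIP_VERIFY=1` bakes a TLS-verification bypass into the runtime environment of every `vault` invocation in this image, not just the in-container `vault init` the README runs against the self-signed 127.0.0.1 listener. Since the server certificate is already shipped to /etc/vault by the `COPY` above, the narrower setting is `ENV VAULT_CACERT=/etc/vault/vault.crt`, which keeps verification on while still trusting the local cert. Separately, `COPY ./data/etc /etc/vault` now copies the whole directory, which in this commit also holds vault.key and the newly tracked vault.secret that the README's `tee vault.secret` step fills with unseal key shares, so a rebuild after init bakes those into an image layer; a .dockerignore entry for `data/etc/vault.secret` (and the key, since compose bind-mounts the directory over /etc/vault anyway) avoids that. The download check on the `ENV VAULT_MD5` line should also move to `sha256sum -c` against the SHA256SUMS file HashiCorp publishes alongside the zip, as MD5 no longer gives a meaningful integrity guarantee.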
@@ -27,30 +28,32 @@ vault:
 
 ## server
 
-```
+```bash
 $ cd ~/fig/vault
-$ mkdir vault
-$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vault/vault.key -out vault/vault.crt
+$ mkdir data
+$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout data/etc/vault.key -out data/etc/vault.crt
 $ docker-compose up -d
 $ docker cp vault_vault_1:/usr/bin/vault /usr/local/bin/
 $ docker exec -it vault_vault_1 sh
 >>> cd /etc/vault
->>> vault init -tls-skip-verify -key-shares=5 -key-threshold=3 | tee vault.secret
+>>> vault init -key-shares=5 -key-threshold=3 | tee vault.secret
 >>> exit
-$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault
+$ docker run --rm --volumes-from vault_vault_1 -v `pwd`:/backup alpine tar cvzf /backup/vault.tgz /etc/vault /var/lib/vault /var/log/vault
 ```
 
 > Split `vault.secret`, keep them a secret.
 
 ## client
 
-```
+```bash
 $ export VAULT_ADDR='https://server:8200'
-$ cp ~/fig/vault/vault/vault.crt /etc/ssl/certs/vault.pem
+$ export VAULT_SKIP_VERIFY=0
+$ cp ~/fig/vault/data/etc/vault.crt /etc/ssl/certs/vault.pem
 $ update-ca-certificates
 $ vault status
 $ vault unseal && vault unseal && vault unseal
 $ vault auth
+$ vault audit-enable file file_path=/var/log/vault/audit.log
 $ vault write secret/name key=value
 $ vault read secret/name
 $ vault seal
diff --git a/vault/vault/vault.crt b/vault/data/etc/vault.crt
similarity index 100%
rename from vault/vault/vault.crt
rename to vault/data/etc/vault.crt
diff --git a/vault/vault/vault.hcl b/vault/data/etc/vault.hcl
similarity index 100%
rename from vault/vault/vault.hcl
rename to vault/data/etc/vault.hcl
diff --git a/vault/vault/vault.key b/vault/data/etc/vault.key
similarity index 100%
rename from vault/vault/vault.key
rename to vault/data/etc/vault.key
diff --git a/vault/data/etc/vault.secret b/vault/data/etc/vault.secret
new file mode 100644
index 000000000..e69de29bb
diff --git a/vault/data/log/.gitkeep b/vault/data/log/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/vault/data/var/.gitkeep b/vault/data/var/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/vault/docker-compose.yml b/vault/docker-compose.yml
index 713bc90ca..6a959448c 100644
--- a/vault/docker-compose.yml
+++ b/vault/docker-compose.yml
@@ -3,8 +3,9 @@ vault:
   ports:
     - "8200:8200"
   volumes:
-    - ./vault/vault.crt:/etc/vault/vault.crt
-    - ./vault/vault.key:/etc/vault/vault.key
+    - ./data/etc:/etc/vault
+    - ./data/var:/var/lib/vault
+    - ./data/log:/var/log/vault
   cap_add:
     - IPC_LOCK
   restart: always
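Review bot: `- ./data/etc:/etc/vault` mounts the directory holding vault.hcl, the TLS private key and vault.secret read-write, so a process inside the container can alter its own configuration and key material; `- ./data/etc:/etc/vault:ro` is sufficient for the server itself. The README's in-container `tee vault.secret` into /etc/vault is the only write this layout relies on, and redirecting that output outside the bind mount (and outside the build context, since the Dockerfile in this commit now `COPY`s data/etc) also keeps the unseal shares out of both the repository and the image. The `./data/var` and `./data/log` mounts need to stay writable since the server writes storage and the audit log there.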