How to install HashiCorp Vault on CentOS 7

Vault Release

https://releases.hashicorp.com/vault/

Prerequisites

yum -y -q install curl unzip openssh openssh-server openssh-clients
yum -y -q install epel-release
yum -y -q install sshpass

Install Vault

export VAULT_VERSION=1.3.4
cd /usr/local/src/
curl -fsSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
curl -fsSLO https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS

Check the archive against the published checksum file before unpacking it (sha256sum prints the result in the shell's locale, Korean here):

$ grep "vault_${VAULT_VERSION}_linux_amd64.zip" vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c -
vault_1.3.4_linux_amd64.zip: 성공

unzip -q vault_${VAULT_VERSION}_linux_amd64.zip
cp vault /usr/local/bin/

$ which vault
/usr/local/bin/vault

$ vault --version
Vault v1.3.4
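The grep | sha256sum -c step above is the one supply-chain check in this install, so here it is as a function that fails closed: it rejects the archive when the digest differs and also when the checksum file has no entry for it at all (an unanchored grep would happily match the entry for the .sig file of the same name). This is an added example, not the post's code; the archive and checksum file are constructed locally so it runs offline, and with a real download you would point it at the files fetched from releases.hashicorp.com.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a downloaded release
# archive against its SHA256SUMS file the way the post does with
# `grep | sha256sum -c`, wrapped in a function that fails closed when the
# checksum file has no entry for the archive. The archive and checksum file
# below are constructed locally so the script runs offline.
set -eu

# verify_release DIR ARCHIVE SUMSFILE
# Succeeds only if DIR/SUMSFILE has a line "<sha256>  ARCHIVE" and the digest
# of DIR/ARCHIVE matches it. The pattern is anchored on both ends so that
# vault_1.3.4_linux_amd64.zip cannot be satisfied by the entry for
# vault_1.3.4_linux_amd64.zip.sig.
verify_release() {
    vr_dir=$1; vr_archive=$2; vr_sumsfile=$3
    vr_expected=$(grep -E "^[0-9a-fA-F]{64}  ${vr_archive}\$" "$vr_dir/$vr_sumsfile" | head -n 1 | cut -d' ' -f1)
    if [ -z "$vr_expected" ]; then
        echo "$vr_sumsfile: no checksum entry for $vr_archive" >&2
        return 1
    fi
    # sha256sum -c reads "<digest>  <path>" lines; hand it the full path so the
    # check does not depend on the current directory.
    printf '%s  %s\n' "$vr_expected" "$vr_dir/$vr_archive" | sha256sum -c -
}

# --- constructed sample data (not real Vault release files) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
sums=vault_1.3.4_SHA256SUMS

printf 'constructed archive body standing in for the real zip\n' > "$demo_dir/vault_1.3.4_linux_amd64.zip"
printf 'constructed archive body for a second platform\n'        > "$demo_dir/vault_1.3.4_linux_386.zip"
for f in vault_1.3.4_linux_amd64.zip vault_1.3.4_linux_386.zip; do
    printf '%s  %s\n' "$(sha256sum "$demo_dir/$f" | cut -d' ' -f1)" "$f"
done > "$demo_dir/$sums"

# Simulate a swapped archive: the 386 file changes after the sums were published.
printf 'replaced after the checksum file was written\n' > "$demo_dir/vault_1.3.4_linux_386.zip"

if verify_release "$demo_dir" vault_1.3.4_linux_amd64.zip "$sums"; then
    echo "amd64 archive matches its published digest"
fi
if ! verify_release "$demo_dir" vault_1.3.4_linux_386.zip "$sums"; then
    echo "386 archive rejected: digest mismatch"
fi
if ! verify_release "$demo_dir" vault_1.3.4_darwin_amd64.zip "$sums" 2>/dev/null; then
    echo "darwin archive rejected: no entry in $sums"
fi
```

The checksum file is fetched from the same host as the archive, so this check only proves the two files agree with each other; HashiCorp also publishes a detached signature (vault_${VAULT_VERSION}_SHA256SUMS.sig) over the checksum file, and verifying that with their published GPG key is what ties the digest to the vendor.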

Create the Vault data directory

mkdir -p /app/vault/data

Create the Vault configuration file

cat > /app/vault/config.hcl <<EOF
listener "tcp" {
    address     = "0.0.0.0:8200"
    tls_disable = true # don't do this in production - always use TLS in prod
}

storage "file" {
    path = "/app/vault/data"
}

disable_mlock = true # don't do this in production either
# ^ setting this to true allows leaking of sensitive data to disk/swap
# we're doing it here to avoid running the process as root
# or modifying any system tunables
EOF
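The config above carries two settings its own comments mark as unsafe for production, and the dev-mode log further down warns about a missing api_addr. The following added example (not the post's code) audits a config.hcl for exactly those three points and writes a hardened listener next to the post's one so the difference is visible; the certificate and key paths and the hostname in the hardened file are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not the original post's code: audit a Vault config.hcl for
# the settings the post marks "don't do this in production" and for the
# missing api_addr the server warns about, then compare against a hardened
# variant. Cert/key paths and hostname in prod.hcl are placeholders.
set -eu

# audit_vault_config FILE
# Writes one finding per line to stderr, prints the finding count to stdout
# and returns 1 if anything was found, so it can gate a deployment.
# Comments are stripped first so "# tls_disable = true" inside a comment
# does not trigger a finding.
audit_vault_config() {
    cfg_stripped=$(sed 's/#.*$//' "$1")
    n=0
    if printf '%s\n' "$cfg_stripped" | grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?true"?'; then
        echo "$1: tls_disable = true -> tokens and secrets cross the network in cleartext" >&2
        n=$((n + 1))
    fi
    if printf '%s\n' "$cfg_stripped" | grep -Eq '^[[:space:]]*disable_mlock[[:space:]]*=[[:space:]]*"?true"?'; then
        echo "$1: disable_mlock = true -> barrier key material may be swapped to disk" >&2
        n=$((n + 1))
    fi
    if ! printf '%s\n' "$cfg_stripped" | grep -Eq '^[[:space:]]*api_addr[[:space:]]*='; then
        echo "$1: api_addr not set -> server logs a WARN and guesses its own address" >&2
        n=$((n + 1))
    fi
    echo "$n"
    [ "$n" -eq 0 ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# The post's development config, reproduced here as the audit input.
cat > "$work/dev.hcl" <<'EOF'
listener "tcp" {
    address     = "0.0.0.0:8200"
    tls_disable = true # don't do this in production - always use TLS in prod
}

storage "file" {
    path = "/app/vault/data"
}

disable_mlock = true # don't do this in production either
EOF

# Hardened variant: TLS on the listener, mlock kept, api_addr set.
# The cert/key paths and the hostname are placeholders (assumed values).
cat > "$work/prod.hcl" <<'EOF'
listener "tcp" {
    address       = "0.0.0.0:8200"
    tls_cert_file = "/app/vault/tls/vault.crt"   # placeholder path
    tls_key_file  = "/app/vault/tls/vault.key"   # placeholder path
}

storage "file" {
    path = "/app/vault/data"
}

api_addr      = "https://vault.example.internal:8200"   # placeholder hostname
disable_mlock = false
EOF

dev_findings=$(audit_vault_config "$work/dev.hcl") || true
prod_findings=$(audit_vault_config "$work/prod.hcl") || true
echo "dev.hcl: $dev_findings finding(s); prod.hcl: $prod_findings finding(s)"
```

With disable_mlock left at false the process needs permission to lock memory; the usual way to grant that without running Vault as root (the reason the post disables it) is setcap cap_ipc_lock=+ep /usr/local/bin/vault.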

Run and initialize Vault

Start the server with the configuration file; it then has to be initialized (and unsealed) before it can be used:

vault server -config=/app/vault/config.hcl

Alternatively, the server can be run in development mode, which keeps everything in memory and starts already unsealed:

$ vault server -dev
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.3.4

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: z/zNZCzwvD2vzWpZn7fLWCTYDCnkexYSfcnZI8P2+g4=
Root Token: s.F2bOWngShzH0oehzHbacWBJN

Development mode should NOT be used in production installations!

==> Vault server started! Log data will stream in below:

2020-03-21T11:22:16.897+0900 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-03-21T11:22:16.898+0900 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-03-21T11:22:16.907+0900 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-03-21T11:22:16.907+0900 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-03-21T11:22:16.907+0900 [INFO]  core: security barrier not initialized

Listening port

$ ss -nlpt | grep vault
LISTEN     0    128    *:8200    *:*    users:(("vault",pid=26974,fd=5))

Set the environment variable

export VAULT_ADDR=http://127.0.0.1:8200

Check the Vault status

vault status

Initialize and unseal Vault

A server started from config.hcl comes up sealed. Initialize it, and keep the unseal keys it prints in a safe place:

vault operator init

After initialization, store the generated root token and unseal keys in a secure location.

Configure authentication and secrets engines

To use Vault, enable an auth method and a secrets engine. For example, enabling token authentication and the key/value (KV) secrets engine looks like this:

vault auth enable token
vault secrets enable kv

The token auth method is built in and enabled on every Vault server, so the first command reports that the token/ path is already in use; the second mounts a KV version 1 engine at kv/.

Using Vault

You can now use Vault to store and retrieve secrets and perform other operations.
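The initialize/unseal section and the secrets-engine section above are usually run together on a new server, so here they are as one script. This is an added example, not code from the post: it runs operator init with an explicit share count and threshold, keeps the output in a root-only JSON file instead of on the terminal, feeds exactly the threshold number of shares to operator unseal, then mounts KV and round-trips a secret. The steps that need a running Vault only execute when RUN_VAULT_STEPS=1 and the vault binary is present; the JSON helpers are exercised on a constructed sample of the init output so the file also runs offline. The init file path, VAULT_ADDR default and demo secret are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: scripts the post's
# "initialize and unseal" and "enable KV, store and read a secret" steps
# against a server started from config.hcl (which comes up sealed).
# Vault-dependent steps run only when RUN_VAULT_STEPS=1 and vault is on PATH;
# the helpers are exercised on a constructed sample of the init output.
set -eu

# unseal_keys_from_init FILE
# Prints the base64 key shares from a pretty-printed
# `vault operator init -format=json` file, one per line
# (sed/grep only, so it works on a minimal CentOS 7 box without jq).
unseal_keys_from_init() {
    sed -n '/"unseal_keys_b64"/,/\]/p' "$1" \
        | grep -v '"unseal_keys_b64"' \
        | grep -o '"[^"]*"' \
        | tr -d '"'
}

# root_token_from_init FILE
root_token_from_init() {
    sed -n 's/^[[:space:]]*"root_token":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# init_and_unseal SHARES THRESHOLD OUTFILE
# The init output holds the root token and every share, so it is written
# with umask 077. Exactly THRESHOLD distinct shares are fed to unseal.
# `vault status` exits 0 only when unsealed (2 when sealed), so under
# set -e the last line doubles as the check.
init_and_unseal() {
    ( umask 077; vault operator init -key-shares="$1" -key-threshold="$2" -format=json > "$3" )
    unseal_keys_from_init "$3" | head -n "$2" | while read -r share; do
        vault operator unseal -format=json "$share" > /dev/null
    done
    vault status > /dev/null
}

# kv_roundtrip INITFILE
# Authenticates with the initial root token, mounts KV v1 at kv/, writes a
# demo secret and reads the same field back. Token auth is built in, so the
# post's `vault auth enable token` is not repeated here.
kv_roundtrip() {
    VAULT_TOKEN=$(root_token_from_init "$1"); export VAULT_TOKEN
    vault secrets enable kv
    vault kv put kv/demo db_password=constructed-demo-value > /dev/null
    vault kv get -field=db_password kv/demo
}

# --- constructed sample of init output; the shares and token are fake ---
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
{
  "unseal_keys_b64": [
    "constructedShare1AAAAAAAA=",
    "constructedShare2BBBBBBBB=",
    "constructedShare3CCCCCCCC=",
    "constructedShare4DDDDDDDD=",
    "constructedShare5EEEEEEEE="
  ],
  "unseal_keys_hex": [],
  "unseal_shares": 5,
  "unseal_threshold": 3,
  "root_token": "s.constructedRootToken0000"
}
EOF
echo "sample has $(unseal_keys_from_init "$sample" | wc -l | tr -d ' ') shares, root token $(root_token_from_init "$sample")"

if [ "${RUN_VAULT_STEPS:-0}" = 1 ] && command -v vault > /dev/null 2>&1; then
    : "${VAULT_ADDR:=http://127.0.0.1:8200}"; export VAULT_ADDR
    init_and_unseal 5 3 /app/vault/init.json   # assumed location; move the shares off the box afterwards
    kv_roundtrip /app/vault/init.json
fi
```

Once the shares have been distributed to their holders, the init.json file should be deleted from the server and the initial root token revoked or replaced; leaving either on disk next to the storage backend undoes the point of the seal.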
