HashiCorp Vault with Docker Compose
Frankly speaking, you might already know this. However, I had been scavenging the internet for a valid, complete example; everything I found seemed a little fragmented and I could not find one. Hence I decided to write up this blog in case it helps someone!
This post installs a Vault server via docker-compose, persists its data locally on the Docker host, and serves the Vault API over TLS using SSL certificates.
Generate SSL certs for the Vault server and create the matching DNS records. In my case I used a valid public domain and the LetsEncrypt certbot to issue the certs. As a result I have two files, as shown in the certbot output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/thecloudgarage.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/thecloudgarage.com/privkey.pem
Let’s build the directories and copy the certificate files.
rm -rf $HOME/vault
mkdir -p $HOME/vault/{config,file,logs,certs}
cp /etc/letsencrypt/live/thecloudgarage.com/fullchain.pem $HOME/vault/certs/server.crt
cp /etc/letsencrypt/live/thecloudgarage.com/privkey.pem $HOME/vault/certs/server.key
Create the docker-compose file.
cd $HOME/vault
cat <<EOF > docker-compose.yaml
version: '3.3'
services:
  vault:
    image: hashicorp/vault
    container_name: vault-new
    environment:
      VAULT_ADDR: "https://vault1.poc.thecloudgarage.com:8200"
      VAULT_API_ADDR: "https://vault1.poc.thecloudgarage.com:8200"
      VAULT_ADDRESS: "https://vault1.poc.thecloudgarage.com:8200"
      # VAULT_UI: true
      # VAULT_TOKEN:
    ports:
      - "8200:8200"
      - "8201:8201"
    restart: always
    volumes:
      - ./logs:/vault/logs/:rw
      - ./data:/vault/data/:rw
      - ./config:/vault/config/:rw
      - ./certs:/certs/:rw
      - ./file:/vault/file/:rw
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config /vault/config/config.hcl
EOF
Create the config file for Vault.
cd $HOME/vault/config
cat <<EOF > config.hcl
ui = true
disable_mlock = "true"
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}
listener "tcp" {
  address       = "[::]:8200"
  tls_disable   = "false"
  tls_cert_file = "/certs/server.crt"
  tls_key_file  = "/certs/server.key"
}
api_addr     = "https://vault1.poc.thecloudgarage.com:8200"
cluster_addr = "https://vault1.poc.thecloudgarage.com:8201"
EOF
Start the Vault server via docker-compose.
docker-compose up -d
Initialize the Vault server.
# Exec into the vault container
docker exec -it vault-new /bin/sh
# Once logged into the vault container
vault operator init
Ensure the unseal keys and root token are safely stored. Note that a restart of the Vault container leaves the Vault server sealed, and you will need the unseal keys to unseal it again (so don’t lose them).
# Example output of vault operator init command
Unseal Key 1: jaCYkRmQCl+uoKh+cgCSlEIQF8F41VSImSkyqDrY4Ka2
Unseal Key 2: Tg0OzoLjeBVYCa6xsP83+6aCrAlHXI7cZx5pkE8q2ntL
Unseal Key 3: xX7yX6uMfdZ8kRsbNeuH2NmdLWvCyzjsL6aleq7kKhAZ
Unseal Key 4: fFO1XgqumqfcAoi5WYxSYLnF4gTZuArlWLAxIkoG/Zer
Unseal Key 5: dE3W+GrgUub4i1UjsFwZQ4C75fqzACsD9bqDejdvlkK0
Initial Root Token: s.MwPEOWyYFM6XNT87WMMxTyPL
While still in the Vault container, run “vault operator unseal” three times, each time with a different unseal key (any 3 of the 5 satisfy the threshold). Observe the output below.
vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce c413b1e3-d248-72db-e302-58083f2ec3aa
Version 1.8.5
Storage Type raft
HA Enabled true
vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce c413b1e3-d248-72db-e302-58083f2ec3aa
Version 1.8.5
Storage Type raft
HA Enabled true
vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.8.5
Storage Type raft
Cluster Name vault-cluster-dfd3e6e1
Cluster ID 63c7c128-d96b-d517-2e3a-28884132876c
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>
Raft Committed Index 24
Raft Applied Index 24
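Because a container restart leaves the server sealed, a monitoring check that reports seal status is worth having. The following is an added example (not code from the post): it reads either the JSON from the unauthenticated GET /v1/sys/seal-status endpoint, or the key/value table printed by "vault status" and "vault operator unseal" as shown above, and turns it into an alert line. It assumes the server address used in the post; the sample table is constructed from the second unseal step above.

```python
# Added example (not from the post): seal-status check for the Vault server above.
import json
import re
import ssl
import urllib.request

VAULT_ADDR = "https://vault1.poc.thecloudgarage.com:8200"  # address used in the post
# CLI table label -> field name in the /v1/sys/seal-status JSON document
_CLI_FIELDS = {"Seal Type": "type", "Initialized": "initialized", "Sealed": "sealed",
               "Total Shares": "n", "Threshold": "t", "Unseal Progress": "progress", "Storage Type": "storage_type"}

def fetch_seal_status(addr: str = VAULT_ADDR, timeout: float = 5.0) -> dict:
    """GET /v1/sys/seal-status (no token needed). TLS is verified against the system trust store."""
    with urllib.request.urlopen(f"{addr}/v1/sys/seal-status", timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return json.load(resp)

def parse_cli_table(text: str) -> dict:
    """Convert the 'Key  Value' table from 'vault status'/'vault operator unseal' to the JSON layout."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line.rstrip())
        if not m or m.group(1) not in _CLI_FIELDS:
            continue
        key, val = _CLI_FIELDS[m.group(1)], m.group(2)
        if key == "progress":
            val = val.split("/")[0]  # "2/3" -> number of keys supplied so far
        out[key] = val == "true" if val in ("true", "false") else (int(val) if val.isdigit() else val)
    return out

def alert_line(status: dict) -> str:
    """One line an operator or monitoring check can act on (e.g. after a container restart)."""
    if not status.get("initialized", False):
        return "CRITICAL: Vault not initialized (run 'vault operator init')"
    if status["sealed"]:
        needed = int(status["t"]) - int(status.get("progress", 0))
        return (f"WARNING: Vault sealed ({status.get('type')} {status['t']}-of-{status['n']}); "
                f"{needed} more unseal key(s) required")
    return f"OK: Vault unsealed, storage={status.get('storage_type')}"

# Constructed sample: the second unseal step from the post, column-aligned as the CLI prints it.
SAMPLE_CLI = """Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Storage Type       raft
"""
```

Run it against the live server with `print(alert_line(fetch_seal_status()))`; the LetsEncrypt chain is publicly trusted, so certificate verification stays on. The seal-status endpoint needs no token, which is what makes it suitable for an external health check.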
Exit the container and install the Vault CLI on the host if you have not done so already.
sudo apt update && sudo apt install gpg wget
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault
For the login you will need to export the Vault address and use the root token from the steps above.
export VAULT_ADDR="https://vault1.poc.thecloudgarage.com:8200"
vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.MwPEOWyYFM6XNT87WMMxTyPL
token_accessor KY4Uefa2YlCrqBBQCo9k3BR4
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
That’s about it! Hope this helps
cheers,
Ambar@thecloudgarage
#iwork4dell