HashiCorp Vault with Docker Compose

Ambar Hassani
3 min read, May 21, 2024


Frankly speaking, you might already know this; however, I had been scavenging the internet for valid examples, and all seemed a little fragmented, and I could not find one. Hence I decided to write up this blog in case it helps someone!

This post installs a Vault server via docker-compose, persists its data locally on the Docker host, and serves the Vault API over TLS using SSL certificates.

Generate SSL certs for the Vault server and create the matching DNS records. In my case I have used a valid public domain and LetsEncrypt certbot to issue the SSL certs. As a result, I have two files, as shown in the certbot logs:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/thecloudgarage.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/thecloudgarage.com/privkey.pem

Let’s build the directories and copy the certificate files.

rm -rf $HOME/vault
mkdir -p $HOME/vault/{config,file,logs,certs}
cp /etc/letsencrypt/live/thecloudgarage.com/fullchain.pem $HOME/vault/certs/server.crt
cp /etc/letsencrypt/live/thecloudgarage.com/privkey.pem $HOME/vault/certs/server.key

Create the docker-compose file.

cd $HOME/vault
cat <<EOF > docker-compose.yaml
version: '3.3'
services:
  vault:
    image: hashicorp/vault
    container_name: vault-new
    environment:
      VAULT_ADDR: "https://vault1.poc.thecloudgarage.com:8200"
      VAULT_API_ADDR: "https://vault1.poc.thecloudgarage.com:8200"
      VAULT_ADDRESS: "https://vault1.poc.thecloudgarage.com:8200"
      # VAULT_UI: true
      # VAULT_TOKEN:
    ports:
      - "8200:8200"
      - "8201:8201"
    restart: always
    volumes:
      - ./logs:/vault/logs/:rw
      - ./data:/vault/data/:rw
      - ./config:/vault/config/:rw
      - ./certs:/certs/:rw
      - ./file:/vault/file/:rw
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config /vault/config/config.hcl
EOF

Create the config file for Vault.

cd $HOME/vault/config
cat <<EOF > config.hcl
ui = true
disable_mlock = "true"

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address       = "[::]:8200"
  tls_disable   = "false"
  tls_cert_file = "/certs/server.crt"
  tls_key_file  = "/certs/server.key"
}

api_addr     = "https://vault1.poc.thecloudgarage.com:8200"
cluster_addr = "https://vault1.poc.thecloudgarage.com:8201"
EOF
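The directory layout, docker-compose.yaml and config.hcl above, as one added shell script that is not part of the original post: it takes the Vault hostname as a parameter, writes both files with their proper indentation, copies the certbot output into place with the private key restricted to mode 0600, and runs a pre-flight check before `docker-compose up`. The function names, the `vault1.example.test` hostname in the usage comment, the GNU `stat` call (Linux host, as in the post) and the choice to mount ./certs read-only (the post mounts it rw) are this example's own assumptions; the compose and HCL content otherwise matches the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the Vault directory tree,
# docker-compose.yaml and config.hcl from one hostname, install the certbot
# files with a locked-down key, and check the result before starting Vault.
# Function names and the example hostname are assumptions of this example.
set -eu

# Write docker-compose.yaml and config.hcl under $1 for the Vault hostname $2.
render_vault_files() {
  home="$1"
  fqdn="$2"
  mkdir -p "$home/config" "$home/file" "$home/logs" "$home/certs" "$home/data"

  # Quoted heredoc delimiter: the shell expands nothing inside; only the
  # __FQDN__ placeholder is substituted, by sed.
  cat <<'EOF' | sed "s/__FQDN__/$fqdn/g" > "$home/docker-compose.yaml"
version: '3.3'
services:
  vault:
    image: hashicorp/vault
    container_name: vault-new
    environment:
      VAULT_ADDR: "https://__FQDN__:8200"
      VAULT_API_ADDR: "https://__FQDN__:8200"
    ports:
      - "8200:8200"
      - "8201:8201"
    restart: always
    volumes:
      - ./logs:/vault/logs/:rw
      - ./data:/vault/data/:rw
      - ./config:/vault/config/:rw
      - ./certs:/certs/:ro
      - ./file:/vault/file/:rw
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config /vault/config/config.hcl
EOF

  cat <<'EOF' | sed "s/__FQDN__/$fqdn/g" > "$home/config/config.hcl"
ui = true
disable_mlock = "true"

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address       = "[::]:8200"
  tls_disable   = "false"
  tls_cert_file = "/certs/server.crt"
  tls_key_file  = "/certs/server.key"
}

api_addr     = "https://__FQDN__:8200"
cluster_addr = "https://__FQDN__:8201"
EOF
}

# Copy the certbot fullchain ($2) and private key ($3) into $1/certs and
# restrict the key to its owner. Returns 1 when either input is missing.
install_certs() {
  home="$1"; fullchain="$2"; privkey="$3"
  [ -f "$fullchain" ] && [ -f "$privkey" ] || return 1
  cp "$fullchain" "$home/certs/server.crt"
  cp "$privkey" "$home/certs/server.key"
  chmod 0644 "$home/certs/server.crt"
  chmod 0600 "$home/certs/server.key"
}

# Pre-flight check: succeed only if the key is mode 0600 and the listener
# block enables TLS with the cert path that compose mounts at /certs.
preflight() {
  home="$1"
  mode=$(stat -c '%a' "$home/certs/server.key")
  [ "$mode" = "600" ] || return 1
  grep -q 'tls_disable *= *"false"' "$home/config/config.hcl" || return 1
  grep -q 'tls_cert_file = "/certs/server.crt"' "$home/config/config.hcl" || return 1
}

# usage (assumed hostname):
#   render_vault_files "$HOME/vault" vault1.example.test
#   install_certs "$HOME/vault" /etc/letsencrypt/live/<domain>/fullchain.pem \
#                 /etc/letsencrypt/live/<domain>/privkey.pem
#   preflight "$HOME/vault" && (cd "$HOME/vault" && docker-compose up -d)
```

`preflight` fails closed: if the key is readable by anyone other than its owner, or the listener does not enable TLS, it returns 1 and the `&&` chain never reaches `docker-compose up`. Because the post's entrypoint runs `vault server` directly (bypassing the image's entrypoint script that drops privileges), the process runs as the container's default user and can read the 0600 key; if you later switch to a non-root user, the key's ownership has to follow.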

Start the Vault server via docker-compose.

docker-compose up -d

Initialize the Vault server

# Exec into the vault container

docker exec -it vault-new /bin/sh

# Once logged into the vault container

vault operator init

Ensure the unseal keys and root token are safely stored. Note that restarting the vault container leaves the Vault server in sealed status, and you will need the unseal keys to unseal it again (so don’t lose them).

# Example output of vault operator init command

Unseal Key 1: jaCYkRmQCl+uoKh+cgCSlEIQF8F41VSImSkyqDrY4Ka2
Unseal Key 2: Tg0OzoLjeBVYCa6xsP83+6aCrAlHXI7cZx5pkE8q2ntL
Unseal Key 3: xX7yX6uMfdZ8kRsbNeuH2NmdLWvCyzjsL6aleq7kKhAZ
Unseal Key 4: fFO1XgqumqfcAoi5WYxSYLnF4gTZuArlWLAxIkoG/Zer
Unseal Key 5: dE3W+GrgUub4i1UjsFwZQ4C75fqzACsD9bqDejdvlkK0

Initial Root Token: s.MwPEOWyYFM6XNT87WMMxTyPL

While still in the vault container, run “vault operator unseal” three times, supplying a different one of the unseal keys each time (any 3 of the 5 keys meet the threshold). Please observe the logs below.

vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce c413b1e3-d248-72db-e302-58083f2ec3aa
Version 1.8.5
Storage Type raft
HA Enabled true

vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce c413b1e3-d248-72db-e302-58083f2ec3aa
Version 1.8.5
Storage Type raft
HA Enabled true

vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.8.5
Storage Type raft
Cluster Name vault-cluster-dfd3e6e1
Cluster ID 63c7c128-d96b-d517-2e3a-28884132876c
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>
Raft Committed Index 24
Raft Applied Index 24
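The three unseal rounds above, as an added example that is not part of the original post: two small POSIX shell helpers parse the key/value table that `vault operator unseal` and `vault status` print (the same layout as the logs above), and a loop keeps prompting for keys until the table reports `Sealed false`, giving up after a bounded number of attempts and refusing to run against an uninitialized server. The function names are this example's own; the sample table in the usage comment is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): parse the key/value table that
# `vault operator unseal` and `vault status` print, and drive the unseal
# loop until "Sealed false". Function names are assumptions of this example.

# Print the value of field $2 from a status table held in $1.
# Labels contain spaces ("Unseal Progress"), so match the full label at the
# start of the line and return the remainder with leading blanks removed.
status_field() {
  printf '%s\n' "$1" | awk -v label="$2" '
    index($0, label " ") == 1 {
      v = substr($0, length(label) + 1)
      sub(/^[ \t]+/, "", v)
      print v; exit
    }'
}

# Exit 0 when the table reports a sealed server, 1 when it is unsealed.
is_sealed() {
  [ "$(status_field "$1" Sealed)" = "true" ]
}

# Number of threshold keys still required, from "Unseal Progress n/m".
# Prints 0 when the line is absent (the server is already unsealed).
keys_remaining() {
  p=$(status_field "$1" "Unseal Progress")
  [ -n "$p" ] || { echo 0; return; }
  echo $(( ${p#*/} - ${p%/*} ))
}

# Prompt for unseal keys (vault operator unseal reads each one hidden from
# the terminal) until `vault status` no longer reports Sealed true. $1 caps
# the number of prompts. Re-reading the status each round means a node that
# was re-sealed by a container restart is handled like a fresh one.
unseal_loop() {
  max="${1:-5}"
  i=0
  # vault status exits non-zero while sealed; keep its output anyway.
  out=$(vault status 2>/dev/null || true)
  if [ "$(status_field "$out" Initialized)" = "false" ]; then
    echo "vault is not initialized; run 'vault operator init' first" >&2
    return 1
  fi
  while is_sealed "$out"; do
    [ "$i" -lt "$max" ] || { echo "gave up after $max keys" >&2; return 1; }
    i=$((i + 1))
    vault operator unseal || return 1
    out=$(vault status 2>/dev/null || true)
    echo "keys still required: $(keys_remaining "$out")"
  done
  echo "unsealed"
}

# usage, inside the container after `vault operator init`:
#   unseal_loop 3
# sample table (constructed from the logs above) for the parsers:
#   t='Sealed true
#   Threshold 3
#   Unseal Progress 1/3'
#   keys_remaining "$t"   # prints 2
```

`status_field` matches the label literally (awk `index`, not a regex), so "Seal Type" never collides with "Sealed", and the parsers work on the real, column-aligned output as well as on the single-space tables shown in the post. The loop stops at the threshold rather than after a fixed three rounds, so it behaves correctly if the cluster is later re-initialized with a different threshold.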

Exit the docker container and install the Vault CLI if not done already.

sudo apt update && sudo apt install gpg wget
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault

For the login you will need to export the Vault address and use the root token from the steps above.

export VAULT_ADDR="https://vault1.poc.thecloudgarage.com:8200"

vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key Value
--- -----
token s.MwPEOWyYFM6XNT87WMMxTyPL
token_accessor KY4Uefa2YlCrqBBQCo9k3BR4
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]

That’s about it! Hope this helps

cheers,

Ambar@thecloudgarage

#iwork4dell
