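The Vault binary can be downloaded from the official site for your platform: https://www.vaultproject.io/downloads
This series uses 64-bit Linux for the tutorial, with Vault at the current latest version, 1.5.3.
The download is an archive, vault_1.5.3_linux_amd64.zip. Unzipping it yields a single file named vault, which is already packaged as a binary and can be run directly.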
$ unzip vault_1.5.3_linux_amd64.zip
$ ls -l
total 185328
-rwxr-xr-x 1 ec2-user ec2-user 138559035 Aug 27 00:22 vault
-rw-rw-r-- 1 ec2-user ec2-user 51215114 Aug 27 22:42 vault_1.5.3_linux_amd64.zip
Check the current version:
$ ./vault version
Vault v1.5.3 (9fcd81405feb320390b9d71e15a691c3bc1daeef)
$ cp vault /usr/local/bin
$ vault -autocomplete-install
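This adds complete -C /usr/local/bin/vault vault to ~/.bashrc.
Alternatively, edit the file directly with vi ~/.bashrc and add complete -C /usr/local/bin/vault vault. Either way, run source ~/.bashrc at the end for it to take effect.
For a simple test you can use dev mode. The start command is: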
$ vault server -dev -dev-listen-address="10.168.1.175:8200" -dev-root-token-id="root"
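-dev: start the Vault server in dev mode.
-dev-listen-address: sets the listen address. The default is 127.0.0.1; with the default, the web UI can only be opened from the local machine.
-dev-root-token-id: sets the root token used to log in to root.
The log contains some information we should pay attention to: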
$ export VAULT_ADDR='http://10.168.1.175:8200'
$ vault server -dev -dev-listen-address="10.168.1.175:8200" -dev-root-token-id="root"
==> Vault server configuration:
Api Address: http://10.168.1.175:8200
Cgo: disabled
Cluster Address: https://10.168.1.175:8201
Go Version: go1.14.7
Listener 1: tcp (addr: "10.168.1.175:8200", cluster address: "10.168.1.175:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.5.3
Version Sha: 9fcd81405feb320390b9d71e15a691c3bc1daeef
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://10.168.1.175:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: OJ1bNKzr3W5ZHwCnaaCU4dSywYXSgUjjSyJXcb3YSlU=
Root Token: root
Development mode should NOT be used in production installations!
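The fields worth noting in the startup log above, as an added example (not from the original post or from HashiCorp): a shell function that reads a startup banner and reports the settings that are acceptable in a lab but not beyond it. The finding names, the embedded sample banner (constructed from the log above) and the 20-character token-length threshold are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: flag lab-only settings in a Vault startup banner.

# Constructed sample: key lines taken from the startup log shown above.
sample_banner() {
cat <<'EOF'
==> Vault server configuration:
             Api Address: http://10.168.1.175:8200
              Listener 1: tcp (addr: "10.168.1.175:8200", cluster address: "10.168.1.175:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
                 Storage: inmem
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
Root Token: root
EOF
}

# audit_banner: reads a banner on stdin and prints one finding per line.
# The root token itself is never echoed, only the fact that it is short.
audit_banner() {
  awk '
    /dev mode is enabled/  { print "DEV_MODE" }
    /^ *Storage: *inmem/   { print "INMEM_STORAGE" }
    /^ *Listener [0-9]+:/ {
      # Plain HTTP: tokens and secrets cross the network unencrypted.
      if ($0 ~ /tls: "disabled"/) print "TLS_DISABLED"
      # Extract the value of addr: "..." (not the cluster address).
      if (match($0, /addr: "[^"]*"/)) {
        addr = substr($0, RSTART + 7, RLENGTH - 8)
        if (addr !~ /^(127\.|localhost:|\[::1\])/)
          print "NON_LOOPBACK_LISTENER " addr
      }
    }
    /^ *Root Token:/ {
      tok = $0
      sub(/^ *Root Token: */, "", tok)
      # Assumed threshold: a token under 20 characters was set by hand.
      if (length(tok) < 20) print "WEAK_ROOT_TOKEN"
    }
  '
}

# Stand-alone run: audit the constructed sample.
sample_banner | audit_banner
```

To audit a real run, capture the server output to a file and pipe it in, for example audit_banner < vault-dev.log (the file name is a placeholder).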
In dev mode, Vault is already unsealed when it starts. You can see that the Sealed value is false.
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.5.3
Cluster Name vault-cluster-bbf6592e
Cluster ID 9fb2b953-35e9-6ebf-fdb9-8c86b48e846d
HA Enabled false
You can seal Vault by running seal:
Success! Vault is sealed.
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 1
Threshold 1
Unseal Progress 0/1
Unseal Nonce n/a
Version 1.5.3
HA Enabled false
Use the unseal key from earlier:
$ vault operator unseal vah5McbPLaoPi8HWffBiwmHQFs8t5+c4OwKMQnT2Vho=
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.5.3
Cluster Name vault-cluster-8f058eeb
Cluster ID 121b1687-f94a-f26a-cf6b-278e2047a09c
HA Enabled false
You can open the Web UI in a browser using the listen address from earlier: http://10.168.1.175:8200
Enter the unseal key:
Then enter the token to log in: