When Vault was first deployed, Consul was already in use, so it served as the early HA solution and was very simple to configure. As Vault usage grew, the backend was later switched to Integrated Storage to reduce the load on Consul and to cut the latency and risk of shipping storage data over the network.
...
storage "consul" {
  service = "vault"
  token = "xxx-xxxx-xxx-xxx" # Consul token
  address = "10.x.x.x:8500"
  path    = "vault/"
  check_timeout = "3s"
  max_parallel = "800"
  scheme = "https"
  tls_ca_file = "/vault/vault-ca.cer"
  tls_cert_file = "/vault/vault-cert.cer"
  tls_key_file = "/vault/vault-key.key"
}
api_addr = "https://10.x.x.x:8200"
cluster_addr = "https://10.x.x.x:8200"
...
Because ACLs are enabled on Consul, every client that connects to Consul needs an ACL policy and a token created for it; the token in the configuration above is the one Consul issued for Vault.
{
  "key_prefix": {
    "vault/": {
      "policy": "write"
    }
  },
  "node_prefix": {
    "": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent_prefix": {
    "": {
      "policy": "write"
    }
  },
  "session_prefix": {
    "": {
      "policy": "write"
    }
  }
}
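To keep the Consul token scoped to what Vault actually needs, the policy above can be checked against the storage stanza: the key_prefix should match Vault's path (no wider write grant), the service name should match, and node, agent and session rules need write for health checks and the leader lock. The following is an added example, not code from the original post; the stanza and policy it embeds are constructed copies of the ones shown above, and the regex parser is a simplification, not a full HCL parser.

```python
import json
import re

# Constructed sample: the storage stanza from this post (address placeholder kept).
STORAGE_STANZA = '''
storage "consul" {
  service = "vault"
  address = "10.x.x.x:8500"
  path    = "vault/"
  scheme  = "https"
}
'''

# Constructed sample: the Consul ACL policy from this post, as JSON.
POLICY_JSON = '''{
  "key_prefix":     {"vault/": {"policy": "write"}},
  "node_prefix":    {"":       {"policy": "write"}},
  "service":        {"vault":  {"policy": "write"}},
  "agent_prefix":   {"":       {"policy": "write"}},
  "session_prefix": {"":       {"policy": "write"}}
}'''

def parse_storage(stanza):
    """Collect simple key = "value" pairs from a storage stanza (not a full HCL parser)."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', stanza, re.M))

def check_policy(policy, storage):
    """Return findings where the token's policy is broader or narrower than Vault needs."""
    findings = []
    path, service = storage.get("path", "vault/"), storage.get("service", "vault")
    keys = policy.get("key_prefix", {})
    # Some write rule must cover Vault's path; any write rule not under that path is too broad.
    if not any(r.get("policy") == "write" and path.startswith(p) for p, r in keys.items()):
        findings.append(f"key_prefix {path!r} needs policy=write (all Vault data lives under it)")
    for p, r in keys.items():
        if r.get("policy") == "write" and not p.startswith(path):
            findings.append(f"key_prefix {p!r} grants write beyond {path!r}")
    if policy.get("service", {}).get(service, {}).get("policy") != "write":
        findings.append(f"service {service!r} needs policy=write so Vault can register itself")
    for block in ("node_prefix", "agent_prefix", "session_prefix"):
        if not any(r.get("policy") == "write" for r in policy.get(block, {}).values()):
            findings.append(f"{block} needs write (health checks, sessions and the leader lock)")
    return findings

def audit(policy_json=POLICY_JSON, stanza=STORAGE_STANZA):
    """Parse both inputs and return the list of findings (empty means the policy fits)."""
    return check_policy(json.loads(policy_json), parse_storage(stanza))
```

Running `audit()` on the post's own policy returns no findings; a policy that grants `key_prefix ""` write is reported as exceeding Vault's path.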