剛開始建置 PRD 環境時，總會怕漏設定了甚麼；經過一段時間的經驗累積後，總算有個樣子了，在此記錄下來，讓想使用的人參考。
# Global Vault server settings for one node of an HA cluster.
# Addresses are redacted placeholders (10.x.x.x, vault.abc.com) in this write-up.

# Human-readable identifier for the cluster.
cluster_name = "vault-cluster"
# Enables the built-in web UI on the API listener.
ui = true
# NOTE(review): "debug" is verbose for a production node; "info" is the usual
# steady-state level, with "debug" enabled temporarily while troubleshooting.
log_level = "debug"
# "standard" emits plain-text log lines; "json" is the other supported format
# and is easier to ship to a log pipeline / SIEM.
log_format = "standard"
# Keeps HA features such as request forwarding enabled.
disable_clustering = false
# Address advertised to clients for redirection to this node; served over TLS.
api_addr = "https://vault.abc.com:8200"
# Address advertised to the other Vault nodes for request forwarding.
# NOTE(review): the scheme here is "http", but Vault documents that the scheme
# of cluster_addr is ignored and node-to-node traffic on the cluster port always
# uses TLS. Writing "https://" avoids misleading a later reader — confirm.
cluster_addr = "http://10.x.x.x:8201"
# Lease TTL applied when a mount or role does not set its own.
default_lease_ttl = "24h"
# Upper bound on lease TTLs, including renewals.
max_lease_ttl = "768h"
# mlock stays enabled, so Vault asks the OS not to swap its memory to disk.
# NOTE(review): this file uses storage "raft"; HashiCorp's integrated-storage
# guidance recommends disable_mlock = true combined with disabled or encrypted
# swap, because mlock interacts poorly with the memory-mapped data file.
# Verify against the documentation for the Vault version deployed.
disable_mlock = false
# File where the server writes its process ID.
pid_file = "/vault/vault.pid"
# TCP listener for the client API (8200) and for cluster traffic (8201).
listener "tcp" {
# Bind address for API requests.
address = "10.x.x.x:8200"
# Bind address for server-to-server cluster requests.
cluster_address = "10.x.x.x:8201"
# TLS is enabled on the API listener.
tls_disable = false
# Server certificate presented to clients.
# NOTE(review): the file name "vault-ca.cer" suggests a CA certificate. This
# option expects the server (leaf) certificate, optionally followed by its
# intermediate chain — confirm the file contents.
tls_cert_file = "/vault/ssl/vault-ca.cer"
# Private key for the certificate above. Keep it readable only by the account
# that runs Vault (for example mode 0600 or 0640) and out of backups and images.
tls_key_file = "/vault/ssl/vault-key.key"
# CA bundle used to verify client certificates.
# NOTE(review): tls_disable_client_certs = true below turns client-certificate
# handling off for this listener, so this CA file appears to be unused. Either
# drop it or enable client certificates, depending on the intent.
tls_client_ca_file = "/vault/ssl/vault-client-ca.cer"
# The listener does not request client certificates. This also means a
# certificate-based auth method cannot be used through this listener.
tls_disable_client_certs = true
# Mutual TLS is not enforced; cannot be set to true while the line above is true.
tls_require_and_verify_client_cert = false
}
# Integrated (Raft) storage: Vault keeps its data on local disk and replicates
# it to the other cluster members.
storage "raft" {
# Directory holding the Raft data. Vault encrypts what it writes here, but the
# directory should still be owned by the Vault service account with restrictive
# permissions and live on a dedicated volume.
path = "/vault/data"
# Identifier of this node within the Raft cluster; must differ on every node.
node_id = "vault-node1"
# NOTE(review): no retry_join stanza is shown, so the other nodes presumably
# join manually (vault operator raft join) — confirm how peers are added.
}
# Registers this Vault node as a service in Consul (service discovery only;
# storage is handled by the "raft" stanza).
service_registration "consul" {
# Consul agent to register with.
# NOTE(review): scheme is "https" but the port is 8500, which is Consul's
# conventional plain-HTTP port (8501 is the usual HTTPS port). Confirm that the
# agent really serves HTTPS on 8500.
address = "10.x.x.x:8500"
# Service name under which Vault appears in the Consul catalog.
service = "vault"
# Talk to the Consul agent over TLS.
scheme = "https"
# An explicit empty string tells Consul to use the address of the node the
# service is registered on, instead of Vault's redirect address.
service_address = ""
# CA used to verify the Consul agent's certificate.
tls_ca_file = "/vault/ssl/ca.cer"
# Client certificate and key Vault presents to Consul.
tls_cert_file = "/vault/ssl/cert.cer"
tls_key_file = "/vault/ssl/key.key"
# Consul ACL token used for the registration (placeholder value here).
# NOTE(review): a real token in this file is a plaintext credential. Restrict
# the file to the Vault service account, keep it out of version control, and
# scope the token's ACL policy to registering the "vault" service only.
# Consul's client library generally reads CONSUL_HTTP_TOKEN from the
# environment — verify whether this stanza honors it in the version in use.
token = "xxx-xxx-xxx-xxx"
}
# Metrics settings; enables the Prometheus-format output of /v1/sys/metrics.
telemetry {
# How long Prometheus metrics are kept in memory.
# NOTE(review): 30s is short; choose a value of at least twice the scrape
# interval so samples do not expire between scrapes.
prometheus_retention_time = "30s"
# Do not prefix metric names with the local hostname.
disable_hostname = true
# NOTE(review): the listener above does not set unauthenticated_metrics_access,
# so the metrics endpoint should require a Vault token. Give the scraper a
# token whose policy grants read on sys/metrics only — confirm.
}