88 lines
No EOL
3.6 KiB
Markdown
88 lines
No EOL
3.6 KiB
Markdown
# Customized Hashicorp Vault Implementation
|
|
This is a customized implementation of the Hashicorp Vault image.
|
|
|
|
This augments the standard Hashicorp Vault image in 2 main ways:
|
|
1. It sets up the Hashicorp Vault in production mode but sets it up with an app authentication and unseals the vault so that the app can interact with it.
|
|
2. It adds a "snapshot server" which allows serving and receiving vault backups/snapshots over HTTP
|
|
|
|
## Getting Started
|
|
First, you need to clone the repostiory:
|
|
|
|
```sh
|
|
git clone https://github.com/...
|
|
```
|
|
|
|
Next, you'll need to create a/the `.env` file (you can use the `.env.example` as a template)
|
|
|
|
```sh
|
|
cp .env.example .env
|
|
```
|
|
|
|
```sh
|
|
VAULT_NAME=pass-vault.identity.bridgemanaccessible.ca
|
|
```
|
|
|
|
## Volumes
|
|
For the purposes of this piece there are two types of volumes:
|
|
- [Host Mounted Volumes](#host-mounted-volumes)
|
|
- [Shared Volumes](#shared-volumes)
|
|
|
|
These are detailed bleow
|
|
|
|
### Host Mounted Volumes
|
|
There are a number of volumes used that are intended to be mounted within the host system.
|
|
This is so that these files can be viewed or backed up easily by administrators rather than having to dive into the containers file system itself.
|
|
|
|
These Host Mounted Volumes include:
|
|
- [Configuration Directory](#configuration-directory-vaultconfig)
|
|
- [Logs Directory](#logs-directory-vaultlogs)
|
|
- [Data Directory](#data-directory-vaultdata)
|
|
- [Backup/Creds Directory](#backupcreds-directory-vaultcreds)
|
|
|
|
#### Configuration Directory (`/vault/config`)
|
|
This is where configuration files for the vault go.
|
|
In general, this doesn't require a lot of monitoring, maintenance or updating on a regular basis.
|
|
It only needs to be updated when a change to the configuration of the vault is happening/desired.
|
|
|
|
#### Logs Directory (`/vault/logs`)
|
|
This is where log files used for tasks like debugging are intended to go.
|
|
In general, the files in this directory are helpful but not thought of as critical.
|
|
|
|
#### Data Directory (`/vault/data`)
|
|
This is where all the actual data goes and therefore is a critical directory.
|
|
This directory should be backed up and monitored as if something happens to it the vault won't function or restart properly.
|
|
|
|
#### Backup/Creds Directory (`/vault/creds`)
|
|
This is where "backup" files are kept.
|
|
More specifically, things like a copy of the "root token" and "unseal keys" are kept here.
|
|
This is because these values aren't as easily available after initialization but can become required.
|
|
To that end, it's important to ensure this directory isn't shared too openly because these should be relatively confidential values.
|
|
|
|
### Shared Volumes
|
|
Unlike the [Host Mounted Volumes](#host-mounted-volumes) these volumes are intended to be shared across containers.
|
|
That is, are more geared for program access rather than human access.
|
|
|
|
You can add these using Docker Compose:
|
|
```yml
|
|
services:
|
|
app:
|
|
volumes:
|
|
- hashicorp-vault_role-vars:/role_vars
|
|
|
|
volumes:
|
|
hashicorp-vault_role-vars:
|
|
external: true
|
|
```
|
|
|
|
Replacing `app` and `hashicorp-vault_role-vars` with the appropriate values.
|
|
|
|
Note, the volume's "full name" will likely be the name of the directory followed by an underscore followed by the volumes name.
|
|
Take the example above, the volume name is `role-vars` but the Docker compose is in and was run in the `hashicorp-vault` directory so the "full name" became `hashicorp-vault_role-vars`.
|
|
|
|
If your unsure you can check using `docker volume list` which lists all the volumes.
|
|
|
|
These Shared Volumes include:
|
|
- [Role Vars](#role-vars-role_vars)
|
|
|
|
#### Role Vars (`/role_vars`)
|
|
This is where values that allow apps to use their appropriate "App Roles" are stored to be shared with the app. |