[Linux] How to install HashiCorp Vault on Ubuntu (installing vault)

Test environment

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:        22.04
Codename:       jammy

Installing Vault

Install gpg, which is needed to import and verify the package signing key

sudo apt update && sudo apt install -y gpg

Add the HashiCorp GPG key

wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null

Verify the key fingerprint

Compare the fingerprint printed below with the one HashiCorp publishes in its install documentation; if they differ, delete the keyring and do not add the repository. HashiCorp can rotate the signing key, so the value shown here is the one that was current when this was written.

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
$ gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub   rsa4096 2020-05-07 [SC]
      E8A0 32E0 94D8 EB4E A189  D270 DA41 8C88 A321 9F7B
uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub   rsa4096 2020-05-07 [E]

Add the official HashiCorp Linux repository

echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main

Update and install

sudo apt update && sudo apt install -y vault
$ sudo apt update && sudo apt install vault
...
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  vault
0 upgraded, 1 newly installed, 0 to remove and 103 not upgraded.
Need to get 85.0 MB of archives.
After this operation, 214 MB of additional disk space will be used.
Get:1 https://apt.releases.hashicorp.com jammy/main amd64 vault amd64 1.12.2-1 [85.0 MB]
Fetched 85.0 MB in 3s (26.8 MB/s) 
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package vault.
(Reading database ... 20109 files and directories currently installed.)
Preparing to unpack .../vault_1.12.2-1_amd64.deb ...
Unpacking vault (1.12.2-1) ...
Setting up vault (1.12.2-1) ...
Generating Vault TLS key and self-signed certificate...
...
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.
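As an added example (not the post's own commands and not HashiCorp tooling), the four install steps above as one script that refuses to add the repository unless the primary fingerprint of the downloaded key equals a value pinned in the script. The pinned value is the fingerprint shown in the gpg output above; the colon-format listing embedded for the self-test is a constructed sample with placeholder ids and dates. That the host is Ubuntu with sudo, wget and lsb_release available is an assumption of the script, not something the post states.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: add the HashiCorp apt
# repository only after the downloaded signing key's fingerprint matches a
# value pinned here. EXPECTED_FPR is the fingerprint the post's gpg output
# shows; HashiCorp can rotate the key, so confirm the current value in the
# install documentation before relying on it.

KEYRING=/usr/share/keyrings/hashicorp-archive-keyring.gpg
EXPECTED_FPR="E8A032E094D8EB4EA189D270DA418C88A3219F7B"

# stdin: `gpg --with-colons --fingerprint` output. Prints the fingerprint of
# each primary key (the fpr record that follows a pub record) and ignores
# subkey fingerprints, so a subkey can never satisfy the check.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Returns 0 only when the keyring holds exactly one primary key and its
# fingerprint equals the expected value (compared case-insensitively).
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    found=$(primary_fingerprints | tr 'a-f' 'A-F')
    [ "$found" = "$expected" ]
}

# Constructed sample of the colon listing for the key the post imports
# (key ids, dates and the subkey fingerprint are placeholders).
SAMPLE_LISTING='pub:-:4096:1:DA418C88A3219F7B:1588845345:::-:::scESC::::::23::0:
fpr:::::::::E8A032E094D8EB4EA189D270DA418C88A3219F7B:
uid:-::::1588845345::0000000000000000000000000000000000000000::HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>::::::::::0:
sub:-:4096:1:0000000000000000:1588845345::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

# Offline self-test of the parser: the pinned value matches, the subkey
# fingerprint does not.
self_check() {
    printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches "$EXPECTED_FPR" || return 1
    printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches "1111111111111111111111111111111111111111" && return 1
    return 0
}

# Network path: the same commands as the post plus the abort-on-mismatch gate.
install_vault_pinned() {
    sudo apt-get update && sudo apt-get install -y gpg wget || return 1
    wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee "$KEYRING" >/dev/null || return 1
    if ! gpg --no-default-keyring --keyring "$KEYRING" --with-colons --fingerprint | fingerprint_matches "$EXPECTED_FPR"; then
        echo "signing key fingerprint does not match $EXPECTED_FPR; removing keyring and aborting" >&2
        sudo rm -f "$KEYRING"
        return 1
    fi
    echo "deb [signed-by=$KEYRING] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
        | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
    sudo apt-get update && sudo apt-get install -y vault
}

if [ "${1:-}" = "--install" ]; then
    install_vault_pinned
fi
```

Run it as `./install-vault.sh --install`; without the flag it only defines the functions, and `self_check` exercises the parser offline. The check reads the machine-readable colon listing rather than the human-readable `--fingerprint` output so locale or layout changes in gpg cannot make a mismatch look like a match.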

Vault version

vault --version
$ vault --version
Vault v1.12.2 (415e1fe3118eebd5df6cb60d13defdc01aa17b03), built 2022-11-23T12:53:46Z

Vault configuration file (packaged default)

vim /etc/vault.d/vault.hcl
$ cat /etc/vault.d/vault.hcl 
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

Editing the Vault configuration file

  • Uncomment the HTTP listener
  • Comment out the HTTPS listener

Be clear about what this edit does: the listener below is bound to 0.0.0.0 (the packaged template binds the HTTP listener to 127.0.0.1) with tls_disable = 1, so the root token, every client token and every unseal share cross the network in cleartext to anyone who can reach port 8200. That is acceptable only on an isolated test host. If TLS has to stay off, keep the address at 127.0.0.1:8200. Otherwise keep the HTTPS listener and point clients at the generated certificate with VAULT_CACERT=/opt/vault/tls/tls.crt (this works as long as the certificate's subject alternative names cover the address you connect to) rather than passing -tls-skip-verify.
vim /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

# HTTPS listener
#listener "tcp" {
#  address       = "0.0.0.0:8200"
#  tls_cert_file = "/opt/vault/tls/tls.crt"
#  tls_key_file  = "/opt/vault/tls/tls.key"
#}
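An added check, not part of the post: a small shell linter that reads vault.hcl and warns when a listener has tls_disable set while bound to anything other than loopback, which is exactly what the edited file above does. The three embedded configurations are constructed samples (the post's edited listener, the same listener confined to 127.0.0.1, and the packaged HTTPS listener). The parser assumes the flat `listener "tcp" { ... }` layout of the packaged file and is not a general HCL parser.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: flag the listener posture the
# edited vault.hcl ends up with (tls_disable = 1 on 0.0.0.0). Understands only
# flat `listener "tcp" { ... }` blocks like the packaged vault.hcl.

# stdin: vault.hcl. Prints "<address> <tls_disable>" for each uncommented
# tcp listener; tls_disable is reported as 0 when the block does not set it.
listener_summary() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*listener[ \t]+"tcp"/ { inl = 1; addr = ""; tls = "0"; next }
        inl && /^[ \t]*address[ \t]*=/ {
            line = $0; sub(/^[^"]*"/, "", line); sub(/".*$/, "", line); addr = line
        }
        inl && /^[ \t]*tls_disable[ \t]*=/ {
            line = $0; sub(/^[^=]*=[ \t]*/, "", line); gsub(/"/, "", line); tls = line
        }
        inl && /^[ \t]*}/ { print addr, tls; inl = 0 }
    '
}

# stdin: vault.hcl. Returns 0 when every listener either has TLS on or is
# bound to loopback; prints a warning and returns 1 otherwise.
check_listener_exposure() {
    listener_summary | awk '
        {
            cleartext = ($2 == "1" || $2 == "true")
            loopback  = ($1 ~ /^127\./ || $1 ~ /^localhost:/ || $1 ~ /^\[::1\]:/)
        }
        cleartext && !loopback { print "WARNING: cleartext Vault listener on " $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed samples. WEAK_HCL is the listener the post ends up with.
WEAK_HCL='ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

# HTTPS listener
#listener "tcp" {
#  address       = "0.0.0.0:8200"
#  tls_cert_file = "/opt/vault/tls/tls.crt"
#  tls_key_file  = "/opt/vault/tls/tls.key"
#}'

# Minimum fix if TLS really must stay off: confine the listener to loopback.
LOOPBACK_HCL='ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}'

# The packaged default: TLS on, which is fine on 0.0.0.0.
TLS_HCL='ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}'

# Offline self-test: the weak file fails, the other two pass.
self_check() {
    printf '%s\n' "$WEAK_HCL" | check_listener_exposure >/dev/null && return 1
    printf '%s\n' "$LOOPBACK_HCL" | check_listener_exposure >/dev/null || return 1
    printf '%s\n' "$TLS_HCL" | check_listener_exposure >/dev/null || return 1
    return 0
}

if [ "${1:-}" = "--check" ]; then
    check_listener_exposure < "${2:-/etc/vault.d/vault.hcl}"
fi
```

Run `./vault-listener-check.sh --check` (optionally with a path) before `systemctl enable vault`; a non-zero exit is the cue to either bind to loopback or switch back to the HTTPS listener.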

Starting the Vault service

systemctl --now enable vault
$ systemctl --now enable vault
Created symlink /etc/systemd/system/multi-user.target.wants/vault.service → /lib/systemd/system/vault.service.

Check the Vault service status

The two `TLS handshake error ... remote error: tls: unknown certificate` lines at the end of the journal are the server side of a browser (192.168.0.10 here) rejecting the self-signed certificate generated at install time. They are logged only while the HTTPS listener is active and do not appear once the listener runs with tls_disable = 1.

systemctl status vault.service
$ systemctl status vault.service
● vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-18 13:17:06 KST; 1min 13s ago
       Docs: https://www.vaultproject.io/docs/
   Main PID: 3746 (vault)
      Tasks: 8 (limit: 686)
     Memory: 62.1M
        CPU: 289ms
     CGroup: /system.slice/vault.service
             └─3746 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Jan 18 13:17:06 ubuntu vault[3746]:            Recovery Mode: false
Jan 18 13:17:06 ubuntu vault[3746]:                  Storage: file
Jan 18 13:17:06 ubuntu vault[3746]:                  Version: Vault v1.12.2, built 2022-11-23T12:53:46Z
Jan 18 13:17:06 ubuntu vault[3746]:              Version Sha: 415e1fe3118eebd5df6cb60d13defdc01aa17b03
Jan 18 13:17:06 ubuntu vault[3746]: ==> Vault server started! Log data will stream in below:
Jan 18 13:17:06 ubuntu vault[3746]: 2023-01-18T04:17:06.468Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
Jan 18 13:17:06 ubuntu vault[3746]: 2023-01-18T04:17:06.496Z [INFO]  core: Initializing version history cache for core
Jan 18 13:17:06 ubuntu systemd[1]: Started "HashiCorp Vault - A tool for managing secrets".
Jan 18 13:17:11 ubuntu vault[3746]: 2023-01-18T04:17:11.417Z [INFO]  http: TLS handshake error from 192.168.0.10:60985: remote error: tls: unknown certificate
Jan 18 13:17:11 ubuntu vault[3746]: 2023-01-18T04:17:11.430Z [INFO]  http: TLS handshake error from 192.168.0.10:60986: remote error: tls: unknown certificate

Setting environment variables

VAULT_ADDR must match the listener: http:// for the tls_disable listener configured above, https:// for the packaged TLS listener. With an http:// address the -tls-skip-verify flag used in the commands below has no effect; it only matters when the client talks to the HTTPS listener. The VAULT_TOKEN value is the initial root token, which exists only after `vault operator init` below, so set it afterwards or skip it and use `vault login`, which stores the token in the token helper. A root token exported in a shell also ends up in shell history and in the environment of every child process; on anything other than a throwaway test host, revoke the initial root token (`vault token revoke <token>`) once another auth method and policies are in place.

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN="hvs.7axXYWtfZ4qBwrvwDmoPONrc"

Show seal and HA status

vault status -tls-skip-verify
$ vault status -tls-skip-verify          
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.12.2
Build Date         2022-11-23T12:53:46Z
Storage Type       file
HA Enabled         false

Initialize Vault

The unseal shares and root token below are the author's test values. This is the only time Vault prints the shares; on a real system they go to separate holders, not into one file or one terminal scrollback.

vault operator init -tls-skip-verify
$ vault operator init -tls-skip-verify
Unseal Key 1: +IkPZSTlhAzOIjNbNuk+Z1X6FxggUOxBHPtxRqhqRV/G
Unseal Key 2: nKX5+EHw6sbY8A5h8JGmL4OH1I6EusjtOUVrsDW0HU4o
Unseal Key 3: Oxo/foe6NpMrwkuBt6VgOKpZbsJgt7OG/Xbq6fmgAi9y
Unseal Key 4: rvchAkM2p8z7KB/XVMu6gbPXGOSSqxyMTbZgdL+ziiOK
Unseal Key 5: 37kNYC0kRr1qIs81qBRM9SuPkG6F/KtwxPiqGcJrYsh+

Initial Root Token: hvs.7axXYWtfZ4qBwrvwDmoPONrc

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Unseal Vault

- Proceed with the unseal command, or from the web browser. Each call supplies one share and three (the threshold) are needed. Outside a test host, each share holder runs their own unseal command from their own session so that no single shell history collects a quorum.

vault operator unseal -tls-skip-verify +IkPZSTlhAzOIjNbNuk+Z1X6FxggUOxBHPtxRqhqRV/G
vault operator unseal -tls-skip-verify nKX5+EHw6sbY8A5h8JGmL4OH1I6EusjtOUVrsDW0HU4o
vault operator unseal -tls-skip-verify Oxo/foe6NpMrwkuBt6VgOKpZbsJgt7OG/Xbq6fmgAi9y

Show seal and HA status

vault status -tls-skip-verify
$ vault status -tls-skip-verify          
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.12.2
Build Date      2022-11-23T12:53:46Z
Storage Type    file
Cluster Name    vault-cluster-81637fc9
Cluster ID      a0c6fdd0-cbf9-3214-dcbc-6f50584e2750
HA Enabled      false

Log in to Vault (vault login)

vault login hvs.7axXYWtfZ4qBwrvwDmoPONrc
$ vault login hvs.7axXYWtfZ4qBwrvwDmoPONrc
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.7axXYWtfZ4qBwrvwDmoPONrc
token_accessor       I6d1vEccUGkFNVrkbgQ1fUyN
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
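An added example, not from the post: the init, unseal and login steps above driven from a script that parses the text `vault operator init` prints, supplies only the threshold number of shares (3 here), and keeps the shares in a variable that is cleared afterwards instead of a file. It assumes the vault CLI is on PATH and VAULT_ADDR is set as above; the init text embedded in it is a constructed sample in the same format, not real shares or a real token.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: drive the unseal step from the
# text `vault operator init` prints, feeding exactly the threshold number of
# shares. Assumes `vault` is on PATH and VAULT_ADDR points at the listener.

# stdin: init output. Prints one unseal share per line, in order.
init_unseal_shares() {
    awk '/^Unseal Key [0-9]+: / { print $4 }'
}

# stdin: init output. Prints the initial root token.
init_root_token() {
    awk '/^Initial Root Token: / { print $4 }'
}

# stdin: init output. Prints the threshold from "a key threshold of N";
# fails (exit 1) if that sentence is missing rather than guessing a default.
init_threshold() {
    awk '
        match($0, /key threshold of [0-9]+/) {
            print substr($0, RSTART + 17, RLENGTH - 17); found = 1
        }
        END { if (!found) exit 1 }
    '
}

# Unseals with the first <threshold> shares of the given init output.
# Returns non-zero if the threshold cannot be read or an unseal call fails.
unseal_from_init_output() {
    init_text="$1"
    t=$(printf '%s\n' "$init_text" | init_threshold) || return 1
    printf '%s\n' "$init_text" | init_unseal_shares | head -n "$t" | while read -r share; do
        vault operator unseal "$share" >/dev/null || exit 1
    done
}

# Constructed sample in the format the post shows; shares and token are fake.
SAMPLE_INIT='Unseal Key 1: share-one-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unseal Key 2: share-two-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Unseal Key 3: share-three-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Unseal Key 4: share-four-DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Unseal Key 5: share-five-EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Initial Root Token: hvs.CONSTRUCTEDsampleTokenNotReal

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.'

# Offline check of the parsers against the constructed sample.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_INIT" | init_threshold)" = "3" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_INIT" | init_unseal_shares | wc -l | tr -d ' ')" = "5" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_INIT" | init_root_token)" = "hvs.CONSTRUCTEDsampleTokenNotReal" ] || return 1
}

# Real run: initialise, unseal with a quorum, log in, check status. The shares
# are printed once (as init itself does) so they can be handed to their
# holders; the variable holding them is cleared afterwards.
if [ "${1:-}" = "--init-and-unseal" ]; then
    INIT=$(vault operator init) || exit 1
    printf '%s\n' "$INIT"
    unseal_from_init_output "$INIT" || exit 1
    vault login "$(printf '%s\n' "$INIT" | init_root_token)" >/dev/null
    unset INIT
    vault status
fi
```

Run `./vault-init-unseal.sh --init-and-unseal` against a freshly started, uninitialised server. The threshold is read from the init text rather than hard-coded, so the same script works if init is later run with different `-key-shares`/`-key-threshold` values.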

Vault web UI

- http://192.168.0.51:8200

- Screen before Vault is initialized (reachable from another host only because the listener is bound to 0.0.0.0)

Initialize Vault

vault operator init -tls-skip-verify

Unseal Vault

References

- Installing Vault: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install

- Compiling from source: https://developer.hashicorp.com/vault/docs/install