Linux

[draft] How to install HashiCorp Vault on Ubuntu


How to install HashiCorp Vault on Ubuntu (installing vault)

Test environment

$ lsb_release -d
Description:    Ubuntu 22.04.2 LTS

Installing vault

Update the APT package list

sudo apt-get update

Install the required dependency packages

sudo apt-get install -y software-properties-common

Install the GPG package

sudo apt-get install -y gpg
sudo rm -f /usr/share/keyrings/hashicorp-archive-keyring.gpg

Add the HashiCorp GPG key (GPG key)

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

Verify the key fingerprint

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
$ gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub   rsa4096 2020-05-07 [SC]
      E8A0 32E0 94D8 EB4E A189  D270 DA41 8C88 A321 9F7B
uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub   rsa4096 2020-05-07 [E]
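Checking the fingerprint by eye is easy to skip when this procedure is scripted. The following added example (not part of the original post, and not HashiCorp's tooling) pins the expected primary-key fingerprint from the `gpg --fingerprint` output above and refuses to proceed unless the keyring contains exactly that key. It parses gpg's machine-readable `--with-colons` output; the keyring path is the one used in this post, and the sample colon-format listing embedded below is constructed for offline testing (the subkey ID in it is a placeholder).

```python
"""Pin the HashiCorp APT signing key before trusting the repository."""
import subprocess
import sys
from typing import List

KEYRING = "/usr/share/keyrings/hashicorp-archive-keyring.gpg"
# Fingerprint as printed by `gpg --fingerprint` in this post, spaces removed.
EXPECTED_FPR = "E8A032E094D8EB4EA189D270DA418C88A3219F7B"

# Constructed sample of `gpg --with-colons --fingerprint` output for the keyring.
# Only the primary fingerprint is taken from the page; the subkey ID/fingerprint
# are placeholders.
SAMPLE_COLON_OUTPUT = "\n".join([
    "tru::1:1700000000:0:3:1:5",
    "pub:-:4096:1:DA418C88A3219F7B:1588849000:::-:::scESC::::::23::0:",
    "fpr:::::::::E8A032E094D8EB4EA189D270DA418C88A3219F7B:",
    "uid:-::::1588849000::PLACEHOLDERHASH::HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>::::::::::0:",
    "sub:-:4096:1:0000000000000000:1588849000::::::e::::::23:",
    "fpr:::::::::0000000000000000000000000000000000000000:",
    "",
])


def primary_fingerprints(colon_output: str) -> List[str]:
    """Return the primary-key fingerprints from `gpg --with-colons` output.

    In colon format an `fpr` record belongs to the `pub`/`sub` record that
    precedes it (field 10 holds the fingerprint). Subkey fingerprints are
    skipped, but every primary key is returned, so an extra key smuggled into
    the keyring shows up as a second entry.
    """
    fprs = []
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub", "sec", "ssb"):
            current = fields[0]
        elif fields[0] == "fpr" and current in ("pub", "sec"):
            fprs.append(fields[9].upper())
    return fprs


def keyring_matches(colon_output: str, expected: str = EXPECTED_FPR) -> bool:
    """True only if the keyring holds exactly one primary key and it is `expected`."""
    wanted = expected.replace(" ", "").upper()
    return primary_fingerprints(colon_output) == [wanted]


def verify_keyring(path: str = KEYRING, expected: str = EXPECTED_FPR) -> bool:
    """Run gpg against the dearmored keyring file and compare its fingerprint."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", path,
         "--with-colons", "--fingerprint"],
        capture_output=True, text=True, check=True,
    )
    return keyring_matches(result.stdout, expected)


if __name__ == "__main__":
    # Run this after `gpg --dearmor` and before writing /etc/apt/sources.list.d/hashicorp.list.
    ok = verify_keyring()
    print("keyring fingerprint OK" if ok else "FINGERPRINT MISMATCH: do not add the repository")
    sys.exit(0 if ok else 1)
```

Wiring it in as a gate (`python3 verify_keyring.py && echo "deb [signed-by=...] ..." | sudo tee ...`) means a swapped or tampered key file stops the install instead of being trusted silently.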

Add the official HashiCorp Linux repository

echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main

Update and install

sudo apt-get update && sudo apt-get install -y vault
$ sudo apt update && sudo apt install vault
...
The following NEW packages will be installed:
  vault
...
Generating Vault TLS key and self-signed certificate...
.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+......+..+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+...+....+...+..+.+..+...+....+...+....................+.+...........+......+....+...+...........+....+...+..+......+.+......+...+.........+.....+..........................................+....+..+..........+..+...........................+....+..............+...+..........+...+.........+...+..+.+...............+..+...+....+........+...+..........+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...............+......+.+...+.................+............+.............+...+...............+...............+..+...+...................+..+...............+...+.+......+.....+....+.........+...............+..+.+..+............+..........+...............+......+.....+.........+.+.....+.............+..............+................+.....+............+....+...+..+.............+......+..+.........+.+..+.+...........+.................................+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.

vault version information

vault --version
$ vault --version
Vault v1.17.2 (2af5655e364f697a15b1dc2db2c3f85f6ef949f2), built 2024-07-05T15:19:12Z

vault configuration file

vim /etc/vault.d/vault.hcl

---

cat /etc/vault.d/vault.hcl
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

---

Edit the vault configuration file

  • Uncomment the HTTP listener
  • Comment out the HTTPS listener

# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
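The edit above trades the self-signed HTTPS listener for a plaintext one on every interface, which is fine for a lab but is exactly what a reviewer looks for before a Vault host goes anywhere near real secrets. The following added example (not from the original post, not Vault's own tooling) is a small audit script: it strips comments from a vault.hcl, pulls out each active `listener "tcp"` block, and flags `tls_disable`, a missing cert/key pair, a weak `tls_min_version`, and a bind to all interfaces. The two listener configurations from this page are embedded as samples; the hardened variant bound to 127.0.0.1 is constructed.

```python
"""Audit vault.hcl listener blocks for settings that weaken transport security."""
import re
from typing import Dict, List

# Listener block from the packaged vault.hcl shown on this page (HTTP listener commented out).
ORIGINAL_HCL = """
ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}
"""

# The edited configuration from this page: TLS disabled, bound to all interfaces.
EDITED_HCL = """
ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
"""

# Constructed hardened variant: TLS kept, loopback only, TLS 1.2 minimum.
HARDENED_HCL = """
ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address         = "127.0.0.1:8200"
  tls_cert_file   = "/opt/vault/tls/tls.crt"
  tls_key_file    = "/opt/vault/tls/tls.key"
  tls_min_version = "tls12"
}
"""

# A listener block: from `listener "tcp" {` up to the first line holding only `}`.
LISTENER_RE = re.compile(r'^\s*listener\s+"tcp"\s*\{(.*?)^\s*\}', re.S | re.M)
# One `key = value` line inside a block; quotes and trailing comments are dropped.
ATTR_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"\n#]*?)"?\s*(?:#.*)?$', re.M)


def strip_comments(hcl: str) -> str:
    """Drop whole-line `#` comments so commented-out listeners are not audited."""
    return "\n".join(l for l in hcl.splitlines() if not l.lstrip().startswith("#"))


def parse_listeners(hcl: str) -> List[Dict[str, str]]:
    """Return one attribute dict per active `listener "tcp"` block."""
    active = strip_comments(hcl)
    return [{k: v.strip() for k, v in ATTR_RE.findall(m.group(1))}
            for m in LISTENER_RE.finditer(active)]


def audit_listeners(hcl: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, lst in enumerate(parse_listeners(hcl)):
        addr = lst.get("address", "")
        if lst.get("tls_disable", "0").lower() in ("1", "true"):
            findings.append(f"listener {i}: tls_disable is set; tokens and secrets cross the network in cleartext")
        else:
            if not lst.get("tls_cert_file") or not lst.get("tls_key_file"):
                findings.append(f"listener {i}: TLS enabled but tls_cert_file/tls_key_file missing")
            if lst.get("tls_min_version", "tls12") in ("tls10", "tls11"):
                findings.append(f"listener {i}: tls_min_version allows TLS < 1.2")
        if addr.startswith("0.0.0.0:") or addr.startswith("[::]:"):
            findings.append(f"listener {i}: bound to all interfaces ({addr}); restrict reachability of port 8200")
    return findings


if __name__ == "__main__":
    for name, hcl in (("original", ORIGINAL_HCL), ("edited", EDITED_HCL), ("hardened", HARDENED_HCL)):
        print(f"== {name} ==")
        for f in audit_listeners(hcl) or ["no findings"]:
            print(" ", f)
```

Run it against `/etc/vault.d/vault.hcl` by reading the file into `audit_listeners`; wiring it into a pre-deploy check keeps the lab-only HTTP listener from reaching a host that other machines (such as the 192.168.0.10 client in the log above) can talk to.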

Start the vault service

sudo systemctl --now enable vault
$ sudo systemctl --now enable vault
Created symlink /etc/systemd/system/multi-user.target.wants/vault.service → /lib/systemd/system/vault.service.

Check the vault service status

sudo systemctl status vault.service -l --no-pager
$ sudo systemctl status vault.service -l --no-pager
● vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-01-18 13:17:06 KST; 1min 13s ago
       Docs: https://www.vaultproject.io/docs/
   Main PID: 3746 (vault)
      Tasks: 8 (limit: 686)
     Memory: 62.1M
        CPU: 289ms
     CGroup: /system.slice/vault.service
             └─3746 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Jan 18 13:17:06 ubuntu vault[3746]:            Recovery Mode: false
Jan 18 13:17:06 ubuntu vault[3746]:                  Storage: file
Jan 18 13:17:06 ubuntu vault[3746]:                  Version: Vault v1.12.2, built 2022-11-23T12:53:46Z
Jan 18 13:17:06 ubuntu vault[3746]:              Version Sha: 415e1fe3118eebd5df6cb60d13defdc01aa17b03
Jan 18 13:17:06 ubuntu vault[3746]: ==> Vault server started! Log data will stream in below:
Jan 18 13:17:06 ubuntu vault[3746]: 2023-01-18T04:17:06.468Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
Jan 18 13:17:06 ubuntu vault[3746]: 2023-01-18T04:17:06.496Z [INFO]  core: Initializing version history cache for core
Jan 18 13:17:06 ubuntu systemd[1]: Started "HashiCorp Vault - A tool for managing secrets".
Jan 18 13:17:11 ubuntu vault[3746]: 2023-01-18T04:17:11.417Z [INFO]  http: TLS handshake error from 192.168.0.10:60985: remote error: tls: unknown certificate
Jan 18 13:17:11 ubuntu vault[3746]: 2023-01-18T04:17:11.430Z [INFO]  http: TLS handshake error from 192.168.0.10:60986: remote error: tls: unknown certificate

Configuring a Vault cluster

Initialization and bootstrapping: initialize Vault on the cluster's master server.

vault operator init
$ vault operator init
Unseal Key 1: DhqqTA7xkeE4vPzVf1kdhbFgnx0khrtOPwDHf1eXULmE
Unseal Key 2: t8xunWFhuB6y6X7yZqO33Qva9gYn2MmDf325MKfZ3Els
Unseal Key 3: U/ku3oGqNDIDwYgJIEdPB4xrkp9K5Kq41FefwS18eftd
Unseal Key 4: x/w6Q8dWnnvZiRWTiIbm1vw/e5BTL1GhHCNFbagj7KdN
Unseal Key 5: fir+kqjGt4RT3Je0kXxMjkaFEotQcSNsXF47IlhtYFel

Initial Root Token: hvs.IqoVaNTqNVRhFQEhqZWBUeaJ

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Set environment variables

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN="hvs.IqoVaNTqNVRhFQEhqZWBUeaJ"

Unseal Vault

  • Proceed with the unseal command or in the web browser

vault operator unseal DhqqTA7xkeE4vPzVf1kdhbFgnx0khrtOPwDHf1eXULmE
vault operator unseal t8xunWFhuB6y6X7yZqO33Qva9gYn2MmDf325MKfZ3Els
vault operator unseal U/ku3oGqNDIDwYgJIEdPB4xrkp9K5Kq41FefwS18eftd
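The `vault operator init` output above ("5 key shares and a key threshold of 3") and the three `vault operator unseal` calls that follow are Shamir secret sharing in action: any 3 of the 5 shares rebuild the root key, and 2 reveal nothing about it. The following added example (not Vault's code) is a textbook Shamir split over the prime field GF(p) with p = 2^127 - 1 plus a small seal object that mirrors the unseal flow, accepting one share at a time and reporting progress the way `Unseal Progress` in `vault status` does. Vault's own implementation works byte-wise over GF(2^8) and verifies the reconstructed key by decrypting its stored keyring; here a SHA-256 digest of the secret stands in for that check. The secret value and all shares are constructed at run time.

```python
"""Shamir 3-of-5 split and an unseal flow that mirrors `vault operator unseal`."""
import hashlib
import secrets
from typing import Dict, List, Tuple

P = (1 << 127) - 1  # prime modulus; any 16-byte secret below 2^127 fits
Share = Tuple[int, int]  # (x, y) point on the polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner's rule modulo P; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, shares: int = 5, threshold: int = 3) -> List[Share]:
    """Return `shares` points on a random degree-(threshold-1) polynomial f with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer below P")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points: List[Share]) -> int:
    """Lagrange interpolation at x = 0 modulo P. Correct only with >= threshold points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def secret_digest(secret: int) -> bytes:
    """Stand-in for Vault's keyring decryption check: a digest the seal can compare against."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


class ShamirSeal:
    """Accepts shares one at a time; opens once `threshold` distinct shares reconstruct the key."""

    def __init__(self, threshold: int, digest: bytes):
        self.threshold = threshold
        self.digest = digest
        self.pending: Dict[int, int] = {}
        self.sealed = True

    def progress(self) -> str:
        # Same shape as the `Unseal Progress` row in `vault status`, e.g. "2/3".
        return f"{len(self.pending)}/{self.threshold}"

    def unseal(self, share: Share) -> bool:
        x, y = share
        self.pending[x] = y  # submitting the same share twice does not advance progress
        if len(self.pending) < self.threshold:
            return False
        candidate = combine_shares(list(self.pending.items()))
        self.pending.clear()  # like Vault, progress resets after each reconstruction attempt
        ok = secret_digest(candidate) == self.digest
        self.sealed = not ok
        return ok


def demo() -> Tuple[bool, bool]:
    """Return (three shares rebuild the key, two shares do not)."""
    secret = secrets.randbelow(P)
    shares = split_secret(secret)
    return combine_shares(shares[:3]) == secret, combine_shares(shares[:2]) != secret


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

The second value of `demo()` is why the init message warns that Vault "will remain permanently sealed" without a quorum: with fewer than threshold points every candidate constant term is equally consistent with what an attacker holds, so two leaked shares (or two of the five lines printed in this post) are worthless on their own.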

Display seal and HA status

vault status -tls-skip-verify
$ vault status -tls-skip-verify          
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.12.2
Build Date         2022-11-23T12:53:46Z
Storage Type       file
HA Enabled         false

Vault login (vault login)

vault login hvs.IqoVaNTqNVRhFQEhqZWBUeaJ
$ vault login hvs.IqoVaNTqNVRhFQEhqZWBUeaJ
WARNING! The VAULT_TOKEN environment variable is set! The value of this
variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.IqoVaNTqNVRhFQEhqZWBUeaJ
token_accessor       Tqwoy2kNcDHLv4e1N4TY58hm
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Vault in the web browser

http://192.168.0.211:8200

Unseal Vault

[Screenshots: Unseal Vault web UI (hashicorp-vault2, hashicorp-vault3, hashicorp-vault4)]

 

Reference URLs

- Installing vault: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install

- Compiling from source: https://developer.hashicorp.com/vault/docs/install
