Wednesday, 14 December 2022

Hashicorp Vault

Installation
We do it as follows
brew tap hashicorp/tap
brew install hashicorp/tap/vault
brew upgrade hashicorp/tap/vault
Vault Dev Mode
The explanation is as follows
A common scenario when starting with Vault is to use the dev mode. This doesn’t require any setup and it works directly with your local vault installation. The dev mode is insecure and will lose data on every restart, since it stores data in-memory.

The vault server can be started with vault server -dev
Seal/Unseal
The explanation is as follows
When you run Vault as a dev server, it will automatically unseal Vault.

When you run it on a production server, then every initialized Vault server is started in the sealed state.

This means that Vault can access the physical storage, but it can’t read any of it because it doesn’t know how to decrypt it.

The process of teaching Vault how to decrypt the data is known as unsealing the Vault.

Unsealing has to happen every time Vault starts and can be done via the API and via the CLI.
Secret Engines
The explanation is as follows
Secrets engines are components which store, generate, or encrypt data.

Some secrets engines like the key/value secrets engine (like the one we used earlier) simply store and read data. Other secrets engines connect to other services and generate dynamic credentials on demand. Other secrets engines provide encryption as a service.
Database Secrets Engine
The explanation is as follows
When an authenticated entity, say an instance of your backend application, requests database access and is authorised to do so, this secrets engine creates a database user and password with the corresponding lifetimes and access rights.
In figure form it is as follows
The explanation is as follows
If configured, the credentials have a limited lifetime and expire quickly if not renewed. This renewal process exists for the tokens used to communicate with vault as well as the credentials for the database. These refresh mechanisms are shown below.
The renewal, in figure form, is as follows

Token Hierarchy
The explanation is as follows
Another nice concept worth mentioning here, is the token hierarchy. If a token is considered compromised, it can be revoked. This also revokes all other tokens it spawned.
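The two behaviours described above, credential leases that expire unless renewed (capped by a maximum TTL) and revocation of a token cascading to every token and credential lease it spawned, modelled on a deterministic clock. This is an added illustrative example, not Vault's implementation; lease names, TTLs and the clock are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Lease:
    """One Vault token or dynamic credential (constructed model, not Vault's code)."""
    lease_id: str
    parent: str | None   # token that requested it; None only for the root token
    issued_at: int
    expires_at: int
    max_ttl: int         # renewals may never push expiry past issued_at + max_ttl
    revoked: bool = False

class LeaseStore:
    """Lease bookkeeping on a deterministic clock (self.now, in seconds)."""
    def __init__(self) -> None:
        self.now = 0
        self.leases: dict[str, Lease] = {}

    def is_valid(self, lease_id: str) -> bool:
        l = self.leases.get(lease_id)
        return l is not None and not l.revoked and self.now < l.expires_at

    def issue(self, lease_id: str, parent: str | None, ttl: int, max_ttl: int) -> None:
        """Issue a lease on behalf of `parent`, e.g. DB credentials for a backend token."""
        if parent is not None and not self.is_valid(parent):
            raise PermissionError(f"token {parent!r} is expired or revoked")
        self.leases[lease_id] = Lease(lease_id, parent, self.now, self.now + ttl, max_ttl)

    def renew(self, lease_id: str, increment: int) -> int:
        """Extend a live lease; returns the new remaining TTL, capped by max_ttl."""
        if not self.is_valid(lease_id):
            raise PermissionError(f"lease {lease_id!r} cannot be renewed")
        l = self.leases[lease_id]
        l.expires_at = min(self.now + increment, l.issued_at + l.max_ttl)
        return l.expires_at - self.now

    def revoke(self, lease_id: str) -> None:
        """Revoke a lease and, recursively, every lease it spawned."""
        self.leases[lease_id].revoked = True
        for child in [c for c in self.leases.values() if c.parent == lease_id]:
            self.revoke(child.lease_id)

    def tick(self, seconds: int) -> None:
        """Advance the clock; a lease that expires takes its children with it."""
        self.now += seconds
        for l in list(self.leases.values()):
            if not l.revoked and self.now >= l.expires_at:
                self.revoke(l.lease_id)
```

A typical run: a backend token spawns a database credential lease, the credential lapses when it is not renewed while the token stays alive, and revoking the token afterwards invalidates every credential issued under it.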

Docker
To run in Dev Mode, two environment variables must be defined:
1. VAULT_DEV_ROOT_TOKEN_ID and
2. VAULT_DEV_LISTEN_ADDRESS
Example
We do it as follows
docker run \
  -d \
  -p 8200:8200 \
  --cap-add=IPC_LOCK \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' \
  -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
  vault
The Unseal Key and Root Token values printed to the screen must be saved. The Root Token value is needed to interact with Vault.

We go to http://0.0.0.0:8200/ui/ or http://127.0.0.1:8200/ and log in with the Root Token.

CLI
login
We do it as follows
export VAULT_ADDR='http://127.0.0.1:8200'
vault login <roottoken>
status option
We do it as follows
$ vault status 

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.11.3
Build Date      2022-08-26T10:27:10Z
Storage Type    inmem
Cluster Name    vault-cluster-f1a3049f
Cluster ID      50bd8f06-9533-5da1-e36a-fce85433822a
HA Enabled      false
Docker Compose
Example
We do it as follows
version: '3.6'
services:
  vault:
    image: vault:latest
    container_name: vault
    restart: on-failure:10
    ports:
      - "8200:8200"
    cap_add:
      - IPC_LOCK

  db:
    image: postgres
    restart: always
    environment:
      POSTGRES_PASSWORD: supersecure
    ports:
      - "5432:5432"