- Create a script called run-consul-agent.sh with the following content:

#!/bin/bash
LOCAL_IP=xxx.yyy.zzz.aaa             # IP-Address of the current node (defined but not used below)
LOCAL_HOSTNAME=consul-host-xx        # Name of the current node
CONSUL_IMAGE=consul                  # Consul Image
CONSUL_VERSION=1.1.0                 # Version of Consul Image
DATACENTER=consul-cluster            # Name of Consul Datacenter
CONSUL_CLUSTER_NODE=xxx.yyy.zzz.aaa  # IP-Address of the first cluster node

# --net=host: the agent binds directly to the host's interfaces; the CONSUL_*_INTERFACE
#   variables tell the image entrypoint which interface to use for -client and -bind.
# CONSUL_HTTP_TOKEN: ACL token used by the consul CLI inside the container. The value
#   below (the datacenter name) is only accepted while ACLs are disabled; with ACLs
#   enabled, put a real ACL token here.
# CONSUL_HTTP_SSL_VERIFY=false: disables certificate checks for the consul CLI; lab use only.
docker run \
  --detach \
  --net=host \
  --hostname ${LOCAL_HOSTNAME} \
  --env CONSUL_CLIENT_INTERFACE='eth0' \
  --env CONSUL_BIND_INTERFACE='eth0' \
  --env CONSUL_HTTP_TOKEN="${DATACENTER}" \
  --env CONSUL_HTTP_SSL_VERIFY=false \
  --name consul ${CONSUL_IMAGE}:${CONSUL_VERSION} \
  agent \
  -retry-join=${CONSUL_CLUSTER_NODE} \
  -datacenter ${DATACENTER}
- Create a file called config.hcl and put this in it:

storage "consul" {
  address = "[IP-ADDRESS of Vault Host]:8500"
  token   = "[VAULT_TOKEN]"
  path    = "vault/"
  service = "vault"
}

listener "tcp" {
  address     = "[IP-ADDRESS of Vault Host]:8200"
  tls_disable = 1
}

- Please take note that the address key is the IP-Address of the server Vault is to be installed on: in the storage block it points at the local Consul agent's HTTP API (port 8500), in the listener block it is where Vault itself listens (port 8200). A listener bound to that IP does not answer on 127.0.0.1, so either use the same IP in VAULT_ADDR in the next script or bind the listener to 0.0.0.0:8200.
- Please take note that the token key is a Consul ACL token (not a Vault token, despite the placeholder name); Vault uses it to write under the vault/ key prefix and to register the vault service in Consul.
- Please take note that tls_disable = 1 makes Vault listen over plain HTTP, so the root token, the unseal keys and every secret cross the network unencrypted. That is acceptable for a lab; anywhere else, remove it and point tls_cert_file and tls_key_file at a certificate and key.
- Create a script called run-vault-server.sh with the following content:

#!/bin/bash
# /path/to/vault-data/file is the host folder holding config.hcl; it is mounted at
#   /vault/file so the -config flag below can find it.
# --cap-add=IPC_LOCK lets Vault mlock() its memory so secrets are not swapped to disk.
# VAULT_ADDR is what the vault CLI inside the container talks to; it must match the
#   listener address in config.hcl.
# VAULT_LOCAL_CONFIG is written by the image entrypoint to /vault/config and loaded
#   alongside config.hcl. Keep storage out of it: config.hcl already declares the
#   Consul storage, and a second (file) backend here would conflict with it, so only
#   the lease TTLs are set.
docker run \
  --detach \
  --net=host \
  --volume /path/to/vault-data/file:/vault/file \
  --cap-add=IPC_LOCK \
  --env='VAULT_ADDR=http://127.0.0.1:8200' \
  --env='VAULT_LOCAL_CONFIG={"default_lease_ttl": "168h", "max_lease_ttl": "720h"}' \
  --name=vault \
  vault \
  server \
  -config=/vault/file/config.hcl

- Please take note that the volume must match the folder where you have placed the config.hcl file.
- Set execute permissions on the newly created scripts:
chmod u+x run-consul-agent.sh
chmod u+x run-vault-server.sh
- Execute:
./run-consul-agent.sh
to start the consul agent locally.
- Verify that the consul agent is up and running and has joined the cluster (the node should appear in the cluster's member list with status alive).
- Execute:
./run-vault-server.sh
to start the vault server.
- Configure the vault server:
- Execute:
docker exec -it vault /bin/sh
to access the vault docker container.
- Execute:
vault operator init
to initialize the vault server. Take note of the Unseal Keys and the Initial Root Token and store them somewhere safe, off the host. Without the keys the vault cannot be unsealed again once it is sealed (for example after a restart), and the root token is the only credential that exists at this point.
- Execute:
vault operator unseal
to unseal/open the vault. Follow the onscreen instructions and enter one Unseal Key per run; with the default split of five keys and a threshold of three, the command must be run three times with three different keys. The vault is open once the status output shows Sealed false.
- Execute:
exit
to log out of the vault docker container.
- Execute:
export VAULT_TOKEN="[VAULT_TOKEN]"
where [VAULT_TOKEN] is the Initial Root Token from vault operator init (or any other Vault token allowed to read and write secret/). This is a Vault token, not the Consul token from config.hcl. The hostname vault.domain.local used below must resolve to the listener address.
- Execute:
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"bar": "Baz"}' http://vault.domain.local:8200/v1/secret/foo
to put test data into the vault. No output is returned if it works. An error mentioning "no handler for route" means the secret/ mount does not exist on this server (recent Vault versions do not create it automatically on a non-dev server) and a KV version 1 secrets engine has to be enabled at secret/ first.
- Execute:
curl --header "X-Vault-Token: $VAULT_TOKEN" http://vault.domain.local:8200/v1/secret/foo
to get test data from the vault. Expected output is JSON formatted (the lease_duration of 604800 seconds is the default_lease_ttl of 168h set in run-vault-server.sh):
{
"request_id": "fe70ab02-cc4c-4e6c-3eeb-f4e23d9f3c80",
"lease_id": "",
"renewable": false,
"lease_duration": 604800,
"data": {
"bar": "Baz"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
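The verification steps above, wrapped in a script that checks each result instead of relying on reading the screen: consul membership, feeding three unseal keys from the saved init output to the server and confirming the seal is gone via /v1/sys/seal-status, and the KV write/read round trip. This is an added example, not code from the original page. It assumes the container names consul and vault from the scripts above, a Vault reachable on VAULT_ADDR over plain HTTP (tls_disable = 1), and the default five-key/threshold-three split from vault operator init; the function names (node_is_alive, unseal_from_init_output, kv_roundtrip, kv_field) and the sample outputs in the comments are mine.

```shell
#!/bin/bash
# Added example, not part of the original page: checks for the consul/vault
# procedure above. Assumptions (mine): containers named "consul" and "vault",
# plain-HTTP Vault on $VAULT_ADDR, default 5 key shares / threshold 3.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Return 0 if `consul members` output ($1) lists node $2 with status "alive".
# Sample (constructed) line it matches:
#   consul-host-01  10.0.0.11:8301  alive  server  1.1.0  2  consul-cluster  <all>
node_is_alive() {
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $3 == "alive" { f = 1 } END { exit !f }'
}

# Pull the unseal keys (one per line) out of the text `vault operator init` prints
# ("Unseal Key 1: ...", ..., "Initial Root Token: ...").
extract_unseal_keys() {
  sed -n 's/^Unseal Key [0-9][0-9]*: *//p'
}

# Pull the Initial Root Token out of the same output.
extract_root_token() {
  sed -n 's/^Initial Root Token: *//p'
}

# Return 0 if a /v1/sys/seal-status JSON body ($1) reports "sealed": false.
is_unsealed() {
  case "$1" in
    *'"sealed":false'*|*'"sealed": false'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the string value of field $2 from a KV read response body $1.
kv_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Feed the first $2 (default 3) keys from the saved init output $1 to
# `vault operator unseal`, then confirm via the API that the seal is gone.
unseal_from_init_output() {
  init_file="$1"; threshold="${2:-3}"
  extract_unseal_keys < "$init_file" | sed -n "1,${threshold}p" | while read -r key; do
    docker exec vault vault operator unseal "$key" > /dev/null
  done
  status=$(curl -s "$VAULT_ADDR/v1/sys/seal-status")
  is_unsealed "$status" || { echo "vault still sealed: $status" >&2; return 1; }
}

# Write the test secret with token $1 and fail unless it reads back unchanged.
# If the write returns "no handler for route", enable a KV v1 engine first:
#   docker exec vault vault secrets enable -version=1 -path=secret kv
kv_roundtrip() {
  curl -s -H "X-Vault-Token: $1" -X POST -d '{"bar": "Baz"}' "$VAULT_ADDR/v1/secret/foo"
  body=$(curl -s -H "X-Vault-Token: $1" "$VAULT_ADDR/v1/secret/foo")
  [ "$(kv_field "$body" bar)" = "Baz" ] || { echo "read-back mismatch: $body" >&2; return 1; }
}

# Usage (runs only when given the node name and the saved init output):
#   docker exec vault vault operator init > init.txt   # move this file off the host afterwards
#   ./check-vault.sh consul-host-xx init.txt
if [ $# -eq 2 ]; then
  node_is_alive "$(docker exec consul consul members)" "$1" || { echo "consul node $1 not alive" >&2; exit 1; }
  unseal_from_init_output "$2" 3
  kv_roundtrip "$(extract_root_token < "$2")"
  echo "consul member alive, vault unsealed, KV round trip OK"
fi
```

The keys are read from a file rather than pasted interactively so the script can be run once after a restart and then the file deleted; the seal-status and read-back checks are what turn "no output is returned if it works" into an explicit pass/fail.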