I'm a lazy guy and want to do some automation that renews and distributes certificates without human intervention. And of course I've wanted to try out Vault for ages, because it's a great secret store for Kubernetes.
I did the installation with Ansible because I like to automate things.
Install Vault with Ansible
Basically it wasn't a hard task. I followed the documentation and converted it into a playbook.
First I added a repository file (I use Fedora Server):
[hashicorp]
name=Hashicorp Stable - $basearch
baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg

[hashicorp-test]
name=Hashicorp Test - $basearch
baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg
In the docs you can find the systemd unit file too, if you want to run Vault as a service.
[Unit]
Description="HashiCorp Vault"
Documentation="https://developer.hashicorp.com/vault/docs"
ConditionFileNotEmpty="/etc/vault.d/vault.hcl"

[Service]
User=vault
Group=vault
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
# kill needs the PID of the vault process, otherwise "systemctl reload" fails
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
I used this basic configuration file:
# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration
ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
I bind port 8200 to localhost because I run an NGINX reverse proxy in front of Vault (that is where TLS is terminated), but of course you can bind to all interfaces.
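The listener above is only acceptable because it is bound to loopback: with tls_disable set, every token and secret passing through that listener travels in plaintext, so a copy of this config with address changed to 0.0.0.0 would expose them to the whole network. The following is an added example (not from the post and not a HashiCorp tool) of a small pre-deploy check that could run as a CI step or Ansible pre-task; it parses the flat one-key-per-line listener blocks used in this post, not full HCL, and the function names and sample configs are my own.

```python
"""Check a vault.hcl for TCP listeners that disable TLS on a non-loopback bind.

Hypothetical pre-deploy check (added example, not part of the post). It only
understands the simple layout used above: one `listener "tcp" { ... }` block
with one key = value pair per line.
"""
import re
import sys

# Constructed sample: the listener from the post (safe, loopback only) and a
# variant bound to all interfaces (unsafe: plaintext Vault traffic on the LAN).
SAFE_HCL = '''
ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
'''
UNSAFE_HCL = SAFE_HCL.replace('127.0.0.1:8200', '0.0.0.0:8200')

LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(?P<body>[^}]*)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_listeners(hcl: str) -> list[dict]:
    """Return the key/value pairs of every `listener "tcp"` block as a dict."""
    return [dict(KV_RE.findall(m.group('body'))) for m in LISTENER_RE.finditer(hcl)]


def is_loopback(address: str) -> bool:
    """True for 127.x.x.x, [::1] and localhost binds (host:port form)."""
    host = address.rsplit(':', 1)[0]
    return host.startswith('127.') or host in ('[::1]', 'localhost')


def plaintext_exposures(hcl: str) -> list[str]:
    """Addresses of listeners that disable TLS while binding a non-loopback host."""
    exposed = []
    for listener in parse_listeners(hcl):
        # Vault accepts true, "true" or 1 for tls_disable; normalise all of them.
        tls_disabled = str(listener.get('tls_disable', 'false')).lower() in ('true', '1')
        # 127.0.0.1:8200 is Vault's default bind when no address is given.
        address = listener.get('address', '127.0.0.1:8200')
        if tls_disabled and not is_loopback(address):
            exposed.append(address)
    return exposed


if __name__ == '__main__':
    # Run against a real file: python check_vault_listener.py /etc/vault.d/vault.hcl
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNSAFE_HCL
    bad = plaintext_exposures(text)
    for address in bad:
        print(f'plaintext listener reachable from the network: {address}')
    sys.exit(1 if bad else 0)
```

Run with no arguments it evaluates the constructed unsafe sample and exits non-zero; pointed at the real file it exits 0 for the config in this post, because its only listener is on 127.0.0.1.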
The role contains the following tasks:
# Create a group and user for the service because I don't want to run it as root
- name: Add 'vault' group
  ansible.builtin.group:
    name: vault
    state: present

- name: Add 'vault' user
  ansible.builtin.user:
    name: vault
    group: vault
    state: present

# Copy the repository
- name: Add Vault's repository
  ansible.builtin.copy:
    src: hashicorp.repo
    dest: /etc/yum.repos.d/

# Install Vault with DNF package manager
- name: Install Vault
  ansible.builtin.dnf:
    name: vault
    state: present

- name: Copy Vault configuration
  ansible.builtin.copy:
    src: vault.hcl
    dest: /etc/vault.d/

- name: Copy systemd unit file
  ansible.builtin.copy:
    src: vault.service
    dest: /etc/systemd/system/
    mode: '0644'

- name: Enable and start Vault service
  ansible.builtin.systemd_service:
    name: vault
    enabled: true
    daemon_reload: true
    state: restarted
After Vault is installed, the real work starts: configuring user access and the services. Everything is described in the official documentation here.