Getting started with Hashicorp Vault v1.6.1

The purpose of this blog post is to provide multiple methods on how to install/setup Vault. This blog post generated an Ansible playbook, Docker-composes for Swarm and non-swarm, and manual instructions for installing Vault on Ubuntu 20.04. Additionally, over the past couple of months, I have been learning Vault and demonstrating different ways to incorporate Vault. This blog post will be a condensed version of the content in those blog posts and a jumping off point to those blog posts as well.

Goals

  • Install/Setup Vault with Docker
  • Install/Setup Vault with Docker Swarm
  • Install/Setup Vault with Ansible
  • Manual Install/Setup of Vault on Ubuntu 20.04

Background

What is Hashicorp Vault?

HashiCorp Vault is an open-source tool for managing secrets. Application identity management with Vault enables applications and machines to automatically create, change, and rotate secrets needed for communications, services, scripts, etc. Additionally, Vault enables administrators to manage applications and machines by providing access control over different secrets.

What is Consul?

Consul is a service mesh solution providing a full featured control plane with service discovery, configuration, and segmentation functionality. Each of these features can be used individually as needed, or they can be used together to build a full service mesh. Consul requires a data plane and supports both a proxy and native integration model. Consul ships with a simple built-in proxy so that everything works out of the box, but also supports 3rd party proxy integrations such as Envoy.

Generate OpenSSL private key and public cert

  1. git clone https://github.com/CptOfEvilMinions/Vault-Automation
  2. cd Vault-Automation
  3. cp conf/tls/tls.conf.example conf/tls/tls.conf
  4. vim conf/tls/tls.conf and set:
    1. Set the location information under [dn]
      1. C – Set Country
      2. ST – Set state
      3. L – Set city
      4. O – Enter organization name
      5. emailAddress – Enter a valid e-mail for your org
    2. Replace {{ base_domain }} in all fields with your domain
  5. For alt names list all the valid DNS records for this cert
    1. Save and exit
  6. openssl req -x509 -new -nodes -keyout conf/tls/vault.key -out conf/tls/vault.crt -config conf/tls/tls.conf
    1. Generate TLS private key and public certificate

Install Vault with Docker-compose v2.x

  1. git clone https://github.com/CptOfEvilMinions/Vault-Automation
  2. cd Vault-Automation
  3. docker-compose build
  4. docker-compose up -d
  5. Skip ahead to the “Init Vault” section

Install Vault with Docker-compose v3.x (Swarm)

  1. git clone https://github.com/CptOfEvilMinions/Vault-Automation
  2. cd Vault-Automation
  3. docker stack deploy -c docker-compose-stack.yml vault
    1. Spin up Docker stack
  4. docker service logs -f vault_consul
    1. Tail logs of Consul container in Vault stack
  5. docker service logs -f vault_vault
    1. Tail logs of Vault container in Vault stack
  6. Skip ahead to the “Init Vault” section

Install Vault on Ubuntu 20.04 with Ansible

Init playbook

  1. git clone https://github.com/CptOfEvilMinions/Vault-Automation
  2. cd Vault-Automation
  3. pip3 install ansible
  4. vim hosts.yml and add IP address under [vault]
  5. vim all.yml and set:
    1. base_domain – The domain for your network and the base domain of the FQDN
    2. timezone – OPTIONAL – Change the default timezone of UTC +0
  6. vim hasicorp.yml and set:
    1. consul_version – OPTIONAL – Set the version of Consul
    2. vault_version – OPTIONAL – Set the version of Vault

Run playbook

  1. ansible-playbook -i hosts.ini deploy_vault.yml -u <username> -K
    1. Enter password

Manual install of Vault 1.6.1 on Ubuntu 20.04

Init VM

  1. Login into VM
  2. apt update -y && apt upgrade -y && reboot
  3. apt install unzip curl -y

Install/Setup Consul v1.9.1

  1. cd /tmp
  2. curl https://releases.hashicorp.com/consul/1.9.1/consul_1.9.1_linux_amd64.zip -o consul_1.9.1_linux_amd64.zip
    1. Download Consul
  3. unzip consul_1.9.1_linux_amd64.zip
    1. Unzip consul
  4. mv /tmp/consul /usr/local/bin/consul
    1. Add the Consul binary to the system’s path
  5. chmod +x /usr/local/bin/consul
    1. Enable the execution of the binary
  6. groupadd --system consul
    1. Create a group called consul
  7. useradd -s /sbin/nologin --system -g consul consul
    1. Create a user named consul and add it to the group named consul
  8. mkdir -p /var/lib/consul
    1. Create directory for consul
  9. chown -R consul:consul /var/lib/consul
  10. chmod -R 775 /var/lib/consul
    1. Set permissions to consul
  11. mkdir /etc/consul.d
    1. Create consul config directory
  12. chown -R consul:consul /etc/consul.d
  13. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/ansible/consul/consul.hcl -o /etc/consul.d/consul.hcl
    1. Download consul config
  14. sed -i "s/{{ consul_keygen.stdout }}/$(consul keygen)/g" /etc/consul.d/consul.hcl
    1. consul keygen – Generates an encryption key for Consul
  15. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/ansible/consul/consul.service -o /etc/systemd/system/consul.service
    1. Download consul systemd file
  16. systemctl enable consul
  17. systemctl start consul
  18. consul members

Install/Setup Vault v1.6.1

  1. cd /tmp
  2. curl https://releases.hashicorp.com/vault/1.6.1/vault_1.6.1_linux_amd64.zip -o vault_1.6.1_linux_amd64.zip
    1. Download Vault
  3. unzip vault_1.6.1_linux_amd64.zip
    1. Unzip Vault
  4. mv vault /usr/local/bin/vault
    1. Add the Consul binary to the system’s path
  5. chmod +x /usr/local/bin/vault
    1. Enable the execution of the binary
  6. groupadd --system vault
    1. Create a group called vault
  7. useradd --system --home-dir /etc/vault --shell /sbin/nologin -g vault vault
    1. Create a user named vault and add it to the group named vault
  8. mkdir -p /var/lib/vault
    1. Create directory for consul
  9. chown -R vault:vault /var/lib/vault
  10. chmod -R 775 /var/lib/vault
    1. Set permissions to vault
  11. mkdir /etc/vault
    1. Create consul config directory
  12. chown -R vault:vault /etc/vault
  13. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/ansible/vault/vault.hcl -o /etc/vault/config.hcl
    1. Download consul config
  14. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/ansible/vault/vault.service -o /etc/systemd/system/vault.service
    1. Download consul systemd file
  15. systemctl enable vault
  16. systemctl start vault
  17. netstat -tnlp | grep ':8200'

Install/Setup NGINX

  1. apt install nginx -y
  2. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/tls/ssl.conf -o /etc/ssl/ssl.conf
    1. Download SSL config
  3. openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/vault.key -days 3560 -out /etc/ssl/certs/vault.crt-config /etc/ssl/ssl.conf
    1. Generate OpenSSL self-signed private key and public certificate
  4. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/ansible/nginx/nginx.conf -o /etc/nginx/nginx.conf
    1. Download main NGINX config
  5. curl https://raw.githubusercontent.com/CptOfEvilMinions/Vault-Automation/main/conf/ansible/nginx/nginx_vault.conf -o /etc/nginx/conf.d/vault.conf
    1. Download NGINX config to server Vault
  6. systemd enable nginx
  7. systemd restart nginx
  8. netstat -tnlp | grep 'nginx'

Setup UFW

  1. ufw allow OpenSSH
    1. Allow SSH access
  2. ufw allow 'NGINX HTTP'
  3. ufw allow 'NGINX HTTPS'
    1. Allow NGINX for HTTP and HTTPS
  4. ufw enable
  5. Skip ahead to the “Init Vault” section

Init Vault

  1. Open web browser to https://<Vault IP addr>:<port>
    1. Enter 1 for Key Shares
      1. NEVER EVER ENTER 1 FOR PRODUCTION – Only enter 1 for testing 
    2. Enter 1 for Key threshold
      1. NEVER EVER ENTER 1 FOR PRODUCTION – Only enter 1 for testing
    3. Select Initialize
  2. Select “Download keys”
  3. Open terminal
  4. cat ~/Downloads/vault-cluster-vault-*
  5. Back to browser
  6. Select “Continue to Unseal”
  7. Enter “<key from downloaded file>” into Master Key Portion
  8. Select “Unseal”
  9. Select “Token” for method
  10. Enter “<root_token from downloaded file>” into sign in
  11. Select “Sign In”
  12. Copy the root token for the next section

Install/Setup Vault CLI tool on macOS and connect to Vault

  1. brew install jq
  2. brew install hashicorp/tap/vault
  3. export VAULT_ADDR=https://<Vault IP addr>:<port>
  4. export VAULT_SKIP_VERIFY=true
    1. Disable TLS cert verify
  5. vault login
    1. Enter root token from above

Jumping off points

References

Leave a Reply

Your email address will not be published.