Last active
April 28, 2019 03:57
vault
# Store the Consul TLS certs for Vault as a secret
$ kubectl create secret generic vault \
    --from-file=certs/consul-agent-ca.pem \
    --from-file=certs/dc1-client-consul-0.pem \
    --from-file=certs/dc1-client-consul-0-key.pem
secret/vault created

# Store the Vault config as a configmap
$ kubectl create configmap vault --from-file=vault/config.json
configmap/vault created

# Create the service
$ kubectl create -f vault/01-service.yaml
service/vault created

# And the deployment
$ kubectl create -f vault/02-deployment.yaml
deployment.extensions/vault created

# To initialize and use Vault from outside the cluster we port-forward to the pod
# and point the CLI at it, trusting the Consul CA for the TLS connection.
$ kubectl port-forward vault-6d78b6df7c-z7chq 8200:8200
$ export VAULT_ADDR=https://127.0.0.1:8200
$ export VAULT_CACERT="certs/consul-agent-ca.pem"

# Initialize Vault. Here we ask for 3 key shares with a threshold of 3, so all
# three shares are needed to unseal. In a production environment those shares
# should be kept separate and known only to the people responsible for Vault.
$ vault operator init -key-shares=3 -key-threshold=3
Unseal Key 1: 8I3HkpLoujn+fAdXHCRJYGJEw0WpvamnzTNu5IGyTcWB
Unseal Key 2: I65GU6xRt+ZX+QigBjCHRyht8pvIOShpU5TL8iLGhr6g
Unseal Key 3: n+Kv2qrDNiIELEy3dEMfUpD/c8EtnwpJCYIn88TrS3Pg
Initial Root Token: s.3pEYBZqlzvDpImB988GyAsuf
Vault initialized with 3 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

# To unseal Vault we repeat this command once for each of the 3 keys from the
# previous step; the output shows the unseal progress after each one.
$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          3
Unseal Progress    1/3
Unseal Nonce       e9bb1681-ba71-b90d-95f6-8e68389e934b
Version            1.1.1
HA Enabled         true

# Then we log in with the initial root token
$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key                  Value
---                  -----
token                s.3pEYBZqlzvDpImB988GyAsuf
token_accessor       w3W3Kw2GWflF9L59C4Itn6cZ
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

# Enable the kv secrets engine at the secrets/ path
$ vault secrets enable -path=secrets kv
Success! Enabled the kv secrets engine at: secrets/

# And finally test storing a secret there
$ vault kv put secrets/hello foo=world
Success! Data written to: secrets/hello

# Then verify that it can be read back as well
$ vault kv get secrets/hello
=== Data ===
Key    Value
---    -----
foo    world
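The gist's comment says the key shares should be separated and held by different people, but the transcript unseals by hand. The following POSIX shell helpers are an added example, not part of the gist or of Vault itself: they split the `vault operator init` output (in the text format shown above) into one mode-0400 file per key share plus the root token, detect the sealed state from the `vault status` Key/Value table, and submit shares until the threshold is reached. The directory layout, file names and the constructed sample output in the comments are assumptions for this example; with genuinely separated shares, each holder runs `vault operator unseal` themselves and the unseal loop below only makes sense in a lab where one operator holds all of them.

```shell
#!/bin/sh
# Added example (not the gist's own code). Assumes the `vault` CLI on PATH and
# VAULT_ADDR/VAULT_CACERT exported as in the session above when used for real.

# split_init_output: read `vault operator init` output on stdin and write each
# "Unseal Key N: <share>" line to $1/unseal-key-N and the
# "Initial Root Token: <token>" line to $1/root-token, all mode 0400, so every
# share can be handed to a different holder without sharing the whole output.
split_init_output() {
  outdir="$1"
  mkdir -p "$outdir"
  umask 077   # files are created readable only by the current user
  while IFS= read -r line; do
    case "$line" in
      "Unseal Key "*)
        n=$(printf '%s\n' "$line" | sed -n 's/^Unseal Key \([0-9]*\): .*/\1/p')
        printf '%s\n' "${line#*: }" > "$outdir/unseal-key-$n"
        ;;
      "Initial Root Token: "*)
        printf '%s\n' "${line#*: }" > "$outdir/root-token"
        ;;
    esac
  done
  chmod 0400 "$outdir"/unseal-key-* "$outdir/root-token"
}

# is_sealed: read `vault status` output on stdin (the Key/Value table shown above,
# e.g. "Sealed             true") and return 0 when Vault reports itself sealed.
is_sealed() {
  grep -Eq '^Sealed[[:space:]]+true$'
}

# unseal_from_dir: submit the shares stored by split_init_output one at a time,
# stopping as soon as `vault status` no longer reports the server as sealed.
# Returns 1 if Vault is still sealed after all shares in the directory were used
# (fewer shares than the threshold). Lab use only: passing a share as an argument
# exposes it to the process list, which is why real holders type it at the prompt.
unseal_from_dir() {
  dir="$1"
  for f in "$dir"/unseal-key-*; do
    if vault status | is_sealed; then
      vault operator unseal "$(cat "$f")" >/dev/null || return 1
    fi
  done
  if vault status | is_sealed; then
    return 1
  fi
  return 0
}

# Typical use in the session above (constructed, not run here):
#   vault operator init -key-shares=3 -key-threshold=3 | split_init_output ./init-out
#   unseal_from_dir ./init-out
```

`split_init_output` only ever sees the init output once, on stdin, so the shares never land in a shell history or a shared file; after it runs, each `unseal-key-N` file is the artefact to hand to one holder and then delete locally.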