I'm a lazy guy and want to do some automation that renews and distributes certificates without human intervention. And of course I've wanted to try out Vault for ages, because it's a great secret store for Kubernetes.
I did the installation with Ansible because I like to automate things.
## Install Vault with Ansible
Basically it wasn't a hard task. I followed the documentation and converted it into a playbook.
First I added a repository file (I use Fedora Server):
```ini
[hashicorp]
name=Hashicorp Stable - $basearch
baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg

[hashicorp-test]
name=Hashicorp Test - $basearch
baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg
```
In the docs you can find the systemd unit file too, if you want to run Vault as a service.
```ini
[Unit]
Description="HashiCorp Vault"
Documentation="https://developer.hashicorp.com/vault/docs"
# Refuse to start without a configuration file
ConditionFileNotEmpty="/etc/vault.d/vault.hcl"

[Service]
# Run as the dedicated service account, never as root
User=vault
Group=vault
# CAP_IPC_LOCK is needed so Vault can mlock() its memory; nothing else is granted
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
# $MAINPID is required, otherwise kill has no process to signal and reload fails
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
```
I used this basic configuration file:
```hcl
# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration
ui = true

# Single-node file storage; the directory must be owned by the vault user
storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener, bound to loopback only: TLS is terminated by the reverse proxy
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
```
I bind port 8200 to localhost because I use an NGINX reverse proxy in front of Vault, but of course you can bind to all interfaces.
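A plaintext listener is only safe while it stays on loopback, and a trimmed unit file is easy to break. The script below checks both the listener blocks in a vault.hcl and the [Service] section of a unit file for the points raised above: TLS disabled on a non-loopback address, a service running as root or without NoNewPrivileges, and an ExecReload that calls kill without $MAINPID. It is an added example, not code from the post or from HashiCorp; the sample unit and config are constructed copies of the ones above with one deliberate defect each so that the checks have something to report.

```python
import configparser
import re
from ipaddress import ip_address

# Constructed sample: the post's unit, with ExecReload deliberately lacking $MAINPID.
SAMPLE_UNIT = """\
[Unit]
Description="HashiCorp Vault"
ConditionFileNotEmpty="/etc/vault.d/vault.hcl"

[Service]
User=vault
Group=vault
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP
"""

# Constructed sample: the post's loopback listener plus a hypothetical second
# listener that would expose the plaintext API on every interface.
SAMPLE_HCL = """\
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = "true"
}
listener "tcp" {
  address = "0.0.0.0:8201"
  tls_disable = true
}
"""

def check_unit(unit_text):
    """Findings for the [Service] section of a systemd unit (as text)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # systemd keys are case-sensitive; keep them as written
    cp.read_string(unit_text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    if svc.get("User", "root") == "root":
        findings.append("Service runs as root; set User=/Group= to a dedicated account")
    if svc.get("NoNewPrivileges", "no").lower() not in ("yes", "true", "1"):
        findings.append("NoNewPrivileges is not set; the process could gain privileges via setuid binaries")
    reload_cmd = svc.get("ExecReload", "")
    if "kill" in reload_cmd and "$MAINPID" not in reload_cmd:
        findings.append("ExecReload uses kill without $MAINPID; `systemctl reload vault` will fail")
    return findings

LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?', re.M)

def parse_listeners(hcl_text):
    """One dict per `listener "tcp"` block. Only flat key = value lines are read;
    a nested block inside a listener would cut the regex match short."""
    return [dict(KV_RE.findall(body)) for body in LISTENER_RE.findall(hcl_text)]

def bind_host(address):
    """Host part of a listener address: host:port, [v6]:port or a bare host."""
    if address.startswith("["):
        return address[1:address.index("]")]
    if address.count(":") > 1:  # bare IPv6 address without a port
        return address
    return address.rsplit(":", 1)[0]

def is_loopback(address):
    host = bind_host(address)
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def check_listeners(hcl_text):
    """Findings as (severity, message): TLS off is an error unless loopback-only."""
    findings = []
    for lst in parse_listeners(hcl_text):
        address = lst.get("address", "127.0.0.1:8200")  # Vault's default bind
        tls_off = lst.get("tls_disable", "false").lower() in ("true", "1")
        if tls_off and not is_loopback(address):
            findings.append(("error", f"{address}: TLS disabled on a non-loopback address; tokens cross the network in cleartext"))
        elif tls_off:
            findings.append(("info", f"{address}: TLS disabled; fine only because a TLS-terminating proxy on this host fronts it"))
    return findings

if __name__ == "__main__":
    for finding in check_unit(SAMPLE_UNIT):
        print("unit:", finding)
    for severity, message in check_listeners(SAMPLE_HCL):
        print(f"hcl [{severity}]:", message)
```

Run it against the real files with `check_unit(open("/etc/systemd/system/vault.service").read())` and `check_listeners(open("/etc/vault.d/vault.hcl").read())` after the role has deployed them; the HCL parsing is deliberately minimal and is meant for the flat listener blocks used here, not as a general HCL parser.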
The role contains the following tasks:
```yaml
# Create a group and user for the service because I don't want to run it as root
- name: Add 'vault' group
  ansible.builtin.group:
    name: vault
    state: present

- name: Add 'vault' user
  ansible.builtin.user:
    name: vault
    group: vault
    state: present

# Copy the repository definition so DNF can find the signed packages
- name: Add Vault's repository
  ansible.builtin.copy:
    src: hashicorp.repo
    dest: /etc/yum.repos.d/

# Install Vault with the DNF package manager
- name: Install Vault
  ansible.builtin.dnf:
    name: vault
    state: present

# The listener/storage configuration shown above
- name: Copy Vault configuration
  ansible.builtin.copy:
    src: vault.hcl
    dest: /etc/vault.d/

# Our own unit file overrides the one shipped by the package
- name: Copy systemd unit file
  ansible.builtin.copy:
    src: vault.service
    dest: /etc/systemd/system/
    mode: '0644'

# daemon_reload picks up the new unit before the (re)start
- name: Enable and start Vault service
  ansible.builtin.systemd_service:
    name: vault
    enabled: true
    daemon_reload: true
    state: restarted
```
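Once the role has finished, the service is running but the Vault is neither initialised nor unsealed, and the API tells you exactly which of those is the case through `GET /v1/sys/health`. The following script, an added example that is not part of the post, queries that endpoint on the loopback listener configured above and prints the operator's next step. The mapping of status codes to states follows the Vault API documentation for the endpoint's default query parameters; the one thing worth knowing is that urllib raises `HTTPError` for every non-2xx code, and sys/health deliberately uses 4xx/5xx codes for perfectly normal states, so the error path is the common path.

```python
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # the listener address from vault.hcl

# Status codes GET /v1/sys/health returns with its default query parameters,
# with the operator's next step for each.
HEALTH_STATES = {
    200: ("initialized, unsealed and active", "configure auth methods and policies"),
    429: ("unsealed standby", "nothing to do; another node is active"),
    472: ("disaster-recovery secondary", "nothing to do on this node"),
    473: ("performance standby", "nothing to do on this node"),
    501: ("not initialized", "run `vault operator init` and store the unseal keys and root token offline"),
    503: ("sealed", "run `vault operator unseal` as many times as the key threshold requires"),
}

def _json_body(fp):
    """Parse a JSON body if there is one; health error responses still carry JSON."""
    raw = fp.read()
    try:
        return json.loads(raw) if raw else {}
    except ValueError:
        return {}

def fetch_health(addr=VAULT_ADDR, timeout=3):
    """Return (status_code, body). status_code is None if nothing answered."""
    req = urllib.request.Request(f"{addr}/v1/sys/health")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, _json_body(resp)
    except urllib.error.HTTPError as e:
        return e.code, _json_body(e)  # 429/472/473/501/503 all land here
    except urllib.error.URLError as e:
        return None, {"error": str(e.reason)}  # not listening, refused, DNS

def interpret(status, body):
    """Combine the status code with the body into a small report. The body's
    `initialized`/`sealed` booleans are included so a mismatch with the code
    (or a proxy answering instead of Vault) is visible at a glance."""
    if status is None:
        state, next_step = "unreachable", "check `systemctl status vault` and the listener address"
    else:
        state, next_step = HEALTH_STATES.get(
            status, (f"unexpected HTTP {status}", "inspect the response body"))
    return {
        "status": status,
        "state": state,
        "next_step": next_step,
        "initialized": body.get("initialized"),
        "sealed": body.get("sealed"),
    }

if __name__ == "__main__":
    report = interpret(*fetch_health())
    for key, value in report.items():
        print(f"{key:12} {value}")
```

Run it on the Vault host itself, since the listener only accepts loopback connections; a fresh install reports `not initialized`, and after `vault operator init` it reports `sealed` until the unseal threshold has been met.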
After Vault has been installed, the real work begins: configuring user access and the services. Everything is described in the official documentation here.