First install vault; see
https://hub.docker.com/_/vault/
Note: do not run the dev-mode server, otherwise the goldfish-related initialization later on will fail.
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable":"1"}},"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h" , "ui":"true"}' -p 8200:8200 vault server
After vault starts, open http://ip:8200 in a browser and run the initialization to obtain the root token and key:
Initial Root Token
ff2c6a8f-1014-cc9b-d842-54739ca305c4
Key 1
+QFq6wANH73JPcbub5T8Y7AZbib0uMMXBtV0YbmCG2M=
Complete the vault unseal operation in the web UI.
Prepare the goldfish.hcl file and copy it into the vault docker container.
goldfish.hcl can be obtained from: https://github.com/Caiyeon/goldfish/tree/master/vagrant/policies
Enter the vault docker container and log in to vault with the root token:
export VAULT_ADDR='http://127.0.0.1:8200'
vault login
vault auth enable approle
vault policy write goldfish /home/goldfish.hcl
vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0
vault write auth/approle/role/goldfish/role-id role_id=goldfish
vault write secret/goldfish DefaultSecretPath="secret/" UserTransitKey="usertransit" BulletinPath="secret/bulletins/"
Install goldfish
Reference:
https://github.com/Caiyeon/goldfish/tree/master/docker
Download config.hcl, save it to the current directory, and run:
docker pull elijahwright/goldfish
export GOLDFISH_CONFIG=$(cat config.hcl)
export GOLDFISH_PORT=8001
docker run -it -p ${GOLDFISH_PORT}:${GOLDFISH_PORT} \
-e GOLDFISH_PORT=${GOLDFISH_PORT} \
-e GOLDFISH_TOKEN=${GOLDFISH_TOKEN} \
-v /home/goldfish/config.hcl:/app/docker.hcl \
elijahwright/goldfish
Log in to vault again and run
vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
to obtain the wrapping_token:
/ # vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
Key Value
--- -----
wrapping_token: b8e18e57-32f0-562c-c13c-393cf651d890
wrapping_accessor: ae73f2ed-a538-ca2a-495f-4a1a04183ddb
wrapping_token_ttl: 5m
wrapping_token_creation_time: 2018-09-06 01:49:30.267217574 +0000 UTC
wrapping_token_creation_path: auth/approle/role/goldfish/secret-id
Open http://ip:8001 in a browser.
Enter the wrapping_token to complete goldfish's bootstrap, then log in with vault's root token.
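Before pasting the wrapping_token into goldfish's bootstrap page, it is worth checking that the token really was created by the goldfish secret-id endpoint with the short TTL requested above; the following is an added shell example (not code from the original post or from the goldfish project) that parses the output of the vault write command and performs that check. The sample output embedded in it is constructed, with placeholder token values.

```shell
# Constructed sample of the output of
#   vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
# Token and accessor values are placeholders, not real vault output.
SAMPLE_WRAP_OUTPUT='Key                              Value
---                              -----
wrapping_token:                  00000000-0000-0000-0000-000000000001
wrapping_accessor:               00000000-0000-0000-0000-000000000002
wrapping_token_ttl:              5m
wrapping_token_creation_time:    2018-09-06 01:49:30.267217574 +0000 UTC
wrapping_token_creation_path:    auth/approle/role/goldfish/secret-id'

# The only endpoint a goldfish bootstrap token should come from, and the TTL
# the page asks for with -wrap-ttl=5m.
EXPECTED_PATH='auth/approle/role/goldfish/secret-id'
EXPECTED_TTL='5m'

# get_wrap_field OUTPUT FIELD: print the value in the "FIELD:" row of the
# key/value table printed by the vault CLI.
get_wrap_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# validate_wrapping_token OUTPUT: print the wrapping token and return 0 only
# if the creation path and TTL match what we expect; otherwise explain on
# stderr and return 1 so a script does not hand a suspicious token to goldfish.
validate_wrapping_token() {
    token=$(get_wrap_field "$1" wrapping_token)
    path=$(get_wrap_field "$1" wrapping_token_creation_path)
    ttl=$(get_wrap_field "$1" wrapping_token_ttl)
    if [ -z "$token" ]; then
        echo "no wrapping_token found in output" >&2
        return 1
    fi
    if [ "$path" != "$EXPECTED_PATH" ]; then
        echo "unexpected wrapping_token_creation_path: $path" >&2
        return 1
    fi
    if [ "$ttl" != "$EXPECTED_TTL" ]; then
        echo "unexpected wrapping_token_ttl: $ttl" >&2
        return 1
    fi
    printf '%s\n' "$token"
}
```

In practice, replace SAMPLE_WRAP_OUTPUT with the captured output of the real vault write command, for example `validate_wrapping_token "$(vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id)"`.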