HA Vault Deployment

| Role | IP | raft_node_id |
|---|---|---|
| leader | 172.17.22.11 | vault_1 |
| follower | 172.17.22.12 | vault_2 |
| follower | 172.17.22.13 | vault_3 |

Unless stated otherwise, all of the following commands are run on the leader node (172.17.22.11).
1. Deploy Vault

- Download

```bash
wget https://releases.hashicorp.com/vault/1.8.2/vault_1.8.2_linux_amd64.zip
```

- Unpack

```bash
unzip vault_1.8.2_linux_amd64.zip
```

- Copy the vault binary to every node

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  scp vault root@${node_ip}:/usr/local/bin/
  # only the vault binary needs the executable bit, not everything in /usr/local/bin
  ssh root@${node_ip} "chmod +x /usr/local/bin/vault"
done
```
2. HA cluster configuration

vault.hcl

Adjust the file to the actual cluster. In this guide every node keeps its configuration in /etc/vault.d/, persistent data lives in /data/vault, the Vault API listens on <node ip>:8200, and the Raft cluster port is <node ip>:8201.

Create the directories on every node:

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  ssh root@${node_ip} mkdir -p /etc/vault.d/
  ssh root@${node_ip} mkdir -p /data/vault/
done
```
Distributing the configuration file

- Create the template configuration file

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
cat > vault.hcl.template <<EOF
# the VAULT_IP and RAFT_ID placeholders are filled in per node by the
# distribution loop below; the retry_join addresses are expanded from NODE_IPS
# right here, so every node gets the full peer list
cluster_addr = "http://##VAULT_IP##:8201"
api_addr = "http://##VAULT_IP##:8200"
# recommended by HashiCorp when using integrated (raft) storage
disable_mlock = true
ui = true
# HTTP listener on all interfaces; with tls_disable = true tokens and secrets
# cross the network in clear text, so this suits only an isolated lab network
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = true
}
# HA storage: integrated raft storage
storage "raft" {
  path = "/data/vault/"
  node_id = "vault_##RAFT_ID##"
  retry_join {
    leader_api_addr = "http://${NODE_IPS[0]}:8200"
  }
  retry_join {
    leader_api_addr = "http://${NODE_IPS[1]}:8200"
  }
  retry_join {
    leader_api_addr = "http://${NODE_IPS[2]}:8200"
  }
}
EOF
```

- Distribute the configuration file

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
index=1
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  # render one vault.hcl per node: its own IP and a unique raft node_id
  sed -e "s/##VAULT_IP##/${node_ip}/" vault.hcl.template > vault.hcl-${node_ip}
  sed -i "s/##RAFT_ID##/${index}/" vault.hcl-${node_ip}
  scp vault.hcl-${node_ip} root@${node_ip}:/etc/vault.d/vault.hcl
  let index+=1
done
```
3. Create the service user

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  # service account with no login shell and no home directory
  ssh root@${node_ip} useradd -s /sbin/nologin -M vault
done
```
4. Run Vault as a systemd service

- Create the vault service template

```bash
cat > vault.service.template <<EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
# filesystem and privilege hardening; vault only needs CAP_IPC_LOCK (for mlock)
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
# \$MAINPID is escaped so the heredoc leaves it for systemd to expand
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
EOF
```

- Distribute the unit file

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  scp vault.service.template root@${node_ip}:/usr/lib/systemd/system/vault.service
done
```

- Set ownership on the required files

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  ssh root@${node_ip} chown vault:vault -R /data/vault/
  ssh root@${node_ip} chown vault:vault -R /etc/vault.d/
done
```

- Start the service and check its status

```bash
export NODE_IPS=(172.17.22.11 172.17.22.12 172.17.22.13)
for node_ip in "${NODE_IPS[@]}"
do
  echo ">>> ${node_ip}"
  # reload systemd so it picks up the newly copied unit file
  ssh root@${node_ip} systemctl daemon-reload
  ssh root@${node_ip} systemctl enable vault
  ssh root@${node_ip} systemctl start vault
  ssh root@${node_ip} systemctl status vault --no-pager
done
```
5. Initialise Vault

When using the CLI, add -address to point it at the Vault listener (or export VAULT_ADDR once instead).

```bash
vault operator init -address=http://127.0.0.1:8200
```

Record the output:

```text
Unseal Key 1: gkhEVJWo4TpZhQAO5+qJhtSr75F1tuS7QeaTstUU77X1
Unseal Key 2: zAkGk2TsAnoKcll7DffVG4GrQUcGApkeEtQaTChcTarH
Unseal Key 3: f+JGoPTbEnmIgtQF6oiEGdG4+P15ymLRWNcqo+8xDUde
Unseal Key 4: fdjfe5v8Gs0LhNkEDTeUu/KIGZrllWcBA1nE63qhXBa1
Unseal Key 5: 1u4gNPP/idUr6Iw6CiP0kBj4QD+JjgqHwEuq3FJDHjlO
Initial Root Token: s.JOLSqe6tq6Oc0Ua0h3ugfujk
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```
6. Unseal Vault

Run the following on every node. Each invocation prompts for one key; enter 3 of the unseal keys recorded above, one per run, until the node reports Sealed false.

```bash
vault operator unseal -address=http://127.0.0.1:8200
```

7. Access through the browser

Log in with the root token recorded above; the address of any node works. After logging in, the Raft Storage page should show node 1 (vault_1) as the leader.
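As an added check that is not part of the original guide: instead of reading the Raft Storage page by hand, the state of all three nodes can be verified from the leader with Vault's /v1/sys/health endpoint, whose HTTP status code encodes each node's state. The script assumes curl is installed and that the API is reachable on <ip>:8200 over plain HTTP, as configured in the vault.hcl template above; the node list and the function names are the script's own.

```bash
#!/usr/bin/env bash
# Cluster health check for the three-node Raft cluster in this guide (added example).
# GET /v1/sys/health reports a node's state through the HTTP status code:
#   200 = unsealed and active (leader), 429 = unsealed standby,
#   501 = not initialised, 503 = sealed.
# Assumes curl and the plain-HTTP listener on port 8200 (tls_disable = true above).

NODE_IPS="172.17.22.11 172.17.22.12 172.17.22.13"

# Print "<ip> <http_code>" for one node ("000" when it cannot be reached).
probe_node() {
  code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' "http://$1:8200/v1/sys/health")
  printf '%s %s\n' "$1" "${code:-000}"
}

# Read "<ip> <http_code>" lines from stdin, print one line per node and return 0
# only when exactly one node is active and at least n/2+1 nodes are unsealed,
# the Raft quorum below which the cluster can no longer commit writes.
assess_cluster() {
  total=0 active=0 standby=0 sealed=0 other=0
  while read -r ip code; do
    total=$((total + 1))
    case "$code" in
      200) active=$((active + 1));   state="active (leader)" ;;
      429) standby=$((standby + 1)); state="standby" ;;
      501) other=$((other + 1));     state="not initialised" ;;
      503) sealed=$((sealed + 1));   state="sealed, needs 'vault operator unseal'" ;;
      *)   other=$((other + 1));     state="unreachable or unknown (HTTP $code)" ;;
    esac
    echo "$ip: $state"
  done
  quorum=$((total / 2 + 1))
  unsealed=$((active + standby))
  echo "nodes=$total unsealed=$unsealed quorum=$quorum active=$active sealed=$sealed"
  [ "$active" -eq 1 ] && [ "$unsealed" -ge "$quorum" ]
}

main() {
  for ip in $NODE_IPS; do probe_node "$ip"; done | assess_cluster
}

# Only contact the nodes when explicitly asked, e.g. ./check_vault.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A non-zero exit means either no single leader was found or fewer than 2 of the 3 nodes are unsealed, which is the point at which the Raft cluster stops accepting writes.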