生成证书
ca证书
# Self-signed root CA for the demo: 4096-bit RSA, valid one year.
# -nodes writes ca.key unencrypted, so the key is protected only by the
# file permissions on ./certs/ca.key — fine for a lab CA, not for a real one.
mkdir ./certs
openssl req -x509 -nodes -newkey rsa:4096 -days 365 \
  -subj '/CN=OpenBao Root CA' \
  -keyout ./certs/ca.key \
  -out ./certs/ca.crt
server证书
准备conf
# Request config for the server certificate. The [alt_names] section is what
# matters for TLS clients: modern clients match the hostname/IP against the
# subjectAltName, not the CN. Quoted delimiter -> written verbatim, no expansion.
cat >server.cnf <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = baodemo.com
O = Your Organization
C = US
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = baodemo.com
IP.2 = 127.0.0.1
EOF
生成server证书
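# Server key + CSR from server.cnf, then sign the CSR with the demo CA.
# `openssl x509 -req` does not carry the CSR's extensions over by default, so
# the SAN section must be supplied again at signing time via
# -extfile/-extensions; without it the issued cert has no subjectAltName and
# clients reject it for baodemo.com.
openssl req -newkey rsa:2048 -nodes \
  -keyout ./certs/server.key \
  -out ./certs/server.csr \
  -config server.cnf
# Fix: the extension file is server.cnf (created above). The original pointed
# at san.cnf, which is never created, so signing failed on a missing file.
openssl x509 -req -days 365 \
  -CA ./certs/ca.crt \
  -CAkey ./certs/ca.key \
  -CAcreateserial \
  -in ./certs/server.csr \
  -out ./certs/server.crt \
  -extfile server.cnf \
  -extensions req_ext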
运行openbao
安装省略
准备配置
创建conf.hcl内容如下
# OpenBao server config (conf.hcl). The ./data and ./certs paths are relative,
# so presumably the server is started from the directory that contains them.
storage "raft" {
path = "./data"   # must exist before the server starts
node_id = "node1"
}
listener "tcp" {
address = "0.0.0.0:8200"   # binds every interface; narrow to a specific address outside a lab
tls_cert_file = "./certs/server.crt"   # issued by the local CA; SAN covers baodemo.com and 127.0.0.1
tls_key_file = "./certs/server.key"
}
# NOTE(review): api_addr/cluster_addr are the addresses advertised to clients
# and peers, and 0.0.0.0 is not a reachable address; presumably
# https://baodemo.com:8200 (the value used for BAO_ADDR) is intended — confirm.
api_addr = "https://0.0.0.0:8200"
cluster_addr = "https://0.0.0.0:8201"
log_level = "debug"   # verbose; fine for a demo, noisy in production
运行
# The raft storage path from conf.hcl has to exist before the server starts.
mkdir ./data
# The server runs in the foreground; keep this terminal open and run the
# client commands that follow from a second shell.
# NOTE(review): every other command on this page uses the `bao` binary —
# confirm whether `openbao` is really the intended binary name here.
openbao server -config ./conf.hcl
/etc/hosts 中添加
127.0.0.1 baodemo.com
init
执行
# Client environment: point the CLI at the TLS listener (the hostname must
# match a SAN in server.crt, hence baodemo.com, not 0.0.0.0) and trust the
# local CA. BAO_CACERT is relative, so run this from the directory holding certs/.
export BAO_ADDR='https://baodemo.com:8200' BAO_CACERT='./certs/ca.crt'
# Shamir split: 5 key shares, any 3 of them unseal. The shares and the root
# token are printed once by this command and cannot be recovered later.
bao operator init -key-shares=5 -key-threshold=3
得到如下输出（演示值；unseal key 和 root token 只在此时显示一次，须安全保存，不要随文档一起分发）
Unseal Key 1: eE1LH1s9RWdql1KaAuFsgFk9FKZiLrJTSbWyzVPBXKH1
Unseal Key 2: qREOOteCz3uTwquJC0tTnOCa1TAWaeMzDbTyh135grjz
Unseal Key 3: tPoSx6MI8ArhugUz3JC01irLxMNQ8k2mPY/cuITttgHH
Unseal Key 4: obBjCDJJq/kt9f/ixlxsYN2AG3mLLVs+fRCnp8ci5w9X
Unseal Key 5: tPInMBzOQqCMgAxooLCTnsKcCQ5MmJjrpE3YebO6SXlm
Initial Root Token: s.Zinw0QEXD3rwOBI7OtsqZ81a
unseal
执行
# Prompts for one unseal key share (input is hidden); repeat with a different
# share until "Unseal Progress" reaches the threshold (3 here).
bao operator unseal
得到如下输出，可以看到 Unseal Progress 为 1/3，其中 3 对应 key-threshold 的值
```
Unseal Key (will be hidden):
Key Value
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce f4045886-eff8-e5f5-4592-9854291210a5
Version 2.0.0-HEAD
Build Date 2025-06-25T15:11:43Z
Storage Type raft
HA Enabled true
```
反复执行 unseal，每次使用不同的 key，达到阈值后 unseal 成功，得到
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 2.0.0-HEAD
Build Date 2025-06-25T15:11:43Z
Storage Type raft
Cluster Name vault-cluster-88368a27
Cluster ID b2b2fb32-c5cc-d800-d3f3-15a7c1147296
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>
Raft Committed Index 26
Raft Applied Index 26
root token测试
# Use the root token from `bao operator init` for the bootstrap steps only.
# A root token bypasses every policy; revoke it once initial setup is done.
export BAO_TOKEN='s.Zinw0QEXD3rwOBI7OtsqZ81a'
# No -version flag, so the KV engine is mounted in its default version
# (presumably v1 — the later policy path "secret/db" relies on that layout).
bao secrets enable -path=secret kv
# Demo values only: arguments are visible in shell history and, to other
# local users, in the process list.
bao kv put secret/db user='admin' password='demo'
bao kv get secret/db
得到
====== Data ======
Key Value
--- -----
password demo
user admin
普通token测试
创建policy
创建user-policy.hcl
# user-policy.hcl: read-only access to a single KV path. With the engine
# mounted as on this page (no -version flag, presumably KV v1) the data path
# is secret/db itself; a v2 mount would require secret/data/db instead.
path "secret/db" {
capabilities = ["read","list"]   # no create/update/delete: the token cannot change the secret
}
执行
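# Fix: the file created above is user-policy.hcl; the original referenced
# user-olicy.hcl, which does not exist, so the policy write failed.
bao policy write user user-policy.hcl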
创建token
执行
# Child token bound to the "user" policy (plus "default"), expiring after 24h.
# -format=json makes auth.client_token easy to extract with jq.
bao token create -policy=user -ttl=24h -format=json
得到
{
"request_id": "e030bc84-1c4a-8ecd-398f-3374d05dfa2c",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": null,
"warnings": null,
"auth": {
"client_token": "s.7BJ6DraBZbOa9EijrPrX4SVs",
"accessor": "uaQ9Rk2Hra8PSQrBEyx6uuXM",
"policies": [
"default",
"user"
],
"token_policies": [
"default",
"user"
],
"identity_policies": null,
"metadata": null,
"orphan": false,
"entity_id": "",
"lease_duration": 86400,
"renewable": true,
"mfa_requirement": null
}
}
测试
# Switch the CLI to the limited token (this overwrites the BAO_TOKEN that
# held the root token); the read succeeds because "user" grants read on secret/db.
BAO_TOKEN='s.7BJ6DraBZbOa9EijrPrX4SVs'
export BAO_TOKEN
bao kv get secret/db
得到
====== Data ======
Key Value
--- -----
password demo
user admin