
Managing Kubernetes cluster certificates with Vault (Part 1)

2018-08-05  骆的沙

Setting up a Vault server

Vault is a tool for securely accessing secrets. Most software systems need secrets of several kinds: database credentials, login passwords, tokens, certificates, API keys. Keeping them in plaintext is clearly unsafe; push them to a remote repository by accident and you may end up like the product manager and the programmer at a certain well-known tech company who came to blows over it. Vault offers:

  • Central management of secrets (passwords, tokens, certificates, API keys)
  • Leases on secrets, which expire automatically
  • Dynamic generation, revocation and rotation of keys
  • On-demand, one-time credentials that never need to be stored
  • An encryption/decryption API (encryption as a service)
  • A complete audit trail
  • A command-line interface and a RESTful API (this series uses the API to issue the certificates Kubernetes needs)

Download the zip for your platform from the Vault releases page, check its SHA256 against the published SHA256SUMS file (HashiCorp also signs that file, so verify the signature on a machine where it matters), unzip it to get the vault binary, and copy the binary into a directory on $PATH (for example /usr/local/bin/).

  • Check that vault is installed correctly
    [root@Caden-dev dl]# vault   # running vault with no arguments should print the help text
    Usage: vault <command> [args]
    Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret
    Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    lease          Interact with leases
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    policy         Interact with policies
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens
    
  • Install shell completion
    [root@Caden-dev dl]# vault -autocomplete-install
    [root@Caden-dev dl]# . ~/.bashrc
    
  • Create the Vault configuration file vault.json under /etc/vault/ (any directory works; the same path is used in the unit file below). "backend" is the older spelling of "storage" and is still accepted; the "file" backend keeps all of Vault's data under the "path" given (/var/lib/vault/file here). Plain JSON does not allow # comments, so keep notes like that out of the file.
{
  "backend": {
    "file": {
      "path": "/var/lib/vault/file"
    }
  },
  "listener": {
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_disable": "true"
    }
  },
  "max_lease_ttl": "87600h"
}
    "tls_disable" is tolerable only because this listener is bound to loopback on a lab box; a listener reachable from other hosts must serve TLS, configured with "tls_cert_file" and "tls_key_file". "max_lease_ttl" raises the server-wide cap on lease and certificate lifetime from the default 32 days to ten years, which is what allows long-lived CA and cluster certificates to be issued later.
  • Run Vault under systemd: create vault.service in /etc/systemd/system/ (ExecStart must point at wherever the binary was copied). The CLI invoked by ExecStop defaults to https://127.0.0.1:8200, so the unit sets VAULT_ADDR to the plain-http address; otherwise it hits the HTTP-vs-HTTPS error shown below (systemd would still stop the process with SIGTERM, but the log fills with errors).
[Unit]
Description=vault
Requires=network-online.target
After=network-online.target
[Service]
Restart=on-failure
Environment=VAULT_ADDR=http://127.0.0.1:8200
ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json
ExecStop=/usr/local/bin/vault operator step-down
[Install]
WantedBy=multi-user.target
  • Start the vault service and initialise Vault
    The first "vault operator init" prints 5 unseal keys and a root token. Record them and hand the keys to different people. The root token is the equivalent of root on a Linux system and has unrestricted access; use it only to bootstrap an auth method and policies, then revoke it with "vault token revoke" and work with scoped tokens. Whenever Vault is re-sealed, restarted or stopped, at least 3 of the 5 keys must be entered before it serves requests again.
    Note: if starting out you get the error below, the CLI is using its default address https://127.0.0.1:8200 while the listener has TLS disabled. Export VAULT_ADDR with the plain-http address in the shell you run the CLI from. VAULT_SKIP_VERIFY only disables TLS certificate verification and does nothing for a plain-http listener, so it can be left out. The warning at the top says "vault init" is deprecated; the "vault operator" form is used from here on.
WARNING! The "vault init" command is deprecated. Please use "vault operator
init" instead. This command will be removed in Vault 0.11 (or later).
Error initializing: Put https://127.0.0.1:8200/v1/sys/init: http: server gave HTTP   response to HTTPS client
[root@tcz-dev-boob system]# export VAULT_ADDR=http://127.0.0.1:8200
[root@tcz-dev-boob system]# export VAULT_SKIP_VERIFY=1
[root@tcz-dev-adam dl]# systemctl start vault.service
[root@tcz-dev-adam dl]# systemctl status vault
● vault.service - vault
Loaded: loaded (/etc/systemd/system/vault.service; disabled; vendor preset: disabled)
 Active: active (running) since Sat 2018-08-04 16:41:35 UTC; 8s ago
 Main PID: 5091 (vault)
   Memory: 9.4M
   CGroup: /system.slice/vault.service
           └─5091 /usr/bin/vault server -config=/etc/vault/vault.json

Aug 04 16:41:35 tcz-dev-adam systemd[1]: Starting vault...
Aug 04 16:41:35 tcz-dev-adam vault[5091]: ==> Vault server configuration:
Aug 04 16:41:35 tcz-dev-adam vault[5091]: Cgo: disabled
Aug 04 16:41:35 tcz-dev-adam vault[5091]: Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")

[root@tcz-dev-adam vault]# vault operator init
Unseal Key 1: JcBq9m2Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 2: fBhye17cyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 3: xywgUyjaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 4: b8Tscd2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 5: R/lThTExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Initial Root Token: 41b667xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault rekey" for more information.
  • Unseal Vault

[root@tcz-dev-adam vault]# vault operator unseal
Unseal Key (will be hidden): 
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3  # key 1 of 3 accepted
Unseal Nonce       9fed053c-90fb-ec27-d16b-1753f5007d2a
Version            0.9.6
HA Enabled         true
[root@tcz-dev-adam vault]# vault operator unseal
Unseal Key (will be hidden): 
Key                Value
---                -----
Seal Type          shamir
Sealed             true  # still sealed: no reads or writes possible yet
Total Shares       5
Threshold          3
Unseal Progress    2/3  # key 2
Unseal Nonce       9fed053c-90fb-ec27-d16b-1753f5007d2a
Version            0.9.6
HA Enabled         true
[root@tcz-dev-adam vault]# vault operator unseal  # enter key 3
Unseal Key (will be hidden): 
Key             Value
---             -----
Seal Type       shamir
Sealed          false   # false: unsealed, the server now accepts reads and writes
Total Shares    5
Threshold       3
Version         0.9.6
Cluster Name    vault-cluster-4af0fb83
Cluster ID      e75e85cd-a1b3-d6a2-91a4-89ebf1f7816c
HA Enabled      false
[root@tcz-dev-adam vault]# vault status
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    5
Threshold       3
Version         0.9.6
Cluster Name    vault-cluster-4af0fb83
Cluster ID      e75e85cd-a1b3-d6a2-91a4-89ebf1f7816c
HA Enabled      false
[root@tcz-dev-adam vault]# vault login  # log in with the root token
Token (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                Value
---                -----
token              xxxxxxxxxxxxxxxxx62c1166ae759
token_accessor     xxxxxxxxxxxxxxx0-6a7c5e07b280
token_duration     ∞
token_renewable    false
token_policies     [root]
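The init and unseal steps above, done through the HTTP API that the CLI wraps, as an added example that is not part of the original post. The endpoints are Vault's own (GET and PUT /v1/sys/init, PUT /v1/sys/unseal, GET /v1/sys/seal-status); FakeVault, the share names and the token value are constructed stand-ins so the script runs offline, and VaultBootstrap, bootstrap and the addr/transport parameters are this example's names. It shows two things the transcript only hints at: unsealing stops as soon as the threshold is reached instead of feeding all five shares, and a second init is refused because the shares are printed exactly once.

```python
"""Initialise and unseal Vault over its HTTP API (example code, not the author's)."""
import json
import os
import urllib.request


def http_transport(method, url, body=None):
    """Real transport: one JSON request to the Vault API, decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class FakeVault:
    """Constructed stand-in for a fresh server so the example runs offline.
    Mimics the server side of the exchange: n shares, threshold t, and a
    progress counter that flips `sealed` to false once t shares arrived."""

    def __init__(self):
        self.initialized, self.sealed = False, True
        self.n = self.t = self.progress = 0

    def __call__(self, method, url, body=None):
        path = url.split("/v1/", 1)[1]
        if path == "sys/init" and method == "GET":
            return {"initialized": self.initialized}
        if path == "sys/init" and method == "PUT":
            self.initialized = True
            self.n, self.t = body["secret_shares"], body["secret_threshold"]
            return {"keys_base64": [f"share-{i}" for i in range(self.n)],
                    "root_token": "constructed-root-token"}
        if path == "sys/seal-status":
            return {"sealed": self.sealed, "n": self.n, "t": self.t, "progress": self.progress}
        if path == "sys/unseal" and method == "PUT":
            self.progress += 1
            if self.progress >= self.t:          # enough shares: master key reconstructed
                self.sealed, self.progress = False, 0
            return {"sealed": self.sealed, "n": self.n, "t": self.t, "progress": self.progress}
        raise ValueError(f"unexpected {method} {path}")


class VaultBootstrap:
    def __init__(self, addr=None, transport=http_transport):
        # With tls_disable on the listener VAULT_ADDR must be http://...; the CLI's
        # https:// default is what produced the "HTTP response to HTTPS client" error.
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        if not self.addr.startswith(("http://", "https://")):
            raise ValueError("VAULT_ADDR must carry an explicit scheme")
        self._call = transport

    def _api(self, method, path, body=None):
        return self._call(method, f"{self.addr}/v1/{path}", body)

    def init(self, shares=5, threshold=3):
        """Same as `vault operator init`; returns the share list and root token."""
        if not 1 <= threshold <= shares:
            raise ValueError("threshold must lie in [1, shares]")
        if self._api("GET", "sys/init")["initialized"]:
            raise RuntimeError("already initialized: shares are only ever printed once")
        return self._api("PUT", "sys/init",
                         {"secret_shares": shares, "secret_threshold": threshold})

    def unseal(self, shares):
        """Feed shares until Vault reports sealed=false; returns how many were used.
        Stops early so holders never hand over more shares than the threshold."""
        status = self._api("GET", "sys/seal-status")
        if not status["sealed"]:
            return 0
        for used, share in enumerate(shares, start=1):
            status = self._api("PUT", "sys/unseal", {"key": share})
            if not status["sealed"]:
                return used
        raise RuntimeError(f"still sealed: progress {status['progress']}/{status['t']}")


def bootstrap(client, shares=5, threshold=3):
    """init followed by unseal; returns (root_token, shares_used)."""
    out = client.init(shares, threshold)
    return out["root_token"], client.unseal(out["keys_base64"])


if __name__ == "__main__":
    token, used = bootstrap(VaultBootstrap("http://127.0.0.1:8200", transport=FakeVault()))
    print(f"unsealed with {used} shares; root token {token!r} (revoke it once real auth exists)")
```

Running init and unseal from one process, as bootstrap does, is only reasonable in a lab where one person holds every share. In production each key holder submits their own share from their own session; that separation is the whole point of splitting the master key with Shamir, and it is why the function stops at the threshold instead of consuming the full list.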

Vault separates data by path. A path can hold several key/value pairs, but "vault write" replaces the whole set stored at that path rather than appending to it, so whatever the first write put there is overwritten by the next; write everything a path needs in a single command. The commands that enable a PKI secrets engine for this cluster and define its roles are collected in a script, k8s_pki.sh, run once; later parts pull certificates from these roles through Vault's API. A few things to notice about the roles: allow_any_name=true together with enforce_hostnames=false means any common name can be requested from them, so the "organization" value is what actually maps a certificate to a Kubernetes group (system:nodes, system:node-proxier, system:masters), and the ability to issue from the kube-admin role is equivalent to cluster-admin and must be restricted by Vault policy. exclude_cn_from_sans=true means a server certificate is only valid for the names passed as alt_names or ip_sans, and server_flag=false on kube-admin stops that role from minting server certificates. None of these commands creates the CA itself: the roles cannot issue anything until the mount holds a CA certificate and key (generated internally or imported), which is not done here.

[root@tcz-dev-adam vault]# cat <<'EOF' > k8s_pki.sh   # quoted delimiter: ${mount_path} must reach the script unexpanded
> mount_path="pki/k8s-fat01"
> vault secrets enable -path ${mount_path} pki
> vault write ${mount_path}/roles/kubernetes allow_any_name=true enforce_hostnames=false exclude_cn_from_sans=true
> vault write ${mount_path}/roles/kubelet allow_any_name=true enforce_hostnames=false exclude_cn_from_sans=true organization=system:nodes
> vault write ${mount_path}/roles/kube-proxy allow_any_name=true enforce_hostnames=false exclude_cn_from_sans=true organization=system:node-proxier
> vault write ${mount_path}/roles/kube-admin allow_any_name=true enforce_hostnames=false exclude_cn_from_sans=true organization=system:masters server_flag=false
> vault write ${mount_path}/roles/etcd allow_any_name=true enforce_hostnames=false exclude_cn_from_sans=true
> EOF
[root@tcz-dev-adam vault]# sh k8s_pki.sh 
Success! Enabled the pki secrets engine at: pki/k8s-fat01/
Success! Data written to: pki/k8s-fat01/roles/kubernetes
Success! Data written to: pki/k8s-fat01/roles/kubelet
Success! Data written to: pki/k8s-fat01/roles/kube-proxy
Success! Data written to: pki/k8s-fat01/roles/kube-admin
Success! Data written to: pki/k8s-fat01/roles/etcd
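Issuing certificates from these roles over the API, as an added example that is not the author's code. The endpoint, POST /v1/<mount>/issue/<role>, and the response fields (certificate, private_key, issuing_ca) are Vault's; ROLE_RULES, API_SERVER_DNS_SANS, issue_request, issue, write_pem and FakePKI are this example's own names, and the token, PEM blobs and host names are constructed. Because the roles were created with allow_any_name=true, Vault itself accepts any CN; the naming checks here are client-side hygiene, and the real control over who can mint a system:masters certificate is the Vault policy that grants or withholds update on pki/k8s-fat01/issue/kube-admin.

```python
"""Request Kubernetes certificates from the PKI roles (example code, not the author's)."""
import json
import os
import re
import urllib.error
import urllib.request

MOUNT = "pki/k8s-fat01"          # the mount_path used in k8s_pki.sh

# In-cluster names an API-server certificate must carry as SANs; with
# exclude_cn_from_sans=true on the role, the CN alone covers none of them.
API_SERVER_DNS_SANS = ("kubernetes", "kubernetes.default", "kubernetes.default.svc",
                       "kubernetes.default.svc.cluster.local")

# role -> (pattern the CN must match, group the role injects via organization=)
ROLE_RULES = {
    "kubelet":    (re.compile(r"^system:node:[a-z0-9][a-z0-9.-]*$"), "system:nodes"),
    "kube-proxy": (re.compile(r"^system:kube-proxy$"), "system:node-proxier"),
    "kube-admin": (re.compile(r"^[A-Za-z0-9@._-]+$"), "system:masters"),
    "kubernetes": (re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$"), None),
    "etcd":       (re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$"), None),
}


def http_transport(method, url, body, token):
    """Real transport; Vault reports failures as {"errors": [...]} with a 4xx status."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json",
                                          "X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read() or b'{"errors": ["no body"]}')


def issue_request(role, common_name, alt_names=(), ip_sans=(), ttl="8760h"):
    """Check the identity against the role and build the body for <mount>/issue/<role>."""
    if role not in ROLE_RULES:
        raise ValueError(f"unknown role {role!r}; roles live under {MOUNT}/roles/")
    pattern, group = ROLE_RULES[role]
    if not pattern.match(common_name):
        raise ValueError(f"CN {common_name!r} is not a valid name for role {role!r}")
    if role == "kubernetes" and not set(API_SERVER_DNS_SANS) <= set(alt_names):
        raise ValueError("API-server cert must list every in-cluster service name as a SAN")
    body = {"common_name": common_name, "ttl": ttl, "format": "pem"}
    if alt_names:
        body["alt_names"] = ",".join(alt_names)
    if ip_sans:
        body["ip_sans"] = ",".join(ip_sans)
    return f"{MOUNT}/issue/{role}", body, group


def issue(role, common_name, token, addr=None, transport=http_transport, **kw):
    """POST the request; return PEM material plus the Kubernetes group the cert maps to."""
    path, body, group = issue_request(role, common_name, **kw)
    addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
    resp = transport("POST", f"{addr}/v1/{path}", body, token)
    if resp.get("errors"):
        raise PermissionError(f"{path}: {'; '.join(resp['errors'])}")
    data = resp["data"]
    missing = {"certificate", "private_key", "issuing_ca"} - data.keys()
    if missing:
        raise RuntimeError(f"issue response lacks {sorted(missing)}")
    return {"cert": data["certificate"], "key": data["private_key"],
            "ca": data["issuing_ca"], "group": group}


def write_pem(material, directory, name):
    """Write <name>.pem, <name>-key.pem and ca.pem; the private key is created 0600."""
    os.makedirs(directory, exist_ok=True)
    paths = {}
    for label, filename, mode in (("cert", f"{name}.pem", 0o644),
                                  ("key", f"{name}-key.pem", 0o600),
                                  ("ca", "ca.pem", 0o644)):
        path = os.path.join(directory, filename)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(material[label].rstrip("\n") + "\n")
        paths[label] = path
    return paths


class FakePKI:
    """Constructed stand-in for the PKI engine so the example runs offline:
    records each request and answers with placeholder PEM blobs."""

    def __init__(self):
        self.requests = []

    def __call__(self, method, url, body, token):
        self.requests.append((method, url, body))
        if token != "constructed-token":          # what a policy denial looks like
            return {"errors": ["permission denied"]}
        pem = lambda kind: f"-----BEGIN {kind}-----\n(constructed)\n-----END {kind}-----\n"
        return {"data": {"certificate": pem("CERTIFICATE"), "issuing_ca": pem("CERTIFICATE"),
                         "private_key": pem("RSA PRIVATE KEY"), "serial_number": "00"}}


if __name__ == "__main__":
    node = issue("kubelet", "system:node:worker-1", "constructed-token",
                 addr="http://127.0.0.1:8200", transport=FakePKI())
    print(node["group"])
```

For a real run, drop the transport argument so http_transport is used, hand in a token whose policy allows update on the specific issue/<role> path (never the root token), and pass the node's real IPs as ip_sans for server certificates; a client certificate such as the kubelet's needs no SANs at all.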

If a piece of data is no longer needed, remove it with "vault delete <path>".
