# ADIM 1 — Placeholder secrets oluştur (manager node) ```bash # opsiyonel history reset history -w && > ~/.bash_history && history -c echo "bootstrap" | docker secret create vault_transit_unseal_key - echo "bootstrap" | docker secret create transit_master_token - ``` # ADIM 2 — Stack deploy et ```bash docker node update --label-add vault_transit=true iklim-app-03 docker stack deploy --with-registry-auth -c docker-stack-vault.yml iklimco ``` Ana vault node'ları transit henüz hazır olmadığı için crash loop'a girer — beklenen durum. # ADIM 3 — Transit vault'u initialize et ```bash # Transit'in hangi node'da çalıştığını bul: docker service ps iklimco_vault-transit # O node'a SSH'la, sonra: docker exec -it $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator init -key-shares=1 -key-threshold=1' # Unseal Key 1 ve Initial Root Token'ı kaydet. # Unseal Key 1: ........ # # Initial Root Token: hvs.xxxxxxxxxx # # Vault initialized with 1 key shares and a key threshold of 1. Please securely # distribute the key shares printed above. When the Vault is re-sealed, # restarted, or stopped, you must supply at least 1 of these keys to unseal it # before it can start servicing requests. # # Vault does not store the generated root key. Without at least 1 keys to # reconstruct the root key, Vault will remain permanently sealed! # # It is possible to generate new unseal keys, provided you have a quorum of # existing unseal keys shares. See "vault operator rekey" for more information. ``` Unseal Key 1: cS0HPNVl8/9r42SXxeq9Y4uokJP886UAeRQ/sBsBFnQ= Initial Root Token: hvs.AReLHEa44pztSLBUqW2djdEv # ADIM 4 — Transit'i manuel unseal et (sadece bu seferlik) ```bash docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal UNSEAL_KEY_1' ``` | Key | Value | | ------------ | ------------------------------------ | | Seal Type | shamir | | Initialized | true | | Sealed | false | | Total Shares | 1 | | Threshold | 1 | | Version | 2.0.1 | | Build Date | 2026-05-19T17:20:48Z | | Storage Type | file | | Cluster Name | vault-cluster-5bd8a332 | | Cluster ID | b03a2f93-53b0-d32b-9762-c36a9d45df90 | | HA Enabled | false | # ADIM 5 — Transit engine kur ```bash # Policy dosyasını host'ta oluştur, container'a kopyala: cat > /tmp/autounseal-policy.hcl << 'EOF' path "transit/encrypt/autounseal" { capabilities = ["update"] } path "transit/decrypt/autounseal" { capabilities = ["update"] } EOF docker cp /tmp/autounseal-policy.hcl \ $(docker ps -q -f name=iklimco_vault-transit):/tmp/ # Successfully copied 128B (transferred 2.05kB) to 61a136a1c04e:/tmp/ docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault login ROOT_TOKEN' ``` Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. (token -> root token) | Key | Value | | ----------------- | ---------------------------- | | token | hvs.AReLHEa44pztSLBUqW2djdEv | | token_accessor | 6w5ZKxbSSP3S5kz4D6luAmjv | | token_duration | ∞ | | token_renewable | false | | token_policies | ["root"] | | identity_policies | [] | | policies | ["root"] | ```bash docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault secrets enable transit' # Success! Enabled the transit secrets engine at: transit/ docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault write -f transit/keys/autounseal' ``` | Key | Value | | ---------------------- | ----------------- | | allow_plaintext_backup | false | | auto_rotate_period | 0s | | deletion_allowed | false | | derived | false | | exportable | false | | imported_key | false | | keys | map[1:1779831017] | | latest_version | 1 | | min_available_version | 0 | | min_decryption_version | 1 | | min_encryption_version | 0 | | name | autounseal | | supports_decryption | true | | supports_derivation | true | | supports_encryption | true | | supports_signing | false | | type | aes256-gcm96 | ```bash docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault policy write autounseal /tmp/autounseal-policy.hcl' # Success! Uploaded policy: autounseal docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault token create -policy=autounseal -period=768h -orphan' ``` (token -> auto unseal token) | Key | Value | | ----------------- | ----------------------------------------------------------------------------------------------- | | token | hvs.CAESIFqiceeloWSqHszPL8OY9PCFKpNQsh6NXoBxw_Us0w7gGh4KHGh2cy5XWTBXekE1VUNQcGhmNlE4U1F1RVhWOFo | | token_accessor | mRgwI0az8UZguETf5iqJWXhb | | token_duration | 768h | | token_renewable | true | | token_policies | ["autounseal" "default"] | | identity_policies | [] | | policies | ["autounseal" "default"] | # ADIM 6 — Secrets'ı gerçek değerlerle güncelle (manager node'a dön) ```bash # 6a. Transit unseal key — sırayla: servis'ten çıkar, sil, gerçek değerle oluştur, ekle docker service update --secret-rm vault_transit_unseal_key iklimco_vault-transit # iklimco_vault-transit # overall progress: 1 out of 1 tasks # 1/1: running [==================================================>] # verify: Service iklimco_vault-transit converged docker secret rm vault_transit_unseal_key # vault_transit_unseal_key echo "UNSEAL_KEY_1" | docker secret create vault_transit_unseal_key - docker service update --secret-add vault_transit_unseal_key iklimco_vault-transit # iklimco_vault-transit # overall progress: 1 out of 1 tasks # 1/1: running [==================================================>] # verify: Service iklimco_vault-transit converged # 6b. Transit'in unsealed olduğunu doğrula (iklim-app-03'te) docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault status' # Sealed: false olmalı. Eğer hâlâ sealed ise manuel unseal et: docker exec $(docker ps -q -f name=iklimco_vault-transit) \ sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal UNSEAL_KEY_1' # 6c. Autounseal token — ATOMIC SWAP (vault hiç token'sız restart olmaz) # DIKKAT: --secret-rm ve --secret-add AYNI komutta verilmeli echo "hvs.AUTOUNSEAL_TOKEN" | docker secret create transit_master_token_v2 - docker service update \ --secret-rm transit_master_token \ --secret-add source=transit_master_token_v2,target=transit_master_token \ iklimco_vault ``` # ADIM 7 — Ana vault cluster'ı initialize et ```bash # Transit açıldıktan ve vault node'ları stable olduktan sonra (~1-2 dk): docker service ps iklimco_vault # vault.1'in hangi node'da olduğunu bul # O node'a SSH'la, sonra: docker exec $(docker ps -q -f name=iklimco_vault.1) vault operator init # Recovery Keys ve Root Token'ı kaydet. Bitti. ```