iklim.co/VaultTest
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
VaultTest/docker-stack-vault.yml
Murat ÖZDEMİR 508363fc75 refactor(vault): Replace transit auto-unseal with Shamir + Docker secret 
Remove vault-transit service entirely. Each vault node now auto-unseals at
startup by reading the Shamir unseal key from a Docker secret managed by
vault-bootstrap.sh. Eliminates the transit token expiry failure mode and
removes the vault_transit node-pinning requirement.

Changes:
- docker-stack-vault.yml: remove vault-transit service, vault_transit_config,
  vault-transit-data-vl, transit_master_token / vault_transit_unseal_key
  secrets; add vault_unseal_key secret; rewrite vault entrypoint to background
  start + poll + auto-unseal loop
- vault-template-v1.json, vault-template-v2.json: remove seal.transit block
- vault-template-transit.json: deleted (vault-transit is gone)
- vault-bootstrap.sh: full rewrite — node-agnostic run_vault() helper (docker
  exec fallback to docker run over overlay network), 7-step Shamir flow with
  SKIP_DEPLOY support and early-exit when vault is already healthy
- deploy-prod.yml: replace BE-Forecast deploy with vault stack deploy +
  bootstrap (SKIP_DEPLOY=true) + cluster health check
2026-06-10 13:37:32 +03:00

92 lines
3.8 KiB
YAML
Raw Blame History

version: '3.8'
services:
# -------------------------------------------------------------------------
# VAULT CLUSTER (3 NODES - RAFT HIGH AVAILABILITY)
# -------------------------------------------------------------------------
# Bootstrap: vault_unseal_key is auto-managed by vault-bootstrap.sh.
# The script creates a placeholder on first deploy and replaces it with the
# real Shamir unseal key after 'vault operator init'.
vault:
image: hashicorp/vault:2.0.1
cap_add:
- IPC_LOCK
# Overriding the default entrypoint to manipulate configuration strictly in RAM
entrypoint: ["sh", "-c"]
# 1. Resolves HOSTNAME_PLACEHOLDER via sed entirely in RAM (/dev/shm) — no secret touches disk
# 2. Starts vault server in background
# 3. Registers SIGTERM/SIGINT trap for graceful shutdown
# 4. Polls vault status; exit code 1 = not yet ready, 0 or 2 = vault is responding
# 5. Auto-unseals using vault_unseal_key Docker secret (no-op if key is wrong or file missing)
# 6. Waits for vault to exit and propagates exit code to Docker
command: >
"cat /vault/config/vault.json | sed \"s/HOSTNAME_PLACEHOLDER/$$HOSTNAME/g\" > /dev/shm/vault.json;
vault server -config=/dev/shm/vault.json &
VAULT_PID=$$!;
trap 'kill -TERM $$VAULT_PID; wait $$VAULT_PID' TERM INT;
export VAULT_ADDR='https://127.0.0.1:8200' VAULT_SKIP_VERIFY='true';
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do vault status > /dev/null 2>&1; [ $$? -ne 1 ] && break; sleep 2; done;
vault operator unseal $$(cat /run/secrets/vault_unseal_key 2>/dev/null) > /dev/null 2>&1 || true;
wait $$VAULT_PID"
networks:
iklimco-net:
aliases:
- vault.iklim.co
environment:
VAULT_ADDR: "https://127.0.0.1:8200"
# PHASE 1 (Bootstrap): Keep it "true" so Vault CLI can operate on self-signed/temporary certificates.
# PHASE 2 (Strict SSL): set this 'false' once you switch your configuration to v2.
VAULT_SKIP_VERIFY: "true"
volumes:
# Persistent volume for primary Raft storage
- vault-data-vl:/vault/file
# Persistent volume for audit and operational logs
- vault-logs-vl:/vault/logs
# Read-only mount of the host directory where the real wildcard certificates are managed
- /opt/iklimco/ssl:/vault/certs:ro
configs:
# PHASE 1: Deploy with 'vault_template_v1' (TLS validation skipped for easy initialization)
# PHASE 2: Update this source to 'vault_template_v2' to enforce strict wildcard SSL verification
- source: vault_template_v2
target: /vault/config/vault.json
mode: 0444
secrets:
- vault_unseal_key
deploy:
mode: replicated
replicas: 3
placement:
# High Availability: each Vault node runs on a separate physical Swarm worker
max_replicas_per_node: 1
constraints:
- node.labels.type == service
restart_policy:
condition: any
delay: 5s
configs:
# =========================================================================
# CONFIG TEMPLATE PHASE 1: Bootstrap / Initial Discovery (No Verification)
# =========================================================================
vault_template_v1:
file: ./vault-template-v1.json
# =========================================================================
# CONFIG TEMPLATE PHASE 2: Production Safe (Strict Wildcard SSL Enforcement)
# =========================================================================
vault_template_v2:
file: ./vault-template-v2.json
volumes:
vault-data-vl:
vault-logs-vl:
secrets:
# Managed by vault-bootstrap.sh: placeholder on first deploy, replaced with real unseal key after init.
vault_unseal_key:
external: true
networks:
iklimco-net:
external: true
Reference in New Issue View Git Blame Copy Permalink