Remove vault-transit service entirely. Each vault node now auto-unseals at startup by reading the Shamir unseal key from a Docker secret managed by vault-bootstrap.sh. Eliminates the transit token expiry failure mode and removes the vault_transit node-pinning requirement.

Changes:
- docker-stack-vault.yml: remove vault-transit service, vault_transit_config, vault-transit-data-vl, transit_master_token / vault_transit_unseal_key secrets; add vault_unseal_key secret; rewrite vault entrypoint to background start + poll + auto-unseal loop
- vault-template-v1.json, vault-template-v2.json: remove seal.transit block
- vault-template-transit.json: deleted (vault-transit is gone)
- vault-bootstrap.sh: full rewrite — node-agnostic run_vault() helper (docker exec fallback to docker run over overlay network), 7-step Shamir flow with SKIP_DEPLOY support and early-exit when vault is already healthy
- deploy-prod.yml: replace BE-Forecast deploy with vault stack deploy + bootstrap (SKIP_DEPLOY=true) + cluster health check
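The commit message describes the new entrypoint as "background start + poll + auto-unseal loop" reading the Shamir key from a Docker secret. The script below is an added illustration of that pattern and is not the repository's vault-bootstrap.sh or stack entrypoint. It assumes the secret is mounted at /run/secrets/vault_unseal_key (name taken from the commit message), a server config at /vault/config, the API on 127.0.0.1:8200 as in the runbook, and a 60-attempt / 2-second polling budget; all of these are assumptions. It also treats the "bootstrap" placeholder that step 1 of the runbook creates as "no key yet" rather than submitting it, and exits early when the node is already unsealed, which is the "early-exit when vault is already healthy" behaviour the commit names.

```shell
#!/bin/sh
# Added example (not the repository's vault-bootstrap.sh or stack entrypoint):
# an auto-unseal entrypoint for a Shamir-sealed Vault node that takes its single
# unseal key from a Docker secret.
# Assumptions: key mounted at /run/secrets/vault_unseal_key (name from the commit
# message), config at /vault/config, API on 127.0.0.1:8200 as in the runbook.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
UNSEAL_KEY_FILE="${UNSEAL_KEY_FILE:-/run/secrets/vault_unseal_key}"
export VAULT_ADDR

# Extract the "sealed" field from `vault status -format=json` output.
# Prints true / false, or unknown when the API gave no usable answer.
sealed_from_status() {
  case "$1" in
    *'"sealed": true'*|*'"sealed":true'*)   echo true ;;
    *'"sealed": false'*|*'"sealed":false'*) echo false ;;
    *)                                       echo unknown ;;
  esac
}

# A usable key file is present, non-empty and not the "bootstrap" placeholder
# that step 1 of the runbook creates before the real value exists.
unseal_key_usable() {
  [ -s "$1" ] || return 1
  key=$(tr -d '\r\n' < "$1")
  [ -n "$key" ] && [ "$key" != "bootstrap" ]
}

# Poll the local API; return early if already unsealed, otherwise submit the key.
# The key is passed as an argument exactly as the runbook's manual unseal does,
# and is never echoed to the log.
auto_unseal() {
  tries=0
  while [ "$tries" -lt 60 ]; do
    status=$(vault status -format=json 2>/dev/null || true)
    case "$(sealed_from_status "$status")" in
      false) echo "vault is unsealed"; return 0 ;;
      true)
        if unseal_key_usable "$UNSEAL_KEY_FILE"; then
          vault operator unseal "$(tr -d '\r\n' < "$UNSEAL_KEY_FILE")" >/dev/null
        else
          echo "unseal key secret missing or still a placeholder, waiting" >&2
        fi ;;
      *) ;;   # API not up yet, or vault not initialized
    esac
    tries=$((tries + 1))
    sleep 2
  done
  echo "gave up waiting for vault to unseal" >&2
  return 1
}

# Entrypoint: background the server, unseal it, then wait on the server process
# so the container lives exactly as long as vault does.
if [ "${1:-}" = "start" ]; then
  vault server -config=/vault/config &
  auto_unseal
  wait
fi
```

Run it as `sh entrypoint.sh start` inside the container. The status check is what makes restarts safe: a node that comes back already unsealed (or one that was unsealed by an operator in the meantime) is left alone, and a node whose secret is still the placeholder logs and keeps polling instead of burning a failed unseal attempt.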
STEP 1 — Create placeholder secrets (manager node)

```shell
# optional history reset
history -w && > ~/.bash_history && history -c
echo "bootstrap" | docker secret create vault_transit_unseal_key -
echo "bootstrap" | docker secret create transit_master_token -
```
STEP 2 — Deploy the stack

```shell
docker node update --label-add vault_transit=true iklim-app-03
docker stack deploy --with-registry-auth -c docker-stack-vault.yml iklimco
```

The main vault nodes enter a crash loop because transit is not ready yet; this is the expected state.
STEP 3 — Initialize the transit vault

```shell
# Find which node transit is running on:
docker service ps iklimco_vault-transit
# SSH to that node, then:
docker exec -it $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator init -key-shares=1 -key-threshold=1'
# Save Unseal Key 1 and the Initial Root Token.
# Unseal Key 1: ........
#
# Initial Root Token: hvs.xxxxxxxxxx
#
# Vault initialized with 1 key shares and a key threshold of 1. Please securely
# distribute the key shares printed above. When the Vault is re-sealed,
# restarted, or stopped, you must supply at least 1 of these keys to unseal it
# before it can start servicing requests.
#
# Vault does not store the generated root key. Without at least 1 keys to
# reconstruct the root key, Vault will remain permanently sealed!
#
# It is possible to generate new unseal keys, provided you have a quorum of
# existing unseal keys shares. See "vault operator rekey" for more information.
```

Unseal Key 1: cS0HPNVl8/9r42SXxeq9Y4uokJP886UAeRQ/sBsBFnQ=
Initial Root Token: hvs.AReLHEa44pztSLBUqW2djdEv
STEP 4 — Manually unseal transit (this one time only)

```shell
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal UNSEAL_KEY_1'
```
| Key | Value |
|---|---|
| Seal Type | shamir |
| Initialized | true |
| Sealed | false |
| Total Shares | 1 |
| Threshold | 1 |
| Version | 2.0.1 |
| Build Date | 2026-05-19T17:20:48Z |
| Storage Type | file |
| Cluster Name | vault-cluster-5bd8a332 |
| Cluster ID | b03a2f93-53b0-d32b-9762-c36a9d45df90 |
| HA Enabled | false |
STEP 5 — Set up the transit engine

```shell
# Create the policy file on the host and copy it into the container:
cat > /tmp/autounseal-policy.hcl << 'EOF'
path "transit/encrypt/autounseal" { capabilities = ["update"] }
path "transit/decrypt/autounseal" { capabilities = ["update"] }
EOF
docker cp /tmp/autounseal-policy.hcl \
  $(docker ps -q -f name=iklimco_vault-transit):/tmp/
# Successfully copied 128B (transferred 2.05kB) to 61a136a1c04e:/tmp/
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault login ROOT_TOKEN'
```
Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
(token -> root token)
| Key | Value |
|---|---|
| token | hvs.AReLHEa44pztSLBUqW2djdEv |
| token_accessor | 6w5ZKxbSSP3S5kz4D6luAmjv |
| token_duration | ∞ |
| token_renewable | false |
| token_policies | ["root"] |
| identity_policies | [] |
| policies | ["root"] |
```shell
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault secrets enable transit'
# Success! Enabled the transit secrets engine at: transit/
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault write -f transit/keys/autounseal'
```
| Key | Value |
|---|---|
| allow_plaintext_backup | false |
| auto_rotate_period | 0s |
| deletion_allowed | false |
| derived | false |
| exportable | false |
| imported_key | false |
| keys | map[1:1779831017] |
| latest_version | 1 |
| min_available_version | 0 |
| min_decryption_version | 1 |
| min_encryption_version | 0 |
| name | autounseal |
| supports_decryption | true |
| supports_derivation | true |
| supports_encryption | true |
| supports_signing | false |
| type | aes256-gcm96 |
```shell
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault policy write autounseal /tmp/autounseal-policy.hcl'
# Success! Uploaded policy: autounseal
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault token create -policy=autounseal -period=768h -orphan'
```

(token -> auto unseal token)
| Key | Value |
|---|---|
| token | hvs.CAESIFqiceeloWSqHszPL8OY9PCFKpNQsh6NXoBxw_Us0w7gGh4KHGh2cy5XWTBXekE1VUNQcGhmNlE4U1F1RVhWOFo |
| token_accessor | mRgwI0az8UZguETf5iqJWXhb |
| token_duration | 768h |
| token_renewable | true |
| token_policies | ["autounseal" "default"] |
| identity_policies | [] |
| policies | ["autounseal" "default"] |
STEP 6 — Update the secrets with the real values (back on the manager node)

```shell
# 6a. Transit unseal key, in this order: remove from the service, delete, recreate with the real value, add back
docker service update --secret-rm vault_transit_unseal_key iklimco_vault-transit
# iklimco_vault-transit
# overall progress: 1 out of 1 tasks
# 1/1: running [==================================================>]
# verify: Service iklimco_vault-transit converged
docker secret rm vault_transit_unseal_key
# vault_transit_unseal_key
echo "UNSEAL_KEY_1" | docker secret create vault_transit_unseal_key -
docker service update --secret-add vault_transit_unseal_key iklimco_vault-transit
# iklimco_vault-transit
# overall progress: 1 out of 1 tasks
# 1/1: running [==================================================>]
# verify: Service iklimco_vault-transit converged

# 6b. Verify that transit is unsealed (on iklim-app-03)
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault status'
# Sealed must be false. If it is still sealed, unseal manually:
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
  sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal UNSEAL_KEY_1'

# 6c. Autounseal token: ATOMIC SWAP (vault never restarts without a token)
# WARNING: --secret-rm and --secret-add must be given in the SAME command
echo "hvs.AUTOUNSEAL_TOKEN" | docker secret create transit_master_token_v2 -
docker service update \
  --secret-rm transit_master_token \
  --secret-add source=transit_master_token_v2,target=transit_master_token \
  iklimco_vault
```
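Docker secrets are immutable, so step 6c works by creating a new versioned secret and swapping the reference in one `docker service update`; split into two updates, the service would be restarted once with no token mounted. The helper below is an added example (not part of the runbook's own tooling) that generalizes that swap to any secret and to every later rotation: it derives the next `<name>_v<N>` source name from what already exists, reads the new value from stdin so it never appears in argv or shell history, and issues the remove and add in a single command. It assumes the service mounts the secret under the logical name (the `target`) and that `--secret-rm` names that existing mount, which is what the 6c command above relies on; the `iklimco_vault` / `transit_master_token` values in the usage line are the runbook's own.

```shell
#!/bin/sh
# Added example, not part of the runbook's own tooling: rotate a Docker secret
# that a service consumes under a fixed in-container name, doing the swap in ONE
# `docker service update` so the service is never restarted without the secret.
# Assumption: the service mounts the secret under the logical name (target), and
# --secret-rm names that existing mount, as the runbook's 6c command does.
set -eu

# Next versioned source name: <name>_v<N+1>, N = highest existing _v<N> suffix
# in the `docker secret ls` name list passed as $2 (0 when none exist).
next_secret_name() {
  name=$1
  max=0
  for n in $2; do
    case "$n" in
      "$name"_v*)
        v=${n##*_v}
        case "$v" in ''|*[!0-9]*) continue ;; esac   # ignore non-numeric suffixes
        [ "$v" -gt "$max" ] && max=$v
        ;;
    esac
  done
  echo "${name}_v$((max + 1))"
}

# Rotate: read the new value from stdin (never from argv, so it stays out of
# process lists and shell history), create the versioned secret, then remove the
# old reference and add the new one in a single update.
rotate_service_secret() {
  service=$1
  target=$2
  existing=$(docker secret ls --format '{{.Name}}')
  new=$(next_secret_name "$target" "$existing")
  docker secret create "$new" - >/dev/null
  docker service update \
    --secret-rm "$target" \
    --secret-add "source=$new,target=$target" \
    "$service"
  echo "rotated $target on $service -> $new"
}

# Usage: echo "hvs.NEWTOKEN" | sh rotate-secret.sh iklimco_vault transit_master_token
if [ "$#" -eq 2 ]; then
  rotate_service_secret "$1" "$2"
fi
```

After the update converges, the previous versioned secret can be deleted with `docker secret rm`; keeping it until `docker service ps` shows the new task running gives a trivial rollback (the same single-update swap in reverse).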
STEP 7 — Initialize the main vault cluster

```shell
# After transit is unsealed and the vault nodes are stable (~1-2 min):
docker service ps iklimco_vault   # find which node vault.1 is on
# SSH to that node, then:
docker exec $(docker ps -q -f name=iklimco_vault.1) vault operator init
# Save the Recovery Keys and the Root Token. Done.
```