iklim.co/VaultTest
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
VaultTest/README.md
Murat ÖZDEMİR bf81b6ebee feat: initialize vault transit auto-unseal documentation and configs 
- Added comprehensive step-by-step guide in README.md for Vault Transit auto-unseal setup.
- Included Docker Swarm stack definition (docker-stack-vault.yml).
- Added Vault configuration templates and bootstrap scripts.
- Configured Gitea workflows for the VaultTest environment.
2026-05-27 01:48:30 +03:00

200 lines
8.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ADIM 1 — Placeholder secrets oluştur (manager node)
```bash
# opsiyonel history reset
history -w && > ~/.bash_history && history -c
echo "bootstrap" | docker secret create vault_transit_unseal_key -
echo "bootstrap" | docker secret create transit_master_token -
```
# ADIM 2 — Stack deploy et
```bash
docker node update --label-add vault_transit=true iklim-app-03
docker stack deploy --with-registry-auth -c docker-stack-vault.yml iklimco
```
Ana vault node'ları transit henüz hazır olmadığı için crash loop'a girer — beklenen durum.
# ADIM 3 — Transit vault'u initialize et
```bash
# Transit'in hangi node'da çalıştığını bul:
docker service ps iklimco_vault-transit
# O node'a SSH'la, sonra:
docker exec -it $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator init -key-shares=1 -key-threshold=1'
# Unseal Key 1 ve Initial Root Token'ı kaydet.
# Unseal Key 1: ........
#
# Initial Root Token: hvs.xxxxxxxxxx
#
# Vault initialized with 1 key shares and a key threshold of 1. Please securely
# distribute the key shares printed above. When the Vault is re-sealed,
# restarted, or stopped, you must supply at least 1 of these keys to unseal it
# before it can start servicing requests.
#
# Vault does not store the generated root key. Without at least 1 keys to
# reconstruct the root key, Vault will remain permanently sealed!
#
# It is possible to generate new unseal keys, provided you have a quorum of
# existing unseal keys shares. See "vault operator rekey" for more information.
```
Unseal Key 1: cS0HPNVl8/9r42SXxeq9Y4uokJP886UAeRQ/sBsBFnQ=
Initial Root Token: hvs.AReLHEa44pztSLBUqW2djdEv
# ADIM 4 — Transit'i manuel unseal et (sadece bu seferlik)
```bash
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal UNSEAL_KEY_1'
```
| Key | Value |
| ------------ | ------------------------------------ |
| Seal Type | shamir |
| Initialized | true |
| Sealed | false |
| Total Shares | 1 |
| Threshold | 1 |
| Version | 2.0.1 |
| Build Date | 2026-05-19T17:20:48Z |
| Storage Type | file |
| Cluster Name | vault-cluster-5bd8a332 |
| Cluster ID | b03a2f93-53b0-d32b-9762-c36a9d45df90 |
| HA Enabled | false |
# ADIM 5 — Transit engine kur
```bash
# Policy dosyasını host'ta oluştur, container'a kopyala:
cat > /tmp/autounseal-policy.hcl << 'EOF'
path "transit/encrypt/autounseal" { capabilities = ["update"] }
path "transit/decrypt/autounseal" { capabilities = ["update"] }
EOF
docker cp /tmp/autounseal-policy.hcl \
$(docker ps -q -f name=iklimco_vault-transit):/tmp/
# Successfully copied 128B (transferred 2.05kB) to 61a136a1c04e:/tmp/
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault login ROOT_TOKEN'
```
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
(token -> root token)
| Key | Value |
| ----------------- | ---------------------------- |
| token | hvs.AReLHEa44pztSLBUqW2djdEv |
| token_accessor | 6w5ZKxbSSP3S5kz4D6luAmjv |
| token_duration | ∞ |
| token_renewable | false |
| token_policies | ["root"] |
| identity_policies | [] |
| policies | ["root"] |
```bash
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault secrets enable transit'
# Success! Enabled the transit secrets engine at: transit/
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault write -f transit/keys/autounseal'
```
| Key | Value |
| ---------------------- | ----------------- |
| allow_plaintext_backup | false |
| auto_rotate_period | 0s |
| deletion_allowed | false |
| derived | false |
| exportable | false |
| imported_key | false |
| keys | map[1:1779831017] |
| latest_version | 1 |
| min_available_version | 0 |
| min_decryption_version | 1 |
| min_encryption_version | 0 |
| name | autounseal |
| supports_decryption | true |
| supports_derivation | true |
| supports_encryption | true |
| supports_signing | false |
| type | aes256-gcm96 |
```bash
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault policy write autounseal /tmp/autounseal-policy.hcl'
# Success! Uploaded policy: autounseal
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault token create -policy=autounseal -period=768h -orphan'
```
(token -> auto unseal token)
| Key | Value |
| ----------------- | ----------------------------------------------------------------------------------------------- |
| token | hvs.CAESIFqiceeloWSqHszPL8OY9PCFKpNQsh6NXoBxw_Us0w7gGh4KHGh2cy5XWTBXekE1VUNQcGhmNlE4U1F1RVhWOFo |
| token_accessor | mRgwI0az8UZguETf5iqJWXhb |
| token_duration | 768h |
| token_renewable | true |
| token_policies | ["autounseal" "default"] |
| identity_policies | [] |
| policies | ["autounseal" "default"] |
# ADIM 6 — Secrets'ı gerçek değerlerle güncelle (manager node'a dön)
```bash
# 6a. Transit unseal key — sırayla: servis'ten çıkar, sil, gerçek değerle oluştur, ekle
docker service update --secret-rm vault_transit_unseal_key iklimco_vault-transit
# iklimco_vault-transit
# overall progress: 1 out of 1 tasks
# 1/1: running [==================================================>]
# verify: Service iklimco_vault-transit converged
docker secret rm vault_transit_unseal_key
# vault_transit_unseal_key
echo "UNSEAL_KEY_1" | docker secret create vault_transit_unseal_key -
docker service update --secret-add vault_transit_unseal_key iklimco_vault-transit
# iklimco_vault-transit
# overall progress: 1 out of 1 tasks
# 1/1: running [==================================================>]
# verify: Service iklimco_vault-transit converged
# 6b. Transit'in unsealed olduğunu doğrula (iklim-app-03'te)
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault status'
# Sealed: false olmalı. Eğer hâlâ sealed ise manuel unseal et:
docker exec $(docker ps -q -f name=iklimco_vault-transit) \
sh -c 'VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal UNSEAL_KEY_1'
# 6c. Autounseal token — ATOMIC SWAP (vault hiç token'sız restart olmaz)
# DIKKAT: --secret-rm ve --secret-add AYNI komutta verilmeli
echo "hvs.AUTOUNSEAL_TOKEN" | docker secret create transit_master_token_v2 -
docker service update \
--secret-rm transit_master_token \
--secret-add source=transit_master_token_v2,target=transit_master_token \
iklimco_vault
```
# ADIM 7 — Ana vault cluster'ı initialize et
```bash
# Transit açıldıktan ve vault node'ları stable olduktan sonra (~1-2 dk):
docker service ps iklimco_vault # vault.1'in hangi node'da olduğunu bul
# O node'a SSH'la, sonra:
docker exec $(docker ps -q -f name=iklimco_vault.1) vault operator init
# Recovery Keys ve Root Token'ı kaydet. Bitti.
```
Reference in New Issue View Git Blame Copy Permalink