• Stars
    star
    164
  • Rank 230,032 (Top 5 %)
  • Language
    Shell
  • Created almost 8 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

docker compose for consul and vault official images

cault

Consul and Vault are started together in two separate, but linked, docker containers.

Vault is configured to use a consul secret backend.


Start Consul and Vault

docker-compose up -d

Getting Vault Ready

Login to the Vault image:

docker exec -it cault_vault_1 sh

Check Vault's status:

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         true

Because Vault is not yet initialized (Initialized false), it is sealed (Sealed true), that's why Consul will show you a sealed critial status:

Init Vault

$ vault operator init
Unseal Key 1: dW2PXpPdjWZvXCUvE/GWxJ+CdeEp6SziEKh6xNYRpB8k
Unseal Key 2: 5K52IOOU+rZf+6Aj7PBOTclnL80Ftb1Wta1GbrJDWX8f
Unseal Key 3: ykK/Q5Il7OOp/qKTdT75U1q6EDzMo2LkM0KRWv7I11Lb
Unseal Key 4: /1EVEn1UDG4LbqI2h5MQPWRI1wpCbirELJyVBo+D2QR1
Unseal Key 5: H47Vch2d0AxuA43kxOlW+MzC/YtjoGU8wCoZLDmRg29r

Initial Root Token: s.1ee2zxWvX43sAwjlcDaSGGSC

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

notice Vault says:

you must provide at least 3 of these keys to unseal it again

hence it needs to be unsealed 3 times with 3 different keys (out of the 5 above)

Unsealing Vault

$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
...
Sealed             true
Unseal Progress    1/3

$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
...
Sealed             true
Unseal Progress    2/3

$ vault operator unseal
Unseal Key (will be hidden):
Key                    Value
---                    -----
...
Initialized            true
Sealed                 false
...
Active Node Address    <none>

the Vault is now unsealed:

Auth with Vault

We can use the Initial Root Token from above to auth with the Vault:

$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.1ee2zxWvX43sAwjlcDaSGGSC
token_accessor       shMBI822edbRUYTo8mW54mdB
token_duration       โˆž
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

All done: now you have both Consul and Vault running side by side.

Making sure it actually works

From the host environment (i.e. outside of the docker image):

alias vault='docker exec -it cault_vault_1 vault "$@"'

This will allow to run vault commands without a need to login to the image.

the reason commands will work is because you just auth'ed (logged into Vault) with a root token inside the image in the previous step.

Watch Consul logs

In one terminal tail Consul logs:

$ docker logs cault_consul_1 -f

Writing / Reading Secrets

In the other terminal run vault commands:

$ vault write -address=http://127.0.0.1:8200 cubbyhole/billion-dollars value=behind-super-secret-password
Success! Data written to: cubbyhole/billion-dollars

Check the Consul log, you should see something like:

2016/12/28 06:52:09 [DEBUG] http: Request PUT /v1/kv/vault/logical/a77e1d7f-a404-3439-29dc-34a34dfbfcd2/billion-dollars (199.657ยตs) from=172.28.0.3:50260

Let's read it back:

$ vault read cubbyhole/billion-dollars
Key             	Value
---             	-----
value           	behind-super-secret-password

And it is in fact in Consul:

and in Vault:

(this is from Vault's own UI that is enabled in this image)

Response Wrapping

NOTE: for these examples to work you would need jq (i.e. to parse JSON responses from Vault).

brew install jq or apt-get install jq or similar

System backend

Running with a System Secret Backend.

Export Vault env vars for the local scripts to work:

$ export VAULT_ADDR=http://127.0.0.1:8200
$ export VAULT_TOKEN=s.1ee2zxWvX43sAwjlcDaSGGSC  ### root token you remembered from initializing Vault

At the root of cault project there is creds.json file (you can create your own of course):

$ cat creds.json

{"username": "ceo",
 "password": "behind-super-secret-password"}

We can write it to a "one time place" in Vault. This one time place will be accessible by a "one time token" Vault will return from a /sys/wrapping/wrap endpoint:

$ token=`./tools/vault/wrap-token.sh creds.json`

$ echo $token
s.sMFwpg8DBYh0NXbXqjLJTNKN

You can checkout wrap-token.sh script, it uses /sys/wrapping/wrap Vault's endpoint to secretly persist creds.json and return a token for it that will be valid for 60 seconds.

Now let's use this token to unwrap the secret:

$ ./tools/vault/unwrap-token.sh $token

{"password": "behind-super-secret-password",
 "username": "ceo" }

You can checkout unwrap-token.sh script, it uses /sys/wrapping/unwrap Vault's endpoint

Let's try to use the same token again:

$ ./tools/vault/unwrap-token.sh $token
["wrapping token is not valid or does not exist"]

i.e. Vault takes one time pretty seriously.

Cubbyhole backend

Running with a Cubbyhole Secret Backend.

Export Vault env vars for the local scripts to work:

$ export VAULT_ADDR=http://127.0.0.1:8200
$ export VAULT_TOKEN=s.1ee2zxWvX43sAwjlcDaSGGSC  ### root token you remembered from initializing Vault

Create a cubbyhole for the billion-dollars secret, and wrap it in a one time use token:

$ token=`./tools/vault/cubbyhole-wrap-token.sh /cubbyhole/billion-dollars`

let's look at it:

$ echo $token
s.T3GT2dGb8bUuJtSEenxnZick

looks like any other token, but it is in fact a one time use token, only for this cobbyhole.

Let's use it:

$ curl -s -H "X-Vault-Token: $token" -X GET $VAULT_ADDR/v1/cubbyhole/response
{
  "request_id": "f0cf41a6-d971-69be-4eee-c7137376a755",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "response": "{\"request_id\":\"083429a1-2956-39f0-a402-628b6e346ac0\",\"lease_id\":\"\",\"renewable\":false,\"lease_duration\":0,\"data\":{\"value\":\"behind-super-secret-password\"},\"wrap_info\":null,\"warnings\":null,\"auth\":null}"
  },
  "wrap_info": null,
  "warnings": [
    "Reading from 'cubbyhole/response' is deprecated. Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks and other benefits."
  ],
  "auth": null
}

(notice: that "cubbyhole/response" is deprecated, use the system backend instead. example is in the section above)

Let's try to use it again:

$ curl -s -H "X-Vault-Token: $token" -X GET $VAULT_ADDR/v1/cubbyhole/response
{"errors":["permission denied"]}

Vault takes one time pretty seriously.

Troubleshooting

Bad Image Caches

In case there are some stale / stopped cached images, you might get connection exceptions:

failed to check for initialization: Get v1/kv/vault/core/keyring: dial tcp i/o timeout
reconcile unable to talk with Consul backend: error=service registration failed: /v1/agent/service/register

you can purge stopped images to solve that:

docker rm $(docker ps -a -q)

License

Copyright ยฉ 2022 tolitius

Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.

More Repositories

1

mount

managing Clojure and ClojureScript app state since (reset)
Clojure
1,226
star
2

cprop

likes properties, environments, configs, profiles..
Clojure
352
star
3

jemma

jemma & her ai agents that build software
Python
93
star
4

calip

calip(er): all functions deserve to be measured and debugged at runtime
Clojure
78
star
5

hface

look your Hazelcast cluster in the face!
JavaScript
74
star
6

chazel

Hazelcast bells and whistles under the Clojure belt
Clojure
72
star
7

boot-check

check, analyze and inspect Clojure/Script code
Clojure
70
star
8

envoy

a gentle touch of Clojure to Hashicorp's Consul
Clojure
69
star
9

xml-in

your friendly XML navigator
Clojure
62
star
10

yurt

high quality mounted real (e)states
Clojure
54
star
11

towel

"a towel is about the most massively useful thing an interstellar AI hitchhiker can have"
Python
46
star
12

highlander

soft landing for high speed data
Clojure
45
star
13

lasync

making executor service tougher
Clojure
43
star
14

verter

curator of the institute of time
Clojure
42
star
15

yang

the yang of Clojure's yin
Clojure
36
star
16

bb8

a command line interface to Stellar networks
Go
36
star
17

stater

collection of Clojure/Script mount apps
CSS
30
star
18

mount-up

watching mount's ups and downs
Clojure
26
star
19

multim

oh.. these tasty guava multi maps
Clojure
25
star
20

cbass

adding "simple" to HBase
Clojure
24
star
21

tag

tagging apps with immutable intel
Clojure
24
star
22

mongodb-write-performance-playground

Playing with MongoDB Write Performance
Java
24
star
23

zlink

making conversation between languages
Java
23
star
24

mxterm

explore apache mxnet from the terminal / REPL
Clojure
20
star
25

hubble

hubbling the universe nebula by nebula
CSS
19
star
26

inquery

vanilla SQL with params for Clojure/Script
Clojure
17
star
27

money-making-project

A project based on Spring and Hibernate that makes money
Java
17
star
28

grete

kafka client with threads and a scheduler
Clojure
16
star
29

www

lein template(s): clojurescript, om, compojure, ring, etc.
Clojure
15
star
30

obiwan

redis/search clojure client based on jedis
Clojure
14
star
31

gridy-batch

Spring Batch partitioning over GridGain nodes using Java and ScalaR. Also partitioning over Hazelcast via Distributed Executor tasks. Presenting it at Spring ONE 2Gx 2010. #reference-demo-app
Java
9
star
32

on-demand-scheduler

Collection of Schedulable Tasks that can be scheduled on demand ( based on Spring Framework )
Java
7
star
33

psql-vault

PostgreSQL docker image with creds from Vault
Shell
7
star
34

cassandra-bombardier

A Python bombardier based on Pycassa used to benchmark Cassandra Write Performance
Python
6
star
35

entail

grep and tail for nomad logs
Shell
6
star
36

funoop

clojure "enterprisy" ways
HTML
6
star
37

attache

Consul API <-> Go maps
Go
6
star
38

colalamo

direct api via copilot to its large language models
Python
6
star
39

akka-pi-on-gradle

"Scala + Akka + Gradle" Startkit
Scala
5
star
40

making-sense-dependency-injection-test-execution-listener

Test Listener for Spring JUnit / Spock to access beans in @BeforeClass
Java
4
star
41

wracer

alt! racing web with core.async/clojurescript
Clojure
4
star
42

git-cheat-sheet

my git notes to have them all in one place
4
star
43

miner

tracing steps of an evil bitcoin miner
Clojure
4
star
44

gblog

docker compose: ghost + postgres + nginx w/ vault creds
JavaScript
4
star
45

scalagist

a pair of "simplify me" glasses for Scala code
Clojure
4
star
46

redclaw

redis clojure client based on redisson
Clojure
3
star
47

whoami

learning Tensorfow, OpenCV, Google Cloud Vision API
Go
3
star
48

auqlue

42 for all your presentations
SCSS
3
star
49

monr

"anything" rate monitor
Clojure
3
star
50

market-watch

ร˜MQ & AKKA: Market feed consumption simulation
Scala
3
star
51

quacker

playing with twitter like grails app
2
star
52

barcoda

web app that can scan barcodes [with browser and mobile love]
Clojure
2
star
53

learn-myself-some-erlang

collection of gists as I walk the erlang path..
Erlang
2
star
54

zmqure

clojure zmq server
Clojure
2
star
55

repp

scanning barcodes, OCRing, OCDing..
Shell
2
star
56

libriot

buy a book, lent a book, and... remember where it is
JavaScript
1
star
57

khadi

crud'ing your DNS records from command line
Shell
1
star
58

grails-mincriteria

DSL for expressing, applying and validating domain minimum criteria
Groovy
1
star
59

raffer

raffle that twitter
Clojure
1
star
60

scalarm

a simple alarm that does not block, does not need a task, does not produce anything but the alarm itself
Scala
1
star
61

jna-posix-sleeper

Snooze Like a Real Geek!
Java
1
star
62

venona

"Venona Project" and more...
Clojure
1
star
63

jerl

making Java and Erlang friends that have a lot to talk about
Java
1
star
64

wrap

it's a wrap. wrap before, after, around
Clojure
1
star
65

maven-template-pom

Maven is just too complex (yes, it is), but many clients still prefer it to Gradle.. keeping this POM for a quick copy paste to start a new project
1
star