DEV Community

Frederick Ollinger
Frederick Ollinger

Posted on • Edited on

Production Hashicorp Vault Minimal Configuration On CentOS 7

This is a hello world with Hashicorp Vault to get a production server working.

I had looked high and low for a way to configure the simplest possible production Vault server, and I was not able to find anything in which every step worked.

Assumptions

It is assumed that one has command line access to a CentOS Linux release 7.9.2009 (Core) or equivalent and Vault v1.8.2 (aca76f63357041a43b49f3e8c11d67358496959f) installed.

Ensure that your bash PATH variable includes /usr/local/bin.

Install Vault

wget https://releases.hashicorp.com/vault/1.8.2/vault_1.8.2_linux_amd64.zip
unzip vault_1.8.2_linux_amd64.zip
mv vault /usr/local/bin
Enter fullscreen mode Exit fullscreen mode

Install OpenSSL

The version of SSL that is in Centos 7 is too old.

# CentOS 7 has too old SSL, sigh.

yum -y update

# Install required packages
yum install -y make gcc perl-core pcre-devel wget zlib-devel

# Download the latest version of OpenSSL source code
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

# Configure, build and install OpenSSL
# Uncompress the source file
tar -xzvf openssl-1.1.1k.tar.gz

# Change to the OpenSSL directory
cd openssl-1.1.1k

# Configure the package for compilation
./config --prefix=/opt/ssl --openssldir=/opt/ssl/etc/ssl --libdir=lib no-shared zlib-dynamic

# Compile package
make -j4

# Install compiled package
sudo make install
Enter fullscreen mode Exit fullscreen mode

Make TLS Certificates

A production Vault server is going to use SSL.

IP=`hostname -I | cut -f1 -d" "`

sudo mkdir -p /opt/vault/{tls,data}
# alias openssl=/opt/ssl/bin/openssl

export LD_LIBRARY_PATH=/opt/ssl/lib:$LD_LIBRARY_PATH
cd /opt/vault/tls \
&& sudo rm -f tls.key tls.crt \
&& sudo -E /opt/ssl/bin/openssl req -out tls.crt -new -keyout tls.key -newkey rsa:4096 -nodes -sha256 -x509 -subj "/O=HashiCorp/CN=Vault" \
-addext "subjectAltName = IP:${IP},DNS:${IP}" -days 3650
Enter fullscreen mode Exit fullscreen mode

Configure Vault

Create a file called config.hcl and paste the following. Replace $IP with your IP address you get from "hostname -I".

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

api_addr = "http://$IP:8200"

storage "file" {
  path = "/opt/vault/data"
}

max_lease_ttl = "10h"
default_lease_ttl = "10h"
ui = true
Enter fullscreen mode Exit fullscreen mode

Run the Vault Server

The moment of truth. When we actually run our vault server. Note, you need to keep this console window open so have a second window for doing the rest of the commands.

sudo vault server -config=config.hcl
Enter fullscreen mode Exit fullscreen mode

Check Vault Status

First set some variables then check vault status. NOTE: for subsequent commands these bash variables need to be set:

IP=`hostname -I | cut -f1 -d" "`
export VAULT_ADDR=https://${IP}:8200
export VAULT_CACERT="/opt/vault/tls/tls.crt"
Enter fullscreen mode Exit fullscreen mode

The next command checks to see if vault is running, and you can connect to your local vault server.

vault status
Enter fullscreen mode Exit fullscreen mode

Unseal Vault and Login

vault operator init -key-shares=1 -key-threshold=1
Enter fullscreen mode Exit fullscreen mode

This will give you the unseal key. Take note of it.

vault operator unseal
Enter fullscreen mode Exit fullscreen mode

Now give your unseal key.

vault login
Enter fullscreen mode Exit fullscreen mode

Verify Persistent Storage

Ensure that our production server can actually store keys
between server restarts.

Enable secrets backend:

vault secrets enable -version=2 -path=kv2 kv
Enter fullscreen mode Exit fullscreen mode

Now add a secret:

vault kv put kv2/secret username=admin password=qwertyasdf
Enter fullscreen mode Exit fullscreen mode

Now list said secret:

vault kv get kv2/secret
Enter fullscreen mode Exit fullscreen mode

Shut down the server with CTRL-c on the terminal where we are running vault then
restart it.

Now go through unseal steps above.

Finally see if we can print our secret:

vault kv get kv2/secret
Enter fullscreen mode Exit fullscreen mode

Top comments (0)