Skip to content

BOSH release for running Hashicorp's Vault for secure credentials storage

License

Notifications You must be signed in to change notification settings

chrisburrus/vault-boshrelease

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Vault - Secure Credentials Storage

This BOSH release packages the excellent Vault software from Hashicorp, so that you can run your own secure credentials storage vault on your BOSH infrastructure, today!

Getting Started on BOSH-lite

Before you can start spinning a vault, you will need to upload the BOSH release to your director:

bosh target https://192.168.50.4:25555
bosh upload release https://bosh.io/d/github.com/cloudfoundry-community/vault-boshrelease

You can create a small, working manifest file from this git repository:

git clone https://github.com/cloudfoundry-community/vault-boshrelease
cd vault-boshrelease
./templates/make_manifest warden
bosh -n deploy

Vault should be up and running at http://10.244.8.3:8200, but it still needs some manual setup, due to security precautions.

First, you need to initialize the vault:

export VAULT_ADDR=http://10.244.8.3:8200
vault init

This generates a root encryption key for encrypting all of the secrets. At this point, the vault is sealed, and you will need to unseal it three times, each time with a different key:

vault unseal
vault unseal
vault unseal

Once unsealed, your vault should be ready for authentication with your initial root token:

vault auth

Now, you can put secrets in the vault, and read them back out:

vault write secret/handshake knock=knock
vault read secret/handshake

You may want to look at safe, an alternative command-line utility for Vault that provides higher-level abstractions like tree-based listing, secret generation, secure terminal password entry, etc.

High Availability Concerns

If you put important things in your Vault, you want it to be available, so you can get those important things back out again.

Enter High Availability.

The easiest way to do high availability is to run 3 or more nodes, and use the Consul backend. To do that, you're going to need to load the Consul BOSH release from the Cloud Foundry Community:

bosh upload release https://bosh.io/d/github.com/cloudfoundry-community/consul-boshrelease

(Having, of course, targeted your BOSH director first. You did target your BOSH director first, right?)

Then, just add the consul-y bits to your deployment manifest. Here's a barebones (working) example to get you started:

---
name: ha-vault

jobs:
- name: vault
  instances: 3
  resource_pool: vault
  persistent_disk: 4096
  networks:
    - name: vault
      static_ips: &ips
        - 10.244.8.2
        - 10.244.8.3
        - 10.244.8.4

  templates:
    - { release: vault,  name: vault  }
    - { release: consul, name: consul }

  properties:
    consul:
      join_hosts: *ips

    vault:
      backend:
        use_consul: true

About

BOSH release for running Hashicorp's Vault for secure credentials storage

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Shell 87.9%
  • HTML 10.1%
  • Ruby 2.0%