ben
/
mgmt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mgmt/docs/vault/vault_setup_guide.md

252 lines
4.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Vault 部署和配置指南
本文档提供了在现有Consul集群节点上部署和配置HashiCorp Vault的详细步骤。
## 1. 前置准备
### 1.1 创建数据目录
在每个节点上创建Vault数据目录
```bash
sudo mkdir -p /opt/vault/data
sudo chown -R nomad:nomad /opt/vault
```
### 1.2 生成TLS证书生产环境必须
```bash
# 生成CA证书
vault operator generate-root -generate-only -type=tls > ca.cert
# 生成服务器证书
vault operator generate-server-cert > server.cert
```
## 2. 部署Vault集群
### 2.1 使用Nomad部署
将`vault-cluster.nomad`文件提交到Nomad
```bash
nomad job run vault-cluster.nomad
```
### 2.2 验证部署状态
```bash
# 检查Nomad任务状态
nomad job status vault-cluster
# 检查Vault服务状态
curl http://localhost:8200/v1/sys/health
```
## 3. 初始化和解封Vault
### 3.1 初始化Vault
在任一节点上执行:
```bash
# 初始化Vault生成解封密钥和根令牌
vault operator init -key-shares=5 -key-threshold=3
```
**重要提示:** 安全保存生成的解封密钥和根令牌!
### 3.2 解封Vault
在每个节点上执行解封操作需要至少3个解封密钥
```bash
# 解封Vault
vault operator unseal <解封密钥1>
vault operator unseal <解封密钥2>
vault operator unseal <解封密钥3>
```
## 4. 配置Vault
### 4.1 登录Vault
```bash
# 设置Vault地址
export VAULT_ADDR='http://127.0.0.1:8200'
# 使用根令牌登录
vault login <根令牌>
```
### 4.2 启用密钥引擎
```bash
# 启用KV v2密钥引擎
vault secrets enable -version=2 kv
# 启用AWS密钥引擎如需要
vault secrets enable aws
# 启用数据库密钥引擎(如需要)
vault secrets enable database
```
### 4.3 配置访问策略
```bash
# 创建策略文件
cat > nomad-server-policy.hcl <<EOF
path "kv/data/nomad/*" {
capabilities = ["read"]
}
EOF
# 创建策略
vault policy write nomad-server nomad-server-policy.hcl
# 创建令牌
vault token create -policy=nomad-server
```
## 5. 与Nomad集成
### 5.1 配置Nomad使用Vault
编辑Nomad配置文件`/etc/nomad.d/nomad.hcl`添加Vault配置
```hcl
vault {
enabled = true
address = "http://127.0.0.1:8200"
token = "<Nomad服务器的Vault令牌>"
}
```
### 5.2 重启Nomad服务
```bash
sudo systemctl restart nomad
```
## 6. 迁移现有密钥到Vault
### 6.1 存储API密钥
```bash
# 存储OCI API密钥
vault kv put kv/oci/api-key key="$(cat /root/mgmt/security/secrets/key.md)"
# 存储其他云服务商密钥
vault kv put kv/aws/credentials aws_access_key_id="<访问密钥ID>" aws_secret_access_key="<秘密访问密钥>"
```
### 6.2 配置密钥轮换策略
```bash
# 为数据库凭据配置自动轮换
vault write database/config/mysql \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(database.example.com:3306)/" \
allowed_roles="app-role" \
username="root" \
password="<数据库根密码>"
# 配置角色
vault write database/roles/app-role \
db_name=mysql \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
```
## 7. 安全最佳实践
### 7.1 启用审计日志
```bash
# 启用文件审计设备
vault audit enable file file_path=/var/log/vault/audit.log
```
### 7.2 配置自动解封(生产环境)
对于生产环境建议配置自动解封机制可以使用云KMS服务
```hcl
# AWS KMS自动解封配置示例
seal "awskms" {
region = "us-west-2"
kms_key_id = "<AWS KMS密钥ID>"
}
```
### 7.3 定期轮换根密钥
```bash
# 轮换根密钥
vault operator rotate
```
## 8. 故障排除
### 8.1 检查Vault状态
```bash
# 检查Vault状态
vault status
# 检查密封状态
vault status -format=json | jq '.sealed'
```
### 8.2 检查Consul存储
```bash
# 检查Consul中的Vault数据
consul kv get -recurse vault/
```
### 8.3 常见问题解决
- **Vault启动失败**:检查配置文件语法和权限
- **解封失败**:确保使用正确的解封密钥
- **API不可访问**:检查防火墙规则和监听地址配置
## 9. 备份和恢复
### 9.1 备份Vault数据
```bash
# 备份Consul中的Vault数据
consul snapshot save vault-backup.snap
```
### 9.2 恢复Vault数据
```bash
# 恢复Consul快照
consul snapshot restore vault-backup.snap
```
## 10. 日常维护
### 10.1 监控Vault状态
```bash
# 设置Prometheus监控
vault write sys/metrics/collector prometheus
```
### 10.2 查看审计日志
```bash
# 分析审计日志
cat /var/log/vault/audit.log | jq
```
### 10.3 定期更新Vault版本
```bash
# 更新Vault版本通过更新Nomad作业
nomad job run -detach vault-cluster.nomad
Reference in New Issue View Git Blame Copy Permalink