
HA Vault In Prod

Installation

Follow https://learn.hashicorp.com/vault/day-one/ops-vault-ha-consul

Token: https://learn.hashicorp.com/vault/day-one/ops-deployment-guide#step-4-configure-consul

Consul

Servers/IPs to use for deployment

["vconsul_s1", "vconsul_s2", "vconsul_s3", "vault_s1", "vault_s2"]
servers_ip = [
  "xx.yy.65.148",
  "xx.yy.65.133",
  "xx.yy.65.182",

  "xx.yy.65.175",
  "xx.yy.65.166",
]

Docker Consul image Used: "consul:1.5.3"
Consul conf help: https://www.consul.io/docs/agent/options.html#enable_central_service_config

# Directories for the persistent Consul data and the agent configuration
mkdir -p /var/opt/data/flat/consul
mkdir -p /opt/application/consul/config

# Write the agent configuration (the consul.json shown below)
vim /opt/application/consul/config/consul.json

# Install docker-compose and fetch the pinned Consul image
apt install -y  docker-compose
docker pull consul:1.5.3

# Write the compose file, start the agent, then follow its logs
vim docker-compose.yml
docker-compose up -d
docker-compose logs -f

docker-compose.yml
# Consul agent (server or client, depending on the mounted consul.json) run with docker-compose.
version: '2.2'
services:
  consul:
    image: "consul:1.5.3"
    restart: unless-stopped
    container_name: consul
    # Host networking: the agent binds directly on the host's interfaces, so with
    # client_addr 0.0.0.0 in consul.json the HTTP API is reachable on every host address.
    network_mode: "host"
    volumes:
      # /consul/config holds consul.json, which embeds the agent ACL token;
      # keep the host directory readable by root only.
      - /opt/application/consul/config:/consul/config
      - /var/opt/data/flat/consul:/consul/data
    # With network_mode "host" Docker discards published ports, so these entries
    # are documentation only (8500 HTTP API, 8300 server RPC, 8301 LAN gossip).
    ports:
      - "8500:8500"
      - "8300:8300"
      - "8301:8301"
    command: "agent -config-file /consul/config/consul.json"

consul.json on master nodes

{
  "server": true,
  "node_name": "vconsul_s3",
  "datacenter": "dc1",
  "data_dir": "/consul/data",
  "bind_addr": "0.0.0.0",
  "client_addr": "0.0.0.0",
  "advertise_addr": "xx.yy.65.182",
  "bootstrap_expect": 3,
  "retry_join": ["xx.yy.65.148", "xx.yy.65.133", "xx.yy.65.182"],
  "ui": true,
  "disable_remote_exec": true,
  "leave_on_terminate": false,
  "skip_leave_on_interrupt": true,
  "rejoin_after_leave": true,
  "log_level": "DEBUG",
  "primary_datacenter": "dc1",
  "acl":{
          "enabled": true,
          "default_policy": "deny",
          "down_policy": "extend-cache",
          "enable_token_persistence": true,
          "tokens": {
             "agent": "16beeb3b-6402-8800-f24a-ff94c30516f7"
          }
  }
}

Vault

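# Vault server node: the config lives in /root/vault/config on the host and is
# bind-mounted into the container at /vault/config (see the compose file below).
mkdir -p /root/vault/config
# Absolute path: the original "cd vault" only worked when the cwd was /root.
cd /root/vault || exit 1

# Quoted delimiter: the JSON is written literally, nothing is expanded by the shell.
# NOTE(review): this file embeds the Consul ACL token used by the storage backend;
# it must stay readable only by the Vault runtime user (see the chown below).
# No "scheme" is set for the consul storage, so Vault talks plain HTTP to the
# address given — fine only while that address is the local agent.
cat > config/vault.json <<'EOF'
{
  "storage": {
    "consul": {
      "path": "vault/",
      "address": "xx.yy.65.175:8500",
      "token": "8704a4e4-3711-502a-e49c-292891aaba62"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": 0,
      "tls_cert_file": "/vault/config/cert.crt",
      "tls_key_file": "/vault/config/cert.key",
      "tls_disable_client_certs": false
    }
  },
  "ui": true,
  "disable_mlock": true
}
EOF

# Hand the config (token, and later cert.crt/cert.key) to the uid the container runs as.
chown 105001:105001 -R /root/vault

docker pull vault:1.2.0
# Host port 80 is mapped to the TLS listener on 8200: clients must speak HTTPS
# to port 80 (https://<host>:80), which is easy to get wrong.
# IPC_LOCK is granted here, so "disable_mlock": true in vault.json could be
# switched to false to stop Vault memory from being swapped to disk.
cat > docker-compose.yml <<'EOF'
---
version: '2'
services:
  vault:
    image: vault:1.2.0
    container_name: vault
    ports:
      - "80:8200"
    restart: unless-stopped
    volumes:
      - ./config:/vault/config:z
    cap_add:
      - IPC_LOCK
EOF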

Consul agent conf (Vault nodes)

{
  "server": false,
  "node_name": "vault_s2",
  "datacenter": "dc1",
  "data_dir": "/consul/data",
  "bind_addr": "0.0.0.0",
  "client_addr": "0.0.0.0",
  "advertise_addr": "xx.yy.65.166",
  "retry_join": ["xx.yy.65.148", "xx.yy.65.133", "xx.yy.65.182"],
  "ui": false,
  "disable_remote_exec": true,
  "leave_on_terminate": false,
  "skip_leave_on_interrupt": true,
  "rejoin_after_leave": true,
  "log_level": "DEBUG",
  "primary_datacenter": "dc1",
  "acl":{
          "enabled": true,
          "default_policy": "deny",
          "down_policy": "extend-cache",
          "enable_token_persistence": true,
          "tokens": {
             "agent": "16beeb3b-6402-8800-f24a-ff94c30516f7"
          }
  }
}

Certificate on Master node

"xx.yy.65.175",
"xx.yy.65.166",

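# Self-signed server certificate for the Vault TLS listener (cert.crt / cert.key
# are the files referenced by vault.json). Two fixes over the bare "-x509" form:
#  - subjectAltName: Vault's Go TLS client matches an IP address only against IP
#    SANs, never the CN, so without it every client needs -tls-skip-verify.
#    Both Vault node IPs are listed. (-addext needs OpenSSL 1.1.1+.)
#  - -days: "openssl req -x509" defaults to 30 days of validity; 365 is a
#    constructed sample value, choose your own rotation period.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -keyout cert.key -out cert.crt \
  -subj "/C=FR/ST=France/L=Paris/O=enoks/CN=xx.yy.65.166/emailAddress=toto@gmail.com" \
  -addext "subjectAltName=IP:xx.yy.65.175,IP:xx.yy.65.166"

# Verify against the self-signed cert instead of disabling verification
# (cert.crt lives in /root/vault/config on the host, mounted at /vault/config).
# NOTE(review): cert.key must stay readable only by the Vault runtime user.
vault status -ca-cert=/root/vault/config/cert.crt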

Bootstrap Token

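export CONSUL_ADDR="http://127.0.0.1:8500"
# One-shot call: bootstraps the ACL system and returns the global-management
# token (the "SecretID" in the response). Store it securely and use it only for
# the ACL setup below; day-to-day commands should get their own, narrower token.
# The expansion is quoted (SC2086).
curl --request PUT "${CONSUL_ADDR}/v1/acl/bootstrap"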
{"ID":"2d7bbc52-f18c-2939-dba9-xx.yy","AccessorID":"1a5f45ab-7c03-bfcc-a046-xyxydyd","SecretID":"2d7bbc52-f18c-2939-dba9-xx.yy","Description":"Bootstrap Token (Global Management)","Policies":[{"ID":"00000000-0000-0000-0000-000000000001","Name":"global-management"}],"Local":false,"CreateTime":"2019-12-02T13:00:33.24212366Z","Hash":"oyrov6+GFLjo/KZAfqgxF/X4J/3LX043xxyxyxyBy9V22I0=","CreateIndex":413,"ModifyIndex":413}/ #


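## agent token
# Bootstrap (global-management) token, read by the curl calls below.
export CONSUL_TOKEN="2d7bbc52-f18c-2939-dba9-xx.yy"
# The JSON payload must be one literal string: the original continued it with
# backslash-newline inside single quotes, which sent the backslashes to Consul
# ("\}" is not valid JSON), and had an unbalanced closing quote on the URL.
# /v1/acl/create is the legacy ACL API (see the acl-legacy link below); the
# rules are legacy prefix rules: node "" = every node (write), service "" = every service (read).
curl --request PUT \
  --header "X-Consul-Token: ${CONSUL_TOKEN}" \
  --data '{
    "Name": "Agent Token",
    "Type": "client",
    "Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
  }' \
  "${CONSUL_ADDR}/v1/acl/create"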

        // then created via the UI instead


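# https://www.consul.io/docs/acl/acl-legacy.html#bootstrapping-acls
# Creates the agent token through the legacy ACL API. The bootstrap
# (global-management) token comes from CONSUL_TOKEN (set above) instead of being
# pasted on the command line; ":?" aborts if it is unset.
# Legacy prefix rules: node "" = every node (write), service "" = every service (read).
  curl \
    --request PUT \
    --header "X-Consul-Token: ${CONSUL_TOKEN:?bootstrap token not set}" \
    --data \
'{
  "Name": "Agent Token",
  "Type": "client",
  "Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
}' "${CONSUL_ADDR:-http://127.0.0.1:8500}/v1/acl/create"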

16beeb3b-6402-8800-f24a-ff94c30516f7



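# list nodes / services / agent info
# The management token is taken from the environment (CONSUL_HTTP_TOKEN, read by
# the consul CLI) rather than passed with -token=, which would land in ps output
# and shell history. CONSUL_TOKEN is the bootstrap token exported above.
export CONSUL_HTTP_TOKEN="${CONSUL_TOKEN:?bootstrap token not set}"

consul catalog nodes

consul catalog services

consul info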

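# token for Vault's Consul storage backend (legacy /v1/acl/create API)
# the returned "ID":"8704a4e4-3711-502a-e49c-292891aaba62" is the value used as
# storage.consul.token in vault.json
# The bootstrap token comes from CONSUL_TOKEN (set above); ":?" aborts if unset.
# Legacy prefix rules: write on every node, on the "vault" service (prefix),
# on every agent, on the "vault" key prefix and on every session.
  curl \
    --request PUT \
    --header "X-Consul-Token: ${CONSUL_TOKEN:?bootstrap token not set}" \
    --data \
'{
  "Name": "Vault Token",
  "Type": "client",
  "Rules": "node \"\" { policy = \"write\" } service \"vault\" { policy = \"write\" } agent \"\" { policy = \"write\" } key \"vault\" { policy = \"write\" } session \"\" { policy = \"write\"}"
}' "${CONSUL_ADDR:-http://127.0.0.1:8500}/v1/acl/create"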

Encrypt Consul Communication

Secure Gossip Communication with Encryption:
https://learn.hashicorp.com/consul/security-networking/agent-encryption#enable-gossip-encryption-existing-cluster

## generate the gossip encryption key inside the running consul container
docker exec -it consul consul keygen
## then paste it into the agent config as "encrypt" (see the fragment below)
vim /opt/application/consul/config/consul.json
wDq7d1G7Mtt3QOhdXti/9A==

## To add to the config
  "encrypt": "wDq7d1G7Mtt3xxyOhdXti/9A==",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false  //set this one to true first

## disable remote exec
"disable_remote_exec": true,

  "ca_file": "/etc/consul/ssl/ca_cert.pem",
  "cert_file": "/etc/consul/ssl/client.pem",
  "key_file": "/etc/consul/ssl/client.key",