Vault deployment

This section provides an example deployment of Vault if you do not already have one running. If you do, you can skip to Deploying the APM plugin.

Configuration

Create a basic configuration file for HashiCorp Vault named config.hcl in the current directory:

api_addr = "https://127.0.0.1:8200"

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/vault/certs/cert.pem"
  tls_key_file  = "/vault/certs/key.pem"
}

plugin_directory = "/vault/plugins"

storage "file" {
  path = "/vault/data"
}

TLS certificates

To support TLS, generate a self-signed certificate and key for use with the above configuration:

$ mkdir -p certs
$ openssl req -x509 -nodes -newkey rsa:2048 \
    -keyout certs/key.pem \
    -out certs/cert.pem \
    -days 365 \
    -subj "/CN=localhost" \
    -addext "subjectAltName = DNS:localhost,IP:127.0.0.1,IP:192.168.122.1"
$ chmod 0640 certs/key.pem
$ sudo chgrp 1000 certs/key.pem

The use of a self-signed certificate here is for demonstration purposes only. For production deployments, it is recommended to use certificates signed by a trusted CA.

Data directory

Create a data directory with suitable permissions for the Vault data files:

$ mkdir -p data
$ sudo chown 100:1000 data
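
Before starting the container, it is worth confirming that the files prepared above match what config.hcl expects. The following POSIX shell pre-flight check is an added example and is not part of the Anjuna or Vault documentation. It assumes it is run from the directory holding config.hcl and certs/ (host paths, while config.hcl names the paths inside the container) and that openssl is on PATH. It verifies that the listener keeps TLS enabled, that key.pem is not world-readable, and that the certificate's subjectAltName covers the host named in api_addr.

```sh
#!/bin/sh
# Pre-flight checks for the Vault deployment prepared above (added example).
# Assumes: run from the directory holding config.hcl and certs/, openssl on PATH.

# Host part of api_addr, e.g. https://127.0.0.1:8200 -> 127.0.0.1
api_host() {
  sed -n 's/^[[:space:]]*api_addr[[:space:]]*=[[:space:]]*"[a-z]*:\/\/\([^:/"]*\).*/\1/p' "$1"
}

# The listener must point at a cert/key pair and must not set tls_disable.
check_config_tls() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "FAIL: $cfg missing"; return 1; }
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*("?true"?|1)' "$cfg"; then
    echo "FAIL: $cfg disables TLS on a listener"; return 1
  fi
  grep -Eq '^[[:space:]]*tls_cert_file[[:space:]]*=' "$cfg" && \
  grep -Eq '^[[:space:]]*tls_key_file[[:space:]]*=' "$cfg" || {
    echo "FAIL: $cfg has no tls_cert_file/tls_key_file"; return 1; }
  echo "ok: $cfg configures a TLS listener"
}

# The private key must not be world-readable; 0640 lets the container's
# group (gid 1000, set with chgrp above) read it while keeping others out.
check_key_perms() {
  key="$1"
  [ -f "$key" ] || { echo "FAIL: $key missing"; return 1; }
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    640|600|400|440) echo "ok: $key mode $mode"; return 0 ;;
    *) echo "FAIL: $key mode $mode (expected 0640 or stricter)"; return 1 ;;
  esac
}

# The certificate's SAN list must include the host clients will connect to,
# otherwise VAULT_CACERT verification fails even with the right CA.
check_cert_san() {
  cert="$1"; host="$2"
  [ -f "$cert" ] || { echo "FAIL: $cert missing"; return 1; }
  san=",$(openssl x509 -in "$cert" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '),"
  case "$san" in
    *",DNS:$host,"*|*",IPAddress:$host,"*) echo "ok: $cert SAN covers $host"; return 0 ;;
    *) echo "FAIL: $cert SAN ($san) does not cover $host"; return 1 ;;
  esac
}

# Run every check against a deployment directory; non-zero if any failed.
preflight() {
  dir="${1:-.}"
  cfg="$dir/config.hcl"
  rc=0
  check_config_tls "$cfg" || rc=1
  check_key_perms "$dir/certs/key.pem" || rc=1
  check_cert_san "$dir/certs/cert.pem" "$(api_host "$cfg")" || rc=1
  return $rc
}

# Usage: sh preflight.sh .   (no argument: only define the functions)
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run it as `sh preflight.sh .` from the deployment directory; a non-zero exit means at least one check printed a FAIL line. The ownership of data/ (100:1000) is not checked here because it needs root to set up, but stat -c '%u:%g' data would show it.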

Starting Vault

Vault can now be started through Docker using the following command:

$ docker run -d \
    --name apm \
    --cap-add=IPC_LOCK \
    -p "8200:8200" \
    -v "${PWD}"/config.hcl:/vault/config/config.hcl:ro \
    -v "${PWD}"/bin/anjuna-policy-manager-plugin:/vault/plugins/anjuna-policy-manager-plugin:ro \
    -v "${PWD}"/certs:/vault/certs:ro \
    -v "${PWD}"/data:/vault/data \
    hashicorp/vault:1.21.1 \
    server

The Vault and APM plugin logs can be accessed using the following command:

$ docker logs apm

Initializing Vault

On first use, Vault must be initialized:

$ export VAULT_CACERT=/vault/certs/cert.pem
$ docker exec -e VAULT_CACERT apm vault operator init -key-shares=1 -key-threshold=1

Vault will now report its unseal key and root token. First, save the root token:

$ export VAULT_TOKEN=<root token>

Then, save the unseal key. You will need it to unseal the Vault server now and every time it is restarted:

$ docker exec -e VAULT_TOKEN -e VAULT_CACERT apm vault operator unseal <unseal key>

Vault is now ready for use.

Managing the Vault container

To stop the APM container, use the following command:

$ docker stop apm

To destroy the APM container, use the following command:

$ docker rm apm