@erangaeb
Created November 12, 2022 09:41
run vault with filesystem backend
# build docker
docker build -t erangaeb/vault-filesystem:0.1 .
# run vault with filesystem backend
docker-compose up -d vault-filesystem
❯❯ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ece1977b1a31 erangaeb/vault-filesystem:0.1 "vault server -confi…" 4 seconds ago Up 2 seconds 0.0.0.0:8200->8200/tcp deployment-vault-filesystem-1
# connect to vault container
❯❯ docker exec -it deployment-vault-filesystem-1 /bin/sh
# get vault status; initially the vault is sealed (Sealed true)
❯❯ vault status
Key Value
--- -----
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.8.2
Storage Type file
HA Enabled false
# initialize vault cluster
# this generates 5 master key shares and a root token, which an HTTP client can use to authenticate
❯❯ vault operator init
Unseal Key 1: qFR9MGNL2R2zGpvnbGzmHwgU/VcIDB+aEVUsQRmNdIpY
Unseal Key 2: iuIdpBAC2NSPFZvHKEE5oH2wQ4aa9UlVmmrO/TlD+Ave
Unseal Key 3: vEp7kCxqqYswEbH5q06XKitRxOE5HaPf5RLt7D9nh1H6
Unseal Key 4: C+r6VFdTwjohC9IT/3iqipFQ7qRPWXrAAHiU+uQIsyf4
Unseal Key 5: njzrLIuMLrpBzGK2Vw/8yE7GRpxSVvYgmkygjg7Lyz7I
Initial Root Token: s.5VHXQu45QGKfpZhQ23wn0OiA
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
# unseal vault server; we need to supply 3 key shares to unseal the vault
# execute the vault operator unseal command three times, each time with a different key share
❯❯ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce 01aca092-73d4-a7fe-e5b7-b6e4a8a334ae
Version 1.8.2
Storage Type file
HA Enabled false
❯❯ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce 01aca092-73d4-a7fe-e5b7-b6e4a8a334ae
Version 1.8.2
Storage Type file
HA Enabled false
❯❯ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.8.2
Storage Type file
Cluster Name vault-cluster-d6b6353c
Cluster ID 02fbf360-959f-c4aa-603a-67d0b9cf1b75
HA Enabled false
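The unseal flow above is driven by two pieces of text: the share list that `vault operator init` prints and the `Unseal Progress n/t` row of `vault status`. The following is an added example, not part of this gist, that parses both formats (the sample inputs are constructed copies of the outputs shown above) so an operator can verify that all shares survived a copy-paste and see how many more unseal calls remain.

```python
import re

# Constructed sample: the init output from the session above, trimmed.
INIT_OUTPUT = """\
Unseal Key 1: qFR9MGNL2R2zGpvnbGzmHwgU/VcIDB+aEVUsQRmNdIpY
Unseal Key 2: iuIdpBAC2NSPFZvHKEE5oH2wQ4aa9UlVmmrO/TlD+Ave
Unseal Key 3: vEp7kCxqqYswEbH5q06XKitRxOE5HaPf5RLt7D9nh1H6
Unseal Key 4: C+r6VFdTwjohC9IT/3iqipFQ7qRPWXrAAHiU+uQIsyf4
Unseal Key 5: njzrLIuMLrpBzGK2Vw/8yE7GRpxSVvYgmkygjg7Lyz7I
Initial Root Token: s.5VHXQu45QGKfpZhQ23wn0OiA
Vault initialized with 5 key shares and a key threshold of 3.
"""

# Constructed sample: `vault status` after the first unseal share was given.
STATUS_OUTPUT = """\
Key             Value
---             -----
Seal Type       shamir
Sealed          true
Total Shares    5
Threshold       3
Unseal Progress 1/3
"""

def parse_init_output(text):
    """Return numbered shares, the root token and the share/threshold counts."""
    keys = re.findall(r"^Unseal Key (\d+): (\S+)$", text, re.M)
    token = re.search(r"^Initial Root Token: (\S+)$", text, re.M)
    counts = re.search(r"(\d+) key shares and a key threshold of (\d+)", text)
    if token is None or counts is None:
        raise ValueError("init output is incomplete")
    total, threshold = int(counts.group(1)), int(counts.group(2))
    shares = {int(n): k for n, k in keys}
    if len(shares) != total:  # a truncated copy would otherwise lose shares silently
        raise ValueError(f"expected {total} shares, found {len(shares)}")
    return {"shares": shares, "root_token": token.group(1),
            "total": total, "threshold": threshold}

def parse_status(text):
    """Turn the two-column `vault status` table into a dict of field -> value."""
    rows = (line.rpartition(" ") for line in text.splitlines()[2:])  # skip header
    return {key.strip(): value for key, _, value in rows if key}

def shares_still_needed(status):
    """Remaining `vault operator unseal` calls before Sealed turns false."""
    if status.get("Sealed") != "true":
        return 0
    given, needed = status["Unseal Progress"].split("/")
    return int(needed) - int(given)
```

Each parsed share should then go to a different custodian; keeping the whole dict in one place defeats the threshold the init message asks you to preserve.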
# login to vault with the root token (in this case s.5VHXQu45QGKfpZhQ23wn0OiA)
❯❯ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.5VHXQu45QGKfpZhQ23wn0OiA
token_accessor J9GzgkwtvoEanKIgQdshOTPp
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
# enable kv secret engine
❯❯ vault secrets enable kv
Success! Enabled the kv secrets engine at: kv/
# create new secret with a key of `ops` and value of `lambda` within the `kv/rahasak` path
❯❯ vault kv put kv/rahasak ops=lambda
Success! Data written to: kv/rahasak
# get secret from `kv/rahasak` path
❯❯ vault kv get kv/rahasak
=== Data ===
Key Value
--- -----
ops lambda
# write secret to `kv/bassa` with the HTTP API
# the HTTP API listens on port 8200
# I connected to the HTTP API from the host machine
# 192.168.64.75 is my docker host address
❯❯ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \
-H "Content-Type: application/json" \
-X POST \
-d '{ "data": { "ops": "koko" } }' \
http://192.168.64.75:8200/v1/kv/bassa
# get secret from `kv/bassa` with the HTTP API
❯❯ curl \
-H "X-Vault-Token: s.5VHXQu45QGKfpZhQ23wn0OiA" \
-H "Content-Type: application/json" \
-X GET \
http://192.168.64.75:8200/v1/kv/bassa
# output
{
"request_id": "a46975eb-07f4-85ee-1d38-460002ecde8a",
"lease_id": "",
"renewable": false,
"lease_duration": 2764800,
"data": {
"data": {
"ops": "koko"
}
},
"wrap_info": null,
"warnings": null,
"auth": null
}