Installing goldfish

First install Vault; refer to
https://hub.docker.com/_/vault/

Note: do not install the dev version, otherwise the goldfish-related initialization later on will fail.

docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable":"1"}},"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h" , "ui":"true"}'  -p 8200:8200 vault server

After Vault has started, open http://ip:8200 in a browser to initialize it and obtain the root token and unseal key.

Initial Root Token
ff2c6a8f-1014-cc9b-d842-54739ca305c4
Key 1
+QFq6wANH73JPcbub5T8Y7AZbib0uMMXBtV0YbmCG2M=

Complete the Vault unseal operation in the UI.

Prepare the goldfish.hcl file and cp it into the Vault docker container.
Where to get goldfish.hcl: https://github.com/Caiyeon/goldfish/tree/master/vagrant/policies
Enter the Vault docker container and log in to the backend with the root token.


export VAULT_ADDR='http://127.0.0.1:8200'
vault login

vault auth enable approle

vault policy write goldfish /home/goldfish.hcl
vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0

vault write auth/approle/role/goldfish/role-id role_id=goldfish
vault write secret/goldfish DefaultSecretPath="secret/" UserTransitKey="usertransit" BulletinPath="secret/bulletins/"

Installing goldfish
Reference:
https://github.com/Caiyeon/goldfish/tree/master/docker

Download config.hcl, save it to the current directory, and run:

docker pull elijahwright/goldfish
export GOLDFISH_CONFIG=$(cat config.hcl)
export GOLDFISH_PORT=8001
docker run -it -p ${GOLDFISH_PORT}:${GOLDFISH_PORT} \
    -e GOLDFISH_PORT=${GOLDFISH_PORT} \
    -e GOLDFISH_TOKEN=${GOLDFISH_TOKEN} \
    -v /home/goldfish/config.hcl:/app/docker.hcl \
    elijahwright/goldfish

Log in to the Vault backend and run:

vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id

Obtain the wrapping_token:


/ # vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
Key                              Value
---                              -----
wrapping_token:                  b8e18e57-32f0-562c-c13c-393cf651d890
wrapping_accessor:               ae73f2ed-a538-ca2a-495f-4a1a04183ddb
wrapping_token_ttl:              5m
wrapping_token_creation_time:    2018-09-06 01:49:30.267217574 +0000 UTC
wrapping_token_creation_path:    auth/approle/role/goldfish/secret-id

Open http://ip:8001 in a browser.
Enter the wrapping_token to complete the goldfish bootstrap, then log in with Vault's root token.
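The last two steps hand goldfish a short-lived, single-use secret: the role above was created with secret_id_num_uses=1 and secret_id_ttl=5m, and the secret-id was issued with -wrap-ttl=5m. The script below is an added example, not code from this post or from the goldfish project; it shows what any consumer of such a wrapping token should do before trusting it: look up the wrapping token, check that its creation_path is the expected auth/approle/role/goldfish/secret-id endpoint, unwrap it exactly once, and log in with the role_id ("goldfish", as written in the role-id step above). http_transport talks to Vault's real HTTP API with the standard library; make_fake_vault is a constructed in-memory stand-in with made-up token values so the flow can be exercised offline, and it is an assumption of this example rather than anything on the page.

```python
"""Consume a response-wrapped AppRole secret_id the way goldfish's bootstrap does.

Added example, not code from the original post or from the goldfish project.
Endpoint names are Vault's real HTTP API; every token/secret value below is constructed.
"""
import json
import urllib.request

# The endpoint the post uses to mint the wrapped secret_id.
EXPECTED_CREATION_PATH = "auth/approle/role/goldfish/secret-id"


def http_transport(vault_addr):
    """Return a callable that POSTs JSON to Vault at vault_addr and returns the parsed reply."""
    def call(path, token, body=None):
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Vault-Token"] = token
        req = urllib.request.Request(
            f"{vault_addr}/v1/{path}",
            data=json.dumps(body or {}).encode(),
            headers=headers,
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


def make_fake_vault(creation_path=EXPECTED_CREATION_PATH):
    """Constructed in-memory stand-in for the three endpoints the flow touches.

    Models a wrapping token that, like one minted with -wrap-ttl=5m, is valid
    for exactly one unwrap. All identifiers are made up.
    """
    state = {"unwraps_left": 1}

    def call(path, token, body=None):
        if path == "sys/wrapping/lookup":
            if token != "wrap-EXAMPLE" or state["unwraps_left"] == 0:
                raise PermissionError("wrapping token invalid or already used")
            return {"data": {"creation_path": creation_path, "creation_ttl": 300}}
        if path == "sys/wrapping/unwrap":
            if token != "wrap-EXAMPLE" or state["unwraps_left"] == 0:
                raise PermissionError("wrapping token invalid or already used")
            state["unwraps_left"] -= 1
            return {"data": {"secret_id": "sid-EXAMPLE", "secret_id_accessor": "acc-EXAMPLE"}}
        if path == "auth/approle/login":
            if body == {"role_id": "goldfish", "secret_id": "sid-EXAMPLE"}:
                return {"auth": {"client_token": "s.EXAMPLE-CLIENT-TOKEN"}}
            raise PermissionError("invalid role_id or secret_id")
        raise KeyError(path)
    return call


def verify_wrapping_token(transport, wrapping_token, expected_path=EXPECTED_CREATION_PATH):
    """Refuse a wrapping token that was not created by the expected endpoint.

    A substituted token produced by some other endpoint would still unwrap
    cleanly, so the creation_path check is what tells it apart from the genuine one.
    """
    info = transport("sys/wrapping/lookup", wrapping_token, {"token": wrapping_token})["data"]
    if info.get("creation_path") != expected_path:
        raise ValueError(
            f"wrapping token created at {info.get('creation_path')!r}, "
            f"expected {expected_path!r}: refusing to unwrap"
        )
    return info


def bootstrap_approle(transport, role_id, wrapping_token, expected_path=EXPECTED_CREATION_PATH):
    """Verify, unwrap once, and log in; returns the AppRole client token."""
    verify_wrapping_token(transport, wrapping_token, expected_path)
    secret_id = transport("sys/wrapping/unwrap", wrapping_token)["data"]["secret_id"]
    # AppRole login is unauthenticated, so no X-Vault-Token is sent.
    login = transport("auth/approle/login", "", {"role_id": role_id, "secret_id": secret_id})
    return login["auth"]["client_token"]


if __name__ == "__main__":
    # Against a live server: vault = http_transport("http://127.0.0.1:8200")
    vault = make_fake_vault()
    print(bootstrap_approle(vault, "goldfish", "wrap-EXAMPLE"))
    try:
        bootstrap_approle(vault, "goldfish", "wrap-EXAMPLE")  # second use of a single-use token
    except PermissionError as exc:
        print("second bootstrap rejected:", exc)
```

With a real server, pass http_transport("http://127.0.0.1:8200") instead of the fake and the wrapping_token printed by the vault write step. A wrapping token whose creation_path differs from the expected endpoint is rejected before it is ever unwrapped, and a second bootstrap with the same token fails because the secret-id was single-use, which is the behaviour the role's secret_id_num_uses=1 setting is there to provide.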

posted @ 2018-09-06 10:05 abcyrf