Initial commit: Vault Hierarchical Initializer

This commit adds the full implementation of vault-hier, a Rust utility for:
- Initializing HashiCorp Vault in production mode (non-dev)
- Handling Vault seal/unseal operations with key thresholds
- Using Docker Compose for containerized operation
- Supporting persistent storage via Docker volumes

Key components:
- Rust application for Vault interaction
- Docker and Docker Compose configuration
- Test scripts for local development
- Nix flake for development dependencies

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
commit 07cf031bbb
9 changed files with 891 additions and 0 deletions
93
README.md
Normal file
@ -0,0 +1,93 @@
# Vault Hierarchical Initializer

A Rust-based utility for initializing and unsealing HashiCorp Vault in non-dev (production) mode.

## Overview

This project provides a Docker-based solution for:

1. Running a HashiCorp Vault server in non-dev (production) mode
2. Automatically initializing the Vault instance
3. Unsealing the Vault after initialization
4. Storing unseal keys and root token securely

## Prerequisites

- Docker and Docker Compose installed on your system
- Rust (if you want to build the project locally)

## Configuration

In production mode, Vault:
- Starts sealed and requires a threshold of unseal keys to unseal
- Stores data persistently in mounted volumes
- Requires explicit initialization
- Needs manual unsealing after restarts

The implementation uses:
- 5 key shares with a threshold of 3 keys needed for unsealing
- Persistent volume storage for Vault data

## Usage

### Starting Vault with Docker Compose

```bash
docker-compose up -d
```

This will:
1. Start a Vault server in production mode
2. Run the vault-hier utility to initialize Vault if needed
3. Automatically unseal Vault using the threshold number of keys
4. Save the unseal keys and root token to `vault-credentials.txt` in the mounted volume

### Getting Vault Credentials

After initialization, you can find the unseal keys and root token in:

```
./vault-credentials.txt
```

Keep these credentials safe! They provide full access to your Vault instance.

### Restarting a Sealed Vault

If your Vault instance restarts, it will start in a sealed state. To unseal it automatically:

```bash
# Set the unseal keys as environment variables
export VAULT_UNSEAL_KEY_1="your-first-key"
export VAULT_UNSEAL_KEY_2="your-second-key"
export VAULT_UNSEAL_KEY_3="your-third-key"

# Restart the vault-init container to trigger unsealing
docker-compose restart vault-init
```

## Development

### Building the Project Locally

```bash
cargo build --release
```

### Running Tests

```bash
cargo test
```

### Custom Configuration

To modify the key sharing threshold:
1. Edit the `init_req` struct in `src/main.rs`
2. Rebuild the Docker image

## Security Considerations

- In a production environment, never store unseal keys on the same machine as Vault
- Consider using a key management solution like Shamir's Secret Sharing
- Rotate root tokens regularly and use appropriate authentication methods
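Review bot: the Security Considerations section contradicts the Usage section above it. Step 4 under "Starting Vault with Docker Compose" says the tool will "Save the unseal keys and root token to `vault-credentials.txt` in the mounted volume", which stores all five unseal key shares plus the root token next to Vault's own data on the same host, exactly what the bullet "never store unseal keys on the same machine as Vault" warns against; anyone who can read that volume, or a backup of it, can unseal the instance and act as root. Either drop the file write and have vault-hier print the shares once so the operator can hand them to separate key holders, or state plainly that `vault-credentials.txt` is a development-only convenience. The bullet "Consider using a key management solution like Shamir's Secret Sharing" is also mistaken as an alternative: the "5 key shares with a threshold of 3" scheme described under Configuration already is Shamir's Secret Sharing (Vault's default seal); the alternative worth suggesting is Vault auto-unseal backed by a cloud KMS or a transit Vault, which would also remove the `VAULT_UNSEAL_KEY_1..3` environment variables from the "Restarting a Sealed Vault" procedure (unseal keys passed through the container environment are readable via `docker inspect` and process listings). Finally, "Rotate root tokens regularly" should read "revoke the initial root token once an auth method and an admin policy are configured"; a root token is not meant to be kept around and rotated.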