This commit adds the full implementation of vault-hier, a Rust utility for:

- Initializing HashiCorp Vault in production mode (non-dev)
- Handling Vault seal/unseal operations with key thresholds
- Using Docker Compose for containerized operation
- Supporting persistent storage via Docker volumes

Key components:

- Rust application for Vault interaction
- Docker and Docker Compose configuration
- Test scripts for local development
- Nix flake for development dependencies

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
93 lines
2.3 KiB
Markdown
# Vault Hierarchical Initializer

A Rust-based utility for initializing and unsealing HashiCorp Vault in non-dev (production) mode.

## Overview

This project provides a Docker-based solution for:

1. Running a HashiCorp Vault server in non-dev (production) mode
2. Automatically initializing the Vault instance
3. Unsealing the Vault after initialization
4. Storing unseal keys and root token securely

## Prerequisites

- Docker and Docker Compose installed on your system
- Rust (if you want to build the project locally)

## Configuration

In production mode, Vault:

- Starts sealed and requires a threshold of unseal keys to unseal
- Stores data persistently in mounted volumes
- Requires explicit initialization
- Needs manual unsealing after restarts

The implementation uses:

- 5 key shares with a threshold of 3 keys needed for unsealing
- Persistent volume storage for Vault data

## Usage

### Starting Vault with Docker Compose

```bash
docker-compose up -d
```

This will:

1. Start a Vault server in production mode
2. Run the vault-hier utility to initialize Vault if needed
3. Automatically unseal Vault using the threshold number of keys
4. Save the unseal keys and root token to `vault-credentials.txt` in the mounted volume

### Getting Vault Credentials

After initialization, you can find the unseal keys and root token in:

```
./vault-credentials.txt
```

Keep these credentials safe! They provide full access to your Vault instance.

### Restarting a Sealed Vault

If your Vault instance restarts, it will start in a sealed state. To unseal it automatically:

```bash
# Set the unseal keys as environment variables
export VAULT_UNSEAL_KEY_1="your-first-key"
export VAULT_UNSEAL_KEY_2="your-second-key"
export VAULT_UNSEAL_KEY_3="your-third-key"

# Restart the vault-init container to trigger unsealing
docker-compose restart vault-init
```
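The two procedures above (first start: initialize, then unseal with the threshold number of keys; restart: collect `VAULT_UNSEAL_KEY_N` from the environment and unseal again) are shown below as a worked example. This is added illustration, not the project's Rust code. The `FakeVault` class is an in-memory stand-in for the three Vault HTTP endpoints involved (`PUT /v1/sys/init`, `GET /v1/sys/seal-status`, `PUT /v1/sys/unseal`) so the exchange runs offline; it does not implement Shamir's Secret Sharing, it simply remembers which shares it issued and counts distinct valid submissions. The function names `keys_from_env` and `ensure_unsealed` are assumptions for this example, and writing `vault-credentials.txt` is not modelled.

```python
import secrets


class FakeVault:
    """Offline stand-in for a sealed production Vault (constructed for this example).

    Real Vault reconstructs the root key from `t` of `n` Shamir shares; this fake
    rejects an unknown share immediately and resets progress, which is enough to
    exercise the client logic.
    """

    def __init__(self):
        self.initialized = False
        self.sealed = True
        self.shares = set()
        self.t = 0            # threshold
        self.n = 0            # number of shares issued
        self.progress = set() # distinct valid keys submitted since last reset

    def init(self, body):
        # PUT /v1/sys/init  -> {"keys": [...], "root_token": "..."}
        if self.initialized:
            raise RuntimeError("400: Vault is already initialized")
        n, t = body["secret_shares"], body["secret_threshold"]
        if not 1 <= t <= n:
            raise RuntimeError("400: threshold must be between 1 and secret_shares")
        keys = [secrets.token_hex(32) for _ in range(n)]
        self.shares, self.t, self.n, self.initialized = set(keys), t, n, True
        return {"keys": keys, "root_token": "hvs." + secrets.token_hex(12)}

    def seal_status(self):
        # GET /v1/sys/seal-status
        return {"initialized": self.initialized, "sealed": self.sealed,
                "t": self.t, "n": self.n, "progress": len(self.progress)}

    def unseal(self, body):
        # PUT /v1/sys/unseal ; {"reset": true} discards partial progress
        if body.get("reset"):
            self.progress.clear()
            return self.seal_status()
        key = body["key"]
        if key not in self.shares:
            self.progress.clear()
            raise RuntimeError("400: invalid unseal key")
        self.progress.add(key)          # a repeated key never advances progress
        if len(self.progress) >= self.t:
            self.sealed = False
            self.progress.clear()
        return self.seal_status()

    def restart(self):
        # A restarted production Vault comes back sealed with no unseal progress.
        self.sealed = True
        self.progress.clear()


def keys_from_env(environ, threshold, prefix="VAULT_UNSEAL_KEY_"):
    """Collect VAULT_UNSEAL_KEY_1, _2, ... and fail fast if fewer than `threshold` are set."""
    keys, i = [], 1
    while (value := environ.get(f"{prefix}{i}")) is not None:
        if value.strip():
            keys.append(value.strip())
        i += 1
    if len(keys) < threshold:
        # Report the count only; never log the key material itself.
        raise ValueError(f"need {threshold} unseal keys, found {len(keys)}")
    return keys


def ensure_unsealed(vault, keys, shares=5, threshold=3):
    """Initialize Vault if needed, then submit keys until it reports sealed=false.

    Returns (init_credentials_or_None, number_of_keys_submitted).
    """
    status = vault.seal_status()
    creds = None
    if not status["initialized"]:
        creds = vault.init({"secret_shares": shares, "secret_threshold": threshold})
        keys = creds["keys"]
        status = vault.seal_status()
    if not status["sealed"]:
        return creds, 0                 # nothing to do
    submitted = 0
    for key in dict.fromkeys(keys):     # de-duplicate, preserving order
        status = vault.unseal({"key": key})
        submitted += 1
        if not status["sealed"]:
            return creds, submitted     # stop at the threshold; extra keys are not needed
    raise RuntimeError(f"still sealed after {submitted} keys "
                       f"(progress {status['progress']}/{status['t']})")


if __name__ == "__main__":
    vault = FakeVault()
    creds, used = ensure_unsealed(vault, [])
    print(f"initialized with {len(creds['keys'])} shares, unsealed with {used} keys")
    vault.restart()
    env = {f"VAULT_UNSEAL_KEY_{i + 1}": k for i, k in enumerate(creds["keys"][:3])}
    print("unsealed after restart with", ensure_unsealed(vault, keys_from_env(env, 3))[1], "keys")
```

The client stops as soon as the status reports `sealed: false`, so with the README's 5/3 split exactly three distinct shares are sent, and a restart needs only the three environment variables shown above; supplying two keys, or the same key three times, leaves Vault sealed and is reported as an error rather than silently succeeding.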

## Development

### Building the Project Locally

```bash
cargo build --release
```

### Running Tests

```bash
cargo test
```

### Custom Configuration

To modify the key sharing threshold:

1. Edit the `init_req` struct in `src/main.rs`
2. Rebuild the Docker image

## Security Considerations

- In a production environment, never store unseal keys on the same machine as Vault
- Consider using a key management solution like Shamir's Secret Sharing
- Rotate root tokens regularly and use appropriate authentication methods