GitHub user daviftorres added a comment to the discussion: SSL - LetsEncrypt the Console Proxy
Sure! This is my cheat sheet for deploying and performing the most common operations on HashiCorp Vault. I’ll leave the link here because I try to keep it always up to date: https://dft.wiki/?p=5070

### Deployment

Deploying Vault is basically a one-liner with package managers like snap or apt. Enabling the UI is optional, but honestly it’s very handy when showing around policies and vaults.

### Unsealing

Vault does not store the keys to unseal (decrypt) the vaults. Since it is always kept in memory, right after installing, and after each reboot, you need to unseal them manually. I haven’t figured out yet how to use HSM or vTPM to unseal automatically, but it’s on my radar.

### Operation

Step 1 - Enable Key Vault (KV)

```
export VAULT_ADDR=http://127.0.0.1:8200
vault login
# -version=2 so the mount is KV v2, which is what the curl calls in Step 4 (the data/ endpoint) expect
vault secrets enable -path=kv -version=2 kv
```

Step 2 - Create Policies

Read+Write Policy - for issuing certificates

```
cat <<EOF > readwrite-policy.hcl
path "kv/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
vault policy write readwrite readwrite-policy.hcl
```

Read-Only Policy - for consuming the secrets

```
cat <<EOF > readonly-policy.hcl
path "kv/*" {
  capabilities = ["read", "list"]
}
EOF
vault policy write readonly readonly-policy.hcl
```

Check

```
vault policy list
```

**Note:** The examples above allow access to all secrets in KV. In production, always create tailor-made policies per application+secret.

Step 3 - Generate Tokens

```
vault token create -policy=readonly -orphan -no-default-policy -ttl=0
vault token create -policy=readwrite -orphan -no-default-policy -ttl=0
```

Check

```
vault token lookup <TOKEN>
```

**Note:** These examples generate tokens that do not expire. In practice, use reasonable TTLs and set up automated re-issuance.
Step 4 - Put and Get Secrets

Basic put using `vault` command

```
vault kv put kv/example.com cert=TEST key=TEST fullchain=TEST
```

Put from files using `vault` command

```
vault kv put kv/example.com \
  cert=@/etc/letsencrypt/live/example.com/cert.pem \
  key=@/etc/letsencrypt/live/example.com/privkey.pem \
  fullchain=@/etc/letsencrypt/live/example.com/fullchain.pem
```

Basic get using `vault` command

```
vault kv get kv/example.com
```

Basic put using `curl` command

```
curl --header "X-Vault-Token: TOKEN" --request POST \
  --data '{"data": {"cert": "TEST", "key": "TEST", "fullchain": "TEST"}}' \
  https://vault.example.com/v1/kv/data/example.com
```

Basic get using `curl` command

```
curl --header "X-Vault-Token: TOKEN" --request GET \
  https://vault.example.com/v1/kv/data/example.com | jq '.data.data'
```

GitHub link: https://github.com/apache/cloudstack/discussions/11597#discussioncomment-14355328
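As an added example (not code from the comment above or from the Vault project), a small Python client for the Step 4 exchange: it builds the KV v2 write body, sends it with the `X-Vault-Token` header, and unwraps the `data.data` read response. It runs offline against a constructed in-memory stand-in that models the read-only and read-write policies; the Vault address, mount name and token values are assumptions.

```python
import io
import json
import urllib.request

# Assumed (hypothetical) values: Vault address and a KV v2 engine mounted at "kv".
VAULT_ADDR = "https://vault.example.com"
MOUNT = "kv"


def kv2_write_payload(cert_pem, key_pem, fullchain_pem):
    """Body for POST /v1/<mount>/data/<name>; KV v2 wraps the fields in "data"."""
    if not fullchain_pem.startswith(cert_pem.strip()):
        raise ValueError("fullchain does not start with the leaf certificate")
    return {"data": {"cert": cert_pem, "key": key_pem, "fullchain": fullchain_pem}}


def kv2_request(token, method, name, body=None, opener=urllib.request.urlopen):
    """Send one KV v2 data-endpoint request; refuses to put the token on plain HTTP."""
    url = f"{VAULT_ADDR}/v1/{MOUNT}/data/{name}"
    if not url.startswith("https://"):
        raise ValueError("refusing to send a Vault token over plaintext HTTP")
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)


def kv2_unwrap(response):
    """A KV v2 read returns the fields under data.data and the version under data.metadata."""
    return response["data"]["data"], response["data"]["metadata"]["version"]


class FakeVault:
    """Constructed stand-in for the KV v2 data endpoint (hypothetical tokens) so this runs offline."""
    CAPS = {"rw-token": {"create", "read", "update", "list"}, "ro-token": {"read", "list"}}

    def __init__(self):
        self.versions = {}

    def __call__(self, req):
        caps = self.CAPS.get(req.get_header("X-vault-token"), set())
        name = req.full_url.rsplit("/", 1)[1]
        if req.get_method() == "POST" and caps & {"create", "update"}:
            hist = self.versions.setdefault(name, [])
            hist.append(json.loads(req.data)["data"])  # every write creates a new version
            reply = {"data": {"version": len(hist)}}
        elif req.get_method() == "GET" and "read" in caps and name in self.versions:
            hist = self.versions[name]
            reply = {"data": {"data": hist[-1], "metadata": {"version": len(hist)}}}
        else:
            raise PermissionError("403 permission denied")  # real Vault answers 403 here
        return io.BytesIO(json.dumps(reply).encode())
```

Swapping `opener=FakeVault()` for the default `urllib.request.urlopen` sends the same requests to a real server.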
