Introduction
HashiCorp Vault is an open-source tool for securely storing secrets and sensitive data in dynamic cloud environments. Packer and Terraform, also developed by HashiCorp, can be used together to build and deploy images of Vault.
In this tutorial you will use Packer to create an immutable snapshot of a system with Vault installed, and Terraform to orchestrate its deployment.
For a more detailed version of this tutorial, see How To Build a Hashicorp Vault Server Using Packer and Terraform on DigitalOcean.
Prerequisites
- Packer installed on your local machine. For instructions, visit the official documentation.
- Terraform installed on your local machine. Visit the official documentation for a guide.
- A personal access token (API key) with read and write permissions for your DigitalOcean account. Visit How To Create a Personal Access Token to create one. Treat this token as a secret: it grants write access to your whole account, so keep it out of version control and shared shell histories.
- An SSH key available on your local machine and added to your DigitalOcean account, which you will use to authenticate to the deployed Vault Droplets. You will also need its fingerprint, which you can copy from the Security page of your account once the key has been added. See the DigitalOcean documentation or the How To Set Up SSH Keys tutorial for detailed instructions.
Step 1 - Creating the Packer Template
Create and move into the ~/vault-orchestration directory, which will store the Vault files:
mkdir ~/vault-orchestration
cd ~/vault-orchestration
Create separate directories for the Packer and Terraform configurations by running:
mkdir packer terraform
Navigate to the packer directory:
cd packer
Using Template Variables
In the packer subdirectory, create a variables.json to store your private variable data:
nano variables.json
Add the following lines:
~/vault-orchestration/packer/variables.json
{
  "do_token": "your_do_api_key",
  "base_system_image": "ubuntu-18-04-x64",
  "region": "nyc3",
  "size": "s-1vcpu-1gb"
}
You will use these variables in the template you are about to create. You can edit the base image, region and Droplet size values according to the developer docs.
Replace your_do_api_key with your API key, then save and close the file. Because this file now holds an account-wide credential, keep it out of version control (for example, list it in .gitignore). If you would rather not write the token to disk at all, leave do_token out of the file and supply it at build time with packer's -var option, or export it as the DIGITALOCEAN_API_TOKEN environment variable, which the digitalocean builder falls back to when api_token is empty (check the builder documentation for your Packer version).
Creating Builders and Provisioners
Create the Packer template for Vault in a file named template.json:
nano template.json
Add the following lines:
~/vault-orchestration/packer/template.json
{
  "builders": [{
    "type": "digitalocean",
    "api_token": "{{user `do_token`}}",
    "image": "{{user `base_system_image`}}",
    "region": "{{user `region`}}",
    "size": "{{user `size`}}",
    "ssh_username": "root"
  }],
  "provisioners": [{
    "type": "shell",
    "inline": [
      "sleep 30",
      "sudo apt-get update",
      "sudo apt-get install unzip -y",
      "curl -L https://releases.hashicorp.com/vault/1.3.2/vault_1.3.2_linux_amd64.zip -o vault.zip",
      "unzip vault.zip",
      "sudo chown root:root vault",
      "mv vault /usr/local/bin/",
      "rm -f vault.zip"
    ]
  }]
}
You define only a single digitalocean builder. Packer will use the provided API key to create a temporary Droplet of the defined size, image and region.
Packer will connect to the Droplet over SSH using the specified username, run every defined provisioner in order, then create a DigitalOcean snapshot from the Droplet and delete the Droplet.
The provisioner has the type shell and executes the given commands on the target. The commands in the template wait 30 seconds for the system to boot, then download and unpack Vault 1.3.2. Check the official Vault download page for the latest Linux version.
Note that the template trusts whatever the download URL returns: it does not compare the archive against the SHA256SUMS file HashiCorp publishes alongside each release, nor verify that file's signature, so a tampered or truncated download would be baked into the snapshot unnoticed. Add that verification before building snapshots you intend to deploy.
Save and close the file.
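The following script is an added example, not code from the original tutorial or from HashiCorp, showing the download-and-verify step the inline provisioner above skips. You would upload it with a Packer file provisioner and run it from the shell provisioner's inline list as bash install-vault.sh install. It assumes HashiCorp's release-signing public key has already been imported into root's GPG keyring by an earlier provisioner, and that the SHA256SUMS file uses the usual "digest, two spaces, filename" layout; the archive name and VAULT_VERSION default follow the template.

```shell
#!/usr/bin/env bash
# install-vault.sh: added example, not part of the original tutorial.
# Downloads the Vault release the template uses, checks the archive against
# HashiCorp's published SHA256SUMS (after verifying that file's signature),
# and only then installs the binary.
set -eu

VAULT_VERSION="${VAULT_VERSION:-1.3.2}"
RELEASE_URL="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
ZIP="vault_${VAULT_VERSION}_linux_amd64.zip"
SUMS="vault_${VAULT_VERSION}_SHA256SUMS"

# Compare the SHA-256 of file $1 with the entry for its basename in the
# checksum file $2 ("<hex digest>  <filename>" per line). Returns 0 on a
# match, 1 if the entry is missing or the digest differs. No network access.
verify_sha256() {
  local file="$1" sums="$2" name expected actual
  name="$(basename "$file")"
  expected="$(awk -v n="$name" '$2 == n { print $1 }' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual="$(sha256sum "$file" | awk '{ print $1 }')"
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Fetch the release, verify it, install to /usr/local/bin. Runs as root
# inside the Packer build. Assumption: HashiCorp's release-signing key was
# imported into root's keyring by an earlier provisioner; without it,
# gpg --verify fails and set -e aborts the build (fail closed).
install_vault() {
  local workdir
  workdir="$(mktemp -d)"
  cd "$workdir"
  curl -fsSL -o "$ZIP" "${RELEASE_URL}/${ZIP}"
  curl -fsSL -o "$SUMS" "${RELEASE_URL}/${SUMS}"
  curl -fsSL -o "${SUMS}.sig" "${RELEASE_URL}/${SUMS}.sig"
  gpg --verify "${SUMS}.sig" "$SUMS"
  verify_sha256 "$ZIP" "$SUMS"
  unzip -o "$ZIP" vault
  install -o root -g root -m 0755 vault /usr/local/bin/vault
  cd /
  rm -rf "$workdir"
}

# Only install when invoked as "install-vault.sh install", so the checking
# function can be exercised without touching the system.
if [ "${1:-}" = "install" ]; then
  install_vault
fi
```

Because the signature check runs before the checksum comparison, a mirror or intermediary that serves a modified archive together with a matching, self-made SHA256SUMS file is still rejected: the sums file itself must carry HashiCorp's signature.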
Validate the template:
packer validate -var-file=variables.json template.json
You will see the following output:
Output
Template validated successfully.
Step 2 - Building the Snapshot
Build the snapshot with the Packer build command:
packer build -var-file=variables.json template.json
You will see a lot of output, which will look like this:
Output
digitalocean: output will be in this color.

==> digitalocean: Creating temporary ssh key for droplet...
==> digitalocean: Creating droplet...
==> digitalocean: Waiting for droplet to become active...
==> digitalocean: Using ssh communicator to connect: ...
==> digitalocean: Waiting for SSH to become available...
==> digitalocean: Connected to SSH!
==> digitalocean: Provisioning with shell script: /tmp/packer-shell035430322
...
==> digitalocean: % Total % Received % Xferd Average Speed Time Time Time Current
==> digitalocean: Dload Upload Total Spent Left Speed
    digitalocean: Archive: vault.zip
==> digitalocean: 100 45.5M 100 45.5M 0 0 154M 0 --:--:-- --:--:-- --:--:-- 153M
    digitalocean: inflating: vault
==> digitalocean: Gracefully shutting down droplet...
==> digitalocean: Creating snapshot: packer-1581537927
==> digitalocean: Waiting for snapshot to complete...
==> digitalocean: Destroying droplet...
==> digitalocean: Deleting temporary ssh key...
Build 'digitalocean' finished.

==> Builds finished. The artifacts of successful builds are:
--> digitalocean: A snapshot was created: 'packer-1581537927' (ID: 58230938) in regions '...'
The last line contains the name of the snapshot (such as packer-1581537927) and, in parentheses, its ID. Note the snapshot ID, as you will need it in the next step.
If the build process fails with an API error, wait a few minutes and try again.
Step 3 - Writing the Terraform Configuration
Navigate to the terraform subdirectory:
cd ~/vault-orchestration/terraform
Create a file named do-provider.tf to store the provider:
nano do-provider.tf
Add the following lines:
~/vault-orchestration/terraform/do-provider.tf
variable "do_token" {
}

variable "ssh_fingerprint" {
}

variable "instance_count" {
  default = "1"
}

variable "do_snapshot_id" {
}

variable "do_name" {
  default = "vault"
}

variable "do_region" {
}

variable "do_size" {
}

variable "do_private_networking" {
  default = true
}

provider "digitalocean" {
  token = var.do_token
}
This file declares the input variables and configures the digitalocean provider with an API key. To specify values for these variables you will create a variable definitions file, similar to the one for Packer. Its name must end in .tfvars or .tfvars.json.
Save and close the file.
Create the variable definitions file:
nano definitions.tfvars
Add the following lines:
~/vault-orchestration/terraform/definitions.tfvars
do_token = "your_do_api_key"
ssh_fingerprint = "your_ssh_key_fingerprint"
do_snapshot_id = your_do_snapshot_id
do_name = "vault"
do_region = "nyc3"
do_size = "s-1vcpu-1gb"
instance_count = 1
Replace your_do_api_key, your_ssh_key_fingerprint and your_do_snapshot_id (the snapshot ID you noted in the previous step). The values of the do_region and do_size parameters must be the same as in the Packer variables file: a snapshot can only be deployed in a region where it exists. Like variables.json, this file now holds your API token, so keep it, together with the terraform.tfstate files Terraform will create in this directory, out of version control. If you would rather not store the token in a file, leave do_token out of definitions.tfvars and export it as the TF_VAR_do_token environment variable, which Terraform reads as the value of var.do_token.
Save and close the file.
Create the following file to store the Vault snapshot deployment configuration:
nano deployment.tf
Add the following lines:
~/vault-orchestration/terraform/deployment.tf
resource "digitalocean_droplet" "vault" {
  count              = var.instance_count
  image              = var.do_snapshot_id
  name               = var.do_name
  region             = var.do_region
  size               = var.do_size
  private_networking = var.do_private_networking
  ssh_keys = [
    var.ssh_fingerprint
  ]
}

output "instance_ip_addr" {
  value = {
    for instance in digitalocean_droplet.vault:
    instance.id => instance.ipv4_address
  }
  description = "The IP addresses of the deployed instances, paired with their IDs."
}
You define a single resource of type digitalocean_droplet named vault. You set its parameters from the variable values and attach an SSH key from your DigitalOcean account (identified by its fingerprint) to the Droplet resource. You output the IP addresses of all newly deployed instances to the console.
Nothing in this configuration restricts inbound traffic: each Droplet gets a public IPv4 address with root SSH access for the listed key. Vault is not running yet, but before you start it, limit access, for example with a digitalocean_firewall resource from the same provider.
Save and close the file.
Initialize the directory as a Terraform project:
terraform init
You will see the following output:
Output

Initializing the backend...

Initializing provider plugins...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.digitalocean: version = "~> 1.14"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Take the suggestion in this output: add the version constraint it proposes to the provider "digitalocean" block, so that a future provider release cannot silently change what terraform apply does.
Step 4 - Deploying Vault with Terraform
Test the validity of the configuration:
terraform validate
You will see the following output:
Output
Success! The configuration is valid.
Run the plan command to see what Terraform will attempt when provisioning the infrastructure:
terraform plan -var-file="definitions.tfvars"
The output will be similar to:
Output
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # digitalocean_droplet.vault[0] will be created
  + resource "digitalocean_droplet" "vault" {
      ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Execute the plan, confirming with yes when Terraform prompts you:
terraform apply -var-file="definitions.tfvars"
The Droplet will finish provisioning and you will see output similar to this (the resource name matches the one in deployment.tf):
Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # digitalocean_droplet.vault[0] will be created
  + resource "digitalocean_droplet" "vault" {
      ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

...

digitalocean_droplet.vault[0]: Creating...

...

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

instance_ip_addr = {
  "181254240" = "your_new_server_ip"
}
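As an added example, not code from the original tutorial, the wrapper below runs the Terraform steps of this and the previous section with the DigitalOcean token supplied through the environment instead of written into definitions.tfvars, and refuses to run if the tfvars file still holds one. It assumes the directory layout from Step 3, assumes a DigitalOcean token looks like 64 hex characters optionally prefixed with dop_v1_ (adjust the pattern if the format differs), and uses the plan-file workflow the plan output's "-out" note recommends.

```shell
#!/usr/bin/env bash
# deploy-vault.sh: added example, not part of the original tutorial.
# Runs init -> validate -> plan -> apply for the Vault configuration with the
# DigitalOcean token taken from the environment (TF_VAR_do_token) rather
# than from definitions.tfvars.
set -eu

TF_DIR="${TF_DIR:-${HOME:-/root}/vault-orchestration/terraform}"
VAR_FILE="${VAR_FILE:-definitions.tfvars}"

# Return 0 if $1 contains a string shaped like a DigitalOcean personal
# access token. Assumption about the shape: 64 hex characters, optionally
# prefixed with "dop_v1_"; adjust the pattern if the format changes.
file_has_do_token() {
  grep -Eq '(dop_v1_)?[0-9a-f]{64}' "$1"
}

# Validate the variable definitions file before handing it to Terraform:
# it must exist and must not carry a real token. Placeholders, numeric
# snapshot IDs and colon-separated SSH fingerprints do not match the pattern.
check_var_file() {
  local f="$1"
  if [ ! -f "$f" ]; then
    echo "missing variable definitions file: $f" >&2
    return 1
  fi
  if file_has_do_token "$f"; then
    echo "$f appears to contain a DigitalOcean token; remove it and export DIGITALOCEAN_TOKEN instead" >&2
    return 1
  fi
  return 0
}

# Terraform maps TF_VAR_do_token onto var.do_token, so do_token can be left
# out of definitions.tfvars entirely. The saved plan embeds the variable
# values (token included), so it is applied once and then deleted.
run_terraform() {
  : "${DIGITALOCEAN_TOKEN:?set DIGITALOCEAN_TOKEN in the environment}"
  export TF_VAR_do_token="$DIGITALOCEAN_TOKEN"
  cd "$TF_DIR"
  check_var_file "$VAR_FILE"
  terraform init -input=false
  terraform validate
  terraform plan -input=false -var-file="$VAR_FILE" -out=tfplan
  terraform apply -input=false tfplan
  rm -f tfplan
}

# Only deploy when asked explicitly, so the checks above can be exercised
# without touching any infrastructure.
if [ "${1:-}" = "deploy" ]; then
  run_terraform
fi
```

Run it as DIGITALOCEAN_TOKEN=... bash deploy-vault.sh deploy. Applying the saved plan file rather than re-planning inside apply means the actions you reviewed are exactly the ones executed, and removing the plan file afterwards keeps the token from lingering on disk.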
Step 5 - Verifying the Deployed Droplet
Connect to the new Droplet by running:
ssh root@your_server_ip
Once logged in, run Vault with:
vault
You will see its help output:
Output
Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    debug          Runs the debug command
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    print          Prints runtime configurations
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens
This only shows that the binary is on the PATH. Run vault version as well and confirm it reports the release you downloaded in the template (Vault v1.3.2); a different version means the snapshot was built from something other than what you intended.
Conclusion
You now have an automated system for deploying HashiCorp Vault on DigitalOcean Droplets using Terraform and Packer. To start using Vault you will need to initialize and configure it further: the snapshot contains only the binary, with no server configuration, storage backend, TLS certificates or service unit, and the Droplet is reachable on its public address. For instructions on how to proceed, visit the official documentation.
For more tutorials on using Terraform, check out our Terraform content page.