Differences

This shows you the differences between two versions of the page.

--- hashicorp_vault [2026/02/11 19:19]
val [Transit secrets engine]
+++ hashicorp_vault [2026/02/25 19:53] (current)
val [Vault policy]
@@ Line 4: / Line 4: @@
   * [[https://habr.com/ru/articles/653927/|Используем Hashicorp Vault для хранения секретов]]
   * [[https://developer.hashicorp.com/vault/docs/secrets/transit|Transit secrets engine]]
+  * [[https://penkovski.com/post/vault-dev-server-docker-compose/|Vault Dev Server in Docker Compose]]
 ===== Установка и подключение =====
+  * [[https://hub.docker.com/r/hashicorp/vault/tags]]
 <code>
-# docker run -d --name my-vault -p 8200:8200 hashicorp/vault:latest
+# docker run -d --name my-vault -p 8200:8200 hashicorp/vault:1.21.3
 # docker logs my-vault
@@ Line 37: / Line 41: @@
 / # vault kv put secret/ansible/openvpn1 \
-username=student \
+username=vagrant \
-password=password
+password=strongpassword
 / # vault kv list secret/ansible/
@@ Line 57: / Line 61: @@
 ===== Transit secrets engine =====
+  * [[https://developer.hashicorp.com/vault/tutorials/encryption-as-a-service/eaas-transit|Encrypt data in transit with Vault]]
 <code>
 / # vault secrets enable transit
@@ Line 72: / Line 79: @@
 / # echo SGVsbG8gV29ybGQK | base64 -d
 </code><code>
-/ # vault write transit/keys/webd-k8s type=rsa-4096
+/ # vault write transit/keys/my-pgcluster type=rsa-4096
+/ # vault write transit/keys/my-keycloak type=rsa-4096
 </code>
 ===== Vault policy =====
+  * [[http://server.corpX.un:8200]]
 <code>
 / # vault policy write ansible-openvpn1 - <<EOF
@@ Line 94: / Line 106: @@
 / # ###vault policy delete ansible-openvpn1
 </code><code>
-/ # vault policy write webd-k8s - <<EOF
+/ # vault policy write my-pgcluster - <<EOF
-path "/transit/encrypt/webd-k8s" {
+path "/transit/encrypt/my-pgcluster" {
   capabilities = ["update"]
 }
-path "/transit/decrypt/webd-k8s" {
+path "/transit/decrypt/my-pgcluster" {
+  capabilities = ["update"]
+}
+EOF
+</code><code>
+/ # vault policy write my-keycloak - <<EOF
+path "/transit/encrypt/my-keycloak" {
+  capabilities = ["update"]
+}
+path "/transit/decrypt/my-keycloak" {
   capabilities = ["update"]
 }
@@ Line 146: / Line 167: @@
 server|gate# VAULT_ADDR='http://server.corpX.un:8200'
 server|gate#  VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
-server|gate#  export VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
 / # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24"
@@ Line 155: / Line 175: @@
 ...
 </code><code>
-/ # vault write auth/token/roles/webd-k8s allowed_policies=webd-k8s bound_cidrs="192.168.X.0/24"
+/ # vault write auth/token/roles/my-pgcluster allowed_policies=my-pgcluster bound_cidrs="192.168.X.10, 192.168.X.221"
+/ # vault token create -role=my-pgcluster
+</code><code>
+/ # vault write auth/token/roles/my-keycloak allowed_policies=my-keycloak bound_cidrs="192.168.X.10, 192.168.X.221"
-/ # vault token create -role=webd-k8s
+/ # vault token create -role=my-keycloak
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools