How to configure a Vault cluster using Consul as the backend storage


1. Consul cluster setup

Consul configuration file

  • In retry_join, enter the IPs of the other Consul servers in the cluster.
  • Set node_name and the IP address uniquely for each server.
vim /etc/consul.d/consul.hcl
datacenter = "dc1"
data_dir = "/opt/consul"
log_level = "INFO"
node_name = "consul-server-1" # set uniquely for each server
server = true
bootstrap_expect = 3 # number of servers in the cluster
bind_addr = "0.0.0.0"
client_addr = "0.0.0.0"

retry_join = ["<consul_server_1_ip>", "<consul_server_2_ip>", "<consul_server_3_ip>"]

2. Vault installation and configuration

Vault configuration file

  • Write the /etc/vault.d/vault.hcl file.
vim /etc/vault.d/vault.hcl
ui = true

storage "consul" {
  address = "http://<consul_server_1_ip>:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr     = "http://<vault_node_ip>:8200"

cluster_addr = "http://<vault_node_ip>:8201"
  • node111
sudo tee /etc/vault.d/vault.hcl > /dev/null <<EOF
ui = true

storage "consul" {
  address = "http://192.168.10.111:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr     = "http://192.168.10.111:8200"

cluster_addr = "http://192.168.10.111:8201"
EOF
  • node112
sudo tee /etc/vault.d/vault.hcl > /dev/null <<EOF
ui = true

storage "consul" {
  address = "http://192.168.10.112:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr     = "http://192.168.10.112:8200"

cluster_addr = "http://192.168.10.112:8201"
EOF
  • node113
sudo tee /etc/vault.d/vault.hcl > /dev/null <<EOF
ui = true

storage "consul" {
  address = "http://192.168.10.113:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr     = "http://192.168.10.113:8200"

cluster_addr = "http://192.168.10.113:8201"
EOF
sudo systemctl restart vault
sudo systemctl status vault --no-pager
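As an added example (not from the original post), a small shell audit of the vault.hcl above that flags the settings it relies on but which a production deployment should not carry (tls_disable = 1, Consul reached over http, no Consul ACL token), next to a hardened version of the same stanzas; the TLS file paths and the ACL token value are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit a vault.hcl like the ones
# above for the plaintext settings they rely on, then show a hardened variant.
# Assumes only sh, sed and grep; the TLS paths and the Consul token are placeholders.

# Print one FINDING line per weak setting in the file given as $1 (always exits 0).
audit_vault_hcl() {
  body="$(sed 's/#.*$//' "$1")"   # drop comments so commented-out lines do not count
  if printf '%s\n' "$body" | grep -Eq 'tls_disable[[:space:]]*=[[:space:]]*(1|true|"true")'; then
    echo "FINDING: tls_disable is set; tokens and secrets cross the network unencrypted on :8200"
  fi
  if printf '%s\n' "$body" | grep -Eq 'address[[:space:]]*=[[:space:]]*"http://[^"]*:8500"'; then
    echo "FINDING: Consul storage is reached over http://; use scheme = \"https\" and the TLS port"
  fi
  if printf '%s\n' "$body" | grep -Eq 'storage[[:space:]]+"consul"' &&
     ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*token[[:space:]]*='; then
    echo "FINDING: no Consul ACL token; with ACLs off, anyone reaching port 8500 can alter the vault/ KV path"
  fi
  return 0
}

WORK="$(mktemp -d)"
# The node111 storage and listener stanzas from the post, as the "before" input.
cat >"$WORK/weak.hcl" <<'EOF'
storage "consul" {
  address = "http://192.168.10.111:8500"
  path    = "vault/"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
EOF
# Hardened variant: HTTPS plus an ACL token towards the local Consul agent, TLS on the listener.
cat >"$WORK/hardened.hcl" <<'EOF'
storage "consul" {
  address     = "127.0.0.1:8501"                  # local agent, HTTPS port
  scheme      = "https"
  tls_ca_file = "/etc/vault.d/tls/consul-ca.pem"  # placeholder path
  path        = "vault/"
  token       = "<consul-acl-token>"              # placeholder
}
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # placeholder path
  tls_key_file  = "/etc/vault.d/tls/vault.key"   # placeholder path
}
EOF
audit_vault_hcl "$WORK/weak.hcl"       # three findings
audit_vault_hcl "$WORK/hardened.hcl"   # no output
```

Because the Vault barrier encrypts the stored data, the Consul-side findings are about integrity and availability of the vault/ path and about the listener exposing live tokens, not about Consul being able to read secrets.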

3. Vault initialization and cluster configuration

Setting environment variables

export VAULT_ADDR='http://127.0.0.1:8200'

Vault initialization

Initialize Vault on the first server in the cluster.

vault operator init
vault operator init | tee ~/vault_info.txt
$ vault operator init | tee ~/vault_info.txt
Unseal Key 1: 7qE/9CLs9OPTn4ut9QUrlLDIXwntSLdoTxHFOlu3zFoW
Unseal Key 2: NEuisx3YC8na909/jySJ/6BUOALJMw0e7mmrQtkKTZvP
Unseal Key 3: qA4e9pfVBi51c16jNZyAxmz/hUGzQ/cxsfHV802lKKK6
Unseal Key 4: 0iUdUWmWiPPdlCBJlgmiIYwd9pz3XiIyOgj5D2Xb24YG
Unseal Key 5: /VK2XQGX5zqSHPk44NNHpZhIstHRgJoYFgDPJ0D9Wj2k

Initial Root Token: hvs.sfCXAR8OyuWmrjjog2C9AuQp

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Setting environment variables

export VAULT_TOKEN="hvs.sfCXAR8OyuWmrjjog2C9AuQp"

Unsealing

Use the unseal keys to unseal the initialized Vault.

vault operator unseal <unseal_key>
vault operator unseal 7qE/9CLs9OPTn4ut9QUrlLDIXwntSLdoTxHFOlu3zFoW
vault operator unseal NEuisx3YC8na909/jySJ/6BUOALJMw0e7mmrQtkKTZvP
vault operator unseal qA4e9pfVBi51c16jNZyAxmz/hUGzQ/cxsfHV802lKKK6
vault operator unseal 0iUdUWmWiPPdlCBJlgmiIYwd9pz3XiIyOgj5D2Xb24YG
vault operator unseal /VK2XQGX5zqSHPk44NNHpZhIstHRgJoYFgDPJ0D9Wj2k
vault login <root_token>
vault login hvs.sfCXAR8OyuWmrjjog2C9AuQp
$ vault login hvs.sfCXAR8OyuWmrjjog2C9AuQp
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.sfCXAR8OyuWmrjjog2C9AuQp
token_accessor       yugqYhDAQBhLRhPJnLksMSxd
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
vault operator members
$ vault operator members
Host Name    API Address                   Cluster Address                Active Node    Version    Upgrade Version    Redundancy Zone    Last Echo
---------    -----------                   ---------------                -----------    -------    ---------------    ---------------    ---------
node111      http://192.168.10.111:8200    https://192.168.10.111:8201    true           1.17.2     n/a                n/a                n/a

Adding nodes to the cluster

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="hvs.sfCXAR8OyuWmrjjog2C9AuQp"

---

From the remaining servers, connect to the first server to join them to the cluster.

vault operator raft join http://<first_server_ip>:8200
vault operator raft join http://192.168.10.111:8200

---

Unsealing each node

  • Unseal each node that has joined the cluster.
vault operator unseal <unseal_key>
vault operator unseal 7qE/9CLs9OPTn4ut9QUrlLDIXwntSLdoTxHFOlu3zFoW
vault operator unseal NEuisx3YC8na909/jySJ/6BUOALJMw0e7mmrQtkKTZvP
vault operator unseal qA4e9pfVBi51c16jNZyAxmz/hUGzQ/cxsfHV802lKKK6
vault operator unseal 0iUdUWmWiPPdlCBJlgmiIYwd9pz3XiIyOgj5D2Xb24YG
vault operator unseal /VK2XQGX5zqSHPk44NNHpZhIstHRgJoYFgDPJ0D9Wj2k
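Added example, not part of the original post: shell helpers that parse the `vault operator init` transcript saved with tee above and unseal a node with exactly the key threshold's worth of shares (the steps above feed all five keys, where the announced threshold of 3 suffices). It assumes the vault CLI is on PATH and that the transcript file is handled as a secret, since it holds the root token and every key share.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: read the `vault operator init`
# transcript saved with tee above, keep only a threshold's worth of unseal keys, and
# unseal one node per call. Assumes the vault CLI is on PATH and the transcript file
# is readable only by the operator (it holds the root token and all key shares).

# Print the unseal keys from the transcript $1, one per line.
extract_unseal_keys() { sed -nE 's/^Unseal Key [0-9]+: (.+)$/\1/p' "$1"; }

# Print the key threshold the transcript announces (3 for the output above).
extract_threshold() { sed -nE 's/.*key threshold of ([0-9]+).*/\1/p' "$1"; }

# Print the initial root token.
extract_root_token() { sed -nE 's/^Initial Root Token: (.+)$/\1/p' "$1"; }

# Print exactly `threshold` keys: feeding all five, as the post does, exposes
# more shares than the node needs to reconstruct the root key.
select_threshold_keys() { extract_unseal_keys "$1" | head -n "$(extract_threshold "$1")"; }

# Unseal the Vault node at $1 (e.g. http://192.168.10.112:8200) with the
# threshold keys from transcript $2, then verify it really is unsealed.
unseal_node() {
  addr="$1"; transcript="$2"
  select_threshold_keys "$transcript" | while IFS= read -r key; do
    VAULT_ADDR="$addr" vault operator unseal "$key" >/dev/null </dev/null
  done
  # vault status exits 0 when unsealed, 2 when still sealed, 1 on error.
  VAULT_ADDR="$addr" vault status >/dev/null
}

WORK="$(mktemp -d)"
# Sample transcript: the init output shown above, constructed here as a file.
cat >"$WORK/vault_info.txt" <<'EOF'
Unseal Key 1: 7qE/9CLs9OPTn4ut9QUrlLDIXwntSLdoTxHFOlu3zFoW
Unseal Key 2: NEuisx3YC8na909/jySJ/6BUOALJMw0e7mmrQtkKTZvP
Unseal Key 3: qA4e9pfVBi51c16jNZyAxmz/hUGzQ/cxsfHV802lKKK6
Unseal Key 4: 0iUdUWmWiPPdlCBJlgmiIYwd9pz3XiIyOgj5D2Xb24YG
Unseal Key 5: /VK2XQGX5zqSHPk44NNHpZhIstHRgJoYFgDPJ0D9Wj2k

Initial Root Token: hvs.sfCXAR8OyuWmrjjog2C9AuQp

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.
EOF
chmod 600 "$WORK/vault_info.txt"
select_threshold_keys "$WORK/vault_info.txt"   # prints keys 1-3 only
# Live use (not run here): unseal_node http://192.168.10.112:8200 "$WORK/vault_info.txt"
```

In a real deployment the shares would be handed to different key holders rather than kept in one file, which is what the threshold scheme is for; this helper only shows how few of them each node actually needs.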

[Figure: Consul services view showing the Vault instances]

4. Checking cluster status

Check the cluster status on every server with the vault status command.

vault status
$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.17.2
Build Date      2024-07-05T15:19:12Z
Storage Type    consul
Cluster Name    vault-cluster-e03a8aab
Cluster ID      8721ff61-c3a5-dd91-1229-6440b69d072d
HA Enabled      true
HA Cluster      https://192.168.10.111:8201
HA Mode         active
Active Since    2024-07-25T20:28:50.541824928+09:00

Checking the status and configuration of each node in the cluster

vault operator members
$ vault operator members
Host Name    API Address                   Cluster Address                Active Node    Version    Upgrade Version    Redundancy Zone    Last Echo
---------    -----------                   ---------------                -----------    -------    ---------------    ---------------    ---------
node111      http://192.168.10.111:8200    https://192.168.10.111:8201    true           1.17.2     n/a                n/a                n/a
node112      http://192.168.10.112:8200    https://192.168.10.112:8201    false          1.17.2     n/a                n/a                2024-07-25T20:44:24+09:00
node113      http://192.168.10.113:8200    https://192.168.10.113:8201    false          1.17.2     n/a                n/a                2024-07-25T20:44:21+09:00


If the cluster has been configured correctly, Vault's status information can be viewed from each server.
