Hashicorp Vault: HA with Consul

在建置Vault时，因为以有使用Consul,所以它作为早期HA的solution,设定上非常简单,但随着Vault使用量大增，为减少Consul的负担，资料透过网路传输的时间及风险，後来改为Integrated Storage.

Vault设定

...
storage "consul" {
  service = "vault"
  token = "xxx-xxxx-xxx-xxx" # Consul token
  address = "10.x.x.x:8500"
  path    = "vault/"
  check_timeout = "3s"
  max_parallel = "800"
  scheme = "https"
  tls_ca_file = "/vault/vault-ca.cer"
  tls_cert_file = "/vault/vault-cert.cer"
  tls_key_file = "/vault/vualt-key.key"
}
api_addr =  "https://10.x.x.x:8200"
cluster_addr = "https://10.x.x.x:8200"
...

Consul 设定

因为Consul有设定ACL, 所以任何连线要使用Consul都建立ACL policy, 并create token,上方设定的token就是Consul产生的。

{
  "key_prefix": {
    "vault/": {
      "policy": "write"
    }
  },
  "node_prefix": {
    "": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent_prefix": {
    "": {
      "policy": "write"
    }
  },
  "session_prefix": {
    "": {
      "policy": "write"
    }
  }
}