Hello Guys,
Welcome back to my blog. A couple of weeks back I had to work on a specific client request: they wanted to change the passwords of the automation_user on all of their servers without interrupting the automation and daily operations, and they asked me how this can be achieved. They came to me with the problem statement below.
The problem statement is like this:
The business owns around 1000 servers
They want to change the password for the automation user
They want to rotate the password every 90 days
There should not be any interruption in operations
Since this exercise has to be repeated every 90 days, doing it by hand means doing it again and again, so it is best to automate it. That way we don't face the problem again and again and the rotation keeps running in the background.
So I recommended that we set up a vault and let the vault manage (store) the passwords. HashiCorp Vault is community driven and open source, so it is my choice. Below are the steps I have taken to set it up.
Download and unzip the Vault binary on the server
cd /opt/
sudo wget https://releases.hashicorp.com/vault/0.10.3/vault_0.10.3_linux_amd64.zip && sudo unzip vault_0.10.3_linux_amd64.zip -d .
Copy the binary to the appropriate path on the Linux system
sudo cp vault /usr/bin/
Create the config, data and logs directories so that Vault can store its data
sudo mkdir /etc/vault
sudo mkdir /vault-data
sudo mkdir -p /var/log/vault/
Create the config file with the configs below
sudo vi /etc/vault/config.json
Below is the config
Note: here 192.168.1.18 is the IP address of my server. Also note that "tls_disable": 1 makes Vault serve plain HTTP on every interface (0.0.0.0), so tokens and secrets cross the network in clear text; that is fine for a lab, but for production set tls_cert_file and tls_key_file in the listener and remove tls_disable.
{
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  }],
  "api_addr": "http://192.168.1.18:8200",
  "storage": {
    "file": {
      "path": "/vault-data"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
Create a service file to start, stop and restart the service
sudo vi /etc/systemd/system/vault.service
Below is the config
[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.json

[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/bin/vault server -config=/etc/vault/config.json
# systemd only accepts a log file here with the file: prefix (systemd 236 or newer); a bare path is rejected
StandardOutput=file:/var/log/vault/output.log
StandardError=file:/var/log/vault/error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
Start the service
sudo systemctl start vault.service
Check the status
sudo systemctl status vault.service
To connect from the command line, set VAULT_ADDR in the current shell and persist it in ~/.bashrc
export VAULT_ADDR=http://192.168.1.18:8200
echo "export VAULT_ADDR=http://192.168.1.18:8200" >> ~/.bashrc
Check the vault status
vault status
Initialise the Vault
vault operator init > /etc/vault/init.file
Access the Vault and unseal it from the UI using the keys available in the init.file at /etc/vault/init.file. Note that this file now holds all the unseal keys and the initial root token in plain text, so restrict it (chmod 600) and move the keys to their custodians once the Vault is unsealed; leaving all shares on the Vault server itself defeats the purpose of sealing.
http://IPADDRESS:8200/ui
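The init.file written above keeps every unseal key and the root token together. As an added example (not from the original post), this POSIX shell script splits that file into one 0600 file per share plus one for the root token, so the shares can be handed to separate custodians; the sample init output it contains is constructed, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: split the plain-text output of
# `vault operator init` into one 0600 file per unseal key plus one for the root
# token, so each share can go to a different custodian instead of all of them
# sitting together in /etc/vault/init.file. Assumes the 0.10.x output format
# ("Unseal Key N: <share>", "Initial Root Token: <token>"); the sample is constructed.

sample_init_output() {
    cat <<'EOF'
Unseal Key 1: share-one
Unseal Key 2: share-two
Unseal Key 3: share-three
Unseal Key 4: share-four
Unseal Key 5: share-five
Initial Root Token: root-token-value
Vault initialized with 5 key shares and a key threshold of 3.
EOF
}

# split_init_file <init.file> <out_dir>
# Writes out_dir/unseal-key-N and out_dir/root-token and prints the number of
# unseal keys found. Body is a subshell so the umask does not leak to the caller.
split_init_file() (
    init_file="$1"
    out_dir="$2"
    umask 077                      # files 0600, directory 0700
    mkdir -p "$out_dir" || exit 1
    count=0
    while IFS= read -r line; do
        case "$line" in
            "Unseal Key "[0-9]*:*)
                n=${line#Unseal Key }      # "N: <share>"
                n=${n%%:*}                 # "N"
                printf '%s\n' "${line#*: }" > "$out_dir/unseal-key-$n"
                count=$((count + 1))
                ;;
            "Initial Root Token:"*)
                printf '%s\n' "${line#*: }" > "$out_dir/root-token"
                ;;
        esac
    done < "$init_file"
    echo "$count"
)

# Demo: `sh split_init.sh --demo` splits the constructed sample into a temp dir.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_init_output > "$tmp/init.file"
    echo "wrote $(split_init_file "$tmp/init.file" "$tmp/keys") key files under $tmp/keys"
fi
```

Run it against the real /etc/vault/init.file, hand each unseal-key-N file to its custodian, and only then delete the original; each custodian unseals with vault operator unseal and their own share.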
Part 2 will cover the integration with AAP and how we can do it...