mirror of https://github.com/mainflux/mainflux.git synced 2025-05-11 19:29:16 +08:00


This is the Vault service deployment to be used with Mainflux.
When the Vault service is started, some initialization steps need to be done to set things up.
## Setup
The following scripts are provided, which work on the running Vault service in Docker.
1. `vault-init.sh`

   Calls `vault operator init` to perform the initial Vault initialization and generates
   a `data/secrets` file which contains the Vault unseal keys and root token.
   After this step, the corresponding Vault environment variables (`MF_VAULT_TOKEN`, `MF_VAULT_UNSEAL_KEY_1`,
   `MF_VAULT_UNSEAL_KEY_2`, `MF_VAULT_UNSEAL_KEY_3`) should be updated in the `.env` file.

   Example contents for `data/secrets`:

   ```
   Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI
   Unseal Key 2: P6hb7x2cglv0p61jdLyNE3+d44cJUOFaDt9jHFDfr8Df
   Unseal Key 3: zSBfDHzUiWoOzXKY1pnnBqKO8UD2MDLuy8DNTxNtEBFy
   Unseal Key 4: 5oJuDDuMI0I8snaw/n4VLNpvndvvKi6JlkgOxuWXqMSz
   Unseal Key 5: ZhsUkk2tXBYEcWgz4WUCHH9rocoW6qZoiARWlkE5Epi5

   Initial Root Token: s.V2hdd00P4bHtUQnoWZK2hSaS

   Vault initialized with 5 key shares and a key threshold of 3. Please securely
   distribute the key shares printed above. When the Vault is re-sealed,
   restarted, or stopped, you must supply at least 3 of these keys to unseal it
   before it can start servicing requests.

   Vault does not store the generated master key. Without at least 3 key to
   reconstruct the master key, Vault will remain permanently sealed!

   It is possible to generate new unseal keys, provided you have a quorum of
   existing unseal keys shares. See "vault operator rekey" for more information.
   ```

   Use 3 out of the five keys presented, put them into the `.env` file and then start the composition again; Vault should then be in the unsealed state. Note that this is not recommended in terms of security: this deployment is for development. A real production deployment can use Vault auto-unseal mode, where Vault gets the unseal keys from a third-party KMS (on AWS, for example).

2. `vault-unseal.sh`

   This can be run after the initialization to unseal Vault, which is necessary for it to be used to store and/or get
   secrets.
   The unseal environment variables need to be set in `.env` for the script to work.
   This script should not be necessary to run after the initial setup, since the Vault service unseals itself when
   starting the container.

3. `vault-set-pki.sh`

   This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate.
   After it runs, it copies the necessary certificates and keys to the `docker/ssl/certs` folder.
   The CA parameters are obtained from the environment variables starting with `MF_VAULT_CA` in the `.env` file.
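As an added example (not one of the Mainflux scripts above), the snippet below performs the `.env` update that step 1 asks for by hand: it pulls the first three unseal keys and the root token out of a `data/secrets` file in the layout shown above and replaces any stale `MF_VAULT_*` lines in `.env`, refusing to write anything if the threshold of three keys plus the token is not found. The `MF_VAULT_*` names and the file layout come from this README; the sample secrets and the extra `MF_SOME_OTHER_SETTING` line are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of Mainflux: update the MF_VAULT_* entries in .env
# from the `data/secrets` file written by `vault operator init`.
set -eu

# Constructed sample in the layout shown above (values are made up, not real keys).
SAMPLE_SECRETS='Unseal Key 1: AAAAexampleKey1
Unseal Key 2: BBBBexampleKey2
Unseal Key 3: CCCCexampleKey3
Unseal Key 4: DDDDexampleKey4
Unseal Key 5: EEEEexampleKey5
Initial Root Token: s.exampleRootToken
Vault initialized with 5 key shares and a key threshold of 3.'

# Print MF_VAULT_* assignments for the first three unseal keys (the threshold)
# and the root token found in the secrets file, one per line. Keys 4 and 5 are
# deliberately left out so they never land in .env.
secrets_to_env() {
  awk '
    /^Unseal Key [1-3]:/ { printf "MF_VAULT_UNSEAL_KEY_%s=%s\n", substr($3, 1, length($3) - 1), $4 }
    /^Initial Root Token:/ { printf "MF_VAULT_TOKEN=%s\n", $4 }
  ' "$1"
}

# Replace stale MF_VAULT_TOKEN / MF_VAULT_UNSEAL_KEY_1..3 lines in the env file
# with the values from the secrets file; every other setting is kept as it is.
update_env() {
  local env_file="$1" secrets_file="$2" new_lines count tmp
  new_lines="$(secrets_to_env "$secrets_file")"
  count="$(printf '%s\n' "$new_lines" | grep -c '^MF_VAULT_' || true)"
  if [ "$count" -ne 4 ]; then
    echo "expected 3 unseal keys and a root token in $secrets_file, found $count entries" >&2
    return 1
  fi
  [ -f "$env_file" ] || : > "$env_file"
  tmp="$(mktemp)"
  grep -v -E '^MF_VAULT_(TOKEN|UNSEAL_KEY_[1-3])=' "$env_file" > "$tmp" || true
  printf '%s\n' "$new_lines" >> "$tmp"
  mv "$tmp" "$env_file"
}

# Stand-alone run: write the constructed sample into a scratch directory and show the result.
demo() {
  local dir
  dir="$(mktemp -d)"
  printf '%s\n' "$SAMPLE_SECRETS" > "$dir/secrets"
  printf 'MF_VAULT_TOKEN=stale\nMF_SOME_OTHER_SETTING=keep\n' > "$dir/.env"
  update_env "$dir/.env" "$dir/secrets"
  cat "$dir/.env"
}
demo
```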
## Vault CLI
It can also be useful to run the Vault CLI for inspection and administration work.
This can be done directly using the Vault image in Docker: `docker run -it mainflux/vault:latest vault`
```
Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit       Interact with audit devices
    auth        Interact with auth methods
    debug       Runs the debug command
    kv          Interact with Vault's Key-Value storage
    lease       Interact with leases
    monitor     Stream log messages from a Vault server
    namespace   Interact with namespaces
    operator    Perform operator-specific tasks
    path-help   Retrieve API help for paths
    plugin      Interact with Vault plugins and catalog
    policy      Interact with policies
    print       Prints runtime configurations
    secrets     Interact with secrets engines
    ssh         Initiate an SSH session
    token       Interact with tokens
```
### Vault Web UI
The Vault Web UI is accessible by default on `http://localhost:8200/ui`.