Production Mode Vault
Learn how to run MPS and RPS using Vault in production server mode. The current local docker-compose file runs Vault in development mode which makes experimenting with the services easier since static tokens can be used for access and unsealing Vault is not required. The downside to this approach is that all Vault data is only stored in memory and is lost once the Vault container is stopped. Running Vault in production mode requires additional steps, but allows Vault data to persist on host filesystem after the container restarts.
Configure the Toolkit¶
-
Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide.
-
Update the vault section in the
docker-compose.yml
file with the section below.vault: restart: always image: "vault" networks: - openamtnetwork ports: - "8200:8200" volumes: - private-volume:/vault/data:rw - ./vault:/vault/config:rw environment: VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN} VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200 cap_add: - IPC_LOCK entrypoint: vault server -config=/vault/config/vault.json
-
Create a folder named
vault
located in./open-amt-cloud-toolkit
driectory and create a new file namedvault.json
with the contents below:{ "storage":{ "file":{ "path":"/vault/data" } }, "listener":{ "tcp":{ "address":"0.0.0.0:8200", "tls_disable": "true" } }, "default_lease_ttl":"168h", "max_lease_ttl":"0h", "ui":true, "log_level":"Debug" }
-
Run docker-compose to start the containers from the ./open-amt-cloud-toolkit directory.
docker-compose up -d --build
Initialize and Unseal Vault¶
-
Navigate to
http://localhost:8200
to initialize and unseal Vault.Danger - Download and Save Vault Keys
Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost.
-
Please refer to HashiCorp documentation on how to Initialize and unseal Vault. Stop and return here after signing in to Vault with the
root_token
. -
After initializing and unsealing the vault, you need to enable the Key Value engine.
-
Click Enable New Engine +.
-
Choose KV.
-
Click Next.
-
Leave the default path and choose version 2 from the drop down under Method Options.
-
Click Enable Engine.
Update ENV Variables¶
-
Open your
.env
file. -
Change the
SECRETS_PATH
tokv/data/
. -
Update the
VAULT_TOKEN
to the Root Token generated by Vault.Example - Vault Section of .env file
# VAULT SECRETS_PATH=kv/data/ VAULT_ADDRESS=http://vault:8200 VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I
-
Rebuild and restart your Docker images and containers.
docker-compose up -d --build
-
Unseal Vault at
http://localhost:8200
after restarting the container.
Next Steps¶
Continue from the Get Started steps to log in to the Sample Web UI and activate a device.