
Production Mode Vault

Learn how to run MPS and RPS against Vault in production (server) mode. The local docker-compose.yml file currently runs Vault in development mode, which makes experimenting with the services easier: a static root token can be used for access and Vault never needs to be unsealed. The downside is that development mode keeps all Vault data in memory only, so it is lost as soon as the Vault container stops. Running Vault in production mode requires a few additional steps (initializing, unsealing after every restart, and managing the unseal keys and root token), but Vault data then persists on the host filesystem across container restarts.

Configure the Toolkit

  1. Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide.

  2. Replace the vault section in the docker-compose.yml file with the section below. The entrypoint starts Vault from the config file created in step 3, so the VAULT_DEV_* variables used by development mode are no longer needed (they are ignored by `vault server -config` and would only expose the root token in the container environment).

    vault:
        restart: always
        image: hashicorp/vault
        networks:
          - openamtnetwork
        ports:
          # Publishes the API/UI on the host. The listener is plaintext (tls_disable in
          # vault.json), so do not expose this port beyond the local machine.
          - "8200:8200"
        volumes:
          # Persistent file storage backend; private-volume must be declared under the
          # top-level volumes: key of the compose file.
          - private-volume:/vault/data:rw
          # Holds vault.json from step 3.
          - ./vault:/vault/config:rw
        cap_add:
          # Lets Vault mlock() its memory so unsealed key material is never swapped to disk.
          - IPC_LOCK
        entrypoint: vault server -config=/vault/config/vault.json
    

  3. Create a folder named vault in the ./open-amt-cloud-toolkit directory and create a new file named vault.json in that folder with the contents below. Two settings are worth knowing about: `"tls_disable": "true"` makes the listener plaintext, which is only acceptable because MPS and RPS reach Vault over the internal compose network and the published port stays on the local host; and `"log_level": "Debug"` is very verbose, so lower it to `info` once the setup works.

    {
        "storage":{
            "file":{
                "path":"/vault/data"
            }
        },
        "listener":{
            "tcp":{
                "address":"0.0.0.0:8200",
                "tls_disable": "true"
            }
        },
        "default_lease_ttl":"168h",
        "max_lease_ttl":"0h",
        "ui":true,
        "log_level":"Debug"
    }
    

  4. Run `docker compose` from the ./open-amt-cloud-toolkit directory to start the containers.

    docker compose up -d --build
    

Initialize and Unseal Vault

  1. Navigate to http://localhost:8200 to initialize and unseal Vault.

    Danger - Download and Save Vault Keys

    Make sure to download the unseal keys and the root token when initializing Vault and save them in a secure location outside the host (a password manager or an HSM-backed secret store, not the repository). The unseal keys are needed after every container restart; if they are lost, the data on the volume can never be unsealed again, a new Vault will have to be initialized, and any stored data will be lost.

  2. Please refer to HashiCorp documentation on how to Initialize and unseal Vault. Stop and return here after signing in to Vault with the root_token.

  3. After initializing and unsealing Vault, enable the Key/Value (KV) secrets engine that MPS and RPS store device credentials in.

  4. Click Enable New Engine +.

  5. Choose KV.

  6. Click Next.

  7. Leave the default path (kv) and choose version 2 from the drop-down under Method Options.

  8. Click Enable Engine.

Update ENV Variables

  1. Open your .env file.

  2. Change the SECRETS_PATH to kv/data/. KV version 2 stores secret data under the data/ prefix of the mount, which is why the path is kv/data/ rather than kv/.

  3. Update the VAULT_TOKEN to the Root Token generated by Vault. The root token has unrestricted access to everything in Vault, so treat the .env file as a secret.

    Example - Vault Section of .env file

    # VAULT
    SECRETS_PATH=kv/data/
    VAULT_ADDRESS=http://vault:8200
    VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I
    
  4. Rebuild and restart your Docker images and containers.

    docker compose up -d --build
    
  5. Unseal Vault at http://localhost:8200 after the container restarts. Vault comes up sealed after every restart, and MPS and RPS cannot read or write secrets until it is unsealed again.
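The "Initialize and Unseal Vault" and "Update ENV Variables" steps above are all UI clicks, which is awkward to repeat after every container restart. The following script is an added example (it is not part of the toolkit or of the HashiCorp documentation) that performs the same sequence over the Vault HTTP API: initialize once, unseal with a threshold of keys, mount KV version 2 at kv, and then, as a hardening step, create a scoped token limited to the SECRETS_PATH instead of putting the root token into .env. It assumes the compose setup on this page (Vault at http://localhost:8200 with TLS disabled); the endpoint paths are real Vault API paths, while the share/threshold counts, the policy name toolkit-kv, the token TTL and the file name vault-init.json are assumptions to adjust. It also assumes MPS and RPS only need KV access under SECRETS_PATH; if either logs a permission-denied error with the scoped token, widen the policy rather than falling back to root.

```python
"""Bootstrap a production-mode Vault for MPS/RPS over the Vault HTTP API.

Added example, not toolkit code. Assumed: Vault at VAULT_ADDR with TLS
disabled, SECRETS_PATH=kv/data/ as in .env, policy name and TTL below.
"""
import json
import os
import urllib.request
from pathlib import Path

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://localhost:8200")
KEY_FILE = Path("vault-init.json")  # assumed location of the saved init output
SECRETS_PATH = "kv/data/"            # must match SECRETS_PATH in .env
POLICY_NAME = "toolkit-kv"           # assumed policy name


def vault(method, path, body=None, token=None):
    """One JSON round trip to the Vault API; returns {} for 204 responses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def init_payload(shares=5, threshold=3):
    """Shamir parameters: any 'threshold' of the 'shares' unseal keys unseal Vault."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and shares")
    return {"secret_shares": shares, "secret_threshold": threshold}


def keys_to_submit(keys, threshold):
    """Pick the first 'threshold' unseal keys; submitting more is redundant."""
    if len(keys) < threshold:
        raise ValueError(f"need {threshold} unseal keys, have {len(keys)}")
    return list(keys[:threshold])


def kv_policy(secrets_path):
    """Least-privilege ACL derived from SECRETS_PATH. KV v2 serves secret
    versions under <mount>/data/ and their index under <mount>/metadata/."""
    mount, sep, _ = (secrets_path.rstrip("/") + "/").partition("/data/")
    if not sep or not mount:
        raise ValueError("SECRETS_PATH must be a KV v2 data path such as kv/data/")
    return (
        f'path "{mount}/data/*" {{\n'
        '  capabilities = ["create", "read", "update", "delete", "list"]\n}\n'
        f'path "{mount}/metadata/*" {{\n'
        '  capabilities = ["read", "list", "delete"]\n}\n'
    )


def bootstrap():
    status = vault("GET", "sys/seal-status")
    if not status["initialized"]:
        init = vault("POST", "sys/init", init_payload())
        KEY_FILE.write_text(json.dumps(init, indent=2))
        os.chmod(KEY_FILE, 0o600)  # unseal keys + root token: guard like a private key
        print(f"saved unseal keys and root token to {KEY_FILE}; move them off this host")
    if not KEY_FILE.exists():
        raise SystemExit(f"{KEY_FILE} missing: Vault is initialized but its keys are not here")
    init = json.loads(KEY_FILE.read_text())
    status = vault("GET", "sys/seal-status")
    if status["sealed"]:  # every container restart lands here; 't' is the threshold
        for key in keys_to_submit(init["keys_base64"], status["t"]):
            status = vault("POST", "sys/unseal", {"key": key})
        if status["sealed"]:
            raise RuntimeError("submitted threshold keys but Vault is still sealed")
    root = init["root_token"]
    mount = SECRETS_PATH.split("/")[0]
    mounts = vault("GET", "sys/mounts", token=root)
    if f"{mount}/" not in mounts and f"{mount}/" not in mounts.get("data", {}):
        vault("POST", f"sys/mounts/{mount}", {"type": "kv", "options": {"version": "2"}},
              token=root)
    vault("PUT", f"sys/policies/acl/{POLICY_NAME}", {"policy": kv_policy(SECRETS_PATH)},
          token=root)
    scoped = vault("POST", "auth/token/create",
                   {"policies": [POLICY_NAME], "ttl": "768h", "renewable": True,
                    "display_name": "mps-rps"}, token=root)["auth"]["client_token"]
    # Prove the scoped token can write, read and delete under SECRETS_PATH, then clean up.
    vault("POST", f"{SECRETS_PATH}smoke-test", {"data": {"ok": "yes"}}, token=scoped)
    back = vault("GET", f"{SECRETS_PATH}smoke-test", token=scoped)["data"]["data"]["ok"]
    vault("DELETE", f"{mount}/metadata/smoke-test", token=scoped)
    print(f"smoke test read back: {back}")
    print(f"# VAULT\nSECRETS_PATH={SECRETS_PATH}\nVAULT_ADDRESS=http://vault:8200\n"
          f"VAULT_TOKEN={scoped}")


if __name__ == "__main__":
    bootstrap()
```

Run it once after `docker compose up` to initialize, and again after each restart to unseal; the printed VAULT section can be pasted into .env in place of the root token. The scoped token expires after its TTL (768h here), so renew it with `vault token renew` before then or create a new one with this script. Keep vault-init.json off the host once the keys are stored elsewhere; anyone holding a threshold of unseal keys plus the root token owns every secret MPS and RPS store.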

Next Steps

Continue from the Get Started steps to log in to the Sample Web UI and activate a device.