Production Mode Vault
Learn how to run MPS and RPS using Vault in production server mode. The current local docker-compose.yml
file runs Vault in development mode which makes experimenting with the services easier since static tokens can be used for access and unsealing Vault is not required. The downside to this approach is that all Vault data is only stored in memory and is lost once the Vault container is stopped. Running Vault in production mode requires additional steps, but allows Vault data to persist on host filesystem after the container restarts.
Configure the Toolkit¶
-
Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide.
-
Update the vault section in the
docker-compose.yml
file with the section below.vault: restart: always image: hashicorp/vault networks: - openamtnetwork ports: - "8200:8200" volumes: - private-volume:/vault/data:rw - ./vault:/vault/config:rw environment: VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN} VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200 cap_add: - IPC_LOCK entrypoint: vault server -config=/vault/config/vault.json
-
Create a folder named
vault
located in./open-amt-cloud-toolkit
directory and create a new file namedvault.json
in that folder with the contents below:{ "storage":{ "file":{ "path":"/vault/data" } }, "listener":{ "tcp":{ "address":"0.0.0.0:8200", "tls_disable": "true" } }, "default_lease_ttl":"168h", "max_lease_ttl":"0h", "ui":true, "log_level":"Debug" }
-
Run `docker compose`` to start the containers from the ./open-amt-cloud-toolkit directory.
docker compose up -d --build
Initialize and Unseal Vault¶
-
Navigate to
http://localhost:8200
to initialize and unseal Vault.Danger - Download and Save Vault Keys
Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost.
-
Please refer to HashiCorp documentation on how to Initialize and unseal Vault. Stop and return here after signing in to Vault with the
root_token
. -
After initializing and unsealing the vault, you need to enable the Key Value engine.
-
Click Enable New Engine +.
-
Choose KV.
-
Click Next.
-
Leave the default path and choose version 2 from the drop down under Method Options.
-
Click Enable Engine.
Update ENV Variables¶
-
Open your
.env
file. -
Change the
SECRETS_PATH
tokv/data/
. -
Update the
VAULT_TOKEN
to the Root Token generated by Vault.Example - Vault Section of .env file
# VAULT SECRETS_PATH=kv/data/ VAULT_ADDRESS=http://vault:8200 VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I
-
Rebuild and restart your Docker images and containers.
docker compose up -d --build
-
Unseal Vault at
http://localhost:8200
after restarting the container.
Next Steps¶
Continue from the Get Started steps to log in to the Sample Web UI and activate a device.