Production Mode Vault

Learn how to run MPS and RPS using Vault in production server mode. The current local docker-compose file runs Vault in development mode which makes experimenting with the services easier since static tokens can be used for access and unsealing Vault is not required. The downside to this approach is that all Vault data is only stored in memory and is lost once the Vault container is stopped. Running Vault in production mode requires additional steps, but allows Vault data to persist after the container restarts.

Configure the Toolkit¶

1. Follow steps to Get the Toolkit, Set Environment Variables, and Set Kong JSON Web Token in the Get Started guide.

2. Update the vault section in the docker-compose.yml file with the section below.

   vault:
       image: "vault"
       networks:
         - openamtnetwork
       ports: 
         - "8200:8200"
       volumes:
         - private-volume:/vault/data:rw
         - ./vault:/vault/config:rw
       environment: 
         VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
         VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
       cap_add: 
         - IPC_LOCK
       entrypoint: vault server -config=/vault/config/vault.json
   

3. Create a folder named vault located in ./open-amt-cloud-toolkit driectory and create a new file named vault.json with the contents below:

   {
       "storage":{
           "file":{
               "path":"/vault/data"
           }
       },
       "listener":{
           "tcp":{
               "address":"0.0.0.0:8200",
               "tls_disable": "true"
           }
       },
       "default_lease_ttl":"168h",
       "max_lease_ttl":"0h",
       "ui":true,
       "log_level":"Debug"
   }
   

4. Run docker-compose to start the containers from the ./open-amt-cloud-toolkit directory.

   docker-compose up -d --build
   

Initialize and Unseal Vault¶

1. Navigate to http://localhost:8200 to initialize and unseal Vault.

   Danger - Download and Save Vault Keys

   Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost.

2. Please refer to HashiCorp documentation on how to Initialize and unseal Vault. Stop and return here after signing in to Vault with the root_token.

3. After initializing and unsealing the vault, you need to enable the Key Value engine.

4. Click Enable New Engine +.

5. Choose KV.

6. Click Next.

7. Leave the default path and choose version 2 from the drop down under Method Options.

8. Click Enable Engine.

Update ENV Variables¶

1. Open your .env file.

2. Change the SECRETS_PATH to kv/data/.

3. Update the VAULT_TOKEN to the Root Token generated by Vault.

   Example - Vault Section of .env file

   # VAULT
   SECRETS_PATH=kv/data/
   VAULT_ADDRESS=http://vault:8200
   VAULT_TOKEN=s.Mw7t070naY4PfyJk5KEkcX3I
   

4. Rebuild and restart your Docker images and containers.

   docker-compose up -d --build
   

5. Unseal Vault at https://localhost:8200 after restarting the container.

Next Steps¶

Continue from the Get Started steps to log in to the Sample Web UI and activate a device.