vault官方没有提供图形界面功能,比较了几个开源的图形界面以后,认为goldfish的功能相对完善。前端
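#!/usr/bin/env bash
# Build the goldfish frontend and backend, grant the binary the memory-lock
# capability, write a TLS-enabled config and start the server.
# Requires: git, go (with GOPATH set), sudo.
set -euo pipefail

: "${GOPATH:?GOPATH must be set}"

# Install directory for the built frontend, owned by the current user.
# The original `chown \`whoami:whoami\`` ran a command literally named
# "whoami:whoami" and passed no target path at all.
sudo mkdir -p /opt/goldfish
sudo chown "$(whoami):$(whoami)" /opt/goldfish

git clone https://github.com/Caiyeon/goldfish.git
cd goldfish

# Build the frontend bundle
bash build.sh
mv frontend /opt/goldfish/

# Build the goldfish backend
go get github.com/caiyeon/goldfish
cd "$GOPATH/src/github.com/caiyeon/goldfish"
go build
# /usr/local/bin is normally root-owned, so the copy needs sudo just like
# the setcap step below.
sudo install -m 0755 goldfish /usr/local/bin/goldfish
# cap_ipc_lock lets goldfish mlock() its memory (keeps secrets out of swap)
# without having to run as root.
sudo setcap cap_ipc_lock=+ep "$(readlink -f "$(command -v goldfish)")"

# Generate the config file. Quoted delimiter: nothing in the body is expanded.
# The certificate paths below are relative; keep the ca/ directory next to
# config.hcl in the directory goldfish is started from.
cat <<'EOF' > config.hcl
listener "tcp" {
  # Listens on every interface; bind to a specific address or firewall
  # port 8000 if the host has interfaces that should not expose the UI.
  address = "0.0.0.0:8000"
  # Enable https
  tls_disable = 0
  tls_cert_file = "ca/goldfish-server.crt"
  tls_key_file = "ca/goldfish-server.key"
}

vault {
  address = "https://vault:8200"
  approle_id = "goldfish"
  # vault's root CA certificate
  ca_cert = "ca/ca.crt"
}
EOF

## Start goldfish
goldfish -config=./config.hcl
# Access goldfish at
# https://<goldfish-server-ip>:8000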
由于goldfish是利用approle来对vault进行访问,因此需要在vault里面对goldfish进行配置git
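#!/usr/bin/env bash
# Configure Vault so goldfish can authenticate through AppRole.
# Requires: the vault CLI logged in with a token allowed to manage auth
# backends, policies and the secret/ path. Strict mode aborts on the first
# failed step so a later command never references a policy or role that
# was not actually created.
set -euo pipefail

# Enable AppRole authentication
vault auth-enable approle
# Create the goldfish policy (file shipped in the goldfish repo; path is
# relative to the directory the repo was cloned into)
vault policy-write goldfish goldfish/vagrant/policies/goldfish.hcl
# Create the AppRole role and attach the policies.
# secret_id_num_uses=1 / secret_id_ttl=5m: every secret-id is single-use and
# short-lived. period=24h issues periodic (renewable) tokens; token_ttl /
# token_max_ttl of 0 fall back to the mount defaults.
vault write auth/approle/role/goldfish \
  role_name=goldfish \
  policies=default,goldfish \
  secret_id_num_uses=1 \
  secret_id_ttl=5m \
  period=24h \
  token_ttl=0 \
  token_max_ttl=0
# Fixed role_id matching approle_id in goldfish's config.hcl. The role_id is
# not a secret on its own; the secret-id generated below is the credential.
vault write auth/approle/role/goldfish/role-id role_id=goldfish
# Runtime settings goldfish reads from Vault
vault write secret/goldfish \
  DefaultSecretPath="secret/" \
  UserTransitKey="goldfish" \
  BulletinPath="secret/bulletins/"
# Generate a response-wrapped secret-id used to unseal goldfish. The wrapping
# token expires after 5 minutes, so hand it to goldfish promptly; rerun this
# command if it lapses.
vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id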
开始使用吧!github