
Single Node Docker Install

We are going to focus on a Docker single node install, covering:

  • Persist Data
  • Private Certs
  • Gitlab SSO and JWT

To make this simple we will use the docker-toolkit project.

Clone Docker Toolkit (Optional)

If not already done, clone the docker toolkit repo:

git clone https://gitlab.com/D3vbd/docker-toolkit.git ~/docker-toolkit

This will set up the toolkit in the folder ~/docker-toolkit.

We will be using the vault folder:

~/docker-toolkit/vault

Configure

The config file is located at:

vault/vault.d/vault.hcl

DNS Name

By default the config is set up for vault.localhost.

api_addr     = "https://vault.localhost"
cluster_addr = "https://vault.localhost"

Tip: This can easily be changed to any domain.

If you want to use a different domain, edit those lines:

api_addr     = "https://vault.svc.lab"
cluster_addr = "https://vault.svc.lab"

Certificates

The certificates for the Vault server are set in the tcp listener:

listener "tcp" {
  address                 = "0.0.0.0:8200"
  cluster_address         = "0.0.0.0:8201"
  proxy_protocol_behavior = "use_always"

  tls_cert_file                      = "/vault/certs/vault.pem"
  tls_key_file                       = "/vault/certs/vault.key"
  tls_client_ca_file                 = "/vault/certs/ca.pem"
  tls_require_and_verify_client_cert = "false"
}

You can configure the listener further here; use the Vault docs as a guide.

Name             Host Location                            Container Location
CA Certificate   ~/docker-toolkit/vault/certs/ca.pem     /vault/certs/ca.pem
Certificate      ~/docker-toolkit/vault/certs/vault.pem  /vault/certs/vault.pem
Certificate Key  ~/docker-toolkit/vault/certs/vault.key  /vault/certs/vault.key

Info: The docker compose file controls the volume binding. If the host uses a different path, for example

~/vault/certs

instead of

~/docker-toolkit/vault/certs

adjust the bind mount in docker-compose.yml so it still maps to /vault/certs in the container.

Create New Certs

We can create the certificates using the scripts/gen_cert.sh script.

Make sure you have created a new CA, or that your existing CA is in place at:

ca-certificates/ca_name/ca_name.pem
ca-certificates/ca_name/ca_name.key

Tip: Create a New CA

################ Optional env var to set the cert project path
# export CERTS_PROJ_PATH="~/docker-toolkit"

############## New CA
./scripts/new_ca.sh \
    --ca-name my_ca_name \
    --certs-proj-path ~/docker-toolkit

############# Install CA
./scripts/install_ca.sh \
    --ca-name my_ca_name \
    --certs-proj-path ~/docker-toolkit

Run this script to generate a new certificate:

# $ca_name is the CA name used above (my_ca_name in the tip)
./scripts/gen_cert.sh \
    --certs-proj-path ~/docker-toolkit \
    --ca-name $ca_name \
    --cert-name vault \
    --days-valid "3650" \
    --subject-cn "vault.localhost" \
    --subject-alt-name "DNS:vault.localhost,DNS:localhost,DNS:vault_0,IP:127.0.0.1"

This will create a certificate and key at:

certificates/vault/vault.pem
certificates/vault/vault.key

Copy those certificates to the certs folder in vault/certs:

cp ~/docker-toolkit/certificates/vault/* ~/docker-toolkit/vault/certs/

Now copy the CA:

cp ~/docker-toolkit/ca-certificates/$ca_name/$ca_name.pem ~/docker-toolkit/vault/certs/ca.pem

Our Certificates are now prepared.
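As an added example (my own shell, not the docker-toolkit scripts), here is what new_ca.sh and gen_cert.sh amount to in plain openssl, followed by the checks worth running before the copy steps above: the leaf must chain to the CA, its SAN must list the exact hostname clients will connect with, and the key must belong to the certificate. Function names, the temporary directory layout and the use of OpenSSL 1.1.1+ options (`-ext`) are assumptions; the CA name, CN and SAN list are the ones from the page.

```shell
#!/bin/sh
# Added example (not the docker-toolkit scripts): a local CA and a Vault server
# certificate with plain openssl, plus the checks to run before copying the files
# into vault/certs. Function names and directory layout are assumptions; the CA
# name, CN and SAN list match the gen_cert.sh call on the page.
set -eu

# new_local_ca <dir> <ca_name>: self-signed CA valid 10 years. A private config
# file is used so nothing depends on the system openssl.cnf defaults.
new_local_ca() {
  dir=$1; name=$2
  mkdir -p "$dir"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\nprompt=no\n[dn]\nCN=%s\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    "$name" > "$dir/$name.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
  chmod 600 "$dir/$name.key"
}

# gen_server_cert <out_dir> <ca_dir> <ca_name> <cert_name> <cn> <san_list>
# Leaf certificate signed by the CA. Every name Vault is reached by must be in the
# SAN list: clients match the SAN, the CN alone is not enough.
gen_server_cert() {
  out=$1; ca_dir=$2; ca_name=$3; cert=$4; cn=$5; san=$6
  mkdir -p "$out"
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$cn" > "$out/$cert.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$out/$cert.cnf" \
    -keyout "$out/$cert.key" -out "$out/$cert.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$out/$cert.ext"
  openssl x509 -req -sha256 -days 3650 -in "$out/$cert.csr" \
    -CA "$ca_dir/$ca_name.pem" -CAkey "$ca_dir/$ca_name.key" -CAcreateserial \
    -extfile "$out/$cert.ext" -out "$out/$cert.pem" >/dev/null 2>&1
  chmod 600 "$out/$cert.key"
}

# verify_server_cert <ca_pem> <cert_pem> <hostname>: succeeds only if the cert chains
# to the CA and its SAN lists <hostname> exactly (needs OpenSSL 1.1.1+ for -ext).
verify_server_cert() {
  ca=$1; cert=$2; host=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$host"
}

# cert_matches_key <cert_pem> <key_pem>: the public key inside the cert is the key's.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# demo: same names as the page's gen_cert.sh invocation, in a temporary directory.
# Prints the directory; vault.pem, vault.key and my_ca_name.pem are what get copied
# into vault/certs (the CA as ca.pem).
demo() {
  work=$(mktemp -d)
  new_local_ca "$work/ca-certificates/my_ca_name" my_ca_name
  gen_server_cert "$work/certificates/vault" "$work/ca-certificates/my_ca_name" my_ca_name \
    vault vault.localhost "DNS:vault.localhost,DNS:localhost,DNS:vault_0,IP:127.0.0.1"
  verify_server_cert "$work/ca-certificates/my_ca_name/my_ca_name.pem" \
    "$work/certificates/vault/vault.pem" vault.localhost
  cert_matches_key "$work/certificates/vault/vault.pem" "$work/certificates/vault/vault.key"
  echo "$work"
}

command -v openssl >/dev/null 2>&1 && demo
```

Run it as `sh gen_vault_certs.sh`; it prints the temporary directory holding vault.pem, vault.key and my_ca_name.pem, which map onto the cp commands above. The SAN check uses an exact match on purpose: a certificate issued for vault.localhost does not cover vault, and a certificate whose SAN lacks the name in api_addr fails verification from every client that trusts ca.pem.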

Docker Compose

Now it's time to prepare the docker-compose.yml file.

Resource Limits

The default limits are set to:

  • cores: 2
  • memory: 2GB

services:
  vault:
    deploy:
      resources:
        limits:
          cpus: 2
          memory: "2048M"

Traefik Labels

If you want to use Traefik to expose your Vault, adjust the labels to match your setup:

services:
  vault:
    labels:
      ############ Traefik
      - "traefik.enable=true"
      - "traefik.http.routers.vault.entrypoints=websecure"
      - "traefik.http.routers.vault.rule=Host(`vault.localhost`)"
      - "traefik.http.routers.vault.tls=true"
      - "traefik.http.routers.vault.service=vault@docker"
      # backend port and scheme are service settings; Traefik does not read them on a router
      - "traefik.http.services.vault.loadbalancer.server.port=8200"
      - "traefik.http.services.vault.loadbalancer.server.scheme=https"
      #################### Health Check
      - "traefik.http.services.vault.loadbalancer.healthcheck.followredirects=true"
      - "traefik.http.services.vault.loadbalancer.healthcheck.hostname=vault"
      - "traefik.http.services.vault.loadbalancer.healthcheck.interval=10s"
      - "traefik.http.services.vault.loadbalancer.healthcheck.path=/v1/sys/health"
      - "traefik.http.services.vault.loadbalancer.healthcheck.method=GET"
      - "traefik.http.services.vault.loadbalancer.healthcheck.port=8200"
      - "traefik.http.services.vault.loadbalancer.healthcheck.scheme=https"
      - "traefik.http.services.vault.loadbalancer.healthcheck.timeout=5s"

Proxy Network

If not yet created, create the proxy docker network:

sudo docker network create proxy

Startup

Start the Vault server container using docker compose:

sudo docker compose up -d

Visit the UI at https://vault.localhost:8200

Unseal Keys and Root Token

To make it simple you can just pick 1 key share. This will require only 1 unseal key to unseal the vault on restarts.

Save the Root Token and Unseal Key. They are IMPORTANT!

Dummy values:

{
  "keys": [
    "3e8fa60625e30f23a48be33bf9ce6b4a34887f24985e53229a57bdc63b1a19d3"
  ],
  "keys_base64": [
    "Po+mBiXjDyOki+M7+c5rSjSIfySYXlMimle9xjsaGdM="
  ],
  "root_token": "hvs.AhOoxTm7etEZG1hzzdMcm2Ev"
}
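The init output is the one secret bundle this install produces, so here is how I would handle it once downloaded from the UI (the same shape that PUT /v1/sys/init returns): an added shell example, not from the page or the toolkit, with the page's dummy values embedded as a constructed sample. `init_field` is a deliberately small extractor for this one document shape, not a JSON parser; function names and file paths are assumptions. `keys_consistent` checks that keys_base64 decodes to the same bytes as keys, and `valid_unseal_key` accepts the 32-byte key of a single share as on this page, or the 33-byte Shamir share produced when key-shares is greater than 1.

```shell
#!/bin/sh
# Added example (not from the page or docker-toolkit): handling the JSON the UI
# lets you download after init (the /v1/sys/init response shape). The sample
# below is the page's dummy init output; function names and paths are assumptions.
set -eu

# Constructed sample: the page's dummy values (1 key share, threshold 1)
INIT_JSON='{
  "keys": [
    "3e8fa60625e30f23a48be33bf9ce6b4a34887f24985e53229a57bdc63b1a19d3"
  ],
  "keys_base64": [
    "Po+mBiXjDyOki+M7+c5rSjSIfySYXlMimle9xjsaGdM="
  ],
  "root_token": "hvs.AhOoxTm7etEZG1hzzdMcm2Ev"
}'

# init_field <json> <field>: first string value of <field>, scalar or array.
# Sized for the init document only; it is not a general JSON parser.
init_field() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\[\{0,1\}[[:space:]]*"\([^"]*\)".*/\1/p'
}

# valid_unseal_key <hex>: 64 hex chars (32-byte key, single share as on this page)
# or 66 hex chars (33-byte Shamir share when key-shares > 1).
valid_unseal_key() {
  printf '%s' "$1" | grep -Eq '^([0-9a-f]{64}|[0-9a-f]{66})$'
}

# keys_consistent <json>: keys_base64 must decode to exactly the bytes in keys;
# a mismatch means the saved file was mangled in transit.
keys_consistent() {
  hex=$(init_field "$1" keys)
  b64=$(init_field "$1" keys_base64)
  decoded=$(printf '%s' "$b64" | base64 -d | od -An -tx1 | tr -d ' \n')
  [ -n "$hex" ] && [ "$decoded" = "$hex" ]
}

# save_init_output <json> <path>: owner-only file, created under a restrictive
# umask so it is never world-readable, not even briefly.
save_init_output() {
  ( umask 077; printf '%s\n' "$1" > "$2" )
  chmod 600 "$2"
}

# file_mode <path>: symbolic mode string (ls output is the same on GNU and BSD).
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# unseal_body <hex_key>: request body for PUT /v1/sys/unseal.
unseal_body() {
  printf '{"key":"%s"}' "$1"
}

# Demo: validate the sample, store it 0600, and show the unseal call that follows.
demo() {
  key=$(init_field "$INIT_JSON" keys)
  valid_unseal_key "$key"
  keys_consistent "$INIT_JSON"
  out=$(mktemp)
  save_init_output "$INIT_JSON" "$out"
  echo "init output stored at $out, mode $(file_mode "$out")"
  # The real unseal call against the listener from vault.hcl (not executed here):
  # curl --cacert ~/docker-toolkit/vault/certs/ca.pem -X PUT \
  #   https://vault.localhost:8200/v1/sys/unseal -d "$(unseal_body "$key")"
  echo "unseal request body prepared ($(unseal_body "$key" | wc -c) bytes)"
}
demo
```

With one share and a threshold of one, the single unseal key alone brings the vault up, so it deserves the same handling as the root token: keep it out of shell history and world-readable files, and prefer the 0600 file `save_init_output` writes over pasting it into a terminal. The commented curl line shows the API form of the unseal step against the listener configured earlier, using ca.pem from vault/certs as the trust anchor.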

Now we are ready to start using our vault.