Vagrantfiles for setting up Vault and etcd
# -*- mode: ruby -*-
# vi: set ft=ruby :
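# Provisioning script: installs Go 1.12.7 from the official tarball.
# Not wired into Vagrant.configure below (the etcd tarball is prebuilt);
# kept for manual use.
# Fixes over the original: the tarball was extracted without checking the
# digest Google publishes next to it, `mv go /usr/local` failed on a second
# run, and the `export`s only lived for the provisioner's own shell.
$install_go = <<-SCRIPT
set -e
GO_TARBALL=go1.12.7.linux-amd64.tar.gz
sudo apt-get update -y
cd /tmp
wget -q https://dl.google.com/go/${GO_TARBALL}
wget -q https://dl.google.com/go/${GO_TARBALL}.sha256
# The .sha256 file holds the bare hex digest; pin the download to it before
# anything from the archive is unpacked.
echo "$(cat ${GO_TARBALL}.sha256)  ${GO_TARBALL}" | sha256sum -c -
# Documented install: remove any previous tree, then extract under /usr/local.
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf ${GO_TARBALL}
cd ~
mkdir -p go/bin
# Persist the toolchain paths for future logins; the exports further down
# only affect the remainder of this script.
cat <<'EOF' | sudo tee /etc/profile.d/go.sh >/dev/null
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
EOF
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
SCRIPT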
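# For easy setup: http://play.etcd.io/install
#
# Provisioning script: installs etcd v3.3.8 and runs a single member ("s1")
# as a systemd unit. Used by the etcd Vagrantfile below.
# Fixes over the original: curl now aborts on HTTP errors instead of handing
# an error page to tar, the archive can be pinned to a SHA-256, and the script
# stops at the first failing step.
$install_etcd = <<-SCRIPT
set -e
#
# Install ETCD
#
ETCD_VER=v3.3.8
# Expected SHA-256 of the linux-amd64 tarball, taken from the release's
# checksum asset. Empty skips the check.
# PLACEHOLDER: fill in before trusting this box with real data.
ETCD_SHA256=""
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/coreos/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
ARCHIVE=/tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -f ${ARCHIVE}
rm -rf /tmp/test-etcd && mkdir -p /tmp/test-etcd
# -f: a non-2xx response fails the download instead of saving an HTML page
curl -fL ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o ${ARCHIVE}
if [ -n "${ETCD_SHA256}" ]; then
  echo "${ETCD_SHA256}  ${ARCHIVE}" | sha256sum -c -
fi
tar xzf ${ARCHIVE} -C /tmp/test-etcd --strip-components=1
sudo cp /tmp/test-etcd/etcd* /usr/local/bin
/usr/local/bin/etcd --version
ETCDCTL_API=3 /usr/local/bin/etcdctl version
#
# Setup first ETCD server
#
# make sure etcd process has write access to this directory
# remove this directory if the cluster is new; keep if restarting etcd
# rm -rf /tmp/etcd/s1
# to write service file for etcd
#
# NOTE: client and peer endpoints are plaintext and unauthenticated; the
# host-only private_network is the only boundary. Bind to 192.168.99.3 and
# enable etcd auth/TLS before reusing this outside a lab. Advertising
# 0.0.0.0 is only harmless because vault.hcl sets sync = "false".
# The trailing backslashes below are folded by Ruby's interpolating heredoc,
# so systemd receives ExecStart as a single line (which it accepts).
cat > /tmp/s1.service <<'EOF'
[Unit]
Description=etcd
Documentation=https://github.com/coreos/etcd
Conflicts=etcd.service
Conflicts=etcd2.service
[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/usr/local/bin/etcd --name s1 \
--data-dir /tmp/etcd/s1 \
--listen-client-urls http://0.0.0.0:2379 \
--advertise-client-urls http://0.0.0.0:2379 \
--listen-peer-urls http://0.0.0.0:2380 \
--initial-advertise-peer-urls http://0.0.0.0:2380 \
--initial-cluster s1=http://0.0.0.0:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new
[Install]
WantedBy=multi-user.target
EOF
sudo mv /tmp/s1.service /etc/systemd/system/s1.service
#
# Enable and run all ETCD servers
#
sudo systemctl daemon-reload
sudo systemctl enable s1.service
sudo systemctl start s1.service
SCRIPT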
# etcd member box. The Vault box's storage stanza targets 192.168.99.3:2379,
# so the IP here is part of the contract between the two Vagrantfiles.
# $install_go is deliberately not provisioned: the etcd tarball is prebuilt.
Vagrant.configure('2') do |config|
  config.vm.box      = 'ubuntu/xenial64'
  config.vm.hostname = 'etcd-box'
  config.vm.network  'private_network', ip: '192.168.99.3'
  config.vm.provision 'shell', inline: $install_etcd
end
# -*- mode: ruby -*-
# vi: set ft=ruby :
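# Provisioning script: installs Vault 1.2.2, a hardened systemd unit, and a
# config that uses the etcd box (192.168.99.3:2379) as HA storage.
# Fixes over the original: the downloaded SHA256SUMS file is now actually
# checked, curl fails on HTTP errors, the unit file is written through a
# quoted heredoc (the unquoted one expanded $MAINPID to "" at provisioning
# time, leaving ExecReload without a PID), downloads no longer litter
# /usr/local/bin, and the script survives re-provisioning.
$install_vault = <<-SCRIPT
set -e
# Download and install
VAULT_VERSION="1.2.2"
RELEASE_URL=https://releases.hashicorp.com/vault/${VAULT_VERSION}
WORKDIR=$(mktemp -d)
cd "${WORKDIR}"
curl --silent --fail --remote-name ${RELEASE_URL}/vault_${VAULT_VERSION}_linux_amd64.zip
curl --silent --fail --remote-name ${RELEASE_URL}/vault_${VAULT_VERSION}_SHA256SUMS
curl --silent --fail --remote-name ${RELEASE_URL}/vault_${VAULT_VERSION}_SHA256SUMS.sig
# Pin the zip to the published digest before anything from it lands on PATH.
# TODO: also gpg --verify the .sig; that needs HashiCorp's release key
# imported first (fingerprint: see the Vault download docs), so it is left
# out here to keep the script runnable without a keyring.
grep "vault_${VAULT_VERSION}_linux_amd64.zip" vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c -
unzip -o vault_${VAULT_VERSION}_linux_amd64.zip
sudo install -o root -g root -m 0755 vault /usr/local/bin/vault
# Enable mlock support
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
# Create user Vault (skip if it already exists so re-runs do not abort)
id vault >/dev/null 2>&1 || sudo useradd --system --home /etc/vault.d --shell /bin/false vault
cd ~
rm -rf "${WORKDIR}"
vault version
# Quoted delimiter: $MAINPID must reach systemd literally, not be expanded now.
cat > /etc/systemd/system/vault.service <<'EOF'
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
EOF
# Vault config dir
# (this export only lasts for the rest of this script, not for logins)
export VAULT_ADDR='http://0.0.0.0:8200'
sudo mkdir -p /etc/vault.d
# NOTE: tls_disable = "true" plus a 0.0.0.0 listener means tokens and
# secrets cross the private_network in plaintext; lab use only.
cat > /etc/vault.d/vault.hcl <<'EOF'
storage "etcd" {
# List all ETCD servers
# address = "http://192.168.99.3:2379,http://192.168.99.3:22379,http://192.168.99.3:32379"
address = "http://192.168.99.3:2379"
etcd_api = "v3"
ha_enabled = "true"
# Set to false if there is only one ETCD server or ETCD servers is behind proxy-server
sync = "false"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = "true"
}
api_addr = "http://192.168.99.2:8200"
EOF
sudo systemctl enable vault
sudo systemctl start vault
SCRIPT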
# Vault box. api_addr in vault.hcl is hard-coded to 192.168.99.2, so this IP
# must stay in sync with the provisioning script above.
Vagrant.configure('2') do |config|
  config.vm.box      = 'ubuntu/xenial64'
  config.vm.hostname = 'vault-box'
  config.vm.network  'private_network', ip: '192.168.99.2'
  # unzip is required by $install_vault, so the package step runs first.
  config.vm.provision 'shell', inline: <<~SHELL
    sudo apt-get update
    sudo apt-get install unzip -y
  SHELL
  config.vm.provision 'shell', inline: $install_vault
end