vault - graphical interface

Vault does not ship an official graphical interface. After comparing several open-source GUIs, goldfish's feature set looked the most complete.

Deploying goldfish

sudo mkdir -p /opt/goldfish && sudo chown "$(whoami):$(whoami)" /opt/goldfish

git clone https://github.com/Caiyeon/goldfish.git
cd goldfish

# build the frontend files
bash build.sh
mv frontend /opt/goldfish/

# build the goldfish backend binary
go get github.com/caiyeon/goldfish
cd $GOPATH/src/github.com/caiyeon/goldfish
go build
sudo mv goldfish /usr/local/bin/
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which goldfish))

# write the config file
cat << EOF > config.hcl
listener "tcp" {
    address          = "0.0.0.0:8000"
    # enable https
    tls_disable      = 0
    tls_cert_file    = "ca/goldfish-server.crt"
    tls_key_file     = "ca/goldfish-server.key"
}

vault {
    address         = "https://vault:8200"
    approle_id      = "goldfish"
    # Vault's root CA certificate
    ca_cert         = "ca/ca.crt"
}
EOF

# start goldfish
goldfish -config=./config.hcl
# open goldfish in a browser
# https://<goldfish server IP>:8000


Initializing goldfish

Because goldfish accesses Vault through AppRole, goldfish has to be configured on the Vault side first.

# enable the AppRole auth backend
vault auth-enable approle

# create a policy for goldfish
vault policy-write goldfish goldfish/vagrant/policies/goldfish.hcl

# create the AppRole role and attach the policies
vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0

vault write auth/approle/role/goldfish/role-id role_id=goldfish

vault write secret/goldfish DefaultSecretPath="secret/" UserTransitKey="goldfish" BulletinPath="secret/bulletins/"

# generate a response-wrapped secret-id to unseal goldfish
vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
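The following is an added example, not code from the goldfish project or from this post. It is a small Python lint for the two artefacts produced above: goldfish's config.hcl (listener and vault stanzas) and the role definition that `vault read -format=json auth/approle/role/goldfish` returns. It checks the properties the setup relies on: TLS on the goldfish listener, an https Vault address with a pinned CA, a secret-id that is single-use, short-lived and bound to the role, a periodic token so goldfish keeps its access, and the goldfish policy attached. Both inputs are embedded as constructed samples mirroring the values written above; `parse_hcl` and `lint` are names chosen here, and the parser only handles the flat stanza layout goldfish uses.

```python
"""Lint a goldfish deployment for the properties its AppRole setup relies on.

Added example (not goldfish's or Vault's own code). Inputs:
  * goldfish's config.hcl text (listener and vault stanzas)
  * the JSON returned by `vault read -format=json auth/approle/role/goldfish`
Both samples below are constructed; the role JSON mirrors the values written
in the setup above, with TTLs in seconds as the CLI returns them.
"""
import json
import re

# Constructed sample: the config.hcl from the deployment section.
CONFIG_HCL = """
listener "tcp" {
    address          = "0.0.0.0:8000"
    # enable https
    tls_disable      = 0
    tls_cert_file    = "ca/goldfish-server.crt"
    tls_key_file     = "ca/goldfish-server.key"
}

vault {
    address         = "https://vault:8200"
    approle_id      = "goldfish"
    # Vault's root CA certificate
    ca_cert         = "ca/ca.crt"
}
"""

# Constructed sample: what `vault read -format=json auth/approle/role/goldfish`
# would return for the role created above (5m = 300s, 24h = 86400s).
ROLE_JSON = json.dumps({
    "data": {
        "bind_secret_id": True,
        "policies": ["default", "goldfish"],
        "secret_id_num_uses": 1,
        "secret_id_ttl": 300,
        "period": 86400,
        "token_ttl": 0,
        "token_max_ttl": 0,
    }
})

# `name "label" { ... }` stanzas (label optional) and `key = value` lines.
_BLOCK = re.compile(r'(\w+)(?:\s+"[^"]*")?\s*\{([^}]*)\}', re.S)
_KV = re.compile(r'^\s*(\w+)\s*=\s*("([^"]*)"|\S+)', re.M)


def parse_hcl(text):
    """Parse the flat stanzas goldfish uses into {stanza: {key: value}}.

    Values are kept as strings. Comments (# to end of line) are dropped;
    a '#' inside a quoted value is not supported by this minimal parser.
    """
    blocks = {}
    for name, body in _BLOCK.findall(text):
        body = re.sub(r'#.*', '', body)
        kv = {}
        for key, raw, quoted in _KV.findall(body):
            kv[key] = quoted if raw.startswith('"') else raw
        blocks[name] = kv
    return blocks


def lint(config_hcl, role_json):
    """Return a list of findings; an empty list means the deployment keeps
    the hardening the setup above depends on."""
    findings = []
    cfg = parse_hcl(config_hcl)
    listener = cfg.get("listener", {})
    vault = cfg.get("vault", {})

    # goldfish terminates user sessions, so the browser hop must be TLS.
    tls_on = str(listener.get("tls_disable", "0")) == "0"
    if not tls_on:
        findings.append("listener: tls_disable is set; browser traffic to goldfish would be plaintext")
    for key in ("tls_cert_file", "tls_key_file"):
        if tls_on and not listener.get(key):
            findings.append(f"listener: {key} missing while TLS is enabled")

    # goldfish holds a Vault token, so the Vault hop must be TLS with a pinned CA.
    addr = vault.get("address", "")
    if not addr.startswith("https://"):
        findings.append(f"vault: address {addr!r} is not https")
    elif not vault.get("ca_cert"):
        findings.append("vault: no ca_cert; the Vault server certificate cannot be verified")

    role = json.loads(role_json)["data"]
    if role.get("secret_id_num_uses") != 1:
        findings.append("role: secret_id_num_uses should be 1 so the bootstrap secret-id cannot be replayed")
    if not 0 < role.get("secret_id_ttl", 0) <= 300:
        findings.append("role: secret_id_ttl should be short (<= 5m); it only has to survive the unseal step")
    if not role.get("bind_secret_id", True):
        findings.append("role: bind_secret_id disabled; the role_id alone would be enough to log in")
    if role.get("period", 0) <= 0:
        findings.append("role: no period; the token expires at token_max_ttl and a single-use secret-id cannot re-login")
    if "goldfish" not in role.get("policies", []):
        findings.append("role: goldfish policy not attached")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG_HCL, ROLE_JSON) or ["ok: no findings"]:
        print(finding)
```

Run it against a live deployment by replacing the two samples with the real config file contents and the real `vault read -format=json` output; the `period` check is what lets the single-use secret-id be safe, because once the wrapped secret-id is consumed the service can only keep working by renewing its periodic token.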



Start using it!
