update

packer/ansible/roles/helm_install/files/vault/README.MD

@@ -0,0 +1,127 @@
+## override-values.yaml 내용 확인
+#
+```
+# user_vault의 access_key, secret_key를 입력.
+# vault-auto-unseal key id를 입력.
+   seal "awskms" {
+     region     = "ap-northeast-2"
+     access_key = user_vault의 access_key
+     secret_key = user_vault의 secret_key
+     kms_key_id = aws kms vault-auto-unseal key id
+   }
+
+```
+## vault server 설치
+```
+helm install vault-server -n dsk-middle -f override-values.yaml .
+```
+
+## vault server 생성 확인
+```
+kubectl get pods -n dsk-middle
+```
+
+## vault server 초기화
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault operator init
+```
+위 명령어로 나온 key 값들은 반드시 파일로 저장 후 반드시 보관 필요\
+vault server 봉인 해제, ui 접속 등에 필요
+
+## vault server 봉인 해제. unseal key 5 개 중, 아무거나 3 개 필요
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
+```
+### unseal key 입력
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
+```
+### unseal key 입력
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
+```
+### unseal key 입력
+
+## vault server login
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault login
+```
+### Initial Root Token 입력
+
+## vault secret engine 활성화. 사용 엔진 kv (key value)
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault secrets enable -version=2 -path=tls kv
+```
+## secret engine 활성화 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault secrets list
+```
+
+## approle 활성화
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault auth enable approle
+```
+## approle 활성화 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault auth list
+```
+
+## policy 생성. (secret에 접근하는 권한 설정)
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault policy write datasaker -<<EOF
+path "tls/data/client" {
+  capabilities = [ "read", "list" ]
+}
+
+path "tls/data/server" {
+  capabilities = [ "read", "list" ]
+}
+EOF
+```
+
+## policy 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault policy list
+```
+## policy 세부 사항 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault policy read datasaker
+```
+
+## role 생성
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault write auth/approle/role/datasaker token_policies="datasaker" token_ttl=12h token_max_ttl=24h
+```
+## role 생성 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault list auth/approle/role
+```
+## role 세부사항 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault read auth/approle/role/datasaker
+```
+
+## role의 role-id 획득
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault read auth/approle/role/datasaker/role-id
+```
+## role의 secret-id 획득
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault write -force auth/approle/role/datasaker/secret-id
+```
+
+## role-id와 secret-id는 vault agent가 참고하는 volume에 저장
+#### vault agent가 token 획득하는데 사용됨
+
+## tls 키 생성
+```
+/tls/generator.sh 실행
+```
+
+## 생성된 tls data 확인
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault kv get -mount=tls client
+```
+```
+kubectl exec -it -n dsk-middle vault-server-0 -- vault kv get -mount=tls server
+```