A few of our recent posts related to standing up BOSH deployments using Genesis have all revolved around needing Vault to store your credentials safely. The vault-boshrelease makes this fairly straightforward, but there’s now a Genesis Vault template to make running Vault even easier!
The procedure is similar to the other Genesis deployments:
$ genesis new deployment --template vault $ cd vault-deployments $ genesis new site --template bosh-lite macbook $ git add macbook; git commit -m "Added macbook site" $ bosh target bosh-lite $ genesis new env macbook sandbox $ cd macbook/sandbox $ make deploy $ git add .; git commit -m "Added initial sandbox environment" # lather, rinse, repeat as needed for all of your sites/environments
Out of the box, you get an HA Vault using Consul as its encrypted backend datastore. However, to start using it, you will need to initialize your Vault. I recommend using the safe CLI for interacting with Vault:
$ safe target "https://<vault ip:8200>" macbook-vault $ safe vault init
This will output keys to use when unsealing the Vault, as well as the initial root user’s password. Save these somewhere secure, as they will be needed any time the Vault process gets restarted.
Next, we need to unseal the new Vault, using 3 distinct Unseal Keys from the list obtained during
safe vault init:
$ safe vault unseal $ safe vault unseal $ safe vault unseal
Now that Vault is initialized and unsealed, you can log in and pre-populate the handshake value used by many Genesis templates to detect if Vault is available:
$ safe auth Authenticating against macbook-vault at https://10.244.9.3:8200 Token: $ safe set secret/handshake initialized=true initialized: true $ safe tree . └── secret └── handshake $ safe get secret/handshake --- # secret/handshake initialized: "true"