HashiCorp Vault: PostgreSQL storage backend

Vault is a HashiCorp command-line tool for managing secrets: logins, passwords, keys and certificates. "Managing" covers both storing secrets and issuing them to specific applications, with an audit log entry recording who received what and when.

In previous articles we covered installing HashiCorp Vault and installing PostgreSQL 13 on CentOS 8.

PostgreSQL setup

We create a database and a database user. First switch to the postgres system user

    $ sudo su - postgres

Create a database user

    $ createuser vltusr

Switch to the PostgreSQL shell

    $ psql

Set a password for the database user

    =# ALTER USER vltusr WITH ENCRYPTED password 'mypasswddd';
    ALTER ROLE

Create the database and make the new user its owner

    =# CREATE DATABASE vaultdb WITH ENCODING='UTF8' OWNER=vltusr;
    CREATE DATABASE

Switch to the vaultdb database

    =# \c vaultdb
    You are now connected to database "vaultdb" as user "postgres".

Create the table Vault will store its key/value data in

    =# CREATE TABLE vault_kv_store (
       parent_path TEXT COLLATE "C" NOT NULL,
       path        TEXT COLLATE "C",
       key         TEXT COLLATE "C",
       value       BYTEA,
       CONSTRAINT pkey PRIMARY KEY (path, key)
    );

Create an index on parent_path

    =# CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

Leave psql and the postgres user's shell

    =# \q
    $ exit

Test the connection as the new user over TCP (the same way Vault will connect)

    $ sudo su - postgres
    $ psql -U vltusr -h localhost -p 5432 vaultdb
    Password for user vltusr: mypasswddd
    =# \q
    $ exit

Vault setup

Stop Vault

    $ sudo systemctl stop vault

Edit the Vault config, replacing the file storage stanza with a postgresql one

    $ sudo nano /etc/vault.d/vault.hcl
    […]
    #storage "file" {
    #  path  = "/var/lib/vault/data"
    #}
    storage "postgresql" {
      connection_url = "postgres://vltusr:mypasswddd@localhost:5432/vaultdb?sslmode=disable"
      table          = "vault_kv_store"
      max_parallel   = "128"
    }
    […]
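The password in the article contains only letters, so pasting it straight into connection_url works. A password containing "@", "/", ":", "#", "%" or "?" breaks the URI unless those characters are percent-encoded first. The helper below is an added example (not code from the article or from Vault) that builds the libpq URI with properly encoded credentials and parses it back to confirm the round trip; the sslmode list is the set libpq documents, and the default of "require" rather than the article's "disable" is this example's own choice.

```python
"""Build a libpq connection URI for Vault's postgresql storage backend.

Added example: percent-encodes user, password and database name so that
reserved URI characters inside a secret cannot be misread as delimiters.
"""
from urllib.parse import quote, unquote, urlsplit

# sslmode values accepted by libpq
ALLOWED_SSLMODES = {"disable", "allow", "prefer", "require", "verify-ca", "verify-full"}


def build_connection_url(user, password, database, host="localhost", port=5432,
                         sslmode="require"):
    """Return postgres://user:password@host:port/database?sslmode=...

    safe="" makes quote() encode '/', ':', '@', '?', '#' and '%' as well,
    which is exactly what RFC 3986 userinfo requires for a password.
    """
    if sslmode not in ALLOWED_SSLMODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    return (f"postgres://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{quote(database, safe='')}?sslmode={sslmode}")


def parse_connection_url(url):
    """Split a libpq URI back into its parts (used to check the round trip)."""
    parts = urlsplit(url)
    query = dict(p.split("=", 1) for p in parts.query.split("&") if p)
    return {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port,
        "database": unquote(parts.path.lstrip("/")),
        "sslmode": query.get("sslmode"),
    }


def render_storage_stanza(url, table="vault_kv_store", max_parallel=128):
    """Render the storage "postgresql" block for vault.hcl (same fields as the article)."""
    return (
        'storage "postgresql" {\n'
        f'  connection_url = "{url}"\n'
        f'  table          = "{table}"\n'
        f'  max_parallel   = "{max_parallel}"\n'
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample password with every character that breaks a naive URI
    url = build_connection_url("vltusr", "p@ss:w/rd#1%", "vaultdb", sslmode="disable")
    print(url)
    print(render_storage_stanza(url))
    assert parse_connection_url(url)["password"] == "p@ss:w/rd#1%"
```

The backend also reads the connection string from the VAULT_PG_CONNECTION_URL environment variable, which keeps the database password out of vault.hcl if that file is readable by more than the vault user.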

Put SELinux into permissive mode (policy denials are then logged instead of enforced), otherwise the Vault service will not start

    $ sudo setenforce 0
    $ sudo nano /etc/selinux/config
    […]
    SELINUX=permissive

Start Vault

    $ sudo systemctl start vault

Check the status and the log

    $ systemctl status vault
    $ journalctl -u vault

All further steps are the same as in the article on installing HashiCorp Vault on CentOS 8:

  • adding the environment variables
  • initializing the service (this is when the keys and the root token are issued)
  • unsealing Vault
  • authenticating (vault login)

PostgreSQL backup

Create a file with the connection parameters so that PostgreSQL dumps can later be taken without entering a password

    $ sudo nano /root/.pgpass
    # hostname:port:database:username:password
    localhost:5432:vaultdb:vltusr:mypasswddd

Restrict the permissions (libpq ignores a .pgpass file that is readable by anyone else)

    $ sudo chmod 600 /root/.pgpass

Create a dump in custom format, named with the current timestamp

    $ sudo pg_dump -d "vaultdb" -h localhost -Fc -U vltusr -w -f "/mnt/$(date +%Y%m%d_%H%M%S)_vaultdb.dump"
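Two things tend to go wrong with this backup step once it runs unattended: a .pgpass entry that does not match because a literal ":" or "\" in a field was not escaped (libpq requires "\:" and "\\", and "*" matches any value in the first four fields), and a cron job that quietly produces an empty or plain-text file instead of a custom-format archive. The code below is an added example, not part of the article, covering both: it writes and looks up .pgpass entries the way libpq matches them, builds the same pg_dump command as above for a given timestamp, and verifies a dump file by its header (every pg_dump -Fc archive begins with the bytes "PGDMP"). The sample .pgpass text is constructed for the example.

```python
"""Helpers for the .pgpass file and for verifying a custom-format pg_dump.

Added example. PGPASS_MAGIC and the .pgpass escaping rules are documented
PostgreSQL behaviour; the functions themselves are this example's own.
"""
import datetime

PGDMP_MAGIC = b"PGDMP"  # first five bytes of every pg_dump -Fc archive


def pgpass_escape(field):
    """Escape the two characters that are special inside a .pgpass field."""
    return str(field).replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host, port, database, user, password):
    """Render one hostname:port:database:username:password line."""
    return ":".join(pgpass_escape(f) for f in (host, port, database, user, password))


def pgpass_split(line):
    """Split a .pgpass line into its five fields, honouring backslash escapes.

    Only the first four ':' act as separators, so a ':' left unescaped
    in the password (a common mistake) still lands in the password field.
    """
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == ":" and len(fields) < 4:
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def pgpass_lookup(pgpass_text, host, port, database, user):
    """Return the password libpq would use: the first line whose first four
    fields each equal the requested value or are '*'. Lines starting with
    '#' (as in the article's file) and blank lines are skipped."""
    wanted = (host, str(port), database, user)
    for raw in pgpass_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = pgpass_split(line)
        if len(fields) != 5:
            continue
        if all(f == "*" or f == w for f, w in zip(fields[:4], wanted)):
            return fields[4]
    return None


def dump_command(database, user, host="localhost", dest_dir="/mnt", now=None):
    """Build the pg_dump argv from the article; -w fails instead of prompting
    when .pgpass has no matching entry, which is what you want under cron."""
    now = now or datetime.datetime.now()
    out = f"{dest_dir}/{now.strftime('%Y%m%d_%H%M%S')}_{database}.dump"
    return ["pg_dump", "-d", database, "-h", host, "-Fc", "-U", user, "-w", "-f", out]


def is_custom_format_dump(header_bytes):
    """True if the bytes read from the start of a file look like a -Fc archive."""
    return header_bytes[:len(PGDMP_MAGIC)] == PGDMP_MAGIC


if __name__ == "__main__":
    # Constructed .pgpass contents: the article's entry plus one with a ':' in the password
    sample = "\n".join([
        "# hostname:port:database:username:password",
        "localhost:5432:vaultdb:vltusr:mypasswddd",
        pgpass_line("*", "*", "otherdb", "svc", "pa:ss\\word"),
    ])
    print(pgpass_lookup(sample, "localhost", 5432, "vaultdb", "vltusr"))
    print(" ".join(dump_command("vaultdb", "vltusr")))
```

To check an existing backup, read its first five bytes (`open(path, "rb").read(5)`) and pass them to `is_custom_format_dump`; a plain-format dump starts with "--" instead and cannot be restored with pg_restore.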
