Vault is a command-line utility for managing secrets: logins, passwords, keys, certificates. "Management" covers both storing secrets and issuing them to specific applications, with an audit log entry recording to whom and when each secret was issued.
In previous articles, we covered installing HashiCorp Vault and installing PostgreSQL 13 on CentOS 8.
PostgreSQL settings
Create a database and a user. To do this, switch to the postgres user
$ sudo su - postgres
Create a database user
$ createuser vltusr
Switch to the PostgreSQL shell
$ psql
Set a password for the database user
=# ALTER USER vltusr WITH ENCRYPTED password 'mypasswddd';
ALTER ROLE
Create the database and set its owner
=# CREATE DATABASE vaultdb WITH ENCODING='UTF8' OWNER=vltusr;
CREATE DATABASE
Switch to the vaultdb database
=# \c vaultdb
You are now connected to database "vaultdb" as user "postgres".
Create a table
=# CREATE TABLE vault_kv_store (
parent_path TEXT COLLATE "C" NOT NULL,
path TEXT COLLATE "C",
key TEXT COLLATE "C",
value BYTEA,
CONSTRAINT pkey PRIMARY KEY (path, key)
);
Create an index
=# CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
Exit
=# \q
$ exit
Testing the connection
$ sudo su - postgres
$ psql -U vltusr -h localhost -p 5432 vaultdb
Password for user vltusr:
mypasswddd
=# \q
$ exit
Vault setup
Stop Vault
$ sudo systemctl stop vault
Edit the Vault config
$ sudo nano /etc/vault.d/vault.hcl
[…]
#storage "file" {
# path = "/var/lib/vault/data"
#}
storage "postgresql" {
connection_url = "postgres://vltusr:mypasswddd@localhost:5432/vaultdb?sslmode=disable"
table = "vault_kv_store"
max_parallel = "128"
}
[…]
Put SELinux into permissive mode, otherwise the Vault service will not start
$ sudo setenforce 0
$ sudo nano /etc/selinux/config
[…]
SELINUX=permissive
Start Vault
$ sudo systemctl start vault
Check the status
$ systemctl status vault
$ journalctl -u vault
From here on, the remaining steps are the same as in the article on installing HashiCorp Vault on CentOS 8:
- Adding the environment variables
- Initializing the service, which is where the tokens are issued
- Unsealing Vault
- Authorization (vault login)
PostgreSQL backup
Create a file with the database connection parameters so that a PostgreSQL dump can later be created without entering a password
$ sudo nano /root/.pgpass
# hostname:port:database:username:password
localhost:5432:vaultdb:vltusr:mypasswddd
Set the file permissions
$ sudo chmod 600 /root/.pgpass
Create a dump
$ sudo pg_dump -d "vaultdb" -h localhost -Fc -U vltusr -w -f "/mnt/$(date +%Y%m%d_%H%M%S)_vaultdb.dump"
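As an added check that is not part of this article, the following POSIX shell script audits the two spots above where the database password ends up on disk: the storage stanza in vault.hcl and /root/.pgpass. It flags the sslmode=disable and password-in-URL form the config uses and verifies that .pgpass is mode 0600; the file paths are arguments, and the sample stanza it writes is a constructed copy for a dry run.

```shell
#!/bin/sh
# Added example, not from the article: audits the two places this setup
# leaves the database password on disk, the storage stanza in vault.hcl and
# .pgpass. Paths are arguments (assumed: /etc/vault.d/vault.hcl, /root/.pgpass).

# Constructed copy of the article's stanza, used only for the dry run below.
make_sample_config() {
  cat > "$1" <<'EOF'
storage "postgresql" {
  connection_url = "postgres://vltusr:mypasswddd@localhost:5432/vaultdb?sslmode=disable"
  table = "vault_kv_store"
  max_parallel = "128"
}
EOF
}

# Pull connection_url out of the HCL and flag the weak settings used above:
# TLS switched off and the password carried inside the URL.
# Returns 0 when clean, 1 on findings, 2 when no connection_url is present.
audit_storage_stanza() {
  url=$(sed -n 's/^[[:space:]]*connection_url[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
  [ -n "$url" ] || { echo "no connection_url in $1"; return 2; }
  rc=0
  case "$url" in
    *sslmode=verify-full*|*sslmode=verify-ca*) ;;
    *sslmode=disable*) echo "FINDING: TLS disabled (sslmode=disable) in $1"; rc=1 ;;
    *) echo "FINDING: sslmode does not verify the server certificate in $1"; rc=1 ;;
  esac
  case "$url" in
    *://*:*@*) echo "FINDING: database password embedded in connection_url in $1"; rc=1 ;;
  esac
  return $rc
}

# libpq ignores a .pgpass readable by group or world, and a wider mode also
# hands the dump credentials to every local user. Returns 0 only for 0600.
check_pgpass_mode() {
  [ -f "$1" ] || { echo "missing $1"; return 2; }
  if [ -n "$(find "$1" -perm 600 -print)" ]; then
    return 0
  fi
  echo "FINDING: $1 is not mode 0600"
  return 1
}

# Dry run on the constructed stanza; point the functions at real paths on a host.
sample="${TMPDIR:-/tmp}/vault-storage-sample.hcl"
make_sample_config "$sample"
audit_storage_stanza "$sample" || echo "storage stanza needs attention"
```

Run against the article's stanza it reports both findings; a stanza with sslmode=verify-full and no password in the URL passes.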