Setup Vault dan Certificate Management OpenStack Charm

Vault dipakai untuk certificate management pada OpenStack charm deployment.

1. Masuk ke Unit Vault

juju ssh vault/0

2. Set Environment Vault

Edit .profile:

nano .profile

Tambahkan:

export VAULT_ADDR='http://127.0.0.1:8200'

Reload profile:

source .profile

3. Init Vault

vault operator init -key-shares=5 -key-threshold=3

Output akan menghasilkan 5 unseal key dan 1 initial root token.

Simpan unseal key dan root token di password vault/internal secret manager. Jangan tempel token asli di artikel blog.

4. Set Token dan Unseal Vault

Edit .profile lagi:

nano .profile

Tambahkan token:

export VAULTTOKEN=<VAULTROOT_TOKEN>

Unseal minimal 3 key:

vault operator unseal <UNSEALKEY1>
vault operator unseal <UNSEALKEY2>
vault operator unseal <UNSEALKEY3>

Cek status:

vault status

5. Buat Token Sementara untuk Authorize Charm

vault token create -ttl=10m

Gunakan token tersebut untuk authorize charm:

juju run-action --wait vault/leader authorize-charm token=<VAULT_TOKEN>

6. Generate Root CA

juju run-action --wait vault/leader generate-root-ca

Jika perlu reissue certificate:

juju run-action vault/0 --wait reissue-certificates

7. Issue Umum: Vault Error Setelah MySQL/Cluster Bermasalah

Biasanya Vault perlu di-unseal ulang setelah reboot atau outage.

juju ssh vault/0
export VAULTTOKEN=<VAULTTOKEN>
vault operator unseal <UNSEALKEY1>
vault operator unseal <UNSEALKEY2>
vault operator unseal <UNSEALKEY3>
vault status

Cek leader data:

juju run -u vault/0 leader-get