Installing Config Sesame
Below you find several different options to install the tool and Hashicorp Vault, and how to connect them.
Installing Into a Python Virtualenv
These commands install config-sesame into its own virtualenv in your home. It can be easily removed again, since most everything is contained within the virtualenv's directory.
Also see Installing Python Software in case your machine lacks Python or tools like virtualenv.
#release="config-sesame"
release="https://github.com/1and1/config-sesame/archive/master.zip#egg=config-sesame"
# install "config-sesame" to its own virtualenv
mkdir -p ~/.local/virtualenvs
test -d ~/.local/virtualenvs/config-sesame \
|| virtualenv ~/.local/virtualenvs/config-sesame
~/.local/virtualenvs/config-sesame/bin/pip install -U pip setuptools wheel
~/.local/virtualenvs/config-sesame/bin/pip install -U "$release"
# create ~/bin if missing, then restart the login shell so it is picked up on your PATH
mkdir ~/bin 2>/dev/null && exec $SHELL -l
# expose the tool's entry point and check that it works
ln -s ~/.local/virtualenvs/config-sesame/bin/config-sesame ~/bin
config-sesame --version
On Linux, if you want to safely store the credentials to access Vault in your account’s keyring, execute these additional commands:
sudo apt-get install libdbus-glib-1-dev python-dev libffi-dev build-essential
~/.local/virtualenvs/config-sesame/bin/pip install secretstorage dbus-python keyring
See keyring installation for more details on that.
Installing Hashicorp Vault
See Vault's documentation for detailed instructions.
For a simple development / test installation on Ubuntu, this works when called in a root shell:
version=0.5.3
curl -sLS "https://releases.hashicorp.com/vault/${version}/vault_${version}_linux_amd64.zip" \
| funzip >/usr/local/bin/vault
chmod a+x /usr/local/bin/vault
apt-get install supervisor
adduser vault --ingroup daemon --home /var/lib/vault --system --disabled-password
cat >/etc/supervisor/conf.d/vault.conf <<'EOF'
[program:vault]
command = /usr/local/bin/vault server -dev
user = vault
redirect_stderr = True
autostart = True
EOF
supervisorctl update
supervisorctl tail -2200 vault
Warning
As mentioned above, this is intended for experimenting with Vault on your workstation. Do NOT run it this way on anything that is intended for production use.
Providing Credentials for Vault
Make sure your Vault server is up and reachable by using these commands:
export VAULT_ADDR="http://127.0.0.1:8200"
vault status
If the server runs on a remote machine, adapt the VAULT_ADDR accordingly.
Let's try accessing the server via config-sesame next. First, add the vault root token to your keyring by calling the config-sesame login command, which will prompt you for the token and remember it in a safe place. For the test setup as outlined above, you'll find that token in the file /var/lib/vault/.vault-token.
You can also set the VAULT_TOKEN environment variable or create the ~/.vault-token file (which is not as secure as using the keyring); otherwise you'll be prompted for the token on the console each time it is needed.
Finally call the config-sesame help command, and it should show some information about your running Vault service.
Note that in a production setup, you will have a personal access token, e.g. obtained via LDAP or similar credentials.
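As an added example (not config-sesame's own code), the function below resolves a Vault token from the sources listed above and refuses to silently accept a token file that other users can read. The keyring service/account names and the precedence order (keyring, then VAULT_TOKEN, then the token file, then a prompt) are assumptions made for this example; the docs do not state them.

```python
import os
import stat
from pathlib import Path
from typing import Callable, Dict, Optional

# Keyring service/account names are assumptions for this example, not config-sesame's own.
KEYRING_SERVICE = "config-sesame"
KEYRING_ACCOUNT = "vault-token"


def file_is_private(path) -> bool:
    """True when the token file grants no group/other permissions (mode 0600 or stricter)."""
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_private_token_file(path, token: str) -> None:
    """Create the token file with owner-only permissions from the start (no chmod race)."""
    fd = os.open(str(path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")


def resolve_vault_token(
    keyring_get: Callable[[str, str], Optional[str]],
    env: Dict[str, str],
    token_file,
    prompt: Callable[[str], str],
    warn: Callable[[str], None] = print,
) -> str:
    """Look up a Vault token from the sources the docs list.
    Precedence (keyring, VAULT_TOKEN, token file, prompt) is assumed for this example.
    """
    token = keyring_get(KEYRING_SERVICE, KEYRING_ACCOUNT)
    if token and token.strip():
        return token.strip()
    token = env.get("VAULT_TOKEN", "")
    if token.strip():
        return token.strip()
    path = Path(token_file)
    if path.is_file():
        if not file_is_private(path):
            # a token readable by other local users is a credential leak; flag it
            warn(f"{path} is readable by other users; prefer the keyring")
        token = path.read_text().strip()
        if token:
            return token
    return prompt("Vault token: ").strip()
```

Pass `keyring.get_password` from the keyring package as `keyring_get` and `getpass.getpass` as `prompt` to wire this into a real environment.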
Production Deployment
The project contains a debian directory that supports building a self-contained Python virtualenv wrapped into a Debian package (an "omnibus" package, all passengers on board). The packaged virtualenv is kept in sync with the host's interpreter automatically. See dh-virtualenv for more details.
On platforms that are not some Debian flavour, consider using rpmvenv, platter or fpm.
The motivation to strongly prefer native packages for deployment can be found in Python Application Deployment with Native Packages.
Note that you need to install the usual Debian development tools and dh-virtualenv (at least version 0.10) before you can actually build the DEB package. These incantations will perform that for you (on Xenial):
sudo apt-get install build-essential debhelper devscripts equivs
sudo mk-build-deps --install debian/control
Jessie only comes with version 0.7 – that might work, otherwise you have to build a newer version from source, or use 0.10 from backports.
Then, if you have all pre-requisites satisfied, try this:
dpkg-buildpackage -uc -us -b
or, if you followed the instructions to create a developer working directory, this instead:
invoke deb
The resulting package, if all went well, can be found in the parent of your project directory for the direct dpkg-buildpackage call, and in dist when you used invoke.
You can upload it to a Debian package repository via e.g. dput; see dput-webdav for a hassle-free solution that works with Artifactory and Bintray.