Skip to content

Install Vault with DevStream

Default Configs

key default value description
chart.chartPath "" local chart path
chart.chartName hashicorp/vault chart name
chart.version "" chart version
chart.timeout 5m this config will wait 5 minutes to deploy
chart.releaseName vault helm release name
chart.upgradeCRDs true default update CRD config
chart.wait true whether to wait until installation is complete
chart.namespace vault namespace where helm to deploy
repo.url https://helm.releases.hashicorp.com helm official repo address
repo.name hashicorp helm repo name

Initialize all the Vault pods

After installing the Vault on k8s, you can initialize all pods of the Vault on k8s. To know more about the Vault, you can refer to:

At first, you must install jq tool: jq is a lightweight and flexible command-line JSON processor. Download jq

In the command below, the variable $NAMESPACE you should replace with "hashicorp" if you do not modify the namespace variable. Otherwise, use the namespace name you replaced.

  1. Initialize vault-0
    Bash
    # Initialize vault-0 with one key share and one key threshold.
    kubectl exec vault-0 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
    
  2. Display the unseal key
    Bash
    # Display the unseal key found in cluster-keys.json
    cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
    
  3. Create a variable to capture the Vault unseal key
    Bash
    # Create a variable named VAULT_UNSEAL_KEY to capture the Vault unseal key.
    VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
    
  4. Unseal vault-0

    Bash
    # Unseal vault-0 running on the vault-0 pod.
    kubectl exec vault-0  -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
    
    You will see the above command's output like this. Make sure the value of Initialized is 'true' and the value of Sealed is 'false'.
    Bash
    Key                     Value
    ---                     -----
    Seal Type               shamir
    Initialized             true
    Sealed                  false
    Total Shares            1
    Threshold               1
    Version                 1.9.2
    Storage Type            raft
    Cluster Name            vault-cluster-14052440
    Cluster ID              7630cd33-2ee1-39c1-db3f-e48a6d79970a
    HA Enabled              true
    HA Cluster              https://vault-0.vault-internal:8201
    HA Mode                 active
    Active Since            2022-04-23T16:45:47.6060163Z
    Raft Committed Index    30
    Raft Applied Index      30
    

  5. Initialize vault-1 and vault-2 like vault-0

Bash
# Initialize vault-1
kubectl exec vault-1 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec vault-1  -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
# Initialize vault-2
kubectl exec vault-1 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec vault-1  -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
  1. Verify all the pods status
    Bash
    # Verify all the Vault pods are running and ready.
    kubectl get pods -n $NAMESPACE
    

You will see the above command's outputs like this below. Make sure all the pods are running and ready.

Bash
NAME                                 READY   STATUS    RESTARTS   AGE
vault-0                              1/1     Running   0          2m29s
vault-1                              1/1     Running   0          2m29s
vault-2                              1/1     Running   0          2m29s
vault-agent-injector-68dc986-bnsj2   1/1     Running   0          2m28s

  1. After the above operations, you want to use the Vault to write/read secrets. You need to follow the documentation of the hashicorp Vault:
  2. Set a secret in Vault
  3. Your First Secret