# Install Vault with DevStream

## InstanceID Prefix

The instanceID prefix must be `vault`. The defaults below apply to the minimum tools configuration:
## Default Configs

key | default value | description |
---|---|---|
chart.chartPath | "" | local chart path (leave empty to pull the chart from the repo) |
chart.chartName | hashicorp/vault | chart name |
chart.version | "" | chart version (empty installs the latest chart version Helm finds) |
chart.timeout | 5m | how long to wait for the deployment before timing out |
chart.releaseName | vault | Helm release name |
chart.upgradeCRDs | true | whether to upgrade the chart's CRDs |
chart.wait | true | whether to wait until the installation is complete |
chart.namespace | vault | namespace Helm deploys into |
repo.url | https://helm.releases.hashicorp.com | HashiCorp's official Helm repository URL |
repo.name | hashicorp | Helm repo name |
## Initialize all the Vault pods

After installing Vault on Kubernetes with DevStream, the Vault pods are running but not yet initialized or unsealed; the steps below bring the whole cluster into a usable state. To learn more about Vault itself, refer to the HashiCorp Vault documentation.

First, install the jq tool: jq is a lightweight and flexible command-line JSON processor (see Download jq).

In the commands below, replace the variable `$NAMESPACE` with `vault` if you did not change `chart.namespace` (its default in the table above). Otherwise, use the namespace you configured.
- Initialize vault-0 with a single unseal key share (`-key-shares=1 -key-threshold=1`) and save the JSON output, which contains the unseal key and the initial root token. One share with a threshold of one is convenient for a test cluster; for anything that matters, use several shares with a threshold above one, or configure auto-unseal:

```bash
# Initialize vault-0 and save the unseal key and root token to cluster-keys.json
kubectl exec vault-0 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
```

- Display the unseal key:

```bash
jq -r ".unseal_keys_b64[]" cluster-keys.json
```

- Create a variable to capture the Vault unseal key:

```bash
VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" cluster-keys.json)
```

- Unseal vault-0:

```bash
# Unseal vault-0 running on the vault-0 pod.
kubectl exec vault-0 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
```

The command prints the status of the node. Make sure the value of `Initialized` is `true` and the value of `Sealed` is `false`:

```text
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.9.2
Storage Type            raft
Cluster Name            vault-cluster-14052440
Cluster ID              7630cd33-2ee1-39c1-db3f-e48a6d79970a
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2022-04-23T16:45:47.6060163Z
Raft Committed Index    30
Raft Applied Index      30
```

- Join vault-1 and vault-2 to the Raft cluster and unseal them with the same key. Do not run `vault operator init` on these pods: the status above shows `Storage Type raft` and `HA Enabled true`, so the cluster is already initialized on vault-0, and initializing each pod separately would produce three independent single-node clusters, each with its own root token, while overwriting cluster-keys.json every time. Each follower instead joins the leader over its API address and is then unsealed with the key captured above. The address below assumes the chart's default listener with TLS disabled; if you enabled TLS, use `https://` and pass the CA with `-leader-ca-cert`:

```bash
# Join vault-1 to the Raft cluster led by vault-0, then unseal it
kubectl exec vault-1 -n $NAMESPACE -- vault operator raft join http://vault-0.vault-internal:8200
kubectl exec vault-1 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
# Join vault-2 to the Raft cluster, then unseal it
kubectl exec vault-2 -n $NAMESPACE -- vault operator raft join http://vault-0.vault-internal:8200
kubectl exec vault-2 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
```
- Verify the status of all the pods:

```bash
kubectl get pods -n $NAMESPACE
```

You will see output like this. Make sure all the pods are `Running` and ready (`1/1`):

```text
NAME                                 READY   STATUS    RESTARTS   AGE
vault-0                              1/1     Running   0          2m29s
vault-1                              1/1     Running   0          2m29s
vault-2                              1/1     Running   0          2m29s
vault-agent-injector-68dc986-bnsj2   1/1     Running   0          2m28s
```
- Keep cluster-keys.json safe: it holds the unseal key and the initial root token (`root_token`), which grants unrestricted access to Vault. Move both into a secure store, do not commit the file, and delete the local copy once you no longer need it.
- After the above operations, you can use Vault to write and read secrets. Follow the HashiCorp Vault documentation:
  - Set a secret in Vault
  - Your First Secret
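The following script is an added example, not DevStream's or HashiCorp's code. It drives the same `kubectl exec ... vault ...` commands as the steps above, but in the order an HA cluster with Raft storage needs: initialize the leader once, join each follower with `vault operator raft join`, unseal every pod with the same key, and finally apply the check the page asks for on each node (`initialized` true, `sealed` false). It is idempotent, so re-running it against a cluster that is already initialized only joins or unseals what is still missing, and it refuses to proceed if the leader is initialized but no keys were supplied. The pod names, namespace and leader address are assumptions matching the steps above (chart default listener, TLS disabled); `FakeCluster` is a constructed stand-in for kubectl so the logic can be exercised offline, and `kubectl_runner` is the real one.

```python
"""Bootstrap a Vault HA (Raft) cluster on Kubernetes: init once, join, unseal, verify.
Added example; assumes pods vault-0..vault-2, namespace "vault" and the leader API
address http://vault-0.vault-internal:8200 (chart default, TLS disabled)."""
import json
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# A runner executes an argv list and returns (exit code, stdout).
Runner = Callable[[List[str]], Tuple[int, str]]


def kubectl_runner(cmd: List[str]) -> Tuple[int, str]:
    """Real runner: execute the command and return its exit code and stdout."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stdout


def vault_cmd(pod: str, ns: str, *args: str) -> List[str]:
    """argv for running the Vault CLI inside one pod."""
    return ["kubectl", "exec", pod, "-n", ns, "--", "vault", *args]


def status(run: Runner, pod: str, ns: str) -> Dict:
    """`vault status -format=json`; exit 0 = unsealed, 2 = sealed, both carry JSON."""
    rc, out = run(vault_cmd(pod, ns, "status", "-format=json"))
    if rc not in (0, 2):
        raise RuntimeError(f"{pod}: vault status failed (exit {rc})")
    return json.loads(out)


def healthy(st: Dict) -> bool:
    """The check from the steps above: Initialized true and Sealed false."""
    return st.get("initialized") is True and st.get("sealed") is False


def bootstrap(run: Runner, ns: str, pods: List[str], leader_addr: str,
              keys: Optional[Dict] = None, shares: int = 1, threshold: int = 1) -> Dict:
    """Initialize the leader (only if needed), join and unseal followers, verify all.
    Returns the init document (unseal_keys_b64 + root_token): store it securely."""
    leader = pods[0]
    if not status(run, leader, ns)["initialized"]:
        rc, out = run(vault_cmd(leader, ns, "operator", "init", f"-key-shares={shares}",
                                f"-key-threshold={threshold}", "-format=json"))
        if rc != 0:
            raise RuntimeError("operator init failed")
        keys = json.loads(out)
    elif keys is None:
        raise RuntimeError(f"{leader} is already initialized; pass its unseal keys")

    def unseal(pod: str) -> None:
        # Supply `threshold` shares; with shares=1/threshold=1 that is a single key.
        for key in keys["unseal_keys_b64"][:threshold]:
            rc, _ = run(vault_cmd(pod, ns, "operator", "unseal", key))
            if rc != 0:
                raise RuntimeError(f"{pod}: unseal failed")

    if status(run, leader, ns)["sealed"]:
        unseal(leader)
    for pod in pods[1:]:
        if not status(run, pod, ns)["initialized"]:
            # A fresh follower reports initialized=false: join it, never `operator init` it.
            rc, _ = run(vault_cmd(pod, ns, "operator", "raft", "join", leader_addr))
            if rc != 0:
                raise RuntimeError(f"{pod}: raft join failed")
        if status(run, pod, ns)["sealed"]:
            unseal(pod)
    bad = [p for p in pods if not healthy(status(run, p, ns))]
    if bad:
        raise RuntimeError(f"nodes not initialized+unsealed: {bad}")
    return keys


class FakeCluster:
    """Constructed stand-in for kubectl: pods start uninitialized and sealed."""
    def __init__(self, pods: List[str]) -> None:
        self.state = {p: {"initialized": False, "sealed": True} for p in pods}
        self.key = "c29tZS1mYWtlLXVuc2VhbC1rZXk="  # fake unseal key share (assumption)
        self.calls: List[List[str]] = []

    def __call__(self, cmd: List[str]) -> Tuple[int, str]:
        self.calls.append(cmd)
        pod, args = cmd[2], cmd[7:]  # ["kubectl","exec",pod,"-n",ns,"--","vault",...]
        st = self.state[pod]
        if args[0] == "status":
            return (2 if st["sealed"] else 0), json.dumps(st)
        if args[:2] == ["operator", "init"]:
            if st["initialized"]:
                return 2, ""  # Vault is already initialized
            st["initialized"] = True
            return 0, json.dumps({"unseal_keys_b64": [self.key], "root_token": "hvs.fake"})
        if args[:3] == ["operator", "raft", "join"]:
            st["initialized"] = True  # joined node now carries cluster state, still sealed
            return 0, '{"Joined": true}'
        if args[:2] == ["operator", "unseal"]:
            if args[2] != self.key:
                return 2, ""
            st["sealed"] = False
            return 0, json.dumps(st)
        return 1, ""


if __name__ == "__main__":
    pods = ["vault-0", "vault-1", "vault-2"]
    doc = bootstrap(FakeCluster(pods), "vault", pods, "http://vault-0.vault-internal:8200")
    print("cluster ready; root token starts with", doc["root_token"][:4])
```

Against a real cluster, call `bootstrap(kubectl_runner, "vault", pods, "http://vault-0.vault-internal:8200")` and write the returned document to a secret store rather than to disk; the function never prints the keys. Passing `keys=` on later runs lets the same script unseal pods after a restart without re-initializing anything.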