
# hashicorp-vault Plugin

This plugin installs hashicorp-vault in an existing Kubernetes cluster using the Helm chart, for testing or for developing against hashicorp-vault.

This plugin installs hashicorp-vault with `replicas: 3` by default.

The plugin is configured as a tool in the DevStream `tools` config; the `valuesYaml` block is passed through to the vault-helm chart, so its keys follow the chart's values.yaml:

```yaml
tools:
  # name of the tool
  - name: hashicorp-vault
    # id of the tool instance
    instanceID: default
    # options for the plugin
    options:
      # Helm repo information
      repo:
        # name of the Helm repo
        name: hashicorp
        # url of the Helm repo (the official HashiCorp chart repository)
        url: https://helm.releases.hashicorp.com
      # Helm chart information
      chart:
        # local path of the chart; if chartPath != "", repo.url will be ignored. e.g. "foo.tgz", "./foo.tgz", "/tmp/foo.tgz"
        chartPath: ""
        # name of the chart
        chartName: hashicorp/vault
        # release name of the chart
        releaseName: vault
        # k8s namespace where Vault will be installed
        namespace: vault
        # whether to wait for the release to be deployed or not
        wait: true
        # the time to wait for any individual Kubernetes operation (like Jobs for hooks). This defaults to 5m
        timeout: 5m
        # whether to upgrade CRDs during installation (see the defaults table below)
        upgradeCRDs: true
        # values passed to the vault-helm chart: HA mode with 3 raft replicas
        valuesYaml: |
          injector:
            enabled: true
          server:
            affinity: ""
            ha:
              enabled: true
              replicas: 3
              raft:
                enabled: true
                setNodeId: true
                injection: enabled
```

## Default Configs

| key | default value | description |
| --- | --- | --- |
| chart.chartPath | "" | local chart path |
| chart.chartName | hashicorp/vault | chart name |
| chart.timeout | 5m | wait up to 5 minutes for the deployment |
| chart.releaseName | vault | helm release name |
| chart.upgradeCRDs | true | whether to upgrade CRDs during installation |
| chart.wait | true | whether to wait until installation is complete |
| chart.namespace | vault | namespace where helm deploys the chart |
| repo.url | helm official repo address | URL of the hashicorp Helm repo |

## Initialize all the Vault pods

After installing Vault on k8s, you can initialize all of the Vault pods. To learn more about Vault, refer to:

First, install the jq tool (jq is a lightweight and flexible command-line JSON processor). Download jq

In the commands below, replace the variable `$NAMESPACE` with the namespace set in `chart.namespace` of your config (`vault` in the default config above).

1. Initialize `vault-0`:

    ```shell
    # Initialize vault-0 with one key share and one key threshold.
    kubectl exec vault-0 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
    ```

2. Display the unseal key:

    ```shell
    # Display the unseal key found in cluster-keys.json
    jq -r ".unseal_keys_b64[]" cluster-keys.json
    ```

3. Create a variable to capture the Vault unseal key:

    ```shell
    # Create a variable named VAULT_UNSEAL_KEY to capture the Vault unseal key.
    VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" cluster-keys.json)
    ```

4. Unseal `vault-0`:

    ```shell
    # Unseal Vault running on the vault-0 pod.
    kubectl exec vault-0 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
    ```

    The output of the above command looks like this. Make sure the value of `Initialized` is `true` and the value of `Sealed` is `false`.

    ```text
    Key                     Value
    ---                     -----
    Seal Type               shamir
    Initialized             true
    Sealed                  false
    Total Shares            1
    Threshold               1
    Version                 1.9.2
    Storage Type            raft
    Cluster Name            vault-cluster-14052440
    Cluster ID              7630cd33-2ee1-39c1-db3f-e48a6d79970a
    HA Enabled              true
    HA Cluster              https://vault-0.vault-internal:8201
    HA Mode                 active
    Active Since            2022-04-23T16:45:47.6060163Z
    Raft Committed Index    30
    Raft Applied Index      30
    ```

5. Initialize and unseal `vault-1` and `vault-2` in the same way as `vault-0`. Each `operator init` produces its own unseal key and root token, and the redirect overwrites `cluster-keys.json`, so save a copy of each pod's keys before moving on.

    ```shell
    # Initialize and unseal vault-1
    kubectl exec vault-1 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
    VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" cluster-keys.json)
    kubectl exec vault-1 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
    # Initialize and unseal vault-2
    kubectl exec vault-2 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
    VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" cluster-keys.json)
    kubectl exec vault-2 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
    ```

6. Verify the status of all the pods:

    ```shell
    # Verify all the Vault pods are running and ready.
    kubectl get pods -n $NAMESPACE
    ```

The output of the above command looks like this. Make sure all the pods are running and ready.

```text
NAME                                 READY   STATUS    RESTARTS   AGE
vault-0                              1/1     Running   0          2m29s
vault-1                              1/1     Running   0          2m29s
vault-2                              1/1     Running   0          2m29s
vault-agent-injector-68dc986-bnsj2   1/1     Running   0          2m28s
```
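A health check worth running once the pods are up (an added example, not part of the plugin docs): it wraps `kubectl exec ... vault status -format=json` for each pod, flags any pod that is not initialized or still sealed, and reports when the pods carry different Cluster IDs, which is what a separate `operator init` per pod produces. The pod names and the `vault` namespace default are assumptions taken from the plugin's default config.

```python
import json
import subprocess
import sys
from typing import Dict, List

# Pod names assumed from the plugin's default `replicas: 3` and `releaseName: vault`.
PODS = ["vault-0", "vault-1", "vault-2"]


def pod_status(pod: str, namespace: str) -> Dict:
    """Run `vault status -format=json` inside one pod and parse its output.

    `vault status` exits 2 when the node is sealed and 1 on other errors, so the
    exit code is deliberately not treated as a failure; the JSON is what we read.
    """
    proc = subprocess.run(
        ["kubectl", "exec", pod, "-n", namespace, "--",
         "vault", "status", "-format=json"],
        capture_output=True, text=True, check=False,
    )
    if not proc.stdout.strip():
        raise RuntimeError(f"{pod}: no status output: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def evaluate_cluster(statuses: Dict[str, Dict]) -> List[str]:
    """Return the problems found; an empty list means all pods are healthy.

    Every pod must be initialized and unsealed, and all must report the same
    cluster_id. A separate `operator init` per pod, as in the steps above, gives
    each pod its own cluster_id: three independent single-node Vaults with three
    different unseal keys, not one raft cluster sharing one data set.
    """
    problems: List[str] = []
    for pod, st in statuses.items():
        if not st.get("initialized"):
            problems.append(f"{pod}: not initialized")
        elif st.get("sealed", True):
            problems.append(f"{pod}: sealed")
    ids = {st.get("cluster_id") for st in statuses.values() if st.get("cluster_id")}
    if len(ids) > 1:
        problems.append(f"pods belong to {len(ids)} different clusters: {sorted(ids)}")
    return problems


if __name__ == "__main__":
    ns = sys.argv[1] if len(sys.argv) > 1 else "vault"
    found = evaluate_cluster({p: pod_status(p, ns) for p in PODS})
    print("\n".join(found) or "all Vault pods are initialized, unsealed and in one cluster")
    sys.exit(1 if found else 0)
```

Run it as `python3 check_vault.py $NAMESPACE`; a non-zero exit with a "different clusters" line means the replicas were initialized independently and do not share secrets.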

After the above operations, you can use Vault to write and read secrets. Follow the HashiCorp Vault documentation:

- Set a secret in Vault
- Your First Secret