Installing Vault on Kubernetes

This recipe shows you how to get a Vault service running on Kubernetes. Perform the following steps to install Vault using Helm charts:

  1. Clone the chart repository:
$ git clone https://github.com/hashicorp/vault-helm.git
$ cd vault-helm
  1. Check out the latest stable release: 
$ git checkout v$(curl --silent "https://api.github.com/repos/hashicorp/vault-helm/releases/latest" |
grep '"tag_name":' |
sed -E 's/.*"v([^"]+)".*/\1/')
  1. If you would like to install a highly available Vault, skip to Step 4; otherwise, install the standalone version using the Helm chart parameters shown here:
$ helm install --name vault --namespace vault ./
  1. To deploy a highly available version that uses an HA storage backend such as Consul, use the following Helm chart parameters. This will deploy Vault using a StatefulSet with three replicas:
$ helm install --name vault --namespace vault --set='server.ha.enabled=true' ./
  1. Verify the status of the pods. You will notice that the pods aren't ready since the readiness probe requires Vault to be initialized first:
$ kubectl get pods -nvault
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 0/1     Running   0          83s
vault-agent-injector-5fb898d6cd-rct82   1/1     Running   0          84s
  1. Check the initialization status. It should be false:
$ kubectl exec -it vault-0 -nvault -- vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         false
  1. Initialize the Vault instance. The following command will return an unseal key and root token:
$ kubectl exec -it vault-0 -nvault -- vault operator init -n 1 -t 1

Unseal Key 1: lhLeU6SRdUNQgfpWAqWknwSxns1tfWP57iZQbbYtFSE=
Initial Root Token: s.CzcefEkOYmCt70fGSbHgSZl4
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
  1. Unseal Vault with the following command, using the unseal key returned by the initialization in the previous step:
$ kubectl exec -it vault-0 -nvault -- vault operator unseal lhLeU6SRdUNQgfpWAqWknwSxns1tfWP57iZQbbYtFSE=
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.3.1
Cluster Name    vault-cluster-6970c528
Cluster ID      dd88cca8-20bb-326c-acb3-2d924bb1805c
HA Enabled      false
  1. Verify the pod's status. You will see that the readiness probe has been validated and that the pod is ready: 
$ kubectl get pods -nvault
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          6m29s
vault-agent-injector-5fb898d6cd-rct82   1/1     Running   0          6m30s

Vault is ready to be used once it is initialized and unsealed. Now you know how to get Vault running on Kubernetes.
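
As an added example (not from the original recipe), the shell functions below classify the `vault status` output shown in the steps above as uninitialized, sealed or ready, and flag a key threshold of 1 as produced by `vault operator init -n 1 -t 1`, where whoever holds that one share can unseal Vault alone. The function names `field`, `vault_state` and `single_key_unseal` are hypothetical, and the resealed sample is constructed.

```shell
#!/bin/sh
# Added example: classify `vault status` table output read from stdin.
# Live use: kubectl exec vault-0 -nvault -- vault status | vault_state

# Sample inputs, trimmed from the recipe's output (before init, after unseal).
STATUS_BEFORE_INIT='Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0'
STATUS_AFTER_UNSEAL='Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1'
# Constructed sample: the same Vault after a pod restart (sealed again).
STATUS_RESEALED='Seal Type shamir
Initialized true
Sealed true
Total Shares 1
Threshold 1'

# field KEY: print the value of a one-word key such as "Sealed".
field() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# vault_state: print uninitialized | sealed | ready | unknown.
vault_state() {
    status=$(cat)
    init=$(printf '%s\n' "$status" | field Initialized)
    sealed=$(printf '%s\n' "$status" | field Sealed)
    case "$init/$sealed" in
        false/*)    echo uninitialized ;;
        true/true)  echo sealed ;;
        true/false) echo ready ;;
        *)          echo unknown ;;
    esac
}

# single_key_unseal: exit 0 when the threshold is 1, i.e. one share unseals.
single_key_unseal() {
    threshold=$(field Threshold)
    [ "${threshold:-0}" -eq 1 ]
}

printf '%s\n' "$STATUS_BEFORE_INIT" | vault_state
printf '%s\n' "$STATUS_RESEALED" | vault_state
printf '%s\n' "$STATUS_AFTER_UNSEAL" | single_key_unseal &&
    echo "warning: threshold is 1, a single key share unseals this Vault"
```

Without `-n` and `-t`, `vault operator init` splits the key into 5 shares with a threshold of 3, so no single holder can unseal on their own.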
