Deploy HashiCorp Vault on Kubernetes using Helm
Today we will learn how to deploy HashiCorp Vault on Kubernetes using the official HashiCorp Helm chart. Here is an overview of the steps we will follow:
- Download the Helm chart for Vault.
- Deploy Vault and expose the Vault UI with a NodePort service.
- Unseal Vault so that it can be used.
Prerequisites:
- Kubernetes cluster.
- Helm
HashiCorp Vault
HashiCorp Vault is a secrets management tool that is specifically built to control access to sensitive credentials. It can be used to store sensitive data while also dynamically generating access to specific services/applications on a lease basis.
Deploying HashiCorp Vault on Kubernetes:
Step1. Clone the Helm chart for HashiCorp Vault.
Repository URL: https://github.com/hashicorp/vault-helm
$ git clone https://github.com/hashicorp/vault-helm.git
Step2. Edit the values.yaml file to access the Vault UI
- Go to the cloned repository.
$ cd vault-helm
- Open the values.yaml file in an editor.
- Then find the “service” section in the file and uncomment “nodePort”.
- Then find the “Vault UI” section in the file and enable the UI.
- Set “activeVaultPodOnly” to “true”.
- Change the “serviceType” to “NodePort”.
- Set “serviceNodePort” to the same port number used above, i.e. 30000.
- Save the file.
Step3. Deploying the Vault.
- Create a namespace for vault.
$ kubectl create namespace vault
- Add the HashiCorp repository to Helm and check that the chart was added successfully.
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm search repo hashicorp/vault
- Search for the specific version
$ helm search repo hashicorp/vault -l
NAME              CHART VERSION   APP VERSION   DESCRIPTION
hashicorp/vault   0.15.0          1.8.1         Official HashiCorp Vault Chart
hashicorp/vault   0.14.0          1.8.0         Official HashiCorp Vault Chart
hashicorp/vault   0.13.0          1.7.3         Official HashiCorp Vault Chart
hashicorp/vault   0.12.0          1.7.2         Official HashiCorp Vault Chart
hashicorp/vault   0.11.0          1.7.0         Official HashiCorp Vault Chart
hashicorp/vault   0.10.0          1.7.0         Official HashiCorp Vault Chart
hashicorp/vault   0.9.1           1.6.2         Official HashiCorp Vault Chart
hashicorp/vault   0.9.0           1.6.1         Official HashiCorp Vault Chart
hashicorp/vault   0.8.0           1.5.4         Official HashiCorp Vault Chart
hashicorp/vault   0.7.0           1.5.2         Official HashiCorp Vault Chart
hashicorp/vault   0.6.0           1.4.2         Official HashiCorp Vault Chart
hashicorp/vault   0.5.0                         Install and configure Vault on Kubernetes.
hashicorp/vault   0.4.0                         Install and configure Vault on Kubernetes.
- Install the specific version in the vault namespace with values.yaml file
$ helm install -f values.yaml vault hashicorp/vault --namespace vault --version 0.14.0
NAME: vault
LAST DEPLOYED: Sat Aug 28 13:45:51 2021
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://www.vaultproject.io/docs/
Your release is named vault. To learn more about the release, try:
$ helm status vault
$ helm get manifest vault
- Check the pods, services and other components.
$ kubectl get po -n vault
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 0/1     Running   0          34s
vault-agent-injector-768d4c4bf5-rjkpx   1/1     Running   0          37s
$ kubectl get svc -n vault
NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
vault                      ClusterIP   10.105.161.201   <none>        8200/TCP,8201/TCP   49s
vault-agent-injector-svc   ClusterIP   10.97.140.124    <none>        443/TCP             49s
vault-internal             ClusterIP   None             <none>        8200/TCP,8201/TCP   49s
vault-ui                   NodePort    10.108.162.186   <none>        8200:30000/TCP      49s
Error Case:
vault-0 does not become Ready. You can check this with the get pod command.
$ kubectl get pod -n vault
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 0/1     Running   0          34s
vault-agent-injector-768d4c4bf5-rjkpx   1/1     Running   0          37s
The logs can be checked with this command:
$ kubectl logs -f vault-0 -n vault
2021-08-28T08:16:27.987Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
2021-08-28T08:16:30.885Z [INFO] core: security barrier not initialized
2021-08-28T08:16:30.885Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:16:35.785Z [INFO] core: security barrier not initialized
2021-08-28T08:16:35.785Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:16:40.850Z [INFO] core: security barrier not initialized
2021-08-28T08:16:40.850Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:16:45.840Z [INFO] core: security barrier not initialized
2021-08-28T08:16:45.840Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:16:50.857Z [INFO] core: security barrier not initialized
2021-08-28T08:16:50.857Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:16:55.826Z [INFO] core: security barrier not initialized
2021-08-28T08:16:55.826Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:17:00.818Z [INFO] core: security barrier not initialized
2021-08-28T08:17:00.818Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:17:05.835Z [INFO] core: security barrier not initialized
2021-08-28T08:17:05.835Z [INFO] core: seal configuration missing, not initialized
2021-08-28T08:17:10.800Z [INFO] core: security barrier not initialized
2021-08-28T08:17:10.800Z [INFO] core: seal configuration missing, not initialized
This happens because Vault starts in a sealed state by default, and we have to unseal it before we can use it.
Step4. Unsealing the Vault.
- To unseal Vault, we first need to initialize it with the vault operator init command, which prints the unseal keys that will be used to unseal Vault. Save the unseal keys and the initial root token in a file for later use.
$ kubectl exec -ti vault-0 -n vault -- vault operator init
Unseal Key 1: fBgeKlqc5yMhPdof/YGYcY5ZOa9kKvhw7lFGh/NSvfpS
Unseal Key 2: jAvGUI5rrsDIlHd26KluJ2JU0hQX5Ia7EzMbxv/Jj6av
Unseal Key 3: 1JQv0L1yhl9cERcUMA0Magz4sCJ/lPBHseeRJFP20A2L
Unseal Key 4: tCBrx9dEnUrtFz2cfNO/AsGhENGLTDM4ugy1bqZe1JoL
Unseal Key 5: DW2tCWDdHRyNXbN6DulcQpKuhEMG5acYSkOU3G2pkCr9
Initial Root Token: s.Yz4mBj1oSVkjKpF3HgZhLoXY
............
- Unseal the vault using the keys shared above until the threshold is met:
$ kubectl exec -ti vault-0 -n vault -- vault operator unseal
$ kubectl exec -ti vault-0 -n vault -- vault operator unseal
$ kubectl exec -ti vault-0 -n vault -- vault operator unseal
At each prompt, paste a different key. This is the output after unsealing Vault:
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.8.1
Storage Type    file
Cluster Name    vault-cluster-5ece2bab
Cluster ID      419584f5-943c-2fee-55ef-2e1e641cd084
HA Enabled      false
Now check vault-0 again; it reports READY 1/1.
$ kubectl get pod -n vault
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          31m
vault-agent-injector-768d4c4bf5-rjkpx   1/1     Running   0          31m
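The 0/1 readiness in the error case and the 3-of-5 threshold in Step4 can both be read from the vault status table. The following is an added example, not part of the original post: a shell function that classifies that table as uninitialized, sealed (with the number of key shares still needed) or unsealed. The function name vault_seal_state and the sealed and uninitialized sample tables are constructed for illustration; the unsealed sample is trimmed from the output above.

```sh
# Constructed sample: sealed server after one key share has been entered.
SAMPLE_SEALED='Key                Value
---                -----
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3'

# Trimmed from the post-unseal output shown in Step4.
SAMPLE_UNSEALED='Key             Value
---             -----
Initialized     true
Sealed          false
Total Shares    5
Threshold       3'

# Constructed sample: freshly installed server before "vault operator init".
SAMPLE_UNINIT='Key                Value
---                -----
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0'

# Reads "vault status" table text on stdin and prints one of:
#   uninitialized | sealed <key shares still needed> | unsealed
# Prints "unknown" and returns 2 when the expected rows are missing.
vault_seal_state() {
  awk '
    # The value is the last whitespace-separated field of each row.
    $1 == "Initialized"                { init = $NF }
    $1 == "Sealed"                     { sealed = $NF }
    $1 == "Threshold"                  { threshold = $NF }
    $1 == "Unseal" && $2 == "Progress" { split($NF, p, "/"); have = p[1] }
    END {
      if (init == "" || sealed == "") { print "unknown"; exit 2 }
      if (init != "true")             { print "uninitialized"; exit 0 }
      if (sealed == "true")           { print "sealed " (threshold - have); exit 0 }
      print "unsealed"
    }'
}

# Demo on the embedded samples.
for s in "$SAMPLE_UNINIT" "$SAMPLE_SEALED" "$SAMPLE_UNSEALED"; do
  printf '%s\n' "$s" | vault_seal_state
done
```

Against the deployment above, the input would come from kubectl exec vault-0 -n vault -- vault status piped into the function. The vault status command itself exits non-zero while Vault is sealed, so the function's own output is the value to act on.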
Step5. Log in to the Vault UI on the exposed port
- Open the UI on port 30000, as configured in the NodePort service.

- Use the root token obtained in Step4.

Conclusion:
Here we have learned how to deploy HashiCorp Vault using Helm in Kubernetes. This will work with all types of Kubernetes services such as AWS EKS, Azure AKS, Minikube, etc.