Vault installation to minikube via Helm with TLS enabled
This tutorial walks through setting up end-to-end TLS on a HA Vault cluster in Kubernetes. You will create a private key and a wildcard certificate using the Kubernetes CA. You will store the certificate and the key in the Kubernetes secrets store. Finally you will configure the helm chart to use the kubernetes secret.
Prerequisites
This tutorial requires the Kubernetes command-line interface (CLI) and the Helm CLI installed, minikube, the Vault Helm chart, and the additional configuration to bring it all together.
First, follow the directions to install minikube, including VirtualBox or similar.
Next, install kubectl CLI and helm CLI.
NOTE: This tutorial was last tested in November 2022 on a macOS 12.6.1 using this configuration.
Docker version.
Display minikube version.
Helm version.
These are recommended software versions and the output displayed may vary depending on your environment and the software versions you use.
Start minikube
Minikube is a CLI tool that provisions and manages the lifecycle of single-node Kubernetes clusters running inside Virtual Machines (VM) on your local system.
Start a Kubernetes cluster.
The initialization process takes several minutes as it retrieves any necessary dependencies and executes various container images.
Verify the status of the minikube cluster.
Install the Vault Helm chart
Vault manages the secrets that are written to these mountable volumes. To provide these secrets a single Vault server is required. For this demonstration Vault can be run in development mode to automatically handle initialization, unsealing, and setup of a KV secrets engine.
Add the HashiCorp Helm repository.
Update all the repositories to ensure
helm
is aware of the latest versions.To verify, search repositories for vault in charts.
Create the certificate
create a working directory
Export the working directory location and the naming variables.
Generate the private key
Create the Certificate Signing Request (CSR).
Create the CSR configuration file
Generate the CSR
Issue the Certificate.
Create the csr yaml file to send it to Kubernetes.
Send the CSR to Kubernetes
Approve the CSR in Kubernetes.
Confirm the certificate was issued
Store the certificates and Key in the Kubernetes secrets store
Retrieve the certificate
Retrieve Kubernetes CA certificate
Create the Kubernetes namespace
Create the TLS secret
Output:
Deploy the vault cluster via helm with overrides
Create the
overrides.yaml
file.Recommendation
If you are using Prometheus for monitoring and alerting, we recommend to set the
cluster_name
in the HCL configuration. With the Vault Helm chart, this is accomplished with the config parameter.Deploy the Cluster
Example output:
Display the pods in the namespace that you created for vault
Initialize
vault-0
with one key share and one key threshold.The
operator init
command generates a root key that it disassembles into key shares-key-shares=1
and then sets the number of key shares required to unseal Vault-key-threshold=1
. These key shares are written to the output as unseal keys in JSON format-format=json
. Here the output is redirected to a file namedcluster-keys.json
.Display the unseal key found in
cluster-keys.json
.Insecure operation
Do not run an unsealed Vault in production with a single key share and a single key threshold. This approach is only used here to simplify the unsealing process for this demonstration.
Create a variable named
VAULT_UNSEAL_KEY
to capture the Vault unseal key.After initialization, Vault is configured to know where and how to access the storage, but does not know how to decrypt any of it. Unsealing is the process of constructing the root key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
Unseal Vault running on the
vault-0
pod.Insecure operation
Providing the unseal key with the command writes the key to your shell's history. This approach is only used here to simplify the unsealing process for this demonstration.
The
operator unseal
command reports that Vault is initialized and unsealed.Example output:
The Vault server is initialized and unsealed.
Join vault-1
and vault2
pods to the Raft cluster
Start an interactive shell session on the
vault-1
pod.Your system prompt is replaced with a new prompt / $.
Join the
vault-1
pod to the Raft cluster.Example output:
Exit the
vault-1
pod.Unseal
vault-1
.Start an interactive shell session on the
vault-2
pod.Your system prompt is replaced with a new prompt / $.
Join the
vault-2
pod to the Raft cluster.Example output:
Exit the
vault-2
pod.Unseal
vault-2
.Login to vault and confirm everything is working
Export the cluster root token
Login to
vault-0
with the root tokenList the raft peers.
Print the HA status
You now have a working 3 node cluster with TLS enabled at the pod level. Next you will create a secret and retrieve it via and API call to confirm TLS is working as expected.
Create a secret
Start an interactive shell session on the
vault-0
pod.Note
Your system prompt is replaced with a new prompt
/ $
.Enable the kv-v2 secrets engine
Create a secret at the path
secret/tls/apitest
with ausername
and apassword
Verify that the secret is defined at the path
secret/tls/apitest
Exit the
vault-0
pod.
Expose the vault service and retrieve the secret via the API
The Helm chart defined a Kubernetes service named vault that forwards requests to its endpoints (i.e. The pods named vault-0, vault-1, and vault-2).
Confirm the Vault service configuration
In another terminal, port forward the vault service.
In the original terminal, perform a
HTTPS
curl request to retrieve the secret you created in the previous section.Example output:
The secret you created earlier is displayed back to us.
Clean up
Stop the running local Kubernetes cluster.
This deactivates minikube, and all pods still exist at this point.
Delete the local Kubernetes cluster.
Be aware that
minikube delete
removes the minikube deployment including all pods. Be sure you want everything removed before continuing.Remove the files and the working directory you created.
Next steps
You launched Vault in high-availability via a Helm chart with TLS enabled. Learn more about the Vault Helm chart by reading the documentation or exploring the project source code.
Then you created and API call and requested a secret directly from Vault. Explore how pods can retrieve secrets through the Vault Injector service via annotations or secrets mounted on ephemeral volumes.