hashicorp-vault Plugin

This plugin installs hashicorp-vault into an existing Kubernetes cluster using the official Helm chart, so you can test against or develop with hashicorp-vault.

By default, the plugin installs hashicorp-vault in HA mode with replicas: 3.

Usage

```yaml
tools:
# name of the tool
- name: hashicorp-vault
  # the id of the tool instance
  instanceID: default
  options:
    # need to create the namespace or not, default: false
    create_namespace: true
    repo:
      # name of the Helm repo
      name: hashicorp
      # url of the Helm repo
      url: https://helm.releases.hashicorp.com
    # Helm chart information
    chart:
      # name of the chart
      chart_name: hashicorp/vault
      # release name of the chart
      release_name: vault
      # the k8s namespace where Vault is deployed
      namespace: hashicorp
      # whether to wait for the release to be deployed or not
      wait: true
      # the time to wait for any individual Kubernetes operation (like Jobs for hooks); defaults to 5m0s
      timeout: 5m
      # custom values passed to the chart
      values_yaml: |
        global:
          enabled: true
        server:
          affinity: ""
          ha:
            enabled: true
            replicas: 3
            raft:
              enabled: true
              setNodeId: true
        # the chart reads the namespace selector from the injector section;
        # only namespaces labelled injection=enabled get secrets injected
        injector:
          namespaceSelector:
            matchLabels:
              injection: enabled
```

Initialize all the Vault pods

After installing Vault on k8s, you need to initialize and unseal each Vault pod. To learn more about Vault, refer to:

First, install the jq tool (jq is a lightweight and flexible command-line JSON processor). Download jq

In the commands below, replace the variable $NAMESPACE with “hashicorp” if you did not change the namespace option; otherwise, use the namespace you configured.

1. Initialize vault-0

   ```shell
   # Initialize vault-0 with one key share and one key threshold.
   kubectl exec vault-0 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
   ```

2. Display the unseal key

   ```shell
   # Display the unseal key found in cluster-keys.json
   cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
   ```

3. Create a variable to capture the Vault unseal key

   ```shell
   # Create a variable named VAULT_UNSEAL_KEY to capture the Vault unseal key.
   VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
   ```

4. Unseal vault-0

   ```shell
   # Unseal Vault running on the vault-0 pod.
   kubectl exec vault-0 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
   ```

The output of the unseal command looks like this. Make sure the value of Initialized is true and the value of Sealed is false.

```
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.9.2
Storage Type            raft
Cluster Name            vault-cluster-14052440
Cluster ID              7630cd33-2ee1-39c1-db3f-e48a6d79970a
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2022-04-23T16:45:47.6060163Z
Raft Committed Index    30
Raft Applied Index      30
```
5. Initialize vault-1 and vault-2 like vault-0

   ```shell
   # Initialize and unseal vault-1. Each node's init output (unseal key and root token)
   # is written to its own file so the keys of vault-0 are not overwritten.
   kubectl exec vault-1 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys-vault-1.json
   VAULT_UNSEAL_KEY=$(cat cluster-keys-vault-1.json | jq -r ".unseal_keys_b64[]")
   kubectl exec vault-1 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
   # Initialize and unseal vault-2
   kubectl exec vault-2 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys-vault-2.json
   VAULT_UNSEAL_KEY=$(cat cluster-keys-vault-2.json | jq -r ".unseal_keys_b64[]")
   kubectl exec vault-2 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
   ```
6. Verify the status of all the pods

   ```shell
   # Verify all the Vault pods are running and ready.
   kubectl get pods -n $NAMESPACE
   ```

The output of the command above looks like this. Make sure all the pods are running and ready.

```
NAME                                 READY   STATUS    RESTARTS   AGE
vault-0                              1/1     Running   0          2m29s
vault-1                              1/1     Running   0          2m29s
vault-2                              1/1     Running   0          2m29s
vault-agent-injector-68dc986-bnsj2   1/1     Running   0          2m28s
```
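As an added example (not the plugin's own code), the initialize-and-unseal procedure above collected into one idempotent script: it checks each pod's status before initializing, keeps every node's keys in its own owner-readable file instead of overwriting cluster-keys.json, and stops if a node is still sealed. The kubectl context, the NAMESPACE default and the PODS list are assumptions; the JSON helpers use sed so the checks also work where jq is not installed.

```shell
#!/bin/sh
# Added example, not part of the DevStream plugin: initialize and unseal each Vault pod
# idempotently, keeping one key file per pod so an earlier node's keys are never overwritten.
# Assumes kubectl already points at the cluster; NAMESPACE and PODS below are assumed names.
set -eu

NAMESPACE="${NAMESPACE:-hashicorp}"
PODS="${PODS:-vault-0 vault-1 vault-2}"

# Pull a top-level boolean ("initialized" or "sealed") out of `vault status -format=json`.
json_bool() {  # $1 = JSON text, $2 = field name; prints true or false
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p'
}

# First entry of unseal_keys_b64 from the JSON written by `vault operator init`.
first_unseal_key() {  # $1 = JSON text
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"unseal_keys_b64"[[:space:]]*:[[:space:]]*\[[[:space:]]*"\([^"]*\)".*/\1/p'
}

key_file() { printf 'cluster-keys-%s.json' "$1"; }

# `vault status` exits non-zero while the node is sealed; only its JSON matters here.
pod_status() { kubectl exec "$1" -n "$NAMESPACE" -- vault status -format=json || true; }

init_and_unseal() {  # $1 = pod name
  pod="$1"
  if [ "$(json_bool "$(pod_status "$pod")" initialized)" != true ]; then
    # The init output holds the unseal key and the root token: write it owner-readable only.
    ( umask 077; kubectl exec "$pod" -n "$NAMESPACE" -- vault operator init \
        -key-shares=1 -key-threshold=1 -format=json > "$(key_file "$pod")" )
  fi
  if [ "$(json_bool "$(pod_status "$pod")" sealed)" = true ]; then
    kubectl exec "$pod" -n "$NAMESPACE" -- vault operator unseal \
      "$(first_unseal_key "$(cat "$(key_file "$pod")")")" > /dev/null
  fi
  # Stop instead of silently moving on if the node is still sealed.
  if [ "$(json_bool "$(pod_status "$pod")" sealed)" != false ]; then
    echo "$pod is still sealed; check $(key_file "$pod") and the pod logs" >&2
    return 1
  fi
  echo "$pod: initialized and unsealed"
}

main() { for p in $PODS; do init_and_unseal "$p"; done; }

# Run with `sh init-vault.sh --run`; sourcing the file only defines the functions.
if [ "${1:-}" = --run ]; then main; fi
```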
After the above operations, you can use Vault to write and read secrets. Follow the HashiCorp Vault documentation:

  1. Set a secret in Vault
  2. Your First Secret