<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="Documentation for 3Engines services and products"><meta name=author content=3Engines><link rel=canonical href=https://docs.3Engines.com/kubernetes/Installing-HashiCorp-Vault-on-3Engines-Cloud-Magnum.html.html><link rel=icon href=../assets/favicon.ico><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.6.14"><title>Installing HashiCorp Vault on 3Engines Cloud Magnum🔗 - 3Engines Documentation</title><link rel=stylesheet href=../assets/stylesheets/main.342714a4.min.css><link rel=stylesheet href=../assets/stylesheets/palette.06af60db.min.css><script src=https://unpkg.com/iframe-worker/shim></script><!-- NOTE(review): the iframe-worker shim is fetched from the unpkg.com CDN at an unpinned (latest) version and without integrity/crossorigin attributes, so whatever that origin serves runs as first-party script on every page of the site. Pin an exact version and add SRI, or serve the file from ../assets/javascripts the way glightbox.min.js is served below. --><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><!-- Roboto / Roboto Mono are loaded from Google's font origins (third-party); the preconnect to fonts.gstatic.com warms the connection used for the font files themselves. --><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><link rel=stylesheet href=../stylesheets/extra.css><script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><!-- mkdocs-material storage helpers: __md_scope is the site base URL ("..") and __md_get/__md_set prefix every localStorage key with its pathname, so preferences are per-site rather than per-origin. __md_get returns JSON.parse of the raw stored value (null when the key is absent); __md_set ignores storage errors silently. __md_hash is a small non-cryptographic string hash (h*31 + charCode). Because this script and the <style> blocks are inline, a script-src/style-src CSP for the site needs 'unsafe-inline' or a per-build nonce/hash. --> <link href="../assets/stylesheets/glightbox.min.css" rel="stylesheet"/><style>
/* glightbox (image lightbox) overrides; the body[data-md-color-scheme="slate"] rules re-theme captions for the dark palette */
html.glightbox-open { overflow: initial; height: 100%; }
.gslide-title { margin-top: 0px; user-select: text; }
.gslide-desc { color: #666; user-select: text; }
.gslide-image img { background: white; }
.gscrollbar-fixer { padding-right: 15px; }
.gdesc-inner { font-size: 0.75rem; }
body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}</style> <script src="../assets/javascripts/glightbox.min.js"></script></head> <!-- <body> carries the default palette as data-md-color-* attributes; the hidden checkbox inputs that follow are toggled through their <label for> pairs to open the nav drawer and the search overlay (presumably via state selectors in the theme CSS; no script is involved here). --> <body dir=ltr data-md-color-scheme=default data-md-color-primary=blue-grey data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#installing-hashicorp-vault-on-3engines-cloud-magnum class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../index.html title="3Engines Documentation" class="md-header__button md-logo" aria-label="3Engines Documentation" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> 3Engines Documentation </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Installing HashiCorp Vault on 3Engines Cloud Magnum🔗 </span> </div> </div> </div> <form class=md-header__option data-md-component=palette> <input class=md-option data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme=default data-md-color-primary=blue-grey data-md-color-accent=indigo aria-label="Switch to dark mode" type=radio name=__palette id=__palette_0> <label 
class="md-header__button md-icon" title="Switch to dark mode" for=__palette_1 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg> </label> <input class=md-option data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme=slate data-md-color-primary=indigo data-md-color-accent=indigo aria-label="Switch to light mode" type=radio name=__palette id=__palette_1> <label class="md-header__button md-icon" title="Switch to light mode" for=__palette_0 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg> </label> </form> <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 
6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </label> <nav class=md-search__options aria-label=Search> <a href=javascript:void(0) class="md-search__icon md-icon" title=Share aria-label=Share data-clipboard data-clipboard-text data-md-component=search-share tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg> </a> <button type=reset class="md-search__icon md-icon" title=Clear aria-label=Clear tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg> </button> </nav> <div class=md-search__suggest data-md-component=search-suggest></div> </form> <div 
class=md-search__output> <div class=md-search__scrollwrap tabindex=0 data-md-scrollfix> <div class=md-search-result data-md-component=search-result> <div class=md-search-result__meta> Initializing search </div> <ol class=md-search-result__list role=presentation></ol> </div> </div> </div> </div> </div> </nav> </header> <div class=md-container data-md-component=container> <nav class=md-tabs aria-label=Tabs data-md-component=tabs> <div class=md-grid> <ul class=md-tabs__list> <li class=md-tabs__item> <a href=../index.html class=md-tabs__link> Home </a> </li> <li class=md-tabs__item> <a href=../cloud/cloud.html.html class=md-tabs__link> Cloud </a> </li> <li class=md-tabs__item> <a href=../datavolume/datavolume.html.html class=md-tabs__link> Data Volume </a> </li> <li class=md-tabs__item> <a href=../networking/networking.html.html class=md-tabs__link> Networking </a> </li> <li class=md-tabs__item> <a href=../s3/s3.html.html class=md-tabs__link> S3 </a> </li> <li class=md-tabs__item> <a href=../windows/windows.html.html class=md-tabs__link> Windows </a> </li> </ul> </div> </nav> <main class=md-main data-md-component=main> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component=sidebar data-md-type=navigation> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label=Navigation data-md-level=0> <label class=md-nav__title for=__drawer> <a href=../index.html title="3Engines Documentation" class="md-nav__button md-logo" aria-label="3Engines Documentation" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg> </a> 3Engines Documentation </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../index.html class=md-nav__link> <span 
class=md-ellipsis> Home </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_2> <label class=md-nav__link for=__nav_2 id=__nav_2_label tabindex=0> <span class=md-ellipsis> Cloud </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_2_label aria-expanded=false> <label class=md-nav__title for=__nav_2> <span class="md-nav__icon md-icon"></span> Cloud </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../cloud/cloud.html.html class=md-nav__link> <span class=md-ellipsis> Overview </span> </a> </li> <li class=md-nav__item> <a href=../cloud/Dashboard-Overview-Project-Quotas-And-Flavors-Limits-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Dashboard Overview Project Quotas And Flavors Limits on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-access-the-VM-from-OpenStack-console-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to access the VM from OpenStack console on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-clone-existing-and-configured-VMs-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to clone existing and configured VMs on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-fix-unresponsive-console-issue-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to fix unresponsive console issue on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-generate-ec2-credentials-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to generate and manage EC2 credentials on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-generate-or-use-Application-Credentials-via-CLI-on-3Engines-Cloud.html.html class=md-nav__link> 
<span class=md-ellipsis> How to generate or use Application Credentials via CLI on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-use-GUI-in-Linux-VM-on-3Engines-Cloud-and-access-it-from-local-Linux-computer.html.html class=md-nav__link> <span class=md-ellipsis> How to Use GUI in Linux VM on 3Engines Cloud and access it From Local Linux Computer </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-To-Create-a-New-Linux-VM-With-NVIDIA-Virtual-GPU-in-the-OpenStack-Dashboard-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How To Create a New Linux VM With NVIDIA Virtual GPU in the OpenStack Dashboard Horizon on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-use-Docker-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to install and use Docker on Ubuntu 24.04 </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-use-Security-Groups-in-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to use Security Groups in Horizon on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-create-key-pair-in-OpenStack-Dashboard-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create key pair in OpenStack Dashboard on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-create-new-Linux-VM-in-OpenStack-Dashboard-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create new Linux VM in OpenStack Dashboard Horizon on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-install-Python-virtualenv-or-virtualenvwrapper-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to install Python virtualenv or virtualenvwrapper on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a 
href=../cloud/How-to-start-a-VM-from-a-snapshot-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to start a VM from a snapshot on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/Status-Power-State-and-dependences-in-billing-of-instances-VMs-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Status Power State and dependencies in billing of instance VMs on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-upload-your-custom-image-using-OpenStack-CLI-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to upload your custom image using OpenStack CLI on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/VM-created-with-option-Create-New-Volume-No-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> VM created with option Create New Volume No on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/VM-created-with-option-Create-New-Volume-Yes-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> VM created with option Create New Volume Yes on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/What-is-an-OpenStack-domain-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> What is an OpenStack domain on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/What-is-an-OpenStack-project-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> What is an OpenStack project on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-create-a-Linux-VM-and-access-it-from-Windows-desktop-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create a Linux VM and access it from Windows desktop on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a 
href=../cloud/How-to-create-a-Linux-VM-and-access-it-from-Linux-command-line-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create a Linux VM and access it from Linux command line on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/DNS-as-a-Service-on-3Engines-Cloud-Hosting.html.html class=md-nav__link> <span class=md-ellipsis> DNS as a Service on 3Engines Cloud Hosting </span> </a> </li> <li class=md-nav__item> <a href=../cloud/What-Image-Formats-are-available-in-OpenStack-3Engines-Cloud-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> What Image Formats are Available in OpenStack 3Engines Cloud cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-upload-custom-image-to-3Engines-Cloud-cloud-using-OpenStack-Horizon-dashboard.html.html class=md-nav__link> <span class=md-ellipsis> How to upload custom image to 3Engines Cloud cloud using OpenStack Horizon dashboard </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-create-Windows-VM-on-OpenStack-Horizon-and-access-it-via-web-console-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create Windows VM on OpenStack Horizon and access it via web console on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-transfer-volumes-between-domains-and-projects-using-Horizon-dashboard-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to transfer volumes between domains and projects using Horizon dashboard on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/Spot-instances-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Spot instances on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-create-instance-snapshot-using-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create instance snapshot using Horizon on 3Engines Cloud 
</span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-start-a-VM-from-instance-snapshot-using-Horizon-dashboard-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to start a VM from instance snapshot using Horizon dashboard on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/How-to-create-a-VM-using-the-OpenStack-CLI-client-on-3Engines-Cloud-cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create a VM using the OpenStack CLI client on 3Engines Cloud cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/OpenStack-user-roles-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> OpenStack User Roles on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/Resizing-a-virtual-machine-using-OpenStack-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Resizing a virtual machine using OpenStack Horizon on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../cloud/Block-storage-and-object-storage-performance-limits-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Block storage and object storage performance limits on 3Engines Cloud </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3> <label class=md-nav__link for=__nav_3 id=__nav_3_label tabindex=0> <span class=md-ellipsis> Data Volume </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_3_label aria-expanded=false> <label class=md-nav__title for=__nav_3> <span class="md-nav__icon md-icon"></span> Data Volume </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../datavolume/datavolume.html.html class=md-nav__link> <span class=md-ellipsis> Overview </span> </a> </li> <li class=md-nav__item> <a 
href=../datavolume/How-to-attach-a-volume-to-VM-less-than-2TB-on-Linux-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to attach a volume to VM less than 2TB on Linux on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-attach-a-volume-to-VM-more-than-2TB-on-Linux-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to attach a volume to VM more than 2TB on Linux on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/Ephemeral-vs-Persistent-storage-option-Create-New-Volume-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Ephemeral vs Persistent storage option Create New Volume on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-export-a-volume-over-NFS-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to export a volume over NFS on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-export-a-volume-over-NFS-outside-of-a-project-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to export a volume over NFS outside of a project on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-extend-the-volume-in-Linux-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to extend the volume in Linux on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-mount-object-storage-in-Linux-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to mount object storage in Linux on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-move-data-volume-between-two-VMs-using-OpenStack-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to move data volume between two VMs using OpenStack Horizon on 3Engines Cloud </span> </a> </li> <li 
class=md-nav__item> <a href=../datavolume/How-many-objects-can-I-put-into-Object-Storage-container-bucket-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How many objects can I put into Object Storage container bucket on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-create-volume-Snapshot-and-attach-as-Volume-on-Linux-or-Windows-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create volume Snapshot and attach as Volume on Linux or Windows on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/Volume-snapshot-inheritance-and-its-consequences-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Volume snapshot inheritance and its consequences on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-To-Create-Backup-Of-Your-Volume-From-Windows-Machine-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to Create Backup of Your Volume From Windows Machine on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-To-Attach-Volume-To-Windows-VM-On-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How To Attach Volume To Windows VM On 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-create-or-delete-volume-snapshot-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create or delete volume snapshot on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/How-to-restore-volume-from-snapshot-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to restore volume from snapshot on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../datavolume/Bootable-versus-non-bootable-volumes-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Bootable versus non-bootable volumes on 3Engines 
Cloud </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4> <label class=md-nav__link for=__nav_4 id=__nav_4_label tabindex=0> <span class=md-ellipsis> Networking </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_4_label aria-expanded=false> <label class=md-nav__title for=__nav_4> <span class="md-nav__icon md-icon"></span> Networking </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../networking/networking.html.html class=md-nav__link> <span class=md-ellipsis> Overview </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-can-I-access-my-VMs-using-names-instead-of-IP-addresses-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How can I access my VMs using names instead of IP addresses on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-to-Add-or-Remove-Floating-IPs-to-your-VM-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to Add or Remove Floating IPs to your VM on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/Cannot-access-VM-with-SSH-or-PING-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Cannot access VM with SSH or PING on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/Cannot-ping-VM-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Cannot ping VM on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-to-connect-to-your-virtual-machine-via-SSH-in-Linux-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to connect to your virtual machine via SSH in Linux on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a 
href=../networking/How-to-create-a-network-with-router-in-Horizon-Dashboard-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to create a network with router in Horizon Dashboard on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-can-I-open-new-ports-port-80-for-http-for-my-service-or-instance-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How can I open new ports for http for my service or instance on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/Generating-a-SSH-keypair-in-Linux-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Generating an SSH keypair in Linux on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-to-add-SSH-key-from-Horizon-web-console-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to add SSH key from Horizon web console on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-is-my-VM-visible-in-the-internet-with-no-Floating-IP-attached-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How is my VM visible in the internet with no Floating IP attached on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-to-run-and-configure-Firewall-as-a-service-and-VPN-as-a-service-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to run and configure Firewall as a service and VPN as a service on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../networking/How-to-Import-SSH-Public-Key-to-OpenStack-Horizon-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to import SSH public key to OpenStack Horizon on 3Engines Cloud </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_5> <label class=md-nav__link 
for=__nav_5 id=__nav_5_label tabindex=0> <span class=md-ellipsis> S3 </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_5_label aria-expanded=false> <label class=md-nav__title for=__nav_5> <span class="md-nav__icon md-icon"></span> S3 </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../s3/s3.html.html class=md-nav__link> <span class=md-ellipsis> Overview </span> </a> </li> <li class=md-nav__item> <a href=../s3/How-to-delete-large-S3-bucket-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to Delete Large S3 Bucket on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../s3/How-to-mount-object-storage-container-as-a-file-system-in-Linux-using-s3fs-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to Mount Object Storage Container as a File System in Linux Using s3fs on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../s3/Bucket-sharing-using-s3-bucket-policy-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> Bucket sharing using s3 bucket policy on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../s3/How-to-use-Object-Storage-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to use Object Storage on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../s3/How-to-access-private-object-storage-using-S3cmd-or-boto3-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to access private object storage using S3cmd or boto3 on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a href=../s3/How-To-Install-boto3-In-Windows-on-3Engines-Cloud.html.html class=md-nav__link> <span class=md-ellipsis> How to Install Boto3 in Windows on 3Engines Cloud </span> </a> </li> <li class=md-nav__item> <a 
 Step 6 Run Vault UI🔗 </span> </a> </li> <li class=md-nav__item> <a href=#return-livenessprobe-to-production-value class=md-nav__link> <span class=md-ellipsis> Return livenessProbe to production value🔗 </span> </a> </li> <li class=md-nav__item> <a href=#troubleshooting class=md-nav__link> <span class=md-ellipsis> Troubleshooting🔗 </span> </a> </li> <li class=md-nav__item> <a href=#what-to-do-next class=md-nav__link> <span class=md-ellipsis> What To Do Next🔗 </span> </a> </li> </ul> </nav> </div> </div> </div> <div class=md-content data-md-component=content> <article class="md-content__inner md-typeset"> <h1 id=installing-hashicorp-vault-on-3engines-cloud-magnum>Installing HashiCorp Vault on 3Engines Cloud Magnum<a href=#installing-hashicorp-vault-on-3engines-cloud-magnum title="Permalink to this headline">🔗</a><a class=headerlink href=#installing-hashicorp-vault-on-3engines-cloud-magnum title="Permanent link">&para;</a></h1> <p>In Kubernetes, a <em>Secret</em> is an object that holds passwords, tokens, keys or other small pieces of sensitive data. Using <em>Secrets</em> makes it much less likely that confidential data is exposed while creating, running and editing Pods. The main problem is that, by default, <em>Secrets</em> are stored unencrypted in <em>etcd</em>, so anyone with</p> <blockquote> <ul> <li>API access to Secrets, as well as anyone who</li> <li>can create a Pod or a Deployment in that namespace</li> </ul> </blockquote> <p>can also retrieve or modify a Secret.</p> <p>You can apply a number of strategies to improve the security of the cluster, or you can install a specialized solution such as <a href=https://www.vaultproject.io/ >HashiCorp Vault</a>. 
It offers</p> <blockquote> <ul> <li>secure storage of all kinds of secrets: passwords, TLS certificates, database credentials, API encryption keys and others,</li> <li>encryption of all of the data,</li> <li>dynamic serving of the credentials,</li> <li>granular access policies for users, applications, and services,</li> <li>logging and auditing of data usage,</li> <li>revoking or deleting any key or secret,</li> <li>setting automated secret rotation for administrators and users alike.</li> </ul> </blockquote> <p>In this article, we shall install HashiCorp Vault within a Magnum Kubernetes cluster on 3Engines Cloud.</p> <h2 id=what-we-are-going-to-cover>What We Are Going To Cover<a href=#what-we-are-going-to-cover title="Permalink to this headline">🔗</a><a class=headerlink href=#what-we-are-going-to-cover title="Permanent link">&para;</a></h2> <blockquote> <ul> <li>Install CFSSL, the tool used to issue self-signed TLS certificates</li> <li>Generate certificates to enable encryption of traffic with Vault</li> <li>Install the Consul storage backend for High Availability</li> <li>Install Vault</li> <li>Sealing and unsealing the Vault</li> <li>Unseal Vault</li> <li>Run Vault UI</li> <li>Return livenessProbe to production value</li> <li>Troubleshooting</li> </ul> </blockquote> <h2 id=prerequisites>Prerequisites<a href=#prerequisites title="Permalink to this headline">🔗</a><a class=headerlink href=#prerequisites title="Permanent link">&para;</a></h2> <p>No. 1 <strong>Account</strong></p> <p>You need a 3Engines Cloud hosting account with access to the Horizon interface: <a href=https://horizon.3Engines.com>https://horizon.3Engines.com</a>.</p> <p>No. 
2 <strong>Familiarity with kubectl</strong></p> <p>You should have an appropriate Kubernetes cluster up and running, with <strong>kubectl</strong> pointing to it; see <a href=How-To-Access-Kubernetes-Cluster-Post-Deployment-Using-Kubectl-On-3Engines-Cloud-OpenStack-Magnum.html.html>How To Access Kubernetes Cluster Post Deployment Using Kubectl On 3Engines Cloud OpenStack Magnum</a></p> <p>No. 3 <strong>Familiarity with deploying Helm charts</strong></p> <p>This article will introduce you to Helm charts on Kubernetes:</p> <p><a href=Deploying-Helm-Charts-on-Magnum-Kubernetes-Clusters-on-3Engines-Cloud-Cloud.html.html>Deploying Helm Charts on Magnum Kubernetes Clusters on 3Engines Cloud Cloud</a></p> <h2 id=step-1-install-cfssl>Step 1 Install CFSSL<a href=#step-1-install-cfssl title="Permalink to this headline">🔗</a><a class=headerlink href=#step-1-install-cfssl title="Permanent link">&para;</a></h2> <p>To ensure that communication between Vault and its clients in the cluster is encrypted, we need to provide TLS certificates.</p> <p>We will use TLS certificates issued by our own private Certificate Authority (CA), whose root certificate is self-signed. To generate them we will use the CFSSL utilities <strong>cfssl</strong> and <strong>cfssljson</strong>.</p> <p><strong>cfssl</strong> is a CLI utility. <strong>cfssljson</strong> takes the JSON output from <strong>cfssl</strong> and writes certificates, keys, and CSRs (certificate signing requests) to files.</p> <p>We need to download the binaries of both tools, <strong>cfssl</strong> and <strong>cfssljson</strong>, from <a href=https://github.com/cloudflare/cfssl>https://github.com/cloudflare/cfssl</a> and make them executable. The commands below pin specific release versions; check the releases page for the current version, and verify the downloaded binaries against the checksums published with the release before running them:</p> <div class=highlight><pre><span></span><code><span id=__span-0-1><a id=__codelineno-0-1 name=__codelineno-0-1 href=#__codelineno-0-1></a>curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64 -o cfssl
</span><span id=__span-0-2><a id=__codelineno-0-2 name=__codelineno-0-2 href=#__codelineno-0-2></a>curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson
</span><span id=__span-0-3><a id=__codelineno-0-3 name=__codelineno-0-3 href=#__codelineno-0-3></a>chmod +x cfssl
</span><span id=__span-0-4><a id=__codelineno-0-4 name=__codelineno-0-4 href=#__codelineno-0-4></a>chmod +x cfssljson
</span></code></pre></div> <p>Then we also need to move them to a directory on our PATH:</p> <div class=highlight><pre><span></span><code><span id=__span-1-1><a id=__codelineno-1-1 name=__codelineno-1-1 href=#__codelineno-1-1></a>sudo mv cfssl cfssljson /usr/local/bin
</span></code></pre></div> <h2 id=step-2-generate-tls-certificates>Step 2 Generate TLS certificates<a href=#step-2-generate-tls-certificates title="Permalink to this headline">🔗</a><a class=headerlink href=#step-2-generate-tls-certificates title="Permanent link">&para;</a></h2> <p>Before we start, let's create a dedicated namespace where all Vault-related Kubernetes resources will live:</p> <div class=highlight><pre><span></span><code><span id=__span-2-1><a id=__codelineno-2-1 name=__codelineno-2-1 href=#__codelineno-2-1></a>kubectl create namespace vault
</span></code></pre></div> <p>We will need to issue two certificates. The first is the root certificate of our private Certificate Authority (CA). The second is the actual Vault server certificate, which is signed by that CA.</p> <p>The certificate signing request for the CA is described by a JSON file, <strong>ca-csr.json</strong>. Create this file in your favorite editor and, if you wish, substitute the certificate details with those of your own organization:</p> <p><strong>ca-csr.json</strong></p> <div class=highlight><pre><span></span><code><span id=__span-3-1><a id=__codelineno-3-1 name=__codelineno-3-1 href=#__codelineno-3-1></a>{
</span><span id=__span-3-2><a id=__codelineno-3-2 name=__codelineno-3-2 href=#__codelineno-3-2></a> &quot;hosts&quot;: [
</span><span id=__span-3-3><a id=__codelineno-3-3 name=__codelineno-3-3 href=#__codelineno-3-3></a> &quot;cluster.local&quot;
</span><span id=__span-3-4><a id=__codelineno-3-4 name=__codelineno-3-4 href=#__codelineno-3-4></a> ],
</span><span id=__span-3-5><a id=__codelineno-3-5 name=__codelineno-3-5 href=#__codelineno-3-5></a> &quot;key&quot;: {
</span><span id=__span-3-6><a id=__codelineno-3-6 name=__codelineno-3-6 href=#__codelineno-3-6></a> &quot;algo&quot;: &quot;rsa&quot;,
</span><span id=__span-3-7><a id=__codelineno-3-7 name=__codelineno-3-7 href=#__codelineno-3-7></a> &quot;size&quot;: 2048
</span><span id=__span-3-8><a id=__codelineno-3-8 name=__codelineno-3-8 href=#__codelineno-3-8></a> },
</span><span id=__span-3-9><a id=__codelineno-3-9 name=__codelineno-3-9 href=#__codelineno-3-9></a> &quot;names&quot;: [
</span><span id=__span-3-10><a id=__codelineno-3-10 name=__codelineno-3-10 href=#__codelineno-3-10></a> {
</span><span id=__span-3-11><a id=__codelineno-3-11 name=__codelineno-3-11 href=#__codelineno-3-11></a> &quot;C&quot;: &quot;Poland&quot;,
</span><span id=__span-3-12><a id=__codelineno-3-12 name=__codelineno-3-12 href=#__codelineno-3-12></a> &quot;L&quot;: &quot;Warsaw&quot;,
</span><span id=__span-3-13><a id=__codelineno-3-13 name=__codelineno-3-13 href=#__codelineno-3-13></a> &quot;O&quot;: &quot;MyOrganization&quot;
</span><span id=__span-3-14><a id=__codelineno-3-14 name=__codelineno-3-14 href=#__codelineno-3-14></a> }
</span><span id=__span-3-15><a id=__codelineno-3-15 name=__codelineno-3-15 href=#__codelineno-3-15></a> ]
</span><span id=__span-3-16><a id=__codelineno-3-16 name=__codelineno-3-16 href=#__codelineno-3-16></a>}
</span></code></pre></div> <p>Then issue the command to generate a self-signed root CA certificate.</p> <div class=highlight><pre><span></span><code><span id=__span-4-1><a id=__codelineno-4-1 name=__codelineno-4-1 href=#__codelineno-4-1></a>cfssl gencert -initca ca-csr.json | cfssljson -bare ca
</span></code></pre></div> <p>You should see output similar to the following:</p> <div class=highlight><pre><span></span><code><span id=__span-5-1><a id=__codelineno-5-1 name=__codelineno-5-1 href=#__codelineno-5-1></a>2023/01/02 15:27:36 [INFO] generating a new CA key and certificate from CSR
</span><span id=__span-5-2><a id=__codelineno-5-2 name=__codelineno-5-2 href=#__codelineno-5-2></a>2023/01/02 15:27:36 [INFO] generate received request
</span><span id=__span-5-3><a id=__codelineno-5-3 name=__codelineno-5-3 href=#__codelineno-5-3></a>2023/01/02 15:27:36 [INFO] received CSR
</span><span id=__span-5-4><a id=__codelineno-5-4 name=__codelineno-5-4 href=#__codelineno-5-4></a>2023/01/02 15:27:36 [INFO] generating key: rsa-2048
</span><span id=__span-5-5><a id=__codelineno-5-5 name=__codelineno-5-5 href=#__codelineno-5-5></a>2023/01/02 15:27:36 [INFO] encoded CSR
</span><span id=__span-5-6><a id=__codelineno-5-6 name=__codelineno-5-6 href=#__codelineno-5-6></a>2023/01/02 15:27:36 [INFO] signed certificate with serial number 472447709029717049436439292623827313295747809061
</span></code></pre></div> <p>As a result, three files are generated in the working directory:</p> <blockquote> <ul> <li>the CA private key (<em>ca-key.pem</em>),</li> <li>the CSR (<em>ca.csr</em>), and</li> <li>the self-signed CA certificate (<em>ca.pem</em>).</li> </ul> </blockquote> <p>Protect <em>ca-key.pem</em>: anyone who obtains it can issue certificates that Vault and its clients will trust, so keep it with restrictive file permissions and limit who can read it.</p> <p>The next step is to create the Vault certificate, signed by the private CA. To do so, first create a configuration file <em>ca-config.json</em> that overrides CFSSL's default signing configuration. This is especially useful for setting the certificate validity (<em>expiry</em>) and key usages:</p> <p><strong>ca-config.json</strong></p> <div class=highlight><pre><span></span><code><span id=__span-6-1><a id=__codelineno-6-1 name=__codelineno-6-1 href=#__codelineno-6-1></a>{
</span><span id=__span-6-2><a id=__codelineno-6-2 name=__codelineno-6-2 href=#__codelineno-6-2></a> &quot;signing&quot;: {
</span><span id=__span-6-3><a id=__codelineno-6-3 name=__codelineno-6-3 href=#__codelineno-6-3></a> &quot;default&quot;: {
</span><span id=__span-6-4><a id=__codelineno-6-4 name=__codelineno-6-4 href=#__codelineno-6-4></a> &quot;expiry&quot;: &quot;17520h&quot;
</span><span id=__span-6-5><a id=__codelineno-6-5 name=__codelineno-6-5 href=#__codelineno-6-5></a> },
</span><span id=__span-6-6><a id=__codelineno-6-6 name=__codelineno-6-6 href=#__codelineno-6-6></a> &quot;profiles&quot;: {
</span><span id=__span-6-7><a id=__codelineno-6-7 name=__codelineno-6-7 href=#__codelineno-6-7></a> &quot;default&quot;: {
</span><span id=__span-6-8><a id=__codelineno-6-8 name=__codelineno-6-8 href=#__codelineno-6-8></a> &quot;usages&quot;: [&quot;signing&quot;, &quot;key encipherment&quot;, &quot;server auth&quot;, &quot;client auth&quot;],
</span><span id=__span-6-9><a id=__codelineno-6-9 name=__codelineno-6-9 href=#__codelineno-6-9></a> &quot;expiry&quot;: &quot;17520h&quot;
</span><span id=__span-6-10><a id=__codelineno-6-10 name=__codelineno-6-10 href=#__codelineno-6-10></a> }
</span><span id=__span-6-11><a id=__codelineno-6-11 name=__codelineno-6-11 href=#__codelineno-6-11></a> }
</span><span id=__span-6-12><a id=__codelineno-6-12 name=__codelineno-6-12 href=#__codelineno-6-12></a> }
</span><span id=__span-6-13><a id=__codelineno-6-13 name=__codelineno-6-13 href=#__codelineno-6-13></a>}
</span></code></pre></div> <p>Then generate the Vault keys, referencing this file and the CA keys:</p> <div class=highlight><pre><span></span><code><span id=__span-7-1><a id=__codelineno-7-1 name=__codelineno-7-1 href=#__codelineno-7-1></a>cfssl gencert \
</span><span id=__span-7-2><a id=__codelineno-7-2 name=__codelineno-7-2 href=#__codelineno-7-2></a> -ca ./ca.pem \
</span><span id=__span-7-3><a id=__codelineno-7-3 name=__codelineno-7-3 href=#__codelineno-7-3></a> -ca-key ./ca-key.pem \
</span><span id=__span-7-4><a id=__codelineno-7-4 name=__codelineno-7-4 href=#__codelineno-7-4></a> -config ca-config.json \
</span><span id=__span-7-5><a id=__codelineno-7-5 name=__codelineno-7-5 href=#__codelineno-7-5></a> -profile default \
</span><span id=__span-7-6><a id=__codelineno-7-6 name=__codelineno-7-6 href=#__codelineno-7-6></a> -hostname=&quot;vault,vault.vault.svc.cluster.local,localhost,127.0.0.1&quot; \
</span><span id=__span-7-7><a id=__codelineno-7-7 name=__codelineno-7-7 href=#__codelineno-7-7></a> ca-csr.json | cfssljson -bare vault
</span></code></pre></div> <p>The result will be the following:</p> <div class=highlight><pre><span></span><code><span id=__span-8-1><a id=__codelineno-8-1 name=__codelineno-8-1 href=#__codelineno-8-1></a>2023/01/02 16:19:52 [INFO] generate received request
</span><span id=__span-8-2><a id=__codelineno-8-2 name=__codelineno-8-2 href=#__codelineno-8-2></a>2023/01/02 16:19:52 [INFO] received CSR
</span><span id=__span-8-3><a id=__codelineno-8-3 name=__codelineno-8-3 href=#__codelineno-8-3></a>2023/01/02 16:19:52 [INFO] generating key: rsa-2048
</span><span id=__span-8-4><a id=__codelineno-8-4 name=__codelineno-8-4 href=#__codelineno-8-4></a>2023/01/02 16:19:52 [INFO] encoded CSR
</span><span id=__span-8-5><a id=__codelineno-8-5 name=__codelineno-8-5 href=#__codelineno-8-5></a>2023/01/02 16:19:52 [INFO] signed certificate with serial number 709743788174272015258726707100830785425213226283
</span></code></pre></div> <p>Three more files are created in your working folder: <em>vault.pem</em>, <em>vault.csr</em>, <em>vault-key.pem</em>.</p> <p>The last step is to store the generated certificates and keys as Kubernetes TLS secrets in the <em>vault</em> namespace of our cluster:</p> <div class=highlight><pre><span></span><code><span id=__span-9-1><a id=__codelineno-9-1 name=__codelineno-9-1 href=#__codelineno-9-1></a>kubectl -n vault create secret tls tls-ca --cert ./ca.pem --key ./ca-key.pem -n vault
</span><span id=__span-9-2><a id=__codelineno-9-2 name=__codelineno-9-2 href=#__codelineno-9-2></a>kubectl -n vault create secret tls tls-server --cert ./vault.pem --key ./vault-key.pem -n vault
</span></code></pre></div> <p>The names of these secrets, <strong>tls-ca</strong> and <strong>tls-server</strong>, match the defaults expected by the Vault Helm chart values used below. Note that <strong>tls-ca</strong> also contains the CA private key, even though the Vault configuration below only references its certificate (<em>tls.crt</em>); as mentioned in the introduction, Secrets are stored unencrypted in <em>etcd</em>, so restrict access to Secrets in the <em>vault</em> namespace accordingly.</p> <h2 id=step-3-install-consul-helm-chart>Step 3 Install Consul Helm chart<a href=#step-3-install-consul-helm-chart title="Permalink to this headline">🔗</a><a class=headerlink href=#step-3-install-consul-helm-chart title="Permanent link">&para;</a></h2> <p>The Consul backend is the storage layer that enables High Availability mode for our Vault installation. Consul will live in the namespace we have already created, <strong>vault</strong>. Note that the example below runs a single Consul server (<em>replicas: 1</em>), which is enough for this guide but is itself a single point of failure; a production deployment would use three or five server replicas.</p> <p>Here is an override configuration file for the Consul Helm chart: <em>consul-values.yaml</em>.</p> <p><strong>consul-values.yaml</strong></p> <div class=highlight><pre><span></span><code><span id=__span-10-1><a id=__codelineno-10-1 name=__codelineno-10-1 href=#__codelineno-10-1></a>global:
</span><span id=__span-10-2><a id=__codelineno-10-2 name=__codelineno-10-2 href=#__codelineno-10-2></a> datacenter: vault-kubernetes-guide
</span><span id=__span-10-3><a id=__codelineno-10-3 name=__codelineno-10-3 href=#__codelineno-10-3></a>
</span><span id=__span-10-4><a id=__codelineno-10-4 name=__codelineno-10-4 href=#__codelineno-10-4></a>client:
</span><span id=__span-10-5><a id=__codelineno-10-5 name=__codelineno-10-5 href=#__codelineno-10-5></a> enabled: true
</span><span id=__span-10-6><a id=__codelineno-10-6 name=__codelineno-10-6 href=#__codelineno-10-6></a>
</span><span id=__span-10-7><a id=__codelineno-10-7 name=__codelineno-10-7 href=#__codelineno-10-7></a>server:
</span><span id=__span-10-8><a id=__codelineno-10-8 name=__codelineno-10-8 href=#__codelineno-10-8></a> replicas: 1
</span><span id=__span-10-9><a id=__codelineno-10-9 name=__codelineno-10-9 href=#__codelineno-10-9></a> bootstrapExpect: 1
</span><span id=__span-10-10><a id=__codelineno-10-10 name=__codelineno-10-10 href=#__codelineno-10-10></a> disruptionBudget:
</span><span id=__span-10-11><a id=__codelineno-10-11 name=__codelineno-10-11 href=#__codelineno-10-11></a> maxUnavailable: 0
</span></code></pre></div> <p>Now add the <em>hashicorp</em> Helm chart repository and verify that the <em>vault</em> chart is available in it:</p> <div class=highlight><pre><span></span><code><span id=__span-11-1><a id=__codelineno-11-1 name=__codelineno-11-1 href=#__codelineno-11-1></a>helm repo add hashicorp https://helm.releases.hashicorp.com
</span><span id=__span-11-2><a id=__codelineno-11-2 name=__codelineno-11-2 href=#__codelineno-11-2></a>helm search repo hashicorp/vault
</span></code></pre></div> <p>As the last step, install the Consul chart:</p> <div class=highlight><pre><span></span><code><span id=__span-12-1><a id=__codelineno-12-1 name=__codelineno-12-1 href=#__codelineno-12-1></a>helm install consul hashicorp/consul -f consul-values.yaml -n vault
</span></code></pre></div> <p>On success, Helm prints a report similar to the following:</p> <div class=highlight><pre><span></span><code><span id=__span-13-1><a id=__codelineno-13-1 name=__codelineno-13-1 href=#__codelineno-13-1></a>NAME: consul
</span><span id=__span-13-2><a id=__codelineno-13-2 name=__codelineno-13-2 href=#__codelineno-13-2></a>LAST DEPLOYED: Thu Feb 9 18:52:58 2023
</span><span id=__span-13-3><a id=__codelineno-13-3 name=__codelineno-13-3 href=#__codelineno-13-3></a>NAMESPACE: vault
</span><span id=__span-13-4><a id=__codelineno-13-4 name=__codelineno-13-4 href=#__codelineno-13-4></a>STATUS: deployed
</span><span id=__span-13-5><a id=__codelineno-13-5 name=__codelineno-13-5 href=#__codelineno-13-5></a>REVISION: 1
</span><span id=__span-13-6><a id=__codelineno-13-6 name=__codelineno-13-6 href=#__codelineno-13-6></a>NOTES:
</span><span id=__span-13-7><a id=__codelineno-13-7 name=__codelineno-13-7 href=#__codelineno-13-7></a>Thank you for installing HashiCorp Consul!
</span><span id=__span-13-8><a id=__codelineno-13-8 name=__codelineno-13-8 href=#__codelineno-13-8></a>
</span><span id=__span-13-9><a id=__codelineno-13-9 name=__codelineno-13-9 href=#__codelineno-13-9></a>Your release is named consul.
</span></code></pre></div> <p>Shortly, several Consul pods will get deployed in the <em>vault</em> namespace. Run the following command to verify it:</p> <div class=highlight><pre><span></span><code><span id=__span-14-1><a id=__codelineno-14-1 name=__codelineno-14-1 href=#__codelineno-14-1></a>kubectl get pods -n vault
</span></code></pre></div> <p>Wait until all of the pods are <strong>Running</strong> and then proceed with the next step.</p> <h2 id=step-4-install-vault-helm-chart>Step 4 Install Vault Helm chart<a href=#step-4-install-vault-helm-chart title="Permalink to this headline">🔗</a><a class=headerlink href=#step-4-install-vault-helm-chart title="Permanent link">&para;</a></h2> <p>We are now ready to install Vault.</p> <p>First, let's create the file <em>vault-values.yaml</em>, which overrides the default values of the Vault Helm chart. These overrides enable TLS, turn on High Availability mode with the Consul storage backend, set a longer <em>initialDelaySeconds</em> on the <em>livenessProbe</em> (so that the pods are not restarted before we have had time to unseal Vault manually), and expose the UI as a <em>LoadBalancer</em> service. Note that a LoadBalancer service may make the Vault API and UI reachable from outside the cluster; restrict access to it (for example with security groups or the Service's <em>loadBalancerSourceRanges</em>) to the addresses that need it:</p> <p><strong>vault-values.yaml</strong></p> <div class=highlight><pre><span></span><code><span id=__span-15-1><a id=__codelineno-15-1 name=__codelineno-15-1 href=#__codelineno-15-1></a># Vault Helm Chart Value Overrides
</span><span id=__span-15-2><a id=__codelineno-15-2 name=__codelineno-15-2 href=#__codelineno-15-2></a>global:
</span><span id=__span-15-3><a id=__codelineno-15-3 name=__codelineno-15-3 href=#__codelineno-15-3></a> enabled: true
</span><span id=__span-15-4><a id=__codelineno-15-4 name=__codelineno-15-4 href=#__codelineno-15-4></a> tlsDisable: false
</span><span id=__span-15-5><a id=__codelineno-15-5 name=__codelineno-15-5 href=#__codelineno-15-5></a>
</span><span id=__span-15-6><a id=__codelineno-15-6 name=__codelineno-15-6 href=#__codelineno-15-6></a>injector:
</span><span id=__span-15-7><a id=__codelineno-15-7 name=__codelineno-15-7 href=#__codelineno-15-7></a> enabled: true
</span><span id=__span-15-8><a id=__codelineno-15-8 name=__codelineno-15-8 href=#__codelineno-15-8></a> image:
</span><span id=__span-15-9><a id=__codelineno-15-9 name=__codelineno-15-9 href=#__codelineno-15-9></a> repository: &quot;hashicorp/vault-k8s&quot;
</span><span id=__span-15-10><a id=__codelineno-15-10 name=__codelineno-15-10 href=#__codelineno-15-10></a> tag: &quot;0.14.1&quot;
</span><span id=__span-15-11><a id=__codelineno-15-11 name=__codelineno-15-11 href=#__codelineno-15-11></a>
</span><span id=__span-15-12><a id=__codelineno-15-12 name=__codelineno-15-12 href=#__codelineno-15-12></a> resources:
</span><span id=__span-15-13><a id=__codelineno-15-13 name=__codelineno-15-13 href=#__codelineno-15-13></a> requests:
</span><span id=__span-15-14><a id=__codelineno-15-14 name=__codelineno-15-14 href=#__codelineno-15-14></a> memory: 500Mi
</span><span id=__span-15-15><a id=__codelineno-15-15 name=__codelineno-15-15 href=#__codelineno-15-15></a> cpu: 500m
</span><span id=__span-15-16><a id=__codelineno-15-16 name=__codelineno-15-16 href=#__codelineno-15-16></a> limits:
</span><span id=__span-15-17><a id=__codelineno-15-17 name=__codelineno-15-17 href=#__codelineno-15-17></a> memory: 1000Mi
</span><span id=__span-15-18><a id=__codelineno-15-18 name=__codelineno-15-18 href=#__codelineno-15-18></a> cpu: 1000m
</span><span id=__span-15-19><a id=__codelineno-15-19 name=__codelineno-15-19 href=#__codelineno-15-19></a>
</span><span id=__span-15-20><a id=__codelineno-15-20 name=__codelineno-15-20 href=#__codelineno-15-20></a>server:
</span><span id=__span-15-21><a id=__codelineno-15-21 name=__codelineno-15-21 href=#__codelineno-15-21></a> # These Resource Limits are in line with node requirements in the
</span><span id=__span-15-22><a id=__codelineno-15-22 name=__codelineno-15-22 href=#__codelineno-15-22></a> # Vault Reference Architecture for a Small Cluster
</span><span id=__span-15-23><a id=__codelineno-15-23 name=__codelineno-15-23 href=#__codelineno-15-23></a>
</span><span id=__span-15-24><a id=__codelineno-15-24 name=__codelineno-15-24 href=#__codelineno-15-24></a> image:
</span><span id=__span-15-25><a id=__codelineno-15-25 name=__codelineno-15-25 href=#__codelineno-15-25></a> repository: &quot;hashicorp/vault&quot;
</span><span id=__span-15-26><a id=__codelineno-15-26 name=__codelineno-15-26 href=#__codelineno-15-26></a> tag: &quot;1.9.2&quot;
</span><span id=__span-15-27><a id=__codelineno-15-27 name=__codelineno-15-27 href=#__codelineno-15-27></a>
</span><span id=__span-15-28><a id=__codelineno-15-28 name=__codelineno-15-28 href=#__codelineno-15-28></a> # For HA configuration and because we need to manually init the vault,
</span><span id=__span-15-29><a id=__codelineno-15-29 name=__codelineno-15-29 href=#__codelineno-15-29></a> # we need to define custom readiness/liveness Probe settings
</span><span id=__span-15-30><a id=__codelineno-15-30 name=__codelineno-15-30 href=#__codelineno-15-30></a> readinessProbe:
</span><span id=__span-15-31><a id=__codelineno-15-31 name=__codelineno-15-31 href=#__codelineno-15-31></a> enabled: true
</span><span id=__span-15-32><a id=__codelineno-15-32 name=__codelineno-15-32 href=#__codelineno-15-32></a> path: &quot;/v1/sys/health?standbyok=true&amp;sealedcode=204&amp;uninitcode=204&quot;
</span><span id=__span-15-33><a id=__codelineno-15-33 name=__codelineno-15-33 href=#__codelineno-15-33></a> livenessProbe:
</span><span id=__span-15-34><a id=__codelineno-15-34 name=__codelineno-15-34 href=#__codelineno-15-34></a> enabled: true
</span><span id=__span-15-35><a id=__codelineno-15-35 name=__codelineno-15-35 href=#__codelineno-15-35></a> path: &quot;/v1/sys/health?standbyok=true&quot;
</span><span id=__span-15-36><a id=__codelineno-15-36 name=__codelineno-15-36 href=#__codelineno-15-36></a> initialDelaySeconds: 360
</span><span id=__span-15-37><a id=__codelineno-15-37 name=__codelineno-15-37 href=#__codelineno-15-37></a>
</span><span id=__span-15-38><a id=__codelineno-15-38 name=__codelineno-15-38 href=#__codelineno-15-38></a> extraEnvironmentVars:
</span><span id=__span-15-39><a id=__codelineno-15-39 name=__codelineno-15-39 href=#__codelineno-15-39></a> VAULT_CACERT: /vault/userconfig/tls-ca/tls.crt
</span><span id=__span-15-40><a id=__codelineno-15-40 name=__codelineno-15-40 href=#__codelineno-15-40></a>
</span><span id=__span-15-41><a id=__codelineno-15-41 name=__codelineno-15-41 href=#__codelineno-15-41></a> # extraVolumes is a list of extra volumes to mount. These will be exposed
</span><span id=__span-15-42><a id=__codelineno-15-42 name=__codelineno-15-42 href=#__codelineno-15-42></a> # to Vault in the path `/vault/userconfig/&lt;name&gt;/`.
</span><span id=__span-15-43><a id=__codelineno-15-43 name=__codelineno-15-43 href=#__codelineno-15-43></a> # These reflect the Kubernetes vault and ca secrets created
</span><span id=__span-15-44><a id=__codelineno-15-44 name=__codelineno-15-44 href=#__codelineno-15-44></a> extraVolumes:
</span><span id=__span-15-45><a id=__codelineno-15-45 name=__codelineno-15-45 href=#__codelineno-15-45></a> - type: secret
</span><span id=__span-15-46><a id=__codelineno-15-46 name=__codelineno-15-46 href=#__codelineno-15-46></a> name: tls-server
</span><span id=__span-15-47><a id=__codelineno-15-47 name=__codelineno-15-47 href=#__codelineno-15-47></a> - type: secret
</span><span id=__span-15-48><a id=__codelineno-15-48 name=__codelineno-15-48 href=#__codelineno-15-48></a> name: tls-ca
</span><span id=__span-15-49><a id=__codelineno-15-49 name=__codelineno-15-49 href=#__codelineno-15-49></a>
</span><span id=__span-15-50><a id=__codelineno-15-50 name=__codelineno-15-50 href=#__codelineno-15-50></a> standalone:
</span><span id=__span-15-51><a id=__codelineno-15-51 name=__codelineno-15-51 href=#__codelineno-15-51></a> enabled: false
</span><span id=__span-15-52><a id=__codelineno-15-52 name=__codelineno-15-52 href=#__codelineno-15-52></a>
</span><span id=__span-15-53><a id=__codelineno-15-53 name=__codelineno-15-53 href=#__codelineno-15-53></a> # Run Vault in &quot;HA&quot; mode.
</span><span id=__span-15-54><a id=__codelineno-15-54 name=__codelineno-15-54 href=#__codelineno-15-54></a> ha:
</span><span id=__span-15-55><a id=__codelineno-15-55 name=__codelineno-15-55 href=#__codelineno-15-55></a> enabled: true
</span><span id=__span-15-56><a id=__codelineno-15-56 name=__codelineno-15-56 href=#__codelineno-15-56></a> replicas: 3
</span><span id=__span-15-57><a id=__codelineno-15-57 name=__codelineno-15-57 href=#__codelineno-15-57></a> config: |
</span><span id=__span-15-58><a id=__codelineno-15-58 name=__codelineno-15-58 href=#__codelineno-15-58></a> ui = true
</span><span id=__span-15-59><a id=__codelineno-15-59 name=__codelineno-15-59 href=#__codelineno-15-59></a>
</span><span id=__span-15-60><a id=__codelineno-15-60 name=__codelineno-15-60 href=#__codelineno-15-60></a> listener &quot;tcp&quot; {
</span><span id=__span-15-61><a id=__codelineno-15-61 name=__codelineno-15-61 href=#__codelineno-15-61></a> tls_disable = 0
</span><span id=__span-15-62><a id=__codelineno-15-62 name=__codelineno-15-62 href=#__codelineno-15-62></a> address = &quot;0.0.0.0:8200&quot;
</span><span id=__span-15-63><a id=__codelineno-15-63 name=__codelineno-15-63 href=#__codelineno-15-63></a> tls_cert_file = &quot;/vault/userconfig/tls-server/tls.crt&quot;
</span><span id=__span-15-64><a id=__codelineno-15-64 name=__codelineno-15-64 href=#__codelineno-15-64></a> tls_key_file = &quot;/vault/userconfig/tls-server/tls.key&quot;
</span><span id=__span-15-65><a id=__codelineno-15-65 name=__codelineno-15-65 href=#__codelineno-15-65></a> tls_min_version = &quot;tls12&quot;
</span><span id=__span-15-66><a id=__codelineno-15-66 name=__codelineno-15-66 href=#__codelineno-15-66></a> }
</span><span id=__span-15-67><a id=__codelineno-15-67 name=__codelineno-15-67 href=#__codelineno-15-67></a> storage &quot;consul&quot; {
</span><span id=__span-15-68><a id=__codelineno-15-68 name=__codelineno-15-68 href=#__codelineno-15-68></a> path = &quot;vault&quot;
</span><span id=__span-15-69><a id=__codelineno-15-69 name=__codelineno-15-69 href=#__codelineno-15-69></a> address = &quot;consul-consul-server:8500&quot;
</span><span id=__span-15-70><a id=__codelineno-15-70 name=__codelineno-15-70 href=#__codelineno-15-70></a> }
</span><span id=__span-15-71><a id=__codelineno-15-71 name=__codelineno-15-71 href=#__codelineno-15-71></a>
</span><span id=__span-15-72><a id=__codelineno-15-72 name=__codelineno-15-72 href=#__codelineno-15-72></a># Vault UI
</span><span id=__span-15-73><a id=__codelineno-15-73 name=__codelineno-15-73 href=#__codelineno-15-73></a>ui:
</span><span id=__span-15-74><a id=__codelineno-15-74 name=__codelineno-15-74 href=#__codelineno-15-74></a> enabled: true
</span><span id=__span-15-75><a id=__codelineno-15-75 name=__codelineno-15-75 href=#__codelineno-15-75></a> serviceType: &quot;LoadBalancer&quot;
</span><span id=__span-15-76><a id=__codelineno-15-76 name=__codelineno-15-76 href=#__codelineno-15-76></a> serviceNodePort: null
</span><span id=__span-15-77><a id=__codelineno-15-77 name=__codelineno-15-77 href=#__codelineno-15-77></a> externalPort: 8200
</span></code></pre></div> <p>Then run the installation:</p> <div class=highlight><pre><span></span><code><span id=__span-16-1><a id=__codelineno-16-1 name=__codelineno-16-1 href=#__codelineno-16-1></a>helm install vault hashicorp/vault -n vault -f vault-values.yaml
</span></code></pre></div> <p>As a result, several pods get created:</p> <div class=highlight><pre><span></span><code><span id=__span-17-1><a id=__codelineno-17-1 name=__codelineno-17-1 href=#__codelineno-17-1></a>kubectl get pods -n vault
</span><span id=__span-17-2><a id=__codelineno-17-2 name=__codelineno-17-2 href=#__codelineno-17-2></a>NAME READY STATUS RESTARTS AGE
</span><span id=__span-17-3><a id=__codelineno-17-3 name=__codelineno-17-3 href=#__codelineno-17-3></a>consul-consul-client-655fq 1/1 Running 0 104s
</span><span id=__span-17-4><a id=__codelineno-17-4 name=__codelineno-17-4 href=#__codelineno-17-4></a>consul-consul-client-dkngt 1/1 Running 0 104s
</span><span id=__span-17-5><a id=__codelineno-17-5 name=__codelineno-17-5 href=#__codelineno-17-5></a>consul-consul-client-nnbnl 1/1 Running 0 104s
</span><span id=__span-17-6><a id=__codelineno-17-6 name=__codelineno-17-6 href=#__codelineno-17-6></a>consul-consul-connect-injector-8447d8d97b-8hkj8 1/1 Running 0 104s
</span><span id=__span-17-7><a id=__codelineno-17-7 name=__codelineno-17-7 href=#__codelineno-17-7></a>consul-consul-server-0 1/1 Running 0 104s
</span><span id=__span-17-8><a id=__codelineno-17-8 name=__codelineno-17-8 href=#__codelineno-17-8></a>consul-consul-webhook-cert-manager-7c4ccbdd4c-d89bw 1/1 Running 0 104s
</span><span id=__span-17-9><a id=__codelineno-17-9 name=__codelineno-17-9 href=#__codelineno-17-9></a>vault-0 1/1 Running 0 23s
</span><span id=__span-17-10><a id=__codelineno-17-10 name=__codelineno-17-10 href=#__codelineno-17-10></a>vault-1 1/1 Running 0 23s
</span><span id=__span-17-11><a id=__codelineno-17-11 name=__codelineno-17-11 href=#__codelineno-17-11></a>vault-2 1/1 Running 0 23s
</span><span id=__span-17-12><a id=__codelineno-17-12 name=__codelineno-17-12 href=#__codelineno-17-12></a>vault-agent-injector-6c7cfc768-kv968 1/1 Running 0 23s
</span></code></pre></div> <h2 id=sealing-and-unsealing-the-vault>Sealing and unsealing the Vault<a href=#sealing-and-unsealing-the-vault title="Permalink to this headline">🔗</a><a class=headerlink href=#sealing-and-unsealing-the-vault title="Permanent link">&para;</a></h2> <p>Right after the installation, the Vault server starts in a <em>sealed</em> state. It knows where and how to access the physical storage but, by design, it does not have the key to decrypt any of it. The only operations you can perform while Vault is sealed are to</p> <blockquote> <ul> <li>unseal Vault and</li> <li>check the status of the seal.</li> </ul> </blockquote> <p>The reverse process, called <em>unsealing</em>, reconstructs in memory the plaintext root key that is needed to read the encryption key protecting the stored data.</p> <p>In a real deployment, an administrator first generates the so-called <em>key shares</em> or <em>unseal keys</em>. By default this is a set of <strong>five</strong> text strings, of which <strong>three</strong> are needed to unseal (both numbers can be changed with the <code>-key-shares</code> and <code>-key-threshold</code> options of <code>vault operator init</code>). The shares are then handed to separate key holders, so that no single person holds enough of them to unseal on their own and an attacker would have to compromise several people to gather a quorum. To perform the unsealing, at least three of those five strings have to be presented to Vault, in any order.</p> <p>In this article, however, you are both the administrator and the user and can set things up your way.
First you will</p> <blockquote> <ul> <li>generate the keys and have them available in plain sight (acceptable only for this test installation) and then you will</li> <li>enter three out of those five strings back into the system.</li> </ul> </blockquote> <p>You have a limited but sufficient amount of time to enter the keys: the <em>initialDelaySeconds</em> of the <em>livenessProbe</em> in file <strong>vault-values.yaml</strong> is 360 seconds, so the health check that would restart a still-sealed pod does not start for six minutes, which gives you ample time.</p> <p>At the end of the article we show how to interactively set it to <strong>60</strong> seconds, so that the cluster starts checking the health of the pods sooner.</p> <h2 id=step-5-unseal-vault>Step 5 Unseal Vault<a href=#step-5-unseal-vault title="Permalink to this headline">🔗</a><a class=headerlink href=#step-5-unseal-vault title="Permanent link">&para;</a></h2> <p>Vault runs as three pods in the Kubernetes cluster, named <em>vault-0</em>, <em>vault-1</em> and <em>vault-2</em>. Vault becomes usable as soon as the first pod is unsealed, but you will unseal all three so that the other two can act as standby nodes.</p> <p>To start, open a shell in the container of <em>vault-0</em>:</p> <div class=highlight><pre><span></span><code><span id=__span-18-1><a id=__codelineno-18-1 name=__codelineno-18-1 href=#__codelineno-18-1></a>kubectl -n vault exec -it vault-0 -- sh
</span></code></pre></div> <p>Then from inside the pod, get the keys:</p> <div class=highlight><pre><span></span><code><span id=__span-19-1><a id=__codelineno-19-1 name=__codelineno-19-1 href=#__codelineno-19-1></a>vault operator init
</span></code></pre></div> <p>The output looks like the following: five unseal keys and the initial root token. These values are printed only once and together give complete control over Vault, so treat them as the most sensitive secrets of the installation. For this walkthrough, copy them to a temporary text file so that you can paste them back in the next step, but do not leave them lying around in plaintext (shell history, chat, shared documents) once you are done. In a real deployment the shares would go to their separate holders, and the initial root token should be revoked (<code>vault token revoke</code>) as soon as another authentication method is configured. The values below are examples and will differ in your installation:</p> <div class=highlight><pre><span></span><code><span id=__span-20-1><a id=__codelineno-20-1 name=__codelineno-20-1 href=#__codelineno-20-1></a>Unseal Key 1: jcJj2ukVBNG5K01PX3UkskPotc+tGAvalG5CqBveS6LN
</span><span id=__span-20-2><a id=__codelineno-20-2 name=__codelineno-20-2 href=#__codelineno-20-2></a>Unseal Key 2: OBzqfTYL9lmmvuewk85kPxpgc0D/CDVXrY9cdBElA3hJ
</span><span id=__span-20-3><a id=__codelineno-20-3 name=__codelineno-20-3 href=#__codelineno-20-3></a>Unseal Key 3: M6QysiGixui4SlqB7Jdgv0jaHn8m45V91iabrxRvNo6v
</span><span id=__span-20-4><a id=__codelineno-20-4 name=__codelineno-20-4 href=#__codelineno-20-4></a>Unseal Key 4: H7T5BHR2isbBSHfu2q4aKG0hvvA13uXlT9799whxmuL+
</span><span id=__span-20-5><a id=__codelineno-20-5 name=__codelineno-20-5 href=#__codelineno-20-5></a>Unseal Key 5: rtbXv3TqdUeN3luelJa8OOI/CKlILANXxFVkyE/SKv4c
</span><span id=__span-20-6><a id=__codelineno-20-6 name=__codelineno-20-6 href=#__codelineno-20-6></a>
</span><span id=__span-20-7><a id=__codelineno-20-7 name=__codelineno-20-7 href=#__codelineno-20-7></a>Initial Root Token: s.Pt7xVk5rShSuIJqRPqBFWY5H
</span></code></pre></div> <p>Then, from within the pod <em>vault-0</em>, unseal it by typing:</p> <div class=highlight><pre><span></span><code><span id=__span-21-1><a id=__codelineno-21-1 name=__codelineno-21-1 href=#__codelineno-21-1></a>vault operator unseal
</span></code></pre></div> <p>You will get prompted for the key, then paste key 1 from your notepad. Repeat this process 3 times in the <em>vault-0</em> pod, each time providing a different key out of those five you have just generated.</p> <p>This is what the entire process looks like:</p> <p><a class=glightbox href=../_images/unsealing_the_pod.png data-type=image data-width=100% data-height=auto data-desc-position=bottom><img alt=unsealing_the_pod.png src=../_images/unsealing_the_pod.png></a></p> <p>In third attempt, the values change to <strong>Initialized</strong> to be <strong>true</strong> and <strong>sealed</strong> to be <strong>false</strong>:</p> <div class=highlight><pre><span></span><code><span id=__span-22-1><a id=__codelineno-22-1 name=__codelineno-22-1 href=#__codelineno-22-1></a>Key Value
</span><span id=__span-22-2><a id=__codelineno-22-2 name=__codelineno-22-2 href=#__codelineno-22-2></a>--- -----
</span><span id=__span-22-3><a id=__codelineno-22-3 name=__codelineno-22-3 href=#__codelineno-22-3></a>Seal Type shamir
</span><span id=__span-22-4><a id=__codelineno-22-4 name=__codelineno-22-4 href=#__codelineno-22-4></a>Initialized true
</span><span id=__span-22-5><a id=__codelineno-22-5 name=__codelineno-22-5 href=#__codelineno-22-5></a>Sealed false
</span><span id=__span-22-6><a id=__codelineno-22-6 name=__codelineno-22-6 href=#__codelineno-22-6></a>... ...
</span></code></pre></div> <p>The pod is unsealed.</p> <p><strong>Now repeat the same process for</strong> <em>vault-1</em> <strong>and</strong> <em>vault-2</em> <strong>pods</strong>.</p> <p>To stop using the console in <em>vault-0</em>, press Ctrl-D on keyboard. Then enter <em>vault-1</em> with command</p> <div class=highlight><pre><span></span><code><span id=__span-23-1><a id=__codelineno-23-1 name=__codelineno-23-1 href=#__codelineno-23-1></a>kubectl -n vault exec -it vault-1 -- sh
</span></code></pre></div> <p>and unseal it by entering at least three keys. Then repeat the procedure for <em>vault-2</em>. The first pod you unseal becomes the active node; the other two become standby nodes that can take over from it, so the Vault cluster is highly available only once all three are unsealed.</p> <h2 id=step-6-run-vault-ui>Step 6 Run Vault UI<a href=#step-6-run-vault-ui title="Permalink to this headline">🔗</a><a class=headerlink href=#step-6-run-vault-ui title="Permanent link">&para;</a></h2> <p>With our configuration (<em>ui.serviceType: LoadBalancer</em> in <strong>vault-values.yaml</strong>), the Vault UI is exposed on port 8200 of a dedicated LoadBalancer service that was created for it. Be aware that this service fronts the whole Vault HTTPS API, not only the web UI, on a public IP address. For anything beyond a test installation, limit who can reach it, for example with <em>loadBalancerSourceRanges</em> on the service, an internal load balancer, or an ingress with access control.</p> <p>To check the LoadBalancer, run:</p> <div class=highlight><pre><span></span><code><span id=__span-24-1><a id=__codelineno-24-1 name=__codelineno-24-1 href=#__codelineno-24-1></a>kubectl -n vault get svc
</span></code></pre></div> <p>Check the external IP of the LoadBalancer (it could take a couple of minutes when external IP is available):</p> <div class=highlight><pre><span></span><code><span id=__span-25-1><a id=__codelineno-25-1 name=__codelineno-25-1 href=#__codelineno-25-1></a>NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
</span><span id=__span-25-2><a id=__codelineno-25-2 name=__codelineno-25-2 href=#__codelineno-25-2></a>...
</span><span id=__span-25-3><a id=__codelineno-25-3 name=__codelineno-25-3 href=#__codelineno-25-3></a>vault-ui LoadBalancer 10.254.49.9 64.225.129.145 8200:32091/TCP 143m
</span></code></pre></div> <p>Enter the external IP in the browser, specifying HTTPS and port 8200. The browser will warn that the connection is not trusted: the server presents the certificate mounted from the <strong>tls-server</strong> secret (see <em>tls_cert_file</em> in <strong>vault-values.yaml</strong>), which is not issued by a publicly trusted CA. Rather than accepting the warning blindly, open the certificate details and check that it is the certificate you created for Vault (or import the CA that issued it into your browser's trust store); only then proceed. You should see the Vault UI, similar to the image below. To log in, provide the initial root token obtained in Step 5:</p> <p><a class=glightbox href=../_images/vault_created.png data-type=image data-width=100% data-height=auto data-desc-position=bottom><img alt=vault_created.png src=../_images/vault_created.png></a></p> <p>You can now start using the Vault.</p> <p><a class=glightbox href=../_images/start_using_vault.png data-type=image data-width=100% data-height=auto data-desc-position=bottom><img alt=start_using_vault.png src=../_images/start_using_vault.png></a></p> <h2 id=return-livenessprobe-to-production-value>Return livenessProbe to production value<a href=#return-livenessprobe-to-production-value title="Permalink to this headline">🔗</a><a class=headerlink href=#return-livenessprobe-to-production-value title="Permanent link">&para;</a></h2> <p>A <em>livenessProbe</em> in Kubernetes is a periodic health check of a container; if it keeps failing, the kubelet restarts the container. The chart's probe calls <code>/v1/sys/health?standbyok=true</code>, which a sealed Vault does not answer as healthy, so if you have not unsealed a pod by the time the probe starts, the container is restarted and you have to begin the unsealing again. <em>initialDelaySeconds</em> controls how long after start-up the first probe runs. Under normal circumstances the value would be <strong>60</strong> seconds, so that in case of any disturbance the system would react within one minute instead of six. But it is very hard to copy and enter three strings within one minute, which is what would be required if the value <strong>60</strong> were present in file <strong>vault-values.yaml</strong>.
You would almost inevitably see the container exit with code <strong>137</strong> (killed with SIGKILL), which in this situation means the liveness probe failed because the pod was still sealed and Kubernetes restarted it before you finished entering the keys.</p> <p>In file <strong>vault-values.yaml</strong> the following section sets <strong>360</strong> seconds as the delay before the first <em>livenessProbe</em> check:</p> <div class=highlight><pre><span></span><code><span id=__span-26-1><a id=__codelineno-26-1 name=__codelineno-26-1 href=#__codelineno-26-1></a>livenessProbe:
</span><span id=__span-26-2><a id=__codelineno-26-2 name=__codelineno-26-2 href=#__codelineno-26-2></a> enabled: true
</span><span id=__span-26-3><a id=__codelineno-26-3 name=__codelineno-26-3 href=#__codelineno-26-3></a> path: &quot;/v1/sys/health?standbyok=true&quot;
</span><span id=__span-26-4><a id=__codelineno-26-4 name=__codelineno-26-4 href=#__codelineno-26-4></a> initialDelaySeconds: 360
</span></code></pre></div> <p>To set <em>initialDelaySeconds</em> of the <em>livenessProbe</em> back to <strong>60</strong>, you can edit the running StatefulSet directly. Two caveats: this change lives only in the cluster, so the next <code>helm upgrade</code> from an unchanged <strong>vault-values.yaml</strong> would put 360 back (update the file as well, or change the file and run <code>helm upgrade</code> instead); and if the edit restarts the Vault pods (this depends on the StatefulSet's update strategy), each restarted pod comes back sealed and must be unsealed again as in Step 5. Execute the command:</p> <div class=highlight><pre><span></span><code><span id=__span-27-1><a id=__codelineno-27-1 name=__codelineno-27-1 href=#__codelineno-27-1></a>kubectl edit statefulset vault -n vault
</span></code></pre></div> <p>You can now access the equivalent of file <strong>vault-values.yaml</strong> inside the Kubernetes cluster. The command will automatically enter a Vim-like editor so press the <strong>O</strong> key on the keyboard in order to be able to change the value with it:</p> <p><a class=glightbox href=../_images/vim_editor_change.png data-type=image data-width=100% data-height=auto data-desc-position=bottom><img alt=vim_editor_change.png src=../_images/vim_editor_change.png></a></p> <p>When done, save and leave Vim with the standard <strong>:w</strong> and <strong>:q</strong> syntax.</p> <h2 id=troubleshooting>Troubleshooting<a href=#troubleshooting title="Permalink to this headline">🔗</a><a class=headerlink href=#troubleshooting title="Permanent link">&para;</a></h2> <p>Check the events, which can point out hints of what needs to be improved:</p> <div class=highlight><pre><span></span><code><span id=__span-28-1><a id=__codelineno-28-1 name=__codelineno-28-1 href=#__codelineno-28-1></a>kubectl get events -n vault
</span></code></pre></div> <p>If there are errors and you want to delete the Vault installation in order to repeat the process from a clean slate, note that the <strong>MutatingWebhookConfiguration</strong> objects created by the Consul and Vault injectors are cluster-scoped, so they are not removed when you uninstall the releases or delete the <em>vault</em> namespace. A stale webhook that points at a service which no longer exists can interfere with pod creation, so list and delete them before trying again:</p> <div class=highlight><pre><span></span><code><span id=__span-29-1><a id=__codelineno-29-1 name=__codelineno-29-1 href=#__codelineno-29-1></a>kubectl get MutatingWebhookConfiguration
</span><span id=__span-29-2><a id=__codelineno-29-2 name=__codelineno-29-2 href=#__codelineno-29-2></a>
</span><span id=__span-29-3><a id=__codelineno-29-3 name=__codelineno-29-3 href=#__codelineno-29-3></a>kubectl delete MutatingWebhookConfiguration consul-consul-connect-injector
</span><span id=__span-29-4><a id=__codelineno-29-4 name=__codelineno-29-4 href=#__codelineno-29-4></a>kubectl delete MutatingWebhookConfiguration vault-agent-injector-cfg
</span></code></pre></div> <h2 id=what-to-do-next>What To Do Next<a href=#what-to-do-next title="Permalink to this headline">🔗</a><a class=headerlink href=#what-to-do-next title="Permanent link">&para;</a></h2> <p>Now you have Vault server as a part of the cluster and you can also use it from the IP address it got installed to.</p> <p>Another way to improve Kubernetes security is securing applications with HTTPS using ingress:</p> <p><a href=Deploying-HTTPS-Services-on-Magnum-Kubernetes-in-3Engines-Cloud-Cloud.html.html>Deploying HTTPS Services on Magnum Kubernetes in 3Engines Cloud Cloud</a>.</p> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> <button type=button class="md-top md-icon" data-md-component=top hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg> Back to top </button> </main> <footer class=md-footer> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class=md-dialog data-md-component=dialog> <div class="md-dialog__inner md-typeset"></div> </div> <script id=__config type=application/json>{"base": "..", "features": ["content.code.annotate", "content.code.copy", "content.tooltips", "navigation.tabs", "navigation.sections", "navigation.footer", "navigation.indexes", "navigation.sections", "navigation.top", "navigation.tracking", "search.highlight", "search.share", "search.suggest", "toc.follow"], "search": "../assets/javascripts/workers/search.d50fe291.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", 