Vault is software for centrally managing and controlling access to secrets that are shared between multiple services and applications. The idea is to offload the overhead of storing, encrypting, decrypting and even rotating secrets to the central Vault server, and to hand each application only the limited (and, where possible, time-limited) access it actually needs.
-
Watch this official video to learn more about the concept of Vault:
Introduction to Vault | Vault - HashiCorp Learn
or read the Getting Started Guide.
-
Important concepts in Vault:
- Secrets engines: pluggable components that store, generate or encrypt data for all kinds of backend services (static key/value pairs, dynamic database credentials, certificates, and so on). A dev-mode server starts with only the key/value secrets engine (KV version 2, mounted at secret/) enabled.
- Storage backends: pluggable components that hold Vault's persistent data. Vault encrypts everything before it is written, so the backend (file, Consul, integrated Raft storage, ...) only ever sees ciphertext and never holds the keys that protect it.
-
Points to note
- Vault runs as a client-server setup, and only the server ever talks to the secrets engines and storage backends; clients go through its HTTP API.
- Vault has to be initialised once, on first start, and unsealed after every restart (it always comes back up sealed).
- A dev-mode server has the key/value secrets engine enabled at secret/. A standalone server starts with nothing beyond the built-in cubbyhole, identity and sys mounts, so you enable the secrets engines you need yourself (vault secrets enable) and pick the storage backend in the server configuration.
- We are using the Standalone mode in this configuration, which needs persistent storage (a PersistentVolumeClaim) mounted into the server pod, because the file storage backend writes Vault's data there.
- The dev mode must not be used for anything but experiments: it keeps all data in memory, starts already unsealed and prints its root token at startup, so nothing survives a restart and nothing is protected.
https://deepsource.io/blog/setup-vault-kubernetes/
Add the HashiCorp chart repository and install the chart with its defaults:

```sh
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault
```

To run in dev mode instead (in-memory only, see the notes above):

```sh
helm install vault \
  --set "server.dev.enabled=true" \
  --set "ui.externalPort=8200" \
  hashicorp/vault
```

If more settings need to change, put them in a values file:

```sh
helm install vault hashicorp/vault \
  -f override-values.yml
```

For more in-depth configuration have a look at the Vault Helm Configuration page.
After the chart is up, the server has to be initialised once:

```sh
kubectl exec -it vault-0 -- vault operator init
```

By default this produces 5 unseal key shares and 1 initial root token, and 3 of the 5 shares (the threshold) are needed to unseal; both numbers can be changed with the -key-shares and -key-threshold options of the command above. The shares and the root token are printed only this once, so capture the output somewhere safe and give each share to a different holder instead of keeping them all in one place.

Vault is sealed after initialisation and has to be unsealed before it can serve anything. Run the following 3 times (the default threshold), providing a different key share each time:

```sh
vault operator unseal
# or via kubectl
kubectl exec -it vault-0 -- vault operator unseal
```

This can also be done in the UI if that is enabled in the configuration. vault status should then report Sealed as false.

Once Vault is unsealed, log in with the initial root token:

```sh
vault login <Initial_Root_Token>
```

The root token has every capability, so it is not the recommended way to access Vault. Use it only to set up auth methods and policies, then revoke it (vault token revoke); vault operator generate-root can mint a new one from the key shares if it is ever needed again. For general services create a token with a narrow policy, and a separate one for every service that needs to reach Vault.
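The init and unseal steps above as a script. This is an added example, not the project's own tooling: it assumes the server pod is called vault-0, keeps the init output in a 0600 file named vault-init.txt (an assumption; the real destination is separate key holders or a secrets store, after which the file is deleted), and uses the 5 shares / threshold 3 defaults from the text.

```sh
#!/bin/sh
# Added example, not part of the original page: first-time initialisation of the
# standalone server and the unseal sequence after every restart. The pod name,
# the file the init output is saved to, and the 5/3 share/threshold values are
# assumptions that match the text above.
set -eu

POD="${VAULT_POD:-vault-0}"
INIT_FILE="${INIT_FILE:-vault-init.txt}"
KEY_SHARES=5
KEY_THRESHOLD=3

# vexec: run the vault CLI inside the server pod (the page's "kubectl exec ... -- vault").
vexec() { kubectl exec -i "$POD" -- vault "$@"; }

# unseal_keys FILE: the key shares from saved "vault operator init" output,
# one per line, in share order.
unseal_keys() { awk '/^Unseal Key [0-9]+:/ { print $4 }' "$1"; }

# threshold_keys FILE: the first KEY_THRESHOLD shares, which is all unseal needs.
threshold_keys() { unseal_keys "$1" | head -n "$KEY_THRESHOLD"; }

# root_token FILE: the initial root token from the same output.
root_token() { awk '/^Initial Root Token:/ { print $4 }' "$1"; }

# initialise: run init exactly once and keep its output (the only time the
# shares are ever shown) in a file readable by nobody else. Hand the shares to
# separate holders and delete the file as soon as they are distributed.
initialise() {
  if [ -e "$INIT_FILE" ]; then
    echo "$INIT_FILE already exists; not re-running init" >&2
    return 1
  fi
  ( umask 077; vexec operator init -key-shares="$KEY_SHARES" -key-threshold="$KEY_THRESHOLD" > "$INIT_FILE" )
  echo "init output saved to $INIT_FILE ($KEY_SHARES shares, threshold $KEY_THRESHOLD)"
}

# unseal: feed KEY_THRESHOLD distinct shares, then confirm with "vault status",
# whose exit code is 0 when unsealed and 2 while still sealed. Shares are passed
# as arguments here, as on the page, so they are briefly visible in process
# listings; use the UI or the interactive prompt where that matters.
unseal() {
  [ -r "$INIT_FILE" ] || { echo "no $INIT_FILE to read shares from" >&2; return 1; }
  threshold_keys "$INIT_FILE" | while read -r share; do
    vexec operator unseal "$share" > /dev/null
  done
  if vexec status > /dev/null; then
    echo "vault is unsealed"
  else
    echo "vault is still sealed" >&2
    return 1
  fi
}

# Usage: init-unseal.sh init (once) | init-unseal.sh unseal (after each restart).
# Without an argument the script only defines the functions.
case "${1:-}" in
  init)   initialise ;;
  unseal) unseal ;;
esac
```

The root token is deliberately left in the file rather than used automatically: once auth methods and policies exist it should be revoked, not kept around for scripts.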
For that, first create a policy and then create a token that carries only that policy.

To create a new policy:

```sh
vault policy write my-policy - << EOF
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/*" {
  capabilities = ["create", "update"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}
EOF
```

Note: the policy is passed in HCL format straight into the command; the trailing - tells vault policy write to read it from stdin. KV version 2 keeps secret contents under secret/data/..., which is why the paths above carry the data/ segment even though the CLI addresses the same secret as secret/foo. Consult the ACL section of the documentation to write the policy.

To create a new token that uses the policy:

```sh
vault token create -field=token -policy=my-policy
```

The configuration for our setup is in the override-values.yml file in the root directory of the project.
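The "one policy and one token per service" advice above, as an added example rather than the page's own commands. It assumes the vault CLI is already logged in (with the root token, during setup) and VAULT_ADDR points at the server, that KV v2 is mounted at secret/, and that the service names, the 1h TTL and the probe paths are placeholders for this example. Compared with the page's policy it goes one step further: the token is checked with vault token capabilities before it is handed out, so a typo in the policy cannot silently grant more than intended.

```sh
#!/bin/sh
# Added example, not the page's own commands: one policy and one short-lived
# token per service, plus a capability check before the token is handed out.
# Assumes the vault CLI is logged in (root token during setup) with VAULT_ADDR
# set, and that KV v2 is mounted at secret/. Service names, the TTL and the
# probe paths below are assumptions for the example.
set -eu

# valid_name NAME: the name is spliced into HCL paths and used as the policy
# name, so allow only a conservative character set.
valid_name() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'; }

# service_policy NAME: least-privilege HCL for one service's own KV v2 subtree.
# KV v2 serves secret contents under secret/data/<path> and listings under
# secret/metadata/<path>, so read on the first and list on the second lets the
# service read and enumerate its own secrets and nothing else.
service_policy() {
  valid_name "$1" || { echo "bad service name: $1" >&2; return 1; }
  cat <<EOF
path "secret/data/$1/*" {
  capabilities = ["read"]
}
path "secret/metadata/$1/*" {
  capabilities = ["list"]
}
EOF
}

# provision_service NAME [TTL]: write the policy, mint a token bound to it with
# a TTL (default 1h), and verify the token's capabilities before printing it.
provision_service() {
  name="$1"
  ttl="${2:-1h}"
  service_policy "$name" | vault policy write "$name" -
  token=$(vault token create -policy="$name" -ttl="$ttl" -display-name="$name" -field=token)

  # The token must read its own subtree and be denied on any other service's.
  own=$(vault token capabilities "$token" "secret/data/$name/config")
  other=$(vault token capabilities "$token" "secret/data/not-$name/config")
  case "$own" in
    *read*) ;;
    *) echo "unexpected capabilities on own path: $own" >&2; return 1 ;;
  esac
  if [ "$other" != "deny" ]; then
    echo "token can reach secret/data/not-$name: $other" >&2
    return 1
  fi
  printf '%s\n' "$token"
}

# Usage: provision-service.sh NAME [TTL]; with no arguments only the functions are defined.
if [ $# -gt 0 ]; then
  provision_service "$@"
fi
```

The token is printed to stdout and nowhere else, so the caller decides where it goes (a Kubernetes Secret, a CI variable); the policy name doubles as the token's display name so the audit log shows which service a request came from.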
The configuration sets:
- standalone mode, which needs persistent storage mounted into the server pod
- the ui, accessible at http://localhost:8200/ui; for this to work the service must be enabled and serviceType must be set
- the api, accessible at http://localhost:8200
- TLS communication for Vault
- Set up Vault with Kubernetes to mount secrets directly
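The override-values.yml described above, written out and installed by a script. This is an added example, not the project's own values file: the chart keys it uses (server.dev, server.standalone, server.dataStorage, ui.enabled, ui.serviceType, ui.externalPort) are public vault-helm values, while the file name, release name, storage size and ClusterIP service type are assumptions. It also shows the weak setting next to the intended one: dev mode is written out explicitly as disabled, and the install refuses to proceed if the file ever says otherwise or turns persistent storage off.

```sh
#!/bin/sh
# Added example for this page, not the project's own override-values.yml:
# writes a standalone-mode values file for the hashicorp/vault chart and
# installs it only after checking that dev mode is off and storage is persistent.
# Chart keys (server.standalone.*, server.dataStorage.*, ui.*) are public
# vault-helm values; the file name, release name, storage size and service
# type are assumptions for this example.
set -eu

VALUES_FILE="${VALUES_FILE:-override-values.yml}"

# write_override_values FILE: standalone server, "file" storage backend on a
# PersistentVolumeClaim, UI and API reachable on 8200 through a Service.
# tls_disable = 1 mirrors the chart's default listener and is exactly the gap
# the TLS item in the list above still has to close.
write_override_values() {
  cat > "$1" <<'EOF'
server:
  dev:
    enabled: false   # dev mode keeps everything in memory and starts unsealed with a known root token
  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable     = 1   # TODO: terminate TLS here before anything non-local talks to Vault
      }
      storage "file" {
        path = "/vault/data"
      }
  dataStorage:
    enabled: true    # PVC mounted at /vault/data; without it a pod restart loses every secret
    size: 10Gi
ui:
  enabled: true
  serviceType: "ClusterIP"   # assumption: reach it with kubectl port-forward svc/vault-ui 8200:8200
  externalPort: 8200
EOF
}

# yaml_section_enabled FILE KEY: print the "enabled:" value that directly
# follows a section key such as "dev:". Enough for this fixed layout; it is
# not a YAML parser.
yaml_section_enabled() {
  awk -v key="$2" '$1 == key { found = 1; next }
                   found && $1 == "enabled:" { print $2; exit }' "$1"
}

# values_look_sane FILE: refuse a file that would give us dev mode or ephemeral storage.
values_look_sane() {
  [ "$(yaml_section_enabled "$1" dev:)" = "false" ] &&
  [ "$(yaml_section_enabled "$1" standalone:)" = "true" ] &&
  [ "$(yaml_section_enabled "$1" dataStorage:)" = "true" ]
}

# install_vault: add the chart repo and install the release with the checked values.
install_vault() {
  write_override_values "$VALUES_FILE"
  values_look_sane "$VALUES_FILE" || {
    echo "refusing to install: $VALUES_FILE is not a persistent standalone config" >&2
    return 1
  }
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update
  helm install vault hashicorp/vault -f "$VALUES_FILE"
}

# Only talk to the cluster when explicitly asked; without --install the script
# just defines the functions.
if [ "${1:-}" = "--install" ]; then
  install_vault
fi
```

With serviceType set to ClusterIP nothing is exposed outside the cluster; the http://localhost:8200 addresses on this page then come from a kubectl port-forward, which is the sensible default while the listener still has TLS disabled.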
- Getting Started with Vault: the very basics of Vault and setting it up.
- Vault on Kubernetes Deployment Guide: setting up Vault with the vault-helm chart (prebuilt Helm chart).
- Vault Helm Configuration: additional configuration options of the Vault Helm chart.
