Getting started with HashiCorp Vault on Kubernetes

April 28, 2019    kubernetes   vault   linux   security

Introduction

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. In practice this means you can keep all your application secrets in Vault instead of working out, app by app, how to store, deliver, and use them. In this post we will install Vault on a running Kubernetes cluster and have an application save and read a secret; the Vault version used is 1.1.1. We will use dynamic secrets, which means that each pod gets a different secret and that secret expires once the pod is killed.

Before you start you will need the Consul and Vault client binaries and Minikube (or any running cluster). You can find the files used here in this repo.

This is part one of two.

Preparing the cluster

Start minikube with minikube start and check that you can reach the cluster with kubectl get nodes. The dashboard can also come in handy; open it with minikube dashboard.

Creating certificates for Consul and Vault

Vault needs a storage backend for its data; this can be Consul, etcd, PostgreSQL, and many more. We will use Consul, so the first thing to do is create a CA and certificates so that Consul and Vault can talk to each other over TLS: Consul's RPC and HTTP ports, Vault's connection to Consul, and Vault's own listener all use them.
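The certificate step as a script, added here as an example and not one of the post's files: a throwaway CA plus one server certificate that both Consul and Vault use, with a check that the chain verifies and the expected names are present. The namespace (default), the Service names (consul, vault), the Consul datacenter (dc1), the Secret name (consul-vault-tls) and the one-year validity are assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not the post's own files: a throwaway CA and one server
# certificate shared by Consul and Vault. Assumed (not from the page):
# namespace "default", Services named "consul" and "vault", Consul
# datacenter "dc1", Secret name "consul-vault-tls", one-year validity.
set -eu

# Write ca.pem/ca-key.pem and server.pem/server-key.pem into $1.
make_tls_bundle() {
  out=$1
  mkdir -p "$out"

  # 1. CA. basicConstraints is set explicitly so every openssl version
  #    treats the self-signed cert as a CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=consul-vault-ca" \
    -keyout "$out/ca-key.pem" -out "$out/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$out/ca-ext.cnf"
  openssl x509 -req -days 365 -in "$out/ca.csr" -signkey "$out/ca-key.pem" \
    -extfile "$out/ca-ext.cnf" -out "$out/ca.pem" 2>/dev/null

  # 2. Server cert. SANs cover the in-cluster DNS names of both Services plus
  #    server.dc1.consul, which Consul checks when verify_server_hostname is on.
  #    clientAuth is included because Vault presents this cert to Consul and
  #    Consul servers present it to each other (verify_incoming).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.dc1.consul" \
    -keyout "$out/server-key.pem" -out "$out/server.csr" 2>/dev/null
  printf '%s\n' \
    'subjectAltName=DNS:consul,DNS:consul.default.svc,DNS:vault,DNS:vault.default.svc,DNS:server.dc1.consul,DNS:localhost,IP:127.0.0.1' \
    'extendedKeyUsage=serverAuth,clientAuth' \
    'keyUsage=critical,digitalSignature,keyEncipherment' > "$out/server-ext.cnf"
  openssl x509 -req -days 365 -in "$out/server.csr" \
    -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
    -extfile "$out/server-ext.cnf" -out "$out/server.pem" 2>/dev/null

  rm -f "$out"/*.csr "$out"/*.cnf "$out"/*.srl
  chmod 600 "$out"/*-key.pem
}

# Check that server.pem chains to ca.pem and carries the DNS SAN $2.
verify_bundle() {
  out=$1 name=$2
  openssl verify -CAfile "$out/ca.pem" "$out/server.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$out/server.pem" -noout -text | grep -Eq "DNS:$name(,|$)"
}

# Ship the bundle to the cluster as one Secret that both the Consul and the
# Vault pods mount (needs kubectl pointed at the cluster).
create_tls_secret() {
  out=$1
  kubectl create secret generic consul-vault-tls \
    --from-file=ca.pem="$out/ca.pem" \
    --from-file=server.pem="$out/server.pem" \
    --from-file=server-key.pem="$out/server-key.pem"
}

# Only touch the cluster when asked: APPLY_TO_CLUSTER=1 ./tls.sh
if [ "${APPLY_TO_CLUSTER:-0}" = 1 ]; then
  make_tls_bundle ./tls
  verify_bundle ./tls consul.default.svc
  create_tls_secret ./tls
fi
```

The private keys never leave the machine that ran the script except inside the Secret; keep ca-key.pem out of the cluster entirely, since only ca.pem is needed at runtime, and delete the local copy once you have issued everything you need.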

Consul

The next steps are to create a gossip encryption key for the Consul cluster and to create all the Kubernetes resources associated with it. The key ends up inside the Consul server configuration, so that configuration belongs in a Secret rather than a ConfigMap.

Vault

Once Consul is running, starting Vault is straightforward: create the Kubernetes resources associated with it, then initialize and unseal it. The output of the init step contains the unseal key shares and the root token; keep it outside the cluster, because anyone holding a threshold of the shares can unseal the vault.
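The Consul and Vault steps above as one script, added here as an example and not the post's own manifests: the gossip key, the Consul server configuration and the Vault storage and listener configuration are generated and stored as Secrets, then Vault is initialized and unsealed with exactly a threshold of shares. The mount path /etc/tls, the Secret names, the Consul datacenter dc1, the HTTPS port 8501, the use of jq, and the assumption that VAULT_ADDR and VAULT_CACERT already point at the Vault pod (for example through kubectl port-forward) are all assumptions, not values from the page; the StatefulSets and Services that mount the Secrets are not shown.

```shell
#!/usr/bin/env bash
# Added example, not the post's manifests: gossip key and config for Consul,
# storage/listener config for Vault, and init + unseal. Assumed (not from
# the page): the Secret "consul-vault-tls" from the certificate step is
# mounted at /etc/tls in both pods, Consul datacenter "dc1", Service
# "consul" on HTTPS port 8501, jq installed, and a vault 1.1.1 CLI on PATH
# with VAULT_ADDR and VAULT_CACERT already pointing at the Vault pod.
set -eu

VAULT_BIN=${VAULT_BIN:-vault}   # indirection so the unseal logic can be exercised against a stub

# Gossip encryption key: 32 random bytes, base64, which is what `consul keygen`
# prints. memberlist accepts 16-, 24- or 32-byte keys (AES-128/192/256).
consul_gossip_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Consul server config: gossip encrypted, RPC and HTTP require TLS in both
# directions, plaintext HTTP disabled, and server certs must carry
# server.dc1.consul (verify_server_hostname).
consul_server_config() {
  key=$1
  cat <<EOF
{
  "datacenter": "dc1",
  "server": true,
  "encrypt": "$key",
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "/etc/tls/ca.pem",
  "cert_file": "/etc/tls/server.pem",
  "key_file": "/etc/tls/server-key.pem",
  "ports": { "http": -1, "https": 8501 }
}
EOF
}

# Vault config: Consul storage over HTTPS with a client cert, TLS listener.
vault_server_config() {
  cat <<'EOF'
storage "consul" {
  address       = "consul:8501"
  scheme        = "https"
  path          = "vault/"
  tls_ca_file   = "/etc/tls/ca.pem"
  tls_cert_file = "/etc/tls/server.pem"
  tls_key_file  = "/etc/tls/server-key.pem"
}
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/tls/server.pem"
  tls_key_file  = "/etc/tls/server-key.pem"
}
EOF
}

# The Consul config embeds the gossip key, so both configs go into Secrets,
# not ConfigMaps (needs kubectl pointed at the cluster).
create_config_secrets() {
  dir=$(mktemp -d)
  consul_server_config "$(consul_gossip_key)" > "$dir/server.json"
  vault_server_config > "$dir/vault.hcl"
  kubectl create secret generic consul-config --from-file="$dir/server.json"
  kubectl create secret generic vault-config --from-file="$dir/vault.hcl"
  rm -rf "$dir"
}

# Initialise once. The JSON output holds the unseal shares and the root token:
# keep it off the cluster and out of git. Writes one share per line to
# $1/unseal-keys.txt for vault_unseal.
vault_init() {
  dir=$1
  mkdir -p "$dir"
  "$VAULT_BIN" operator init -key-shares=5 -key-threshold=3 -format=json > "$dir/init.json"
  chmod 600 "$dir/init.json"
  jq -r '.unseal_keys_b64[]' "$dir/init.json" > "$dir/unseal-keys.txt"
}

# Submit exactly $2 distinct shares from $1 (one per line); the same share
# submitted twice does not count toward the threshold. Prints the number
# submitted and fails if Vault still reports sealed (vault status exits 2).
vault_unseal() {
  keys_file=$1 threshold=$2 n=0
  for key in $(head -n "$threshold" "$keys_file"); do
    "$VAULT_BIN" operator unseal "$key" >/dev/null
    n=$((n + 1))
  done
  "$VAULT_BIN" status >/dev/null
  echo "$n"
}

# Only touch the cluster when asked: APPLY_TO_CLUSTER=1 ./vault-setup.sh
if [ "${APPLY_TO_CLUSTER:-0}" = 1 ]; then
  create_config_secrets
  # ...wait for the Consul and Vault pods to be Running, then:
  vault_init ./vault-init
  vault_unseal ./vault-init/unseal-keys.txt 3
fi
```

Submitting all five shares from one file on one machine defeats the point of splitting them; it is acceptable on a throwaway minikube, but for anything else hand the shares to different people and have each run vault operator unseal with their own.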

Closing notes

As you can see, it takes a while to configure a Vault server, but I really like the pattern it gives the apps that use it. In the next post we will see how to unseal it automatically with Kubernetes and how to mount the secrets into our pods automatically so our applications can use them :). This post was heavily inspired by this one and this one.

Errata

If you spot any error or have any suggestion, please send me a message so it gets fixed.

You can also check the source code and the changes to the generated code and the sources here.


