---
sidebar_label: "Vault"
title: "Vault"
description: "Integration of the Vault add on into Spectro Cloud"
hide_table_of_contents: true
type: "integration"
category: ["security", "amd64", "arm64"]
sidebar_class_name: "hide-from-sidebar"
logoUrl:
tags: ["packs", "vault", "security"]
---

Versions Supported

HashiCorp provides documentation for many use cases for Vault. For examples, refer to the HashiCorp Vault documentation.

Initialize and Unseal Vault

If you enabled dev server mode, you do not need to initialize Vault and it is already unsealed. Use the root token you configured in the values.yaml file to sign in to Vault directly.

Before any operation can be performed on Vault, you need to initialize the first root token and keys that can be used to unseal Vault. You can do so by following these steps:

  1. Log in to Palette.

  2. Navigate to the left Main Menu and select Clusters.

  3. Select the cluster that has Vault installed to view its details page.

  4. Download the cluster kubeconfig file.

  5. Set up your local kubectl environment to use the kubeconfig file you downloaded. Review the Access Cluster with CLI guide for additional guidance.

  6. You need to get the Vault namespace and application name. Issue the following command to get the unique values.

    VAULT_NAMESPACE=$(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.namespace}') && \
    APP_NAME=$(echo "$VAULT_NAMESPACE" | sed 's/-ns$//')

  7. Set up port forwarding by issuing the following command so you can access the Vault UI:

    kubectl port-forward $APP_NAME 8200:8200 --namespace $VAULT_NAMESPACE

  8. Open your browser and access the Vault UI at https://localhost:8200/ui. You will receive a warning due to using a self-signed certificate, but you can ignore this warning. Follow the prompts on the UI to initialize your root token.

:::tip

If you do not want to use the Vault UI, you can also initialize and unseal Vault using the Vault CLI or API. For more information, refer to Vault documentation.

:::
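The tip above mentions the Vault API as an alternative to the UI. The following script, added here as an example and not part of the Palette docs or of HashiCorp's tooling, walks the same init-then-unseal exchange over the port-forward from step 7 (https://localhost:8200). It assumes Vault's documented system endpoints `/v1/sys/init`, `/v1/sys/unseal` and `/v1/sys/seal-status`; `FakeVault` is a constructed stand-in for the server so the exchange can be run offline, and `https_transport` is the real transport that trusts the cluster's self-signed certificate explicitly through a CA file instead of disabling verification.

```python
"""Initialize and unseal Vault through its HTTP API (added example, not page code).

Assumes the documented Vault system endpoints below. FakeVault is a constructed
stand-in for the server; https_transport talks to the real port-forwarded Vault.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Set

INIT_PATH = "/v1/sys/init"
UNSEAL_PATH = "/v1/sys/unseal"
STATUS_PATH = "/v1/sys/seal-status"

# A transport sends (method, path, json_body) and returns the decoded JSON reply.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def https_transport(addr: str = "https://localhost:8200",
                    cafile: Optional[str] = None) -> Transport:
    """Real transport. Pass the cluster's self-signed certificate as cafile so it
    is trusted explicitly rather than switching verification off."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def initialize(send: Transport, shares: int = 5, threshold: int = 3) -> Dict[str, Any]:
    """Create the first root token and the key shares. Vault returns these values
    only once; hand the shares to separate holders and never log the reply."""
    return send("PUT", INIT_PATH, {"secret_shares": shares, "secret_threshold": threshold})


def unseal(send: Transport, keys: List[str]) -> Dict[str, Any]:
    """Submit shares one at a time, stopping as soon as Vault reports sealed=false.
    Raises if the supplied shares do not reach the threshold."""
    status = send("GET", STATUS_PATH, None)
    for key in keys:
        if not status["sealed"]:
            break
        status = send("PUT", UNSEAL_PATH, {"key": key})
    if status["sealed"]:
        raise RuntimeError(f"still sealed: progress {status['progress']}/{status['t']}")
    return status


class FakeVault:
    """Constructed server side of the exchange: hands out shares on init and
    counts distinct valid shares against the threshold on unseal."""

    def __init__(self) -> None:
        self.initialized = False
        self.sealed = True
        self.threshold = 0
        self.shares: List[str] = []
        self.seen: Set[str] = set()

    def _status(self) -> Dict[str, Any]:
        return {"sealed": self.sealed, "t": self.threshold, "progress": len(self.seen)}

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        if path == INIT_PATH:
            if self.initialized:
                raise RuntimeError("Vault is already initialized")
            self.initialized = True
            self.threshold = body["secret_threshold"]
            self.shares = [f"constructed-share-{i}" for i in range(body["secret_shares"])]
            return {"keys_base64": list(self.shares), "root_token": "hvs.constructed-root-token"}
        if path == UNSEAL_PATH:
            if body["key"] in self.shares:
                self.seen.add(body["key"])  # a repeated share adds no progress
            if len(self.seen) >= self.threshold:
                self.sealed = False
                self.seen.clear()
            return self._status()
        if path == STATUS_PATH:
            return self._status()
        raise ValueError(f"unexpected path {path}")


def demo(send: Optional[Transport] = None) -> Dict[str, Any]:
    """Init with 5 shares / threshold 3, then unseal with exactly 3 shares."""
    send = send or FakeVault()
    init = initialize(send, shares=5, threshold=3)
    return unseal(send, init["keys_base64"][:3])


if __name__ == "__main__":
    print(demo())  # against the real server: demo(https_transport(cafile="vault-ca.pem"))
```

Against a real cluster, call `demo(https_transport(cafile=...))` with the certificate you downloaded from the cluster; the `FakeVault` default exists only so the exchange and its failure mode (too few shares) can be exercised without a cluster.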

Storage

In a production Vault server, backend storage lives on a persistent data layer; it is treated as untrusted and only ever holds encrypted data. In a dev mode Vault server, all data is stored in memory and is erased when Vault restarts.

RKE2

When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field charts.vault.server.dataStorage.storageClass in values.yaml for the Vault pack in your cluster profile from null to a storage class that meets your needs. Refer to Kubernetes documentation on storage classes for more details.

Terraform

Use the following Terraform code snippet to reference the Vault pack.

data "spectrocloud_registry" "public_registry" {
  name = "Public Repo"
}

data "spectrocloud_pack_simple" "pack-info" {
  name         = "vault"
  version      = "0.27.0"
  type         = "helm"
  registry_uid = data.spectrocloud_registry.public_registry.id
}