Vault
Versions Supported
- 0.27.x
- 0.22.x
HashiCorp provides documentation for many use cases for Vault. For examples, refer to the HashiCorp Vault documentation.
Initialize and Unseal Vault
If you enabled dev server mode, you do not need to initialize Vault and it is already unsealed. Use the root token you configured in the values.yaml file to sign in to Vault directly.
Before any operation can be performed on Vault, you need to initialize the first root token and keys that can be used to unseal Vault. You can do so by following these steps:
- Log in to Palette.
- Navigate to the left Main Menu and select Clusters.
- Select the cluster that has Vault installed to view its details page.
- Download the cluster kubeconfig file.
- Set up your local kubectl environment to use the kubeconfig file you downloaded. Review the Access Cluster with CLI guide for additional guidance.
- You need to get the Vault namespace and application name. Issue the following command to get the unique values.

  VAULT_NAMESPACE=$(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.namespace}') && \
  APP_NAME=$(echo "$VAULT_NAMESPACE" | sed 's/-ns$//')

- Set up port forwarding by issuing the following command so you can access the Vault UI:

  kubectl port-forward $APP_NAME 8200:8200 --namespace $VAULT_NAMESPACE

- Open your browser and access the Vault UI at https://localhost:8200/ui. You will receive a warning due to using a self-signed certificate, but you can ignore this warning. Follow the prompts on the UI to initialize your root token.
If you do not want to use the Vault UI, you can also initialize and unseal Vault using the Vault CLI or API. For more information, refer to Vault documentation.
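The CLI/API alternative described above, carried out against the port-forwarded endpoint from the steps, as an added example (not Palette or HashiCorp Vault project code). It uses only the unauthenticated sys/seal-status, sys/init and sys/unseal endpoints; VAULT_ADDR, the injectable `call` transport and the 5-of-3 share/threshold values are assumptions.

```python
import json
import ssl
import urllib.request

# Assumption: the kubectl port-forward from the steps above is running, so Vault
# answers on localhost with the self-signed certificate the UI step mentions.
VAULT_ADDR = "https://localhost:8200"


def http(method, path, body=None, addr=VAULT_ADDR):
    """Minimal Vault HTTP API call. Certificate checks are relaxed only because
    the target is a localhost tunnel to a self-signed listener."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + "/v1" + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def next_action(status):
    """Map a /sys/seal-status document to what the server still needs."""
    if not status.get("initialized"):
        return "init"
    return "unseal" if status.get("sealed") else "ready"


def init_and_unseal(call, shares=5, threshold=3, keys=()):
    """Initialize Vault if needed, then submit exactly the threshold `t` that
    Vault reports. Returns (root_token, final seal status); root_token is None
    when Vault was already initialized. `call(method, path, body)` is the
    transport (the `http` function above, or a fake in tests)."""
    status = call("GET", "/sys/seal-status")
    root_token, keys = None, list(keys)
    if next_action(status) == "init":
        init = call("PUT", "/sys/init",
                    {"secret_shares": shares, "secret_threshold": threshold})
        # keys_base64 and root_token are shown exactly once; hand them to the
        # key holders / a secrets store, never leave them in shell history.
        root_token, keys = init["root_token"], init["keys_base64"]
        status = call("GET", "/sys/seal-status")
    if next_action(status) == "unseal":
        if not keys:
            raise RuntimeError("Vault is sealed and no unseal key shares were supplied")
        for key in keys[: status["t"]]:  # t = threshold Vault was initialized with
            status = call("PUT", "/sys/unseal", {"key": key})
            if not status["sealed"]:
                break
    if status["sealed"]:
        raise RuntimeError("still sealed, progress %s/%s" % (status.get("progress"), status.get("t")))
    return root_token, status
```

Run it as `init_and_unseal(http)` once the port-forward is up; a second run against the same server returns `(None, status)` with `sealed` false, because the server is already initialized and unsealed.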
Storage
In a production Vault server, the storage backend is a persistent data layer that Vault treats as untrusted, so it holds only encrypted data. In a dev mode Vault server, all data is stored in memory and is erased when Vault restarts.
RKE2
When using Vault with the RKE2 distribution of Kubernetes in Palette Edge, you must explicitly specify a storage class for the Vault server. To specify a storage class, change the value of the field charts.vault.server.dataStorage.storageClass in values.yaml for the Vault pack in your cluster profile from null to a storage class that meets your needs. Refer to the Kubernetes documentation on storage classes for more details.
Terraform
Use the following Terraform code snippet to reference the Vault pack.
data "spectrocloud_registry" "public_registry" {
  name = "Public Repo"
}

data "spectrocloud_pack_simple" "pack-info" {
  name         = "vault"
  version      = "0.27.0"
  type         = "helm"
  registry_uid = data.spectrocloud_registry.public_registry.id
}