Vault

Vault helps secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data using a UI, CLI, or HTTP API.

Components

Vault integration has the following components:

Versions

  • 0.6.0.
  • 0.3.1.

Supported Use cases

  1. Running a Vault Service:
    • Vault runs in Dev mode by default, so it starts already unsealed and initialized.
    • For production use cases, we recommend disabling Dev mode and enabling HA.
    • Also, see the Production Checklist recommendations.
  2. Injecting application secrets from an external Vault into pods (Agent Injector).
    • To run only the Agent Injector in the cluster, use v0.6.0 of the Vault pack.
    • Make sure to set injector.externalVaultAddr to point to the external Vault server.

How are secrets injected into deployments?

In Kubernetes clusters with Vault integrated, secrets can be injected into the application pods by adding the following annotations:

vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-<unique_name>: /path/to/secret
vault.hashicorp.com/role: "<role using which the secret can be fetched>"

More information on consuming Vault secrets can be found in the Vault docs.
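The following Deployment manifest is an added example, not part of the original page, showing the three annotations above applied to a pod template. The secret path secret/data/app/config, the Vault role app-role, the namespace and the image are constructed placeholders; the role is assumed to already be bound to the pod's service account through Vault's Kubernetes auth method, otherwise the injected agent cannot authenticate and the pod stays stuck in Init.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: demo                     # constructed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
      annotations:
        # Ask the Agent Injector to add a Vault Agent sidecar to this pod.
        vault.hashicorp.com/agent-inject: "true"
        # <unique_name> here is "config"; the rendered secret lands in
        # /vault/secrets/config inside the application container.
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/app/config"
        # Vault role used by the agent to log in; assumed to be bound to the
        # "app" service account via the Kubernetes auth method.
        vault.hashicorp.com/role: "app-role"
    spec:
      # A dedicated service account keeps the role binding narrow: only pods
      # running as this account can use "app-role".
      serviceAccountName: app
      containers:
        - name: app
          image: example.org/app:1.0   # constructed image reference
          command: ["sh", "-c", "cat /vault/secrets/config && sleep 3600"]
```

The secret never appears in the pod spec or in a Kubernetes Secret object: the agent writes it to an in-memory volume shared with the application container, so auditing which workloads can read which paths reduces to reviewing the Vault role to service account bindings.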

Ingress

Follow the steps below to configure Ingress on the Vault Server.

  1. Make sure serviceType is not set for the Vault Server. That way, serviceType defaults to ClusterIP.
    • Version 0.6.0 - line #289
    • Version 0.3.1 - line #96
  2. Ingress
    • Enable Ingress: change enabled from false to true.
    • Set Ingress rules such as annotations, path, hosts, etc.
    • Version 0.6.0 - line #146
    • Version 0.3.1 - line #96

With these config changes, you can access the Vault service on the Ingress Controller LoadBalancer hostname / IP.
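An added values fragment, not taken from the page or from the pack itself, illustrating both steps together as they would look in the Vault Helm chart's server section. The key layout (server.service, server.ingress with enabled, annotations, hosts and tls) is assumed to match the chart version in use; the hostname vault.example.internal, the ingress class and the TLS secret name are constructed placeholders.

```yaml
server:
  service:
    enabled: true
    # No "type" key here: the service keeps the ClusterIP default, so Vault is
    # reachable only through the Ingress and not directly via a NodePort or LB.

  ingress:
    enabled: true                      # step 2: changed from false to true
    annotations:
      kubernetes.io/ingress.class: nginx   # constructed; depends on your controller
    hosts:
      - host: vault.example.internal   # constructed hostname
        paths:
          - /
    # Terminate TLS at the ingress so tokens in the Authorization header are not
    # sent in clear text between clients and the cluster edge. The secret name
    # is a placeholder; the referenced certificate must exist in the namespace.
    tls:
      - secretName: vault-tls          # constructed secret name
        hosts:
          - vault.example.internal
```

Leaving the service as ClusterIP and exposing only the Ingress keeps a single, auditable entry point in front of Vault; restricting that entry point to the internal network or to known client ranges at the Ingress Controller is the next control to consider.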

References