# Install Vault with DevStream

## InstanceID Prefix

The `instanceID` prefix must be `vault`. The minimum tools configuration example:

```yaml
tools:
  - name: helm-installer
    instanceID: vault
```
## Default Configs

| key | default value | description |
|---|---|---|
| chart.chartPath | "" | local chart path |
| chart.chartName | hashicorp/vault | chart name |
| chart.version | "" | chart version |
| chart.timeout | 5m | this config will wait 5 minutes to deploy |
| chart.releaseName | vault | helm release name |
| chart.upgradeCRDs | true | default update CRD config |
| chart.wait | true | whether to wait until installation is complete |
| chart.namespace | vault | namespace where helm deploys |
| repo.url | https://helm.releases.hashicorp.com | helm official repo address |
| repo.name | hashicorp | helm repo name |
## Initialize all the Vault pods

After installing Vault on k8s, you can initialize all of its pods. To know more about Vault, you can refer to:

First, you must install the `jq` tool: jq is a lightweight and flexible command-line JSON processor. Download jq

In the commands below, replace the variable `$NAMESPACE` with "hashicorp" if you did not modify the namespace variable; otherwise, use the namespace name you set.
### Initialize vault-0

```bash
# Initialize vault-0 with one key share and one key threshold.
kubectl exec vault-0 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
```

### Display the unseal key

```bash
# Display the unseal key found in cluster-keys.json
cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
```

### Create a variable to capture the Vault unseal key

```bash
# Create a variable named VAULT_UNSEAL_KEY to capture the Vault unseal key.
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
```

### Unseal vault-0

```bash
# Unseal vault-0 running on the vault-0 pod.
kubectl exec vault-0 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
```
The output of the above command looks like this. Make sure the value of `Initialized` is `true` and the value of `Sealed` is `false`.

```text
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.9.2
Storage Type            raft
Cluster Name            vault-cluster-14052440
Cluster ID              7630cd33-2ee1-39c1-db3f-e48a6d79970a
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2022-04-23T16:45:47.6060163Z
Raft Committed Index    30
Raft Applied Index      30
```
### Initialize vault-1 and vault-2 like vault-0

```bash
# Initialize and unseal vault-1 (this overwrites the cluster-keys.json written for vault-0).
kubectl exec vault-1 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec vault-1 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
# Initialize and unseal vault-2
kubectl exec vault-2 -n $NAMESPACE -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec vault-2 -n $NAMESPACE -- vault operator unseal $VAULT_UNSEAL_KEY
```
### Verify all the pods status

```bash
# Verify all the Vault pods are running and ready.
kubectl get pods -n $NAMESPACE
```

The output of the above command looks like this. Make sure all the pods are running and ready.

```text
NAME                                 READY   STATUS    RESTARTS   AGE
vault-0                              1/1     Running   0          2m29s
vault-1                              1/1     Running   0          2m29s
vault-2                              1/1     Running   0          2m29s
vault-agent-injector-68dc986-bnsj2   1/1     Running   0          2m28s
```
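A pod being `Running` only says the container is up; the seal state is what the `Initialized`/`Sealed` check above is really about. The following script is an added example, not part of the DevStream docs or of Vault itself. It parses the JSON that `vault status -format=json` and `vault operator init -format=json` return using only `sed` and `tr`, so it also works where `jq` is not installed, and it wraps the page's `init` command so that `cluster-keys.json` (which holds the unseal key and the root token) is created with mode 0600 instead of the default umask. The embedded JSON samples are constructed placeholders, not output captured from a cluster; `check_pod` and `init_pod` assume the same `kubectl exec` access the commands above use. One caveat it handles: `vault status` exits non-zero when the server is sealed, so the exit code is ignored and the parsed fields decide.

```shell
#!/bin/sh
# Added example: verify Vault pod seal state from JSON output without jq.
# The sample JSON below is constructed for this example; keys and tokens are placeholders.

SAMPLE_STATUS_UNSEALED='{"type": "shamir", "initialized": true, "sealed": false, "t": 1, "n": 1, "progress": 0, "version": "1.9.2", "storage_type": "raft", "ha_enabled": true}'
SAMPLE_STATUS_SEALED='{"type": "shamir", "initialized": true, "sealed": true, "t": 1, "n": 1, "progress": 0, "version": "1.9.2", "storage_type": "raft"}'
SAMPLE_INIT_JSON='{"unseal_keys_b64": ["EXAMPLEunsealKeyPlaceholder="], "unseal_keys_hex": ["00ff"], "unseal_shares": 1, "unseal_threshold": 1, "root_token": "hvs.EXAMPLEROOTTOKENPLACEHOLDER"}'

# json_bool JSON KEY: print the value of the top-level boolean KEY (true/false),
# or nothing if the key is absent. Whitespace is stripped first so both
# `"sealed": false` and `"sealed":false` match.
json_bool() {
  printf '%s' "$1" | tr -d ' \t\n' | sed -n "s/.*\"$2\":\([a-z]*\).*/\1/p"
}

# vault_status_ok JSON: succeed only when initialized is true and sealed is false,
# the two fields the page tells you to check by eye.
vault_status_ok() {
  [ "$(json_bool "$1" initialized)" = "true" ] && [ "$(json_bool "$1" sealed)" = "false" ]
}

# unseal_key_from_init JSON: print the first entry of unseal_keys_b64, i.e. what
# the page's jq filter `.unseal_keys_b64[]` yields with a single key share.
unseal_key_from_init() {
  printf '%s' "$1" | tr -d ' \t\n' | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p'
}

# init_pod POD NAMESPACE FILE: the same init command as above, but FILE is
# created with mode 0600 because it contains the unseal key and the root token.
init_pod() {
  ( umask 077; kubectl exec "$1" -n "$2" -- vault operator init \
      -key-shares=1 -key-threshold=1 -format=json > "$3" )
}

# check_pod POD NAMESPACE: query seal state inside the pod. `vault status` exits
# non-zero when sealed, so the exit code is ignored and the JSON decides.
check_pod() {
  status=$(kubectl exec "$1" -n "$2" -- vault status -format=json 2>/dev/null) || true
  if vault_status_ok "$status"; then
    echo "$1: initialized and unsealed"
  else
    echo "$1: not ready (sealed, uninitialized, or unreachable)"
    return 1
  fi
}

# Demonstration on the constructed samples (no cluster needed).
if vault_status_ok "$SAMPLE_STATUS_UNSEALED"; then echo "sample unsealed: ok"; fi
if vault_status_ok "$SAMPLE_STATUS_SEALED"; then :; else echo "sample sealed: not ready"; fi
echo "sample unseal key: $(unseal_key_from_init "$SAMPLE_INIT_JSON")"
```

Against a real cluster, `for p in vault-0 vault-1 vault-2; do check_pod "$p" "$NAMESPACE"; done` reports each pod's state and returns non-zero for any pod that is still sealed, which makes the check usable as a gate in a pipeline rather than a visual inspection.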
- After the above operations, if you want to use Vault to write and read secrets, follow the HashiCorp Vault documentation:
    - Set a secret in Vault
    - Your First Secret