Install HashiCorp Vault on K8s with Helm, using the HashiCorp Consul storage backend

  1. Create NFS Server and K8s Cluster (My Private Lab provided by oVirt)
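# Rebuild the lab from scratch: tear down and re-provision the NFS server, then
# the K8s cluster. Both directories are the author's local Terraform checkouts;
# adjust the paths for your own lab.
# The `;` (rather than `&&`) lets `apply` run even when `destroy` fails —
# presumably deliberate for a fresh lab; use `&&` if a failed destroy should stop here.
cd /Users/drs/Dropbox/01-Kubernetes/provisioning/ng_lab_home_nfs
terraform destroy --auto-approve; terraform apply --auto-approve
cd /Users/drs/Dropbox/01-Kubernetes/provisioning/ng_lab_home_k8s
terraform destroy --auto-approve; terraform apply --auto-approve

# Copy the new cluster's kubeconfig (it contains the cluster credentials) into
# the local kube directory, then confirm the nodes are reachable.
# "[email protected]" is the placeholder shown on this page; replace it with the
# user@host of the control-plane node. "$HOME" is quoted so the copy still
# works when the home path contains spaces.
rsync -av [email protected]:.kube/config "$HOME/.kube"
kubectl get nodes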
  1. Create PV
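# Apply the PersistentVolume manifest pv.yaml (presumably NFS-backed, pointing at
# the NFS server created in step 1 — confirm in pv.yaml). Use ONE of the two variants.
# `kubectl apply` is chained with `&&` so that a failed `cd` no longer applies
# whatever pv.yaml happens to be in the current directory.

# Variant A: the author's local checkout.
cd /Users/drs/Dropbox/01-Kubernetes/scenario/vaultproject/helm && kubectl apply -f pv.yaml

# Variant B: a fresh clone of the repository.
git clone https://github.com/rdamrong/consul-vault-helm.git
cd consul-vault-helm && kubectl apply -f pv.yaml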

  1. Create Secret
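kubectl create ns vault

# Consul gossip encryption key. It is generated at creation time with
# 'consul keygen' (needs the consul CLI locally) and lives only in the Secret —
# never as a literal in this README: a key committed to a repository is no
# longer secret and has to be replaced. Every Consul component must use this
# same key (see the notes at the end of this README); the chart presumably
# reads it from the 'consul-gossip-key' Secret — confirm in consul-vaules.yaml.
kubectl -n vault create secret generic consul-gossip-key \
  --from-literal=key="$(consul keygen)"

# TLS material from ./pki. Note that 'tls-ca' uploads the CA *private* key into
# the cluster; presumably the Consul chart needs it to sign certificates —
# confirm in consul-vaules.yaml and drop the key if only ca.crt is required.
kubectl -n vault create secret tls tls-server --cert ./pki/server1.crt --key ./pki/server1.key
kubectl -n vault create secret tls tls-ca --cert ./pki/ca.crt --key ./pki/ca.key
# Alternative Secret name for the connect-inject webhook, kept for reference:
#- kubectl -n vault create secret tls consul-consul-connect-inject-webhook-cert --cert ./pki/consul.crt --key ./pki/consul.key
# Both of the following Secrets carry the same consul.crt/consul.key pair.
kubectl -n vault create secret tls tls-consul --cert ./pki/consul.crt --key ./pki/consul.key
kubectl -n vault create secret tls client-tls-init --cert ./pki/consul.crt --key ./pki/consul.key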
  1. Install Consul
# Install the Consul chart into the 'vault' namespace (created if it does not
# exist yet). The values file is spelled "consul-vaules.yaml" in this repo;
# use that exact name.
helm install consul hashicorp/consul \
  --namespace vault --create-namespace \
  --values consul-vaules.yaml
  1. Install Vault
# Install the Vault chart into the same namespace; vault-values.yaml holds the
# chart settings (presumably the Consul storage backend config — confirm there).
helm install vault hashicorp/vault \
  -n vault \
  -f vault-values.yaml
  1. Unseal
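# Initialise Vault once and keep the output. init-result.txt holds the unseal
# keys AND the initial root token, so it is created with owner-only permissions
# (umask 077 inside the subshell). No TTY is requested: the command is not
# interactive, and a pty only adds colour escape codes to the captured output.
rm -f init-result.txt
( umask 077; kubectl exec -n vault vault-0 -- vault operator init > init-result.txt )

# Print unseal key N: strip any ANSI escape codes first, then take the 4th
# field of the "... Key N: <key>" line. The key is passed to kubectl as an
# argument — the original built a command string and piped it into `sh`, which
# executes whatever text ends up in the file.
unseal_key() {
  sed -r 's/\x1B\[[0-9;]*[a-zA-Z]//g' init-result.txt | grep "Key $1" | awk '{print $4}'
}

# With the default init settings (5 shares, threshold 3) three keys unseal each pod.
for pod in vault-0 vault-1; do
  for n in 1 2 3; do
    kubectl exec -n vault "$pod" -- vault operator unseal "$(unseal_key "$n")"
  done
done
# Once both pods are unsealed, move init-result.txt to a secure store and
# delete the local copy; do not leave the root token on disk.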
  1. Expose and Test Connection
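# Expose Vault with the Service in vault-svc.yaml, load the client settings and
# check that the CLI can reach the (now unsealed) cluster.
kubectl apply -f vault-svc.yaml
# .vaultrc presumably exports VAULT_ADDR and related variables — confirm in the
# file. The explicit ./ prefix makes bash source the file in the current
# directory instead of first searching PATH for a file of that name.
. ./.vaultrc
vault status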

Unknown Issue

  1. Configuring gossip encryption — solved, Sun 15 Oct 2023
  2. Use the same key in every Consul component