Deploy Vault server in infrastructure cluster

Warning

vault-server is not part of Universe. This mode is supported for development and testing only.

This step replaces the Install Vault agent step for the infrastructure cluster.

The built-in Vault server requires a PersistentVolume to store its data.

Follow the steps in the Use local PersistentVolume document if your cluster does not have a CSI provider available.

Commands in this section should be run from the root directory of the universe-vault chart.


cd ~/universe-helm-charts/universe-vault


Check the universe-vault chart documentation for all available options.

cat << 'EOF' | tee values-builtin.yaml
vault:
  enabled: true
  injector:
    enabled: true
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/control-plane
  server:
    enabled: true
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/control-plane
    dataStorage:
      storageClass: local-storage # use StorageClass provided by your CSI provider, or "local-storage" for local PV
    service:
      type: NodePort
      nodePort: 30002 # static node port, vault will be available on <icp_master_ip>:30002
EOF


Note

This command deploys both the Vault server and the Vault agent to the infrastructure cluster.

helm install -n vault --create-namespace -f values-builtin.yaml vault .

Note

It is expected that the vault-0 Pod will be in an unready state after this step; it becomes ready only once it has been initialized and unsealed in the steps below.

Note

Examples in this section use the jq tool to read a specific field from a JSON document. This tool is not installed by default in most Linux distributions, but it is available in their official repositories. Check the jq download page for installation instructions.

Initialize Vault server


kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json


Unseal Vault server

VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY


The vault-0 Pod should be in the ready state after the unseal operation completes.

Note

Save the cluster-keys.json file; it holds the unseal key and the root token, and you will need it again to unseal the Vault server Pod if it restarts.

Read the root token from cluster-keys.json:

cat cluster-keys.json | jq -r ".root_token"


Log in with the root token from the previous step:

kubectl exec -ti -n vault vault-0 -- /bin/sh
vault login <token>
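The init, unseal and restart handling described in the steps above, as an added example script that is not part of the Universe documentation or chart. It assumes the namespace "vault", the Pod name "vault-0" and the cluster-keys.json file from this page, and uses tr/grep/sed instead of jq so it works on minimal hosts; rerunning it after a Pod restart only unseals, rerunning on a ready Pod does nothing.

```shell
#!/bin/sh
# Added example, not from the Universe docs: an idempotent init/unseal helper for the
# built-in vault-0 Pod deployed on this page. Assumes namespace "vault", Pod "vault-0"
# and cluster-keys.json in the current directory (all taken from the steps above).
set -eu
NS="${VAULT_NS:-vault}"
POD="${VAULT_POD:-vault-0}"
KEYS_FILE="${KEYS_FILE:-cluster-keys.json}"

# `vault status -format=json` exits 2 while sealed, so do not let that abort the script.
vault_status_json() {
    kubectl exec -n "$NS" "$POD" -- vault status -format=json 2>/dev/null || true
}

# Read one boolean field ("initialized", "sealed") from a small JSON text without jq.
json_bool() {  # $1 = field name, $2 = json text; prints true, false or nothing
    printf '%s' "$2" | tr -d ' \t\n' | grep -o "\"$1\":[a-z]*" | head -n1 | cut -d: -f2
}

# Map the status document to an action: init, unseal, ready or unknown (no status at all).
plan_action() {  # $1 = status json
    if [ -z "$1" ]; then echo unknown
    elif [ "$(json_bool initialized "$1")" != "true" ]; then echo init
    elif [ "$(json_bool sealed "$1")" = "true" ]; then echo unseal
    else echo ready
    fi
}

# First (and only, with -key-shares=1) unseal key from the file written by `vault operator init`.
unseal_key_from_file() {  # $1 = path to cluster-keys.json
    tr -d ' \t\n' < "$1" | grep -o '"unseal_keys_b64":\["[^"]*"' | sed 's/.*\["//;s/"$//'
}

main() {
    action=$(plan_action "$(vault_status_json)")
    if [ "$action" = init ]; then
        # The file holds the unseal key and root token: owner-only permissions, keep it out of git.
        kubectl exec -n "$NS" "$POD" -- vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
        chmod 600 "$KEYS_FILE"
        action=unseal
    fi
    case "$action" in
        unseal)  kubectl exec -n "$NS" "$POD" -- vault operator unseal "$(unseal_key_from_file "$KEYS_FILE")" ;;
        ready)   echo "$POD is already initialized and unsealed" ;;
        unknown) echo "could not read vault status from $POD" >&2; exit 1 ;;
    esac
}
# Run only when invoked as `sh vault-unseal.sh run`, so the functions can also be sourced.
if [ "${1:-}" = run ]; then main; fi
```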


© Copyright 2023, NVIDIA. Last updated on Feb 7, 2024.