Network Operator Application Notes 23.10.0 - Sphinx Test

Deploy Vault server in infrastructure cluster

Warning

The vault-server is not part of Universe. This mode is supported for development and testing only.

This step replaces the Install Vault agent step for the infrastructure cluster.

The built-in Vault server requires a PersistentVolume to store its data.

Follow the steps in the use local PersistentVolume document if your cluster does not have an available CSI provider.

Commands in this section should run from the root directory of the universe-vault chart.

cd ~/universe-helm-charts/universe-vault

Prepare values for Vault helm chart

Check the universe-vault Chart documentation for all available options.

cat << 'EOF' | tee values-builtin.yaml
vault:
  enabled: true
  injector:
    enabled: true
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/control-plane
  server:
    enabled: true
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/control-plane
    dataStorage:
      storageClass: local-storage # use StorageClass provided by your CSI provider, or "local-storage" for local PV
    service:
      type: NodePort
      nodePort: 30002 # static node port, vault will be available on <icp_master_ip>:30002
EOF

Deploy Vault helm chart

Note

This command deploys both the Vault server and the Vault agent to the infrastructure cluster.

helm install -n vault --create-namespace -f values-builtin.yaml vault .

Note

It is expected that the vault-0 Pod will be in an unready state after this step, until it is initialized and unsealed in the next section.

Initialize and unseal Vault

Note

Examples in this section use the jq tool to read specific fields from a JSON document. This tool is not installed by default in most Linux distributions but is available in the official repositories. Check the jq download page for installation instructions.

Initialize Vault server

kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json

Unseal Vault server

VAULT_UNSEAL_KEY=$(jq -r '.unseal_keys_b64[]' cluster-keys.json)
kubectl exec -n vault vault-0 -- vault operator unseal "$VAULT_UNSEAL_KEY"

The vault-0 Pod should be in the ready state after the unseal operation completes.

Note

  • Save the cluster-keys.json file; you will need it again to unseal the Vault server Pod if it restarts.

Get root token

jq -r '.root_token' cluster-keys.json

Run shell in vault-0 POD

Use the root token from the previous step.

kubectl exec -ti -n vault vault-0 -- /bin/sh
# inside the Pod shell, authenticate with the root token from the previous step
vault login <token>
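The initialize and unseal steps above have to be repeated by hand whenever vault-0 restarts. The following helper is an added example, not part of this document or of the universe-vault chart: it reads `vault status`, initializes only when needed, unseals only when sealed, and restricts cluster-keys.json to its owner because that file holds both the unseal key and the root token. It assumes kubectl and jq are on PATH, the namespace and Pod name used above (vault, vault-0), and the same -key-shares=1 -key-threshold=1 layout, so a single key opens the Vault; the VAULT_NS and VAULT_KEYS_FILE variables are my own override knobs.

```shell
#!/bin/sh
# Added example, not from the NVIDIA page: idempotent init/unseal helper for
# the built-in vault-0 Pod. Assumes kubectl and jq on PATH and the same
# -key-shares=1 -key-threshold=1 layout as the page, so cluster-keys.json holds
# one unseal key that alone opens the Vault (acceptable for dev/test only).
set -eu

NS="${VAULT_NS:-vault}"                   # VAULT_NS is an assumed override knob
KEYS_FILE="${VAULT_KEYS_FILE:-cluster-keys.json}"

# Map the JSON from `vault status -format=json` to the next action:
# init | unseal | ready | unknown. Pure text processing, testable offline.
decide_action() {
  if [ -z "$1" ]; then echo unknown
  elif printf '%s' "$1" | grep -Eq '"initialized": *false'; then echo init
  elif printf '%s' "$1" | grep -Eq '"sealed": *true'; then echo unseal
  else echo ready
  fi
}

# cluster-keys.json holds the unseal key and the root token: owner-only access.
secure_keys_file() {
  chmod 600 "$1" && [ -n "$(find "$1" -prune -perm 600)" ]
}

# Run a vault CLI command inside the vault-0 Pod (same form as on the page).
vault_exec() {
  kubectl exec -n "$NS" vault-0 -- vault "$@"
}

ensure_unsealed() {
  # `vault status` exits 2 while sealed; keep its JSON instead of aborting.
  status="$(vault_exec status -format=json || true)"
  action="$(decide_action "$status")"
  if [ "$action" = unknown ]; then
    echo "cannot read vault status from vault-0" >&2; return 1
  fi
  if [ "$action" = init ]; then
    vault_exec operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
    secure_keys_file "$KEYS_FILE"
    action=unseal                   # a freshly initialized server is sealed
  fi
  if [ "$action" = unseal ]; then
    # Pass the key as an argument as the page does; discard the status echo.
    vault_exec operator unseal "$(jq -r '.unseal_keys_b64[0]' "$KEYS_FILE")" >/dev/null
  fi
  # Readiness flips only once unsealed, matching the page's expectation.
  kubectl wait -n "$NS" --for=condition=Ready pod/vault-0 --timeout=120s
}
```

Source the file and run `ensure_unsealed` after the helm install, and again whenever vault-0 restarts; it is safe to call on an already unsealed server.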

© Copyright 2023, NVIDIA. Last updated on Feb 7, 2024