Deploy Vault server in infrastructure cluster
The vault-server mode is not part of Universe. This mode is supported for development and testing only.
This step replaces the Install Vault agent step for the infrastructure cluster.
The built-in Vault server requires a PersistentVolume to store its data.
If your cluster does not have an available CSI provider, follow the steps in the use local PersistentVolume document.
Commands in this section should be run from the root directory of the universe-vault chart.
cd ~/universe-helm-charts/universe-vault
Check the universe-vault chart documentation for all available options.
cat << 'EOF' | tee values-builtin.yaml
vault:
  enabled: true
  injector:
    enabled: true
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/control-plane
  server:
    enabled: true
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        operator: "Exists"
        key: node-role.kubernetes.io/control-plane
    dataStorage:
      storageClass: local-storage # use StorageClass provided by your CSI provider, or "local-storage" for local PV
    service:
      type: NodePort
      nodePort: 30002 # static node port, vault will be available on <icp_master_ip>:30002
EOF
This command deploys both the Vault server and the Vault agent injector to the infrastructure cluster.
helm install -n vault --create-namespace -f values-builtin.yaml vault .
The vault-0 Pod is expected to stay in an unready state after this step until the server has been initialized and unsealed.
Examples in this section use the jq tool to read specific fields from a JSON document.
jq is not installed by default in most Linux distributions, but it is available in their official repositories.
Check the jq download page for installation instructions.
Initialize Vault server
A single key share with a threshold of 1 is acceptable only for this development and testing setup; the command writes both the unseal key and the root token to cluster-keys.json.
kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
Unseal Vault server
VAULT_UNSEAL_KEY=$(jq -r '.unseal_keys_b64[0]' cluster-keys.json)
kubectl exec -n vault vault-0 -- vault operator unseal "$VAULT_UNSEAL_KEY"
The vault-0 Pod should become ready once the unseal operation completes.
Keep the cluster-keys.json file: Vault starts sealed whenever the vault-0 Pod restarts, so you will need the unseal key again. The file also contains the root token, so restrict its permissions (for example chmod 600 cluster-keys.json) and never commit it to version control.
Read the root token from the same file:
jq -r '.root_token' cluster-keys.json
Log in inside the vault-0 Pod using the root token from the previous step:
kubectl exec -ti -n vault vault-0 -- /bin/sh
vault login <token>
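The initialize, unseal and login steps above, plus the "unseal again after a Pod restart" case, collected into one script. This is an added example and is not part of the universe-vault chart or of Vault itself. It assumes the kubectl context points at the infrastructure cluster, the release is in namespace vault, the server Pod is vault-0 and the init output is kept in ./cluster-keys.json; the NAMESPACE, POD and KEYS_FILE variables, the vault_exec and vault_action helpers and the SAMPLE_FRESH_STATUS value are all constructed for this example.

```bash
#!/usr/bin/env bash
# Bootstrap helper for the built-in Vault server (added example; not part of
# the universe-vault chart or of Vault). Assumes the kubectl context points at
# the infrastructure cluster, the release lives in namespace "vault", the
# server Pod is vault-0 and the init output is kept in ./cluster-keys.json,
# as in the steps above. Invoke with the argument "run" to act on the cluster.

NAMESPACE="${NAMESPACE:-vault}"
POD="${POD:-vault-0}"
KEYS_FILE="${KEYS_FILE:-cluster-keys.json}"

# Run a vault CLI command inside the server Pod.
vault_exec() {
  kubectl exec -n "$NAMESPACE" "$POD" -- vault "$@"
}

# Pick the next step from the JSON printed by `vault status -format=json`.
# Prints one of: init, unseal, ready. Matches the raw text with grep so the
# decision can be exercised without a cluster (and without jq).
vault_action() {
  local status="$1"
  if printf '%s' "$status" | grep -Eq '"initialized":[[:space:]]*false'; then
    echo init
  elif printf '%s' "$status" | grep -Eq '"sealed":[[:space:]]*true'; then
    echo unseal
  else
    echo ready
  fi
}

# Constructed sample of what `vault status -format=json` prints for a fresh,
# never-initialized server (other fields omitted).
SAMPLE_FRESH_STATUS='{"type": "shamir", "initialized": false, "sealed": true}'

# Read the first unseal key / the root token from the saved init output.
unseal_key() { jq -r '.unseal_keys_b64[0]' "$KEYS_FILE"; }
root_token() { jq -r '.root_token' "$KEYS_FILE"; }

main() {
  # `vault status` exits 2 while the server is sealed, so do not let that
  # abort the script; only its output is needed here.
  local status
  status="$(vault_exec status -format=json || true)"

  case "$(vault_action "$status")" in
    init)
      # Single share, threshold 1: matches the development-only setup above.
      # umask 077 makes the keys file owner-readable only; it holds the unseal
      # key and the root token.
      ( umask 077 && vault_exec operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE" )
      vault_exec operator unseal "$(unseal_key)" > /dev/null
      ;;
    unseal)
      # Pod restarted: Vault comes back sealed and needs the saved key again.
      [ -r "$KEYS_FILE" ] || { echo "cannot unseal: $KEYS_FILE not found" >&2; exit 1; }
      vault_exec operator unseal "$(unseal_key)" > /dev/null
      ;;
    ready)
      echo "vault is already initialized and unsealed"
      ;;
  esac

  # Log in inside the Pod. `vault login -` reads the token from stdin and
  # -no-print keeps it out of the terminal and of the process list.
  root_token | kubectl exec -i -n "$NAMESPACE" "$POD" -- vault login -no-print -
}

case "${1:-}" in
  run) main ;;
esac
```

Run it as ./vault-bootstrap.sh run after every Pod restart as well as for the first bootstrap: on a fresh server it initializes and unseals, on a restarted server it only unseals, and in both cases it finishes with the root-token login without placing the token on a command line.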