Introduction
Securely storing and tightly controlling access to tokens, passwords, certificates, API keys, and other secrets is critical in modern computing. Hashicorp Vault addresses the challenge of safely storing all of your application secrets, so you no longer have to worry about how to access, share, and use them.
In this article, we examine how to install Vault on a running Kubernetes cluster, and how to save and read secrets from our application. We will be using Vault v1.1.1 with dynamic secrets, meaning that each pod gets a different secret and that each secret expires once the pod is killed.
Prerequisites for Working with Hashicorp Vault and Kubernetes
Before you start, you will need:
- Hashicorp Consul
- Hashicorp Vault client binaries
- Minikube or any running cluster
You can find the files used in the article here in this repo.
Preparing the Cluster
Let’s start minikube with minikube start and validate that we can reach our cluster with kubectl get nodes. The dashboard also comes in handy; you can open it with minikube dashboard.
Creating Certificates for Hashicorp Consul and Vault
Hashicorp Vault needs a storage backend for its data. This backend can be Hashicorp Consul, etcd, PostgreSQL, or one of many others. So, the first thing we are going to do is create certificates for Consul and Vault so that they can talk to each other over TLS.
Hashicorp Consul
The next step is to create an encryption key for the Hashicorp Consul cluster and to create all the Kubernetes resources associated with it.
Hashicorp Vault
Once we have Hashicorp Consul running, starting Vault should be straightforward. We need to create all the Kubernetes resources associated with it and then initialize and unseal Vault.
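The initialize-and-unseal step can be scripted against Vault's HTTP API instead of typing the vault CLI commands by hand. The script below is an added example, not code from the original post or its repo; it assumes VAULT_ADDR points at a Vault that is reachable from where you run it (for example through a kubectl port-forward to the pod) and that has not been initialized yet. The sys/init and sys/unseal paths are Vault's standard endpoints; the request helper is the only transport-specific part, so it can be swapped out for testing.

```python
"""Initialize and unseal a freshly deployed Vault over its HTTP API.

Added example, not code from the original post. Assumes VAULT_ADDR is
reachable and that Vault has not been initialized yet.
"""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")


def vault_request(method, path, body=None):
    """Send a JSON request to Vault and decode the JSON reply (real transport)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def init_vault(shares=5, threshold=3, request=vault_request):
    """PUT sys/init: returns the Shamir key shares and the initial root token.
    Hand the shares to separate custodians; never store them next to the pod."""
    return request("PUT", "sys/init",
                   {"secret_shares": shares, "secret_threshold": threshold})


def unseal_vault(keys_base64, request=vault_request):
    """Submit shares to PUT sys/unseal one at a time until the reply reports
    sealed=false. Returns how many shares were actually needed (the threshold),
    so unused shares are never sent over the wire."""
    status = {}
    used = 0
    for key in keys_base64:
        status = request("PUT", "sys/unseal", {"key": key})
        used += 1
        if not status["sealed"]:
            return used
    raise RuntimeError(f"still sealed after {used} shares; "
                       f"progress {status.get('progress')}/{status.get('t')}")


if __name__ == "__main__":
    init = init_vault()
    print("root token issued; unseal shares:", len(init["keys_base64"]))
    print("shares needed:", unseal_vault(init["keys_base64"]))
```

The root token returned by sys/init should be revoked or rotated once you have created proper policies and auth methods; it is only meant for bootstrapping.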
Closing Notes
As you can see, it takes a while to configure a Vault server, but I really like the pattern it provides for the apps using it. In the next post, we will examine how to unseal Vault automatically with Kubernetes and mount secrets automatically into our pods so that our applications can use them. This post was heavily inspired by this one and this one, and was originally posted here.
The next article in this series is Using Hashicorp Vault on Kubernetes. Check it out here.
Errata
If you spot any error or have any suggestions, please send us a message so it can be fixed.
You can also check the source code, and the changes to the generated code and the sources, here.
Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with Kubernetes, cloud security, cloud infrastructure, and CI/CD pipelines. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and read more about our DevOps-as-a-Service offering.