HashiCorp Vault
In this blog post we'll dive into HashiCorp Vault. Vault is a secrets-management server with an HTTP API and CLI for securely storing, accessing and managing secrets.
I'll show you how to easily self-host your own Vault instance. I'll also detail several integrations I've done with Vault in the past.
If you're looking for a managed solution, you can use HashiCorp's own managed offering, HCP Vault, or a cloud-native alternative such as AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager.
Setup
I'll be using the official container image. The commands below assume a container named vault when run with Docker, and a pod named vault in the vault namespace when run on Kubernetes.
Configuration
A full list of configuration options can be found in the official documentation.
I will share a minimal example below that should work with our example setups. Feel free to modify it to your needs.
ui = true
# Single node: advertise the local listener. Set this to the address clients
# will actually use to reach Vault when it runs in a container or cluster.
api_addr = "http://127.0.0.1:8200"
# Local testing only: with mlock disabled, key material can be swapped to disk.
# In a container, grant IPC_LOCK to the process instead and keep mlock enabled.
disable_mlock = true
storage "file" {
  path = "/vault/data" # Single-node only; the file backend does not support HA
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = true # Disable TLS for local testing only, never in production
}

Initialize, Unseal & Access Vault
Once the Vault instance is running you'll want to initialize, unseal & access it. Depending on how you run it, use the Docker or the Kubernetes variant of each command:

Docker:
sudo docker exec -it vault vault operator init
Kubernetes:
kubectl exec -it vault -n vault -- vault operator init

IMPORTANT
By default this generates five unseal keys (Shamir key shares, any three of which are needed to unseal) and a root token. Initialization happens exactly once per storage backend and the keys are never shown again, so store them offline, ideally with each share held by a different person, and keep the root token out of shell history and logs.

Run the unseal command three times, each time with a different key:

Docker:
sudo docker exec -it vault vault operator unseal <your-unseal-key>
Kubernetes:
kubectl exec -it vault -n vault -- vault operator unseal <your-unseal-key>

We can now use the root token to log in:

Docker:
sudo docker exec -it vault vault login <your-root-token>
Kubernetes:
kubectl exec -it vault -n vault -- vault login <your-root-token>

Note that vault login caches the token in the container's home directory (~/.vault-token by default). The root token bypasses all policies, so once you have configured another auth method and policies, revoke it rather than using it for day-to-day work.

TODO
- figure out storage options
- multi instance vault deployment: Check if this can be useful for HA.
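The same initialize, unseal and login steps over Vault's HTTP API, as an added example (this is not code from the original post or from HashiCorp). It assumes the listener from the config above (http://127.0.0.1:8200, TLS disabled for local testing), uses only the Python standard library, and takes the HTTP transport as a parameter so the flow can be exercised against a stand-in. The endpoints are the documented ones behind the CLI commands: /v1/sys/seal-status, /v1/sys/init, /v1/sys/unseal and /v1/auth/token/lookup-self.

```python
"""Initialize, unseal and verify a fresh Vault over its HTTP API.

Added example, not code from the original post. Assumes the listener from the
config above (http://127.0.0.1:8200, TLS disabled for local testing). Uses only
the standard library; the HTTP transport is a parameter so the same flow can be
exercised against a stand-in without a live Vault.
"""
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: matches api_addr in the config above


def http_json(method, path, body=None, token=None, addr=VAULT_ADDR):
    """Send one request to the Vault API and return the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # Vault reads the token from this header
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:  # Vault returns {"errors": [...]} on 4xx/5xx
        raise RuntimeError(f"{method} {path}: HTTP {err.code} {err.read().decode()}") from err
    return json.loads(raw) if raw else {}


def seal_status(transport=http_json):
    """GET /v1/sys/seal-status: initialized, sealed, threshold t, shares n, progress."""
    return transport("GET", "/v1/sys/seal-status")


def initialize(shares=5, threshold=3, transport=http_json):
    """PUT /v1/sys/init (defaults match `vault operator init`: 5 shares, 3 needed).

    Returns keys_base64 and root_token. Refuses to run against an initialized
    Vault: init is a one-time operation and Vault would reject it anyway.
    """
    if seal_status(transport)["initialized"]:
        raise RuntimeError("Vault is already initialized; use the saved unseal keys")
    return transport("PUT", "/v1/sys/init",
                     {"secret_shares": shares, "secret_threshold": threshold})


def unseal(keys, transport=http_json):
    """PUT /v1/sys/unseal with distinct keys until sealed=false.

    Stops at the threshold so no more shares than necessary are handled, and
    skips duplicates, which Vault would not count twice. Returns (status, used).
    """
    status = seal_status(transport)
    used = 0
    for key in dict.fromkeys(keys):  # de-duplicate while keeping order
        if not status["sealed"]:
            break
        status = transport("PUT", "/v1/sys/unseal", {"key": key})
        used += 1
    if status["sealed"]:
        raise RuntimeError(
            f"still sealed after {used} key(s); {status['t']} distinct shares are required")
    return status, used


def lookup_self(token, transport=http_json):
    """GET /v1/auth/token/lookup-self: the API equivalent of `vault login` succeeding."""
    return transport("GET", "/v1/auth/token/lookup-self", None, token)["data"]


def bootstrap(transport=http_json):
    """Init, unseal and verify the root token on a brand-new instance."""
    init = initialize(transport=transport)
    status, used = unseal(init["keys_base64"], transport=transport)
    info = lookup_self(init["root_token"], transport=transport)
    return {"root_token": init["root_token"], "keys_base64": init["keys_base64"],
            "sealed": status["sealed"], "keys_used": used, "policies": info["policies"]}


if __name__ == "__main__":
    result = bootstrap()
    # The keys and root token are shown once: move them to offline storage and
    # revoke the root token after configuring another auth method.
    print(json.dumps(result, indent=2))
```

Run it once against the freshly started container; on a second run it stops before touching /v1/sys/init because the seal status already reports initialized. The unseal loop deliberately submits only as many distinct shares as the threshold requires and raises if the threshold is not met, so a key-holder can see exactly how many shares left their custody.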
Reference
- Official Documentation
- 3rd Party Step By Step Guide - Good for understanding the concepts.
Integration with External Secrets Operator
TODO: only the KV secrets engine is supported by the External Secrets Operator's Vault provider. This is enough for us. Create docs of our implementation.
