NavigationContentFooter
Jump toSuggest an edit

Deploy HashiCorp Vault on Scaleway Kubernetes clusters using Easy Deploy

Reviewed on 13 June 2024Published on 13 June 2024
  • hashicorp
  • vault
  • kubernetes
  • k8s
  • easy
  • deploy

HashiCorp Vault is an identity-based secrets and encryption management system. It provides encryption services that are gated by authentication and authorization methods to ensure secure, auditable and restricted access to secrets. Vault is used to secure, store and protect secrets and other sensitive data using a UI, CLI, or HTTP API.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • A valid API key
  • Created a Scaleway Kubernetes Kapsule or Kosmos cluster

Deploying the Vault application using Easy Deploy

  1. In the Scaleway console, navigate to the Kubernetes section under Containers.
  2. Click the name of the cluster where you wish to deploy Grafana. The Cluster Information tab will display.
  3. Click the Easy Deploy tab. The application dashboard displays.
  4. Click Deploy Application. The application deployment wizard displays.
  5. Choose Application Library to see the list of available applications.
  6. Select the Vault application.
    Tip

    If you cannot find Vault on the first page, use the search bar or navigate through the library.

  7. Optionally, customize the default configuration for Vault using Helm Charts. If you do not need any customized configuration you can skip this step.
  8. Enter a name and a Kubernetes namespace for your application. If no name is entered, Grafana will be installed in the default namespace of the cluster.
  9. Click Deploy Application to deploy Grafana on your Kubernetes cluster.

Initializing and unsealing Vault

  1. Check the status of your Vault using the kubectl command.

    kubectl get pods -l app.kubernetes.io/name=vault
    Tip

    If you choose another name for your Vault application ensure to replace the application name with the corresponding value.

  2. Initialize Vault. Replace vault-0 with the name of your application. If your application is called vault-application the value will be vault-application-0.

    kubectl exec -it vault-0 -- vault operator init
    Important

    Save the unseal keys and the initial root token provided by the command.

  3. Unseal Vault using three unseal keys retrieved in the previous step:

    kubectl exec -it vault-0 -- vault operator unseal <unseal-key-1>
    kubectl exec -it vault-0 -- vault operator unseal <unseal-key-2>
    kubectl exec -it vault-0 -- vault operator unseal <unseal-key-3>
  4. Login to Vault using the initial root token generated in step two:

    kubectl exec -it vault-0 -- vault login <initial-root-token>
  5. Enable the KV secrets engine at secret/:

    kubectl exec -it vault-0 -- vault secrets enable -path=secret kv-v2

Configure Vault for Kubernetes authentication

  1. Enable Kubernetes authentication:

    kubectl exec -it vault-0 -- vault auth enable kubernetes
  2. Enter the Vault shell:

    kubectl exec -it vault-0 -- sh
  3. Paste the following configuration to configure Vault with the Kubernetes API:

    vault write auth/kubernetes/config \
    kubernetes_host="https://<KUBERNETES_PORT_443_TCP_ADDR>:443" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_ca_cert="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
    exit

    Replace <KUBERNETES_PORT_443_TCP_ADDR> with the IP address of your Vault pod. You can retrieve it using the kubectl get svc command. The pod name corresponds to your application name (e.g. if your application is called vault-application, the pod name will be application-vault).

  4. Enter the Vault shell:

    kubectl exec -it vault-0 -- sh
  5. Paste the following configuration to create a policy:

    vault policy write myapp-kv-ro -<<EOF
    path "secret/data/myapp/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
    }
    EOF
    exit
  6. Enter the Vault shell:

    kubectl exec -it vault-0 -- sh
  7. Paste the following configuration to create a role:

    vault write auth/kubernetes/role/myapp \
    bound_service_account_names=myapp-sa \
    bound_service_account_namespaces=default \
    policies=myapp-kv-ro \
    ttl=24h
    exit

Storing and retrieving secrets

  1. Enter the Vault shell:

    kubectl exec -it vault-0 -- sh
  2. Store a secret in Vault:

    vault kv put secret/myapp/config username='myuser' password='mypassword'
    exit
  3. Deploy an application with a service account that has access to the secrets stored in Vault.

    • Create a service account:

      kubectl create serviceaccount myapp-sa
    • Deploy your application:

      apiVersion: apps/v1
      kind: Deployment
      metadata:
      name: myapp
      spec:
      replicas: 1
      selector:
      matchLabels:
      app: myapp
      template:
      metadata:
      labels:
      app: myapp
      spec:
      serviceAccountName: myapp-sa
      containers:
      - name: myapp
      image: your-application-image
      env:
      - name: VAULT_ADDR
      value: "http://vault.default.svc.cluster.local:8200"
      - name: VAULT_TOKEN
      valueFrom:
      secretKeyRef:
      name: myapp-sa-token
      key: token
  4. Use a Vault client to retrieve the secrets within your application:

    import hvac
    client = hvac.Client(url='http://vault.default.svc.cluster.local:8200')
    client.token = os.getenv('VAULT_TOKEN')
    secret = client.secrets.kv.v2.read_secret_version(path='myapp/config')
    username = secret['data']['data']['username']
    password = secret['data']['data']['password']

By following these steps, you have been able to set up Vault on Kubernetes in a Private Network, store secret information, and securely retrieve it in your applications. For more information, refer to the official Vault documentation

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway