Use Vault behind an Ingress
It is recommended to run Vault behind an ingress. This guide lists the steps needed to achieve this using the Traefik-K8s operator.
Pre-requisites
- Vault-K8s deployed on a Juju model
Steps
Deploy Traefik
juju deploy traefik-k8s --channel edge --trust
Deploy Self Signed Certificates Operator
juju deploy self-signed-certificates --channel beta
Integrate Traefik with Self-Signed-Certificates Operator
juju integrate self-signed-certificates:certificates traefik-k8s:certificates
Integrate Vault with Traefik
juju integrate vault-k8s:send-ca-cert traefik-k8s:receive-ca-cert
juju integrate vault-k8s:ingress traefik-k8s:ingress
Get the Vault URL
Run the show-proxied-endpoints action on Traefik.
juju run traefik-k8s/0 show-proxied-endpoints
# Sample Action Output
Running operation 1 with 1 task
- task 2 on unit-traefik-k8s-0
Waiting for task 2...
proxied-endpoints: '{"vault-k8s": {"url": "https://10.0.0.5/vault-vault-k8s"}}'
You should now be able to access Vault using the URL in the action output.
Retrieve the Juju secrets list:
user@ubuntu:~$ juju secrets --format=yaml
ck0i0h3q457c7bgte4kg:
revision: 1
owner: vault-k8s
label: vault-ca-certificate
created: 2023-09-13T02:36:57Z
updated: 2023-09-13T02:36:57Z
ck0i0krq457c7bgte4l0:
revision: 1
owner: vault-k8s
label: vault-initialization
created: 2023-09-13T02:37:10Z
updated: 2023-09-13T02:37:10Z
cks0s1c24l7c77v23p80:
revision: 1
expires: 2024-09-13T02:36:10Z
owner: self-signed-certificates
label: ca-certificates
created: 2023-09-13T02:36:57Z
updated: 2023-09-13T02:36:57Z
Read the vault-initialization secret content:
user@ubuntu:~$ juju show-secret ck0i0krq457c7bgte4l0 --reveal
ck0i0krq457c7bgte4l0:
revision: 1
owner: vault-k8s
created: 2023-08-28T13:33:54Z
updated: 2023-08-28T13:33:54Z
content:
roottoken: hvs.Z3CuzSQno3XMuUgUcm1CmjQK
unsealkeys: '["11bd448ccfec24db29ed5c14fdfe3d169589f5c5c6b57870e31d738aec623856"]'
Set the Vault token for use in the client:
export VAULT_TOKEN=hvs.Z3CuzSQno3XMuUgUcm1CmjQK
Read the Self Signed Certificates operator's ca-certificates secret content:
user@ubuntu:~$ juju show-secret cks0s1c24l7c77v23p80 --reveal
cks0s1c24l7c77v23p80:
revision: 1
owner: self-signed-certificates
label: ca-certificates
created: 2023-09-13T02:36:57Z
updated: 2023-09-13T02:36:57Z
content:
ca-certificate: |
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
privatekey: |
[...]
Copy the CA certificate content into a file and set the VAULT_CAPATH environment variable to reference this file:
export VAULT_CAPATH=/path/to/vault_ca.pem
Set the VAULT_ADDR environment variable to the Vault URL retrieved through the show-proxied-endpoints action. In our example, the Vault address is "https://10.0.0.5/vault-vault-k8s":
export VAULT_ADDR="https://10.0.0.5/vault-vault-k8s"
You can now run Vault CLI commands against the Vault unit:
vault status
vault operator raft list-peers
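The client-side part of the procedure above (getting the URL out of the action output, pulling the CA certificate and root token out of the two Juju secrets, and exporting the Vault client variables) is easy to get subtly wrong by hand: the certificate must be de-indented to be a valid PEM file, the private key sitting right below it in the same secret must not end up in the CA file, and the root token should not be pasted into a shell history. The following script is an added example, not code from the Vault-K8s or Traefik-K8s projects: it works on constructed sample outputs that mirror the shapes shown in this guide (placeholder token, key and certificate bodies; the secret IDs are the ones shown above) and derives the settings with POSIX sed only. It sets VAULT_CACERT, the Vault CLI variable for a single PEM file, whereas VAULT_CAPATH is documented for a directory of PEM files; the function names and the VAULT_INGRESS_CA_FILE path are this example's own.

```shell
#!/bin/sh
# Added example: derive the Vault client settings from the outputs of
# `juju run traefik-k8s/0 show-proxied-endpoints` and `juju show-secret --reveal`.
# All sample texts below are constructed; they are not captured from a real model.

# Constructed sample of the show-proxied-endpoints action output.
SAMPLE_ACTION_OUTPUT=$(cat <<'EOF'
Running operation 1 with 1 task
  - task 2 on unit-traefik-k8s-0
Waiting for task 2...
proxied-endpoints: '{"vault-k8s": {"url": "https://10.0.0.5/vault-vault-k8s"}}'
EOF
)

# Constructed sample of the self-signed-certificates "ca-certificates" secret.
# The private key is present on purpose so the extractor can be shown to skip it.
SAMPLE_CA_SECRET=$(cat <<'EOF'
cks0s1c24l7c77v23p80:
  revision: 1
  owner: self-signed-certificates
  label: ca-certificates
  content:
    ca-certificate: |
      -----BEGIN CERTIFICATE-----
      PLACEHOLDERCERTLINE1
      PLACEHOLDERCERTLINE2
      -----END CERTIFICATE-----
    privatekey: |
      -----BEGIN RSA PRIVATE KEY-----
      PLACEHOLDERKEY
      -----END RSA PRIVATE KEY-----
EOF
)

# Constructed sample of the vault-initialization secret (placeholder values).
SAMPLE_INIT_SECRET=$(cat <<'EOF'
ck0i0krq457c7bgte4l0:
  revision: 1
  owner: vault-k8s
  content:
    roottoken: hvs.PLACEHOLDERROOTTOKEN
    unsealkeys: '["PLACEHOLDERUNSEALKEY"]'
EOF
)

# Extract the vault-k8s URL from the proxied-endpoints line of the action output.
vault_url_from_action() {
    printf '%s\n' "$1" | sed -n 's/.*"vault-k8s": *{"url": *"\([^"]*\)".*/\1/p'
}

# Keep only the CERTIFICATE block (the PRIVATE KEY block is never matched) and
# strip the YAML indentation so the result is a valid PEM body.
ca_pem_from_secret() {
    printf '%s\n' "$1" \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      | sed 's/^[[:space:]]*//'
}

# Read only the roottoken field; the unseal keys are deliberately left alone.
root_token_from_secret() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*roottoken:[[:space:]]*//p'
}

# Write the PEM to a file readable only by the current user and echo its path.
write_ca_file() {
    ( umask 077; printf '%s\n' "$1" > "$2" )
    printf '%s\n' "$2"
}

# Print the export lines for the Vault CLI; consume them with eval so the
# token never has to be typed on the command line.
vault_env_exports() {
    printf 'export VAULT_ADDR=%s\n' "$1"
    printf 'export VAULT_CACERT=%s\n' "$2"
    printf 'export VAULT_TOKEN=%s\n' "$3"
}

# Stand-alone demonstration on the constructed samples.
demo() {
    url=$(vault_url_from_action "$SAMPLE_ACTION_OUTPUT")
    ca_file=$(write_ca_file "$(ca_pem_from_secret "$SAMPLE_CA_SECRET")" \
                            "$(mktemp "${TMPDIR:-/tmp}/vault_ca.XXXXXX")")
    token=$(root_token_from_secret "$SAMPLE_INIT_SECRET")
    vault_env_exports "$url" "$ca_file" "$token"
}
demo
```

Against a real model, replace the three SAMPLE_* variables with the actual command outputs (for example `SAMPLE_CA_SECRET=$(juju show-secret cks0s1c24l7c77v23p80 --reveal)`) and run `eval "$(demo)"` in the shell from which you will call `vault status`; the CA file is created with mode 0600 and contains only the certificate, and the unseal keys never leave the Juju secret.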