Getting Started
In this tutorial, we will deploy Vault on an LXD cloud.
Pre-requisites
An Ubuntu 22.04 machine with the following requirements:
- An x86_64 CPU
- 8GB of RAM
- 20GB of free disk space
1. Install LXD
sudo snap install lxd
2. Bootstrap a Juju controller
Bootstrap a LXD Juju controller:
juju bootstrap localhost localhost
3. Deploy Vault
Create a Juju model named demo:
juju add-model demo
Deploy the Vault operator:
juju deploy vault --channel=1.15/beta
Deploying Vault takes several minutes. Wait for the unit to reach the blocked/idle state with the message "Waiting for Vault to be initialized":
$ juju status
Model Controller Cloud/Region Version SLA Timestamp
demo localhost-localhost localhost/localhost 3.4.0 unsupported 11:41:15-04:00
App Version Status Scale Charm Channel Rev Exposed Message
vault blocked 1 vault 1.15/beta 257 no Waiting for Vault to be initialized
Unit Workload Agent Machine Public address Ports Message
vault/0* blocked idle 0 10.191.126.116 Waiting for Vault to be initialized
Machine State Address Inst id Base AZ Message
0 started 10.191.126.116 juju-b8368f-0 ubuntu@22.04 Running
4. Set up the Vault CLI
To communicate with Vault via CLI, we need to install the Vault CLI client and set the following environment variables:
- VAULT_ADDR
- VAULT_TOKEN
- VAULT_CAPATH
Install the Vault client and yq:
sudo snap install vault
sudo snap install yq
Set the VAULT_ADDR environment variable:
export VAULT_ADDR=https://$(juju status vault/leader --format=yaml | awk '/public-address/ { print $2 }'):8200; echo $VAULT_ADDR
Extract Vault's CA certificate and store it in a vault.pem file:
cert_juju_secret_id=$(juju secrets --format=yaml | yq 'to_entries | .[] | select(.value.label == "self-signed-vault-ca-certificate") | .key'); echo $cert_juju_secret_id
juju show-secret ${cert_juju_secret_id} --reveal --format=yaml | yq '.[].content.certificate' > vault.pem
This puts the CA certificate in a file called vault.pem. Now point the vault client at this file by setting the VAULT_CAPATH variable:
export VAULT_CAPATH=$(pwd)/vault.pem; echo $VAULT_CAPATH
Validate that Vault is accessible and up and running:
vault status
You should see output similar to the following (Initialized false and Sealed true are expected at this point):
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.15.4
Build Date n/a
Storage Type raft
HA Enabled true
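Before moving on to initialisation, it is worth confirming that the three variables point at what you think they do and reading the status table rather than eyeballing it. The script below is an added example, not part of the Vault charm tutorial: check_vault_env verifies that VAULT_ADDR is an https URL and that VAULT_CAPATH is a readable PEM certificate, and vault_next_action reads the table that vault status prints and says whether the next step is to initialise, unseal, or nothing. The certificate body and the status table inside the script are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Vault charm tutorial: sanity-check the CLI
# environment from step 4, then read the table that `vault status` prints and
# say which step comes next. The certificate and status text below are
# constructed sample data, not output captured from a real deployment.

# check_vault_env ADDR CAPATH: prints "ok", or a reason and returns 1.
# The address must be https (the charm serves TLS with the self-signed CA
# extracted above) and the CA path must point at a readable PEM certificate.
check_vault_env() {
    addr="$1"
    capath="$2"
    case "$addr" in
        https://*) ;;
        *) echo "VAULT_ADDR must be an https URL, got: $addr"; return 1 ;;
    esac
    if [ ! -r "$capath" ]; then
        echo "VAULT_CAPATH is not a readable file: $capath"
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$capath"; then
        echo "VAULT_CAPATH does not contain a PEM certificate: $capath"
        return 1
    fi
    echo ok
}

# vault_next_action: reads `vault status` output on stdin and prints
# initialize | unseal | ready | unknown, keyed on the Initialized and Sealed rows.
vault_next_action() {
    awk '
        $1 == "Initialized" { init = $2 }
        $1 == "Sealed"      { sealed = $2 }
        END {
            if (init == "false")                          print "initialize"
            else if (init == "true" && sealed == "true")  print "unseal"
            else if (init == "true" && sealed == "false") print "ready"
            else                                          print "unknown"
        }'
}

# Constructed sample: a PEM file with a placeholder body, and the status table
# the tutorial shows for a freshly deployed, uninitialised Vault.
SAMPLE_CA=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
    '-----END CERTIFICATE-----' > "$SAMPLE_CA"

SAMPLE_STATUS='Key             Value
---             -----
Seal Type       shamir
Initialized     false
Sealed          true
Total Shares    0
Threshold       0
Unseal Progress 0/0
Unseal Nonce    n/a
Version         1.15.4
Build Date      n/a
Storage Type    raft
HA Enabled      true'

# Demo run against the sample data. Against a live deployment you would pass
# "$VAULT_ADDR" "$VAULT_CAPATH" and pipe in the real `vault status` output.
check_vault_env "https://10.191.126.116:8200" "$SAMPLE_CA"
printf '%s\n' "$SAMPLE_STATUS" | vault_next_action
```

On a live deployment, `vault status | vault_next_action` prints initialize for the table shown above. Note that vault status itself also signals state through its exit code (0 when unsealed, 2 when sealed, 1 on a connection or TLS error), so a non-zero exit at this stage is expected and is not by itself a sign that the CA setup is wrong; a TLS error (exit 1) is.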
5. Initialise and unseal Vault
Initialise Vault:
$ vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=
Initial Root Token: hvs.0d26h3eSnlZzpUoVu49Sj64V
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 1 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Set the VAULT_TOKEN variable using the root token:
export VAULT_TOKEN=hvs.0d26h3eSnlZzpUoVu49Sj64V
Unseal Vault using the unseal key:
vault operator unseal NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=
6. Authorise the Vault charm
Create a token:
$ vault token create -ttl=10m
Key Value
--- -----
token hvs.M9vfjsKfv1zOgU6QTuFJblwP
token_accessor ctfCqC3MX8vGH9G7Z3URgWsR
token_duration 10m
token_renewable true
token_policies ["root"]
identity_policies []
policies ["root"]
Add the token as a Juju user secret:
juju add-secret one-time-token token=hvs.M9vfjsKfv1zOgU6QTuFJblwP
Grant this secret to the charm:
juju grant-secret one-time-token vault
Authorise the charm to interact with Vault using the token value from the secret:
juju run vault/leader authorize-charm secret-id="cq3rldnmp25c7bvnhim0"
You may now remove the secret:
juju remove-secret secret:cq3rldnmp25c7bvnhim0
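The token created in this step carries the root policy, which is why it gets a 10-minute TTL and why the secret is removed as soon as the charm has consumed it. The script below is an added example, not part of the Vault charm tutorial, that runs the whole step without the token ever being pasted by hand. It assumes the juju and vault CLIs used throughout the tutorial are on PATH with VAULT_ADDR, VAULT_TOKEN and VAULT_CAPATH exported, and that juju add-secret prints the new secret's URI (secret:<id>) on stdout; the helper names secret_id_from_uri and authorize_vault_charm are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Vault charm tutorial: step 6 as one script, so
# the short-lived root token never has to be copied by hand. Assumes the juju
# and vault CLIs are on PATH with VAULT_ADDR, VAULT_TOKEN and VAULT_CAPATH
# exported (steps 4 and 5), and that `juju add-secret` prints the new secret's
# URI ("secret:<id>") on stdout.

# secret_id_from_uri URI: strips the "secret:" scheme, because authorize-charm
# takes the bare id while remove-secret takes the full URI (as in the tutorial).
# Prints nothing for input that is not a secret URI.
secret_id_from_uri() {
    printf '%s\n' "$1" | sed -n 's/^secret:\([a-z0-9]*\)$/\1/p'
}

# authorize_vault_charm [APP]: create a 10-minute token, hand it to the charm
# through a Juju user secret, then remove the secret. The token itself expires
# on its own after the TTL, matching the tutorial's -ttl=10m.
authorize_vault_charm() {
    app="${1:-vault}"
    # -field=token prints only the token value instead of the Key/Value table.
    token=$(vault token create -ttl=10m -field=token) || return 1
    uri=$(juju add-secret one-time-token token="$token") || return 1
    id=$(secret_id_from_uri "$uri")
    if [ -z "$id" ]; then
        echo "unexpected output from juju add-secret: $uri" >&2
        return 1
    fi
    juju grant-secret one-time-token "$app" || return 1
    juju run "$app/leader" authorize-charm secret-id="$id" || return 1
    juju remove-secret "$uri"
}

# Usage against a live model (not run here): authorize_vault_charm vault
```

The secret removal is the last step on purpose: if the action fails, the secret is left in place so you can inspect it with juju show-secret before cleaning up, and the token still expires after ten minutes regardless.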
7. Create a key-value type secret
Enable the kv secrets engine:
vault secrets enable -version=2 kv
Create a secret under the kv/mypasswords path with these attributes:
- key: bob
- value: 1jioaf123901jdeja
vault kv put kv/mypasswords bob=1jioaf123901jdeja
Good job, you created your first secret!
You can now retrieve it:
vault kv get kv/mypasswords
And delete it:
vault kv delete kv/mypasswords
8. Destroy the environment
Destroy the Juju controller and its models:
juju kill-controller localhost-localhost
Uninstall all the installed packages:
sudo snap remove juju --purge
sudo snap remove yq --purge
sudo snap remove vault --purge