Tutorial: Getting started with Vault-K8s

charm
1

Getting Started

In this tutorial, we will deploy Vault on Kubernetes and use it to store a very important secret.

Pre-requisites

A Ubuntu 22.04 machine with the following requirements:

  • A x86_64 CPU
  • 8GB of RAM
  • 20GB of free disk space

1. Install MicroK8s

sudo snap install microk8s --channel=1.29-strict/stable

Enable the storage and dns add-ons:

sudo microk8s enable hostpath-storage
sudo microk8s enable dns

2. Bootstrap a Juju controller

From your terminal, install Juju:

sudo snap install juju --channel=3.4/stable

Bootstrap a Juju controller:

juju bootstrap microk8s

3. Deploy Vault

Create a Juju model named demo:

juju add-model demo

Deploy the Vault K8s operator:

juju deploy vault-k8s vault --channel=1.16/edge

Deploying Vault will take several minutes, wait for the unit to be in the blocked/idle state, awaiting initialisation.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.0    unsupported  12:31:45-04:00

App    Version  Status   Scale  Charm      Channel    Rev  Address         Exposed  Message
vault                    waiting      1  vault-k8s  1.15/beta  198  10.152.183.204  no       installing agent

Unit      Workload  Agent  Address      Ports  Message
vault/0*  blocked   idle   10.1.182.56         Please initialize Vault

4. Set up the Vault CLI

To communicate with Vault via CLI, we need to install the Vault CLI client and set the following environment variables:

  • VAULT_ADDR
  • VAULT_TOKEN
  • VAULT_CAPATH

Install the Vault client and yq:

sudo snap install vault
sudo snap install yq

Set the VAULT_ADDR environment variable:

export VAULT_ADDR=https://$(juju status vault/leader --format=yaml | yq '.applications.vault.address'):8200; echo $VAULT_ADDR

Extract and store Vault’s CA certificate to a vault.pem file:

cert_juju_secret_id=$(juju secrets --format=yaml | yq 'to_entries | .[] | select(.value.label == "self-signed-vault-ca-certificate") | .key'); echo $cert_juju_secret_id
juju show-secret ${cert_juju_secret_id} --reveal --format=yaml | yq '.[].content.certificate' > vault.pem

This will put the CA certificate in a file called vault.pem. Now, you can point the vault client to this file by setting the VAULT_CAPATH variable.

export VAULT_CAPATH=$(pwd)/vault.pem; echo $VAULT_CAPATH

Validate that Vault is accessible and up and running:

vault status

You should expect the following output.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.15.6
Build Date         n/a
Storage Type       raft
HA Enabled         true

5. Initialise and unseal Vault

Initialise Vault:

$ vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=

Initial Root Token: hvs.0d26h3eSnlZzpUoVu49Sj64V

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 1 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Set the VAULT_TOKEN variable using the root token:

export VAULT_TOKEN=hvs.0d26h3eSnlZzpUoVu49Sj64V

Unseal Vault using the unseal key:

vault operator unseal NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=

6. Authorise the Vault charm

Create a token:

$vault token create -ttl=10m
Key                  Value
---                  -----
token                hvs.M9vfjsKfv1zOgU6QTuFJblwP
token_accessor       ctfCqC3MX8vGH9G7Z3URgWsR
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Add the token as a juju user secret

juju add-secret one-time-token token=hvs.0d26h3eSnlZzpUoVu49Sj64V

Grant this secret to the charm

juju grant-secret one-time-token vault

Authorise the charm to interact with Vault using the token value from the secret:

juju run vault/leader authorize-charm secret-id="cq3rldnmp25c7bvnhim0"

You may now remove the secret

juju remove-secret one-time-token

7. Create a key-value type secret

Enable the kv secret engine:

vault secrets enable -version=2 kv

Create a secret under the kv/mypasswords path with these attributes:

  • key: bob
  • value: 1jioaf123901jdeja
vault kv put kv/mypasswords bob=1jioaf123901jdeja

Good job, you created your first secret!

You can now retrieve it:

vault kv get kv/mypasswords

And delete it:

vault kv delete kv/mypasswords

8. Destroy the environment

Destroy the Juju controller and its models:

juju kill-controller microk8s-localhost

Uninstall all the installed packages:

sudo snap remove juju --purge
sudo snap remove yq --purge
sudo snap remove vault --purge