Deploying HashiCorp Vault in a validated pattern
Table of contents
- Deploying HashiCorp Vault in a validated pattern
- Prerequisites
- Setting up HashiCorp Vault
- Unseal
- What’s next?
Prerequisites
You have deployed/installed a validated pattern using the instructions provided for that pattern. This should include having logged into the cluster using `oc login` (or having set your `KUBECONFIG` environment variable) and having run `make install`.
Setting up HashiCorp Vault
Any validated pattern that uses HashiCorp Vault has already deployed Vault as part of the `make install`. To verify that Vault is installed, first check that the `vault` project exists, then select Workloads/Pods in the OpenShift console and confirm that the Vault pods are present.
Setting up HashiCorp Vault involves a number of different steps. First you must unseal the vault, and then you must create the secrets assets needed. Fortunately the validated patterns effort has automated this for you by providing a script.
From the shell where you ran `make install`, run:

```
make vault-init
```

The `Makefile` includes a call out to the script that does the unseal and sets up the secrets.
You can check that the secrets were set up by examining the Vault user interface. In order to do so you will need some data from the `common/pattern-vault.init` file generated by the `make vault-init` command.
```
~/g/multicloud-gitops on main ◦ cat common/pattern-vault.init
Unseal Key 1: jJvLf7Pv+BDo0d39ofvBu58srGpUrhVZbnzXXXXXXXXX
Unseal Key 2: XMQtBDB3WGdBnWFt3jIb8IZ8wyr4RxPM2oB7XXXXXXXX
Unseal Key 3: sStLSI0ejUAt4kno2ArPTN3kzwzqiBmYnhrXXXXXXXXX
Unseal Key 4: VdVkgdtuXKEqF4oNFg8dh2MkzXbs3ZJ68NzRXXXXXXXX
Unseal Key 5: gZ5afnmJu+24Ty+H6EP3gf257D9ZefrgJrYXXXXXXXXX

Initial Root Token: s.R3NG5LHipbabbleDummyhyKHq

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```
Copy the `Initial Root Token`. In the example above it is `s.R3NG5LHipbabbleDummyhyKHq`.
In the OpenShift console, under the `vault` project, navigate to Networking/Routes and click on the URL for `vault`.
On the Vault sign-in page, paste the token copied from the `common/pattern-vault.init` file.
After signing in you will see the secrets that have been created.
Unseal
If you don’t see the sign-in page but instead see an unseal page, something may have happened to the cluster (for example a restart of the Vault pod) and you need to unseal it again. Instead of `make vault-init`, run `make vault-unseal`.
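As an added example (not part of the validated patterns repository or its `Makefile` targets), the following shell functions show what the `vault-init` and `vault-unseal` steps above rely on: parsing the `pattern-vault.init` file written by `make vault-init`, and feeding a quorum of unseal keys to `vault operator unseal`. The file format is assumed to match the sample shown above; the sample file the script writes is constructed with placeholder keys, and the `vault_addr_from_route` helper assumes the `vault` route in the `vault` project, as described in the text.

```shell
# Added example, not the project's own script. Assumes the pattern-vault.init
# layout shown above ("Unseal Key N: ...", "Initial Root Token: ...",
# "... key shares and a key threshold of M.").

# Print the initial root token recorded in the init file.
root_token_from_init() {
  sed -n 's/^Initial Root Token: *//p' "$1"
}

# Print the unseal keys, one per line, in key order.
unseal_keys_from_init() {
  sed -n 's/^Unseal Key [0-9]*: *//p' "$1"
}

# Print the key threshold (how many shares are needed to unseal).
threshold_from_init() {
  sed -n 's/.*key threshold of \([0-9]*\).*/\1/p' "$1"
}

# Build VAULT_ADDR from the OpenShift route for vault in the vault project
# (assumption: the route is named "vault", as the text above describes).
vault_addr_from_route() {
  echo "https://$(oc get route vault -n vault -o jsonpath='{.spec.host}')"
}

# Submit exactly <threshold> key shares to `vault operator unseal`.
# Only a quorum is needed, so the remaining shares never leave the file.
# Requires VAULT_ADDR to be set, e.g. export VAULT_ADDR=$(vault_addr_from_route)
unseal_from_init() {
  file=$1
  n=$(threshold_from_init "$file")
  unseal_keys_from_init "$file" | head -n "$n" | while IFS= read -r key; do
    vault operator unseal "$key"
  done
}

# Constructed sample init file for demonstration; mktemp creates it 0600,
# which is the permission the real file should have as well.
SAMPLE_INIT=$(mktemp)
cat >"$SAMPLE_INIT" <<'EOF'
Unseal Key 1: CONSTRUCTED-KEY-1
Unseal Key 2: CONSTRUCTED-KEY-2
Unseal Key 3: CONSTRUCTED-KEY-3
Unseal Key 4: CONSTRUCTED-KEY-4
Unseal Key 5: CONSTRUCTED-KEY-5

Initial Root Token: s.CONSTRUCTED-ROOT-TOKEN

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.
EOF

# Usage against a real cluster (not run here):
#   export VAULT_ADDR=$(vault_addr_from_route)
#   unseal_from_init common/pattern-vault.init
#   vault login "$(root_token_from_init common/pattern-vault.init)"
```

The parsing is split from the `vault` calls so the threshold and key handling can be checked without a cluster; `unseal_from_init` stops after the threshold number of shares, which is all Vault needs to reconstruct the master key.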
What’s next?
Check with the validated pattern instructions to see if there are further steps you need to perform. Sometimes this might be deploying a pattern on an edge cluster and checking to see if the correct Vault handshaking and updating occurs.