Running Vault and Consul on Kubernetes

Related/Useful links: post, Nginx ingress.

Prerequisites

Install:

Installing Go
Install CloudFlare's SSL ToolKit (cfssl and cfssljson)
Consul
Vault
Pre-installed k8s, by default will be used vault namespace
Pre-configured AWS KMS key and access (Role/Policy)

TLS Certificates

Create a Certificate Authority:

$ cfssl gencert -initca certs/config/ca-csr.json | cfssljson -bare certs/ca

Create the private keys and TLS certificates:

$ cfssl gencert \
    -ca=certs/ca.pem \
    -ca-key=certs/ca-key.pem \
    -config=certs/config/ca-config.json \
    -profile=default \
    certs/config/consul-csr.json | cfssljson -bare certs/consul

$ cfssl gencert \
    -ca=certs/ca.pem \
    -ca-key=certs/ca-key.pem \
    -config=certs/config/ca-config.json \
    -profile=default \
    certs/config/vault-csr.json | cfssljson -bare certs/vault

Vault and Consul

Spin up Vault and Consul on Kubernetes:

$ sh create.sh

Environment Variables

In a new terminal window, navigate to the project directory and set the following environment variables:

$ export VAULT_ADDR=https://127.0.0.1:8200
$ export VAULT_TOKEN=your_token

If having problem with x509, without a proper cert is first way with cert the second one:

$ export VAULT_SKIP_VERIFY=true
$ export VAULT_CACERT="certs/ca.pem"

Verify

$ kubectl get pods
$ vault status

Under development:

- AWS KMS integration (for auto-unsealing, and encryption of `root-token`, `unseal keys`);

- AWS DynamoDB as a backend-storage of vault;

- Consider to add affinity for consul/vault nodes.

...

Name		Name	Last commit message	Last commit date
Latest commit History 7 Commits
certs/config		certs/config
consul		consul
vault		vault
.gitignore		.gitignore
README.md		README.md
init_certs.sh		init_certs.sh
init_vault.sh		init_vault.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Running Vault and Consul on Kubernetes

Prerequisites

Install:

TLS Certificates

Vault and Consul

Environment Variables

Verify

Under development:

- AWS KMS integration (for auto-unsealing, and encryption of `root-token`, `unseal keys`);

- AWS DynamoDB as a backend-storage of vault;

- Consider to add affinity for consul/vault nodes.

About

Releases

Packages

Languages

aradyuk/vault_in_k8s

Folders and files

Latest commit

History

Repository files navigation

Running Vault and Consul on Kubernetes

Prerequisites

Install:

TLS Certificates

Vault and Consul

Environment Variables

Verify

Under development:

- AWS KMS integration (for auto-unsealing, and encryption of root-token, unseal keys);

- AWS DynamoDB as a backend-storage of vault;

- Consider to add affinity for consul/vault nodes.

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

- AWS KMS integration (for auto-unsealing, and encryption of `root-token`, `unseal keys`);

Packages