Getting started
Bank-Vaults is a Swiss Army knife with multiple manifestations, so the first steps depend on what you want to achieve.
Deploy with Helm
We have some fully fledged, production-ready Helm charts for deploying:
- Vault using bank-vaults,
- the Vault Operator, and also
- the Vault Secrets Webhook.
With the help of these charts you can run an HA Vault instance with automatic initialization, unsealing, and external configuration, which would otherwise be a tedious manual operation. Secrets from Vault can also be injected into your Pods directly as environment variables (without using Kubernetes Secrets). These charts can easily be used for development purposes as well.
Note: Starting with Bank-Vaults version 1.6.0, only Helm 3 is supported.
Deploy a local Vault operator
This is the simplest scenario: you install the Vault operator on a simple cluster. The following commands install a single-node Vault instance that stores unseal and root tokens in Kubernetes secrets. If you want to customize the Helm chart, see the list of vault-operator Helm chart values.
- Install the Bank-Vaults operator:
  Expected output:
- Create a Vault instance using the Vault custom resources. This will create a Kubernetes CustomResource called vault and a PersistentVolumeClaim for it:
  Expected output:
  Note: If needed, you can install the latest CustomResource from the main branch, but that’s usually under development and might not be stable.
- Wait a few seconds, then check the operator and the vault pods:
  Expected output:
- Configure your Vault client to access the Vault instance running in the vault-0 pod.
  - Port-forward into the pod:
  - Set the address of the Vault instance.
  - Import the CA certificate of the Vault instance by running the following commands (otherwise, you’ll get x509: certificate signed by unknown authority errors):
    Alternatively, you can instruct the Vault client to skip verifying the certificate of Vault by running:
    export VAULT_SKIP_VERIFY=true
- If you already have the Vault CLI installed, check that you can access the Vault:
  Expected output:
- To authenticate to Vault, you can access its root token by running:
  Note: Using the root token is recommended only in test environments. In production environments, create dedicated, time-limited tokens.
- Now you can interact with Vault. For example, add a secret by running
  vault kv put secret/demosecret/aws AWS_SECRET_ACCESS_KEY=s3cr3t
  If you want to access the Vault web interface, open https://127.0.0.1:8200 in your browser using the root token (to reveal the token, run echo $VAULT_TOKEN).
- For other configuration examples of the Vault CustomResource, see the YAML files in the deploy/examples and test/deploy directories of the vault-operator repository. After you are done experimenting with Bank-Vaults and you want to delete the operator, you can delete the related CRs:
Deploy the mutating webhook
You can deploy the Vault Secrets Webhook using Helm. Note that:
- The Helm chart of the vault-secrets-webhook contains the templates of the required permissions as well.
- The deployed RBAC objects contain the necessary permissions for running the webhook.
Prerequisites
- The user you use for deploying the chart to the Kubernetes cluster must have cluster-admin privileges.
- The chart requires Helm 3.
- To interact with Vault (for example, for testing), the Vault command line client must be installed on your computer.
- You have deployed Vault with the operator and configured your Vault client to access it, as described in Deploy a local Vault operator.
Deploy the webhook
- Create a namespace for the webhook and add a label to the namespace, for example, vault-infra:
- Deploy the vault-secrets-webhook chart. If you want to customize the Helm chart, see the list of vault-secrets-webhook Helm chart values.
  Expected output:
  For further details, see the webhook’s Helm chart repository.
- Check that the pods are running:
  Expected output:
- If you already have the Vault CLI installed, write a secret into Vault:
  Expected output:
- Apply the following deployment to your cluster. The webhook will mutate this deployment because it has an environment variable whose value is a reference to a path in Vault:
  Expected output:
- Check the mutated deployment.
  The output should look similar to the following:
  As you can see, the original environment variables in the definition are unchanged, and the sensitive value of the AWS_SECRET_ACCESS_KEY variable is only visible within the alpine container.
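An added example (not the page's own manifest) of a Deployment the webhook would mutate, referencing the secret written with vault kv put above. The Vault address, the vault-tls Secret and the default role are assumptions matching what the operator sets up for the default vault custom resource in the default namespace, and the Deployment name is hypothetical:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-secret-demo   # hypothetical name chosen for this example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-secret-demo
  template:
    metadata:
      labels:
        app: vault-secret-demo
      annotations:
        # Assumed defaults for a Vault deployed by the operator in the "default"
        # namespace: the "vault" Service on port 8200 and the "vault-tls" Secret
        # holding its CA certificate, so the webhook can verify the server.
        vault.security.banzaicloud.io/vault-addr: "https://vault:8200"
        vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
        # Vault role used with the Kubernetes auth method; assumed to be bound
        # to the "default" ServiceAccount that the Pod runs as.
        vault.security.banzaicloud.io/vault-role: "default"
    spec:
      serviceAccountName: default
      containers:
        - name: alpine
          image: alpine:3.19
          # Only report the length of the resolved value; never echo a secret into logs.
          command: ["sh", "-c", "echo \"AWS_SECRET_ACCESS_KEY has ${#AWS_SECRET_ACCESS_KEY} chars\" && sleep 3600"]
          env:
            # Plain variable: the webhook leaves it untouched.
            - name: AWS_REGION
              value: eu-west-1
            # Reference of the form vault:<path>#<key>. The KV v2 engine mounted at
            # "secret/" exposes secrets under "secret/data/...", hence the "data/"
            # segment. The API object keeps this reference; the plaintext is fetched
            # only when the container starts.
            - name: AWS_SECRET_ACCESS_KEY
              value: "vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY"
```

Reading the Deployment back from the API shows the vault: reference rather than s3cr3t, which is the property the check above confirms.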
Install the CLI tool
You can download the bank-vaults CLI from the Bank-Vaults releases page. Select the binary for your platform from the Assets section for the version you want to use.
Alternatively, fetch the source code and compile it using go get:
Docker images
If you want to build upon our Docker images, you can find them on Docker Hub: