user63898

Reputation: 30895

How to connect vault CLI to Vault Cluster installed on k8s?

I have installed the Vault cluster in k8s (AKS); now I try to connect to that cluster with the vault CLI.
The problem is I can't find any info or documentation.
I downloaded vault.exe, but where do I configure it to connect to the cluster?

Upvotes: 3

Views: 11557

Answers (2)

Hardoman

Reputation: 292

There are better ways to connect to Vault.

  1. Assuming you deployed Vault in the vault namespace, you can start a shell.

Using kubectl:

kubectl exec -n vault -it vault-0 -- /bin/sh

After which you can login using root token:

vault login $VAULT_ROOT_KEY

Note: you get the root token when you do init (assuming you followed the official guide to init and unseal Vault):

kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > keys.json

VAULT_UNSEAL_KEY=$(cat keys.json | jq -r ".unseal_keys_b64[]")
echo $VAULT_UNSEAL_KEY

VAULT_ROOT_KEY=$(cat keys.json | jq -r ".root_token")
echo $VAULT_ROOT_KEY

Note 2: The default root token account has a specific root role and is not allowed to manipulate secrets unless you allow it explicitly.

  2. Using the UI. Depending on how you deploy Vault, there are multiple ways to enable it.

Using config.hcl file value:

ui = true

You can provide config file directly with CLI:

vault server -config vault-server.hcl

or, in the K8s case, providing it as a ConfigMap and a StatefulSet:

apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: default
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    ui = true
    
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "file" {
      path = "/vault/data"
    }

and apply the configmap:

kubectl apply -f configmap.yaml

In the StatefulSet manifest you use this ConfigMap, mount it as a volume and then copy it to the proper place to start with it.

Part of the manifest:

  volumes:
    - name: config
      configMap:
        name: vault-config
    - name: home
      emptyDir: {}
  containers:
    - name: vault          
      image: hashicorp/vault:1.8.0
      imagePullPolicy: IfNotPresent
      command:
      - "/bin/sh"
      - "-ec"
      args: 
      - |
        cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
        [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
        [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
        [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
        [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
        [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
        [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
        /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl  

Finally if you use helm charts for deployment you just need to set values to enable UI:

ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  enabled: true
  publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "NodePort"
  serviceNodePort: 31000
  externalPort: 8200
  targetPort: 8200

With this you expose your UI service on the IP of your node with NodePort 31000 (e.g. http://192.168.10.100:31000). If you have a load-balancer controller installed, you can use serviceType: "LoadBalancer".

Upvotes: 0

Kamol Hasan

Reputation: 13466

You need to export some environment variables to use the vault CLI:

# Your vault server address
$ export VAULT_ADDR=https://127.0.0.1:8200

# vault token (no space after "=", or the shell exports an empty variable)
$ export VAULT_TOKEN="****"

# If your server is secured with TLS
$ export VAULT_CACERT=ca.crt
$ export VAULT_CLIENT_CERT=tls.crt
$ export VAULT_CLIENT_KEY=tls.key

Now you are ready to use the vault CLI.

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
... ... ... 

Upvotes: 10
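The two answers between them describe the plumbing behind connecting the CLI: pull the unseal key and root token out of `vault operator init -format=json` output (first answer, with jq), then export the `VAULT_*` variables the CLI reads (second answer). The following is an added example, not code from either answer or from HashiCorp: it does the same steps in Python with checks the shell one-liners skip, and decodes a seal-status response into the rows `vault status` prints. The init JSON and seal-status JSON are constructed samples, and the function names are this example's own.

```python
"""Added example (not from either answer on the page): extract the unseal key
and root token from `vault operator init -format=json` output, build and
quote the VAULT_* exports the vault CLI reads, and map a seal-status body to
the rows `vault status` prints. Sample JSON below is constructed."""
import json
import shlex
from urllib.parse import urlparse

# Constructed sample with the fields `vault operator init -format=json`
# writes to keys.json (placeholder values, not real key material).
SAMPLE_KEYS_JSON = json.dumps({
    "unseal_keys_b64": ["EXAMPLE-UNSEAL-KEY-BASE64=="],
    "unseal_shares": 1,
    "unseal_threshold": 1,
    "root_token": "hvs.EXAMPLE-ROOT-TOKEN",
})

# Constructed sample of a GET /v1/sys/seal-status body, the endpoint
# `vault status` reads to print Seal Type / Initialized / Sealed.
SAMPLE_SEAL_STATUS_JSON = json.dumps({
    "type": "shamir", "initialized": True, "sealed": False,
    "t": 1, "n": 1, "progress": 0, "version": "1.8.0",
})


def parse_init_output(text):
    """Equivalent of `jq -r '.unseal_keys_b64[]'` and `jq -r .root_token`.
    Returns (unseal_keys, root_token) and fails loudly if either is missing,
    so a truncated keys.json is never silently used."""
    data = json.loads(text)
    keys = data.get("unseal_keys_b64") or []
    token = data.get("root_token") or ""
    if not keys or not token:
        raise ValueError("init output lacks unseal keys or root token")
    return list(keys), token


def build_cli_env(addr, token, ca_cert=None, client_cert=None, client_key=None):
    """Return the VAULT_* variables the CLI reads, after sanity checks:
    the address must be an http(s) URL with a host, and a client cert must
    come with its key (the CLI needs both for mutual TLS)."""
    url = urlparse(addr)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError(f"VAULT_ADDR must be an http(s) URL, got {addr!r}")
    if bool(client_cert) != bool(client_key):
        raise ValueError("VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together")
    env = {"VAULT_ADDR": addr, "VAULT_TOKEN": token}
    if ca_cert:
        env["VAULT_CACERT"] = ca_cert
    if client_cert:
        env["VAULT_CLIENT_CERT"] = client_cert
        env["VAULT_CLIENT_KEY"] = client_key
    return env


def render_exports(env):
    """Render `export NAME=value` lines with shell quoting applied. Quoting
    matters: `export VAULT_TOKEN= "x"` (space after `=`) exports an empty
    variable and then tries to run "x" as a command."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items()))


def seal_status_rows(body):
    """Map a seal-status response onto the first rows of `vault status`."""
    d = json.loads(body)
    return {"Seal Type": d["type"], "Initialized": d["initialized"], "Sealed": d["sealed"]}


if __name__ == "__main__":
    keys, root_token = parse_init_output(SAMPLE_KEYS_JSON)
    # 127.0.0.1:8200 assumes the vault pod or service is forwarded to this machine.
    env = build_cli_env("https://127.0.0.1:8200", root_token, ca_cert="ca.crt")
    print(render_exports(env))
    for name, value in seal_status_rows(SAMPLE_SEAL_STATUS_JSON).items():
        print(f"{name:<14}{value}")
```

Pointing `VAULT_ADDR` at 127.0.0.1:8200 from a workstation only works if the pod or service port has been forwarded locally (for example with `kubectl port-forward`); otherwise use the externally reachable address of the Vault service, with `VAULT_CACERT` set to the CA that signed its listener certificate.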
