Installing HashiCorp Vault

This section provides a step-by-step guide to installing HashiCorp Vault.

HashiCorp Vault is a tool for secrets management and key management services (KMS). It provides strong encryption, controlled access to sensitive data, and centralized management of secrets across your applications and infrastructure. This page covers the installation process, initial configuration, and integration with your deployment environment to enhance security and compliance.

Prerequisite:

Make sure to assign the required privileges in the security context constraint (SCC) to the service accounts below in the namespace where Vault will be deployed.

  • vault-cluster-agent-injector
  • vault-cluster

For the anyuid SCC, add the following entries under users:

oc edit scc anyuid
- system:serviceaccount:vault-cluster-agent-injector:vault-server
- system:serviceaccount:vault-cluster:vault-server

Installing HashiCorp Vault

To install HashiCorp Vault, follow the steps below:

  1. As a first step, add the HashiCorp Helm repository using the helm commands below. The repository name must match the chart reference used in step 3 (hashicorp/vault).

    helm repo add hashicorp https://helm.releases.hashicorp.com
    helm repo update
  2. Create a vault-values-override.yaml file to deploy Vault in HA mode with persistent data storage (integrated Raft storage). A sample file with its configuration is shown below.
    # Vault Helm Chart Value Overrides
    global:
      enabled: true
      tlsDisable: true   # TLS is disabled in this sample; the listener below serves plaintext HTTP
      resources:
        requests:
          memory: 256Mi
          cpu: 250m
        limits:
          memory: 256Mi
          cpu: 250m
    
    server:
      # Use the Enterprise Image
      # image:
        # repository: "hashicorp/vault-enterprise"
        # tag: "1.16.1-ent"
    
      # These Resource Limits are in line with node requirements in the
      # Vault Reference Architecture for a Small Cluster
      resources:
        requests:
          memory: 8Gi
          cpu: 2000m
        limits:
          memory: 16Gi
          cpu: 2000m
    
      # For HA configuration and because we need to manually init the vault,
      # we need to define custom readiness/liveness Probe settings
      readinessProbe:
        enabled: true
        path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
      livenessProbe:
        enabled: true
        path: "/v1/sys/health?standbyok=true"
        initialDelaySeconds: 60
    
      # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
      # used to include variables required for auto-unseal.
      extraEnvironmentVars:
        # VAULT_CACERT: /vault/userconfig/tls-ca/ca.crt
    
      # extraVolumes is a list of extra volumes to mount. These will be exposed
      # to Vault in the path `/vault/userconfig/<name>/`.
      extraVolumes:
        # - type: secret
          # name: tls-server
        # - type: secret
          # name: tls-ca
        # - type: secret
          # name: kms-creds
    
      # This configures the Vault Statefulset to create a PVC for audit logs.
      # See https://www.vaultproject.io/docs/audit/index.html to know more
      auditStorage:
        enabled: true
    
      standalone:
        enabled: false
    
      # Run Vault in "HA" mode.
      ha:
        enabled: true
        replicas: 2
        raft:
          enabled: true
          setNodeId: true
    
          config: |
            ui = true
            cluster_name = "vault-cluster-with-integrated-storage"
            listener "tcp" {
              tls_disable = 1
              address = "[::]:8200"
              cluster_address = "[::]:8201"
            }
    
            storage "raft" {
              path = "/vault/data"
              # Each peer address is <pod>.<headless-service>:8200. These names must
              # match the pod and service names created by your Helm release.
              retry_join {
                leader_api_addr = "http://vault-cluster-0.vault-test-internal:8200"
              }
              retry_join {
                leader_api_addr = "http://vault-cluster-1.vault-test-internal:8200"
              }
              autopilot {
                server_stabilization_time = "100s"
                last_contact_threshold = "10s"
                min_quorum = 5
                cleanup_dead_servers = false
                dead_server_last_contact_threshold = "10m"
                max_trailing_logs = 1000
                disable_upgrade_migration = false
              }
            }
    
    # Vault UI
    ui:
      enabled: true
      serviceType: "LoadBalancer"
      serviceNodePort: null
      externalPort: 8200
    
    If you deploy more than 2 Vault replicas, adjust the following properties accordingly:
    • retry_join (one block per replica)
    • replicas
  3. After configuring the yaml file, you can install the Vault using Helm chart as shown below.
    helm upgrade --install vault hashicorp/vault --namespace vault \
      --set "global.openshift=true" \
      --set "server.image.repository=docker.io/hashicorp/vault" \
      --set "injector.image.repository=docker.io/hashicorp/vault-k8s" \
      -f /<path-to-your-vault-override-values-file>/vault-values-override.yaml --debug
  4. On successful installation of the vault, you can verify the installation using the below command.
    oc get pods --namespace vault
    Note: After installation, make sure to unseal the vault as shown below. Otherwise, the pods will keep restarting, because a sealed Vault fails the liveness probe configured in step 2.
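To see why step 2 gives the readiness probe sealedcode=204&uninitcode=204 while the liveness probe does not, the following added example (not part of this guide or of the Vault project) models the documented /v1/sys/health status codes and evaluates both probe paths from the values file against each Vault state. The state names and the probe_matrix helper are assumptions of this example.

```python
# Added example: simulates Vault's /v1/sys/health response codes for the two
# probe paths in the values file, and applies the kubelet rule that any
# 200-399 response counts as probe success.
from urllib.parse import parse_qs, urlsplit

# Default status codes documented for /v1/sys/health.
DEFAULT_CODES = {
    "active": 200,
    "standby": 429,
    "drsecondary": 472,
    "perfstandby": 473,
    "uninitialized": 501,
    "sealed": 503,
}
# Query parameter that overrides the default code for each state.
OVERRIDE_PARAM = {
    "active": "activecode",
    "standby": "standbycode",
    "drsecondary": "drsecondarycode",
    "perfstandby": "performancestandbycode",
    "uninitialized": "uninitcode",
    "sealed": "sealedcode",
}

def health_code(probe_path: str, state: str) -> int:
    """HTTP status /v1/sys/health would return for `state` under this probe's query string."""
    qs = parse_qs(urlsplit(probe_path).query)
    flag = lambda name: qs.get(name, ["false"])[0].lower() == "true"
    effective = state
    if state == "standby" and flag("standbyok"):
        effective = "active"          # standbyok=true: report a standby as active
    if state == "perfstandby" and flag("perfstandbyok"):
        effective = "active"
    param = OVERRIDE_PARAM[effective]
    if param in qs:
        return int(qs[param][0])      # e.g. sealedcode=204 replaces the default 503
    return DEFAULT_CODES[effective]

def probe_passes(probe_path: str, state: str) -> bool:
    """kubelet treats any status in 200-399 as success."""
    return 200 <= health_code(probe_path, state) < 400

READINESS = "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
LIVENESS = "/v1/sys/health?standbyok=true"

def probe_matrix() -> dict:
    """Map each state to (readiness passes, liveness passes) for the values-file probes."""
    return {s: (probe_passes(READINESS, s), probe_passes(LIVENESS, s)) for s in DEFAULT_CODES}

if __name__ == "__main__":
    for state, (ready, live) in probe_matrix().items():
        print(f"{state:14} readiness={'pass' if ready else 'FAIL'}  liveness={'pass' if live else 'FAIL'}")
```

A sealed or uninitialized pod becomes Ready (so you can reach it through the service to run vault operator unseal) but fails liveness, which is why the pods restart until the vault is unsealed.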