
Install HashiCorp Vault

HashiCorp Vault is an open-source tool that provides secure storage and encryption of confidential data, as well as access to data based on identity through customizable policies.

The installation of HashiCorp Vault consists of the following steps:

  1. Download the Helm chart and Vault configuration file.
  2. Fill out the Vault configuration file.
  3. Install Vault using Helm in a Kubernetes cluster.
  4. Configure Vault.

Step 1: Download the Helm chart and Vault configuration file

To install via the internet, obtain the configuration file values-vault.yaml by running the command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/vault > values-vault.yaml

Obtaining the configuration file for installation in an isolated environment without internet access

Step 2: Fill out the Vault configuration file

Fill out the configuration file values-vault.yaml to install the Vault service.

# Vault settings
vault:
  global:
    # if not defined, the cluster's default StorageClass is used
    storageClass: ""
...

Filling in the connection parameters for a private registry for installation in an isolated environment without internet access involves the following steps:

Step 3: Install Vault using Helm in a Kubernetes cluster

Perform the installation of the Vault service in a separate namespace, for example, vault. Namespace will be created during installation if it hasn't been created earlier.

For installation with internet access, run the following command:

helm upgrade --install vault elma365/vault -f values-vault.yaml -n vault --create-namespace

For offline installation (without internet access), navigate to the directory with the downloaded service and run the following command:

helm upgrade --install vault ./vault -f values-vault.yaml -n vault --create-namespace

Step 4: Configure Vault

1. Make sure that the status of the vault-server-0 pod is Running:

kubectl get pods -n vault

2. Initialize Vault:

kubectl exec -ti vault-server-0 -n vault -- vault operator init

3. After initialization, save the list of unseal keys (Unseal Key X:) and the root token (Initial Root Token) printed by the command. Use three of the keys to unseal the Vault service:

kubectl exec vault-server-0 -n vault -- vault operator unseal <Unseal Key 1>
kubectl exec vault-server-0 -n vault -- vault operator unseal <Unseal Key 2>
kubectl exec vault-server-0 -n vault -- vault operator unseal <Unseal Key 3>

Attention: if the Vault service restarts, it will need to be unsealed again using the keys.

4. After initialization and unsealing, connect to vault-server-0 and authenticate in Vault using the root token (Initial Root Token):

kubectl exec -ti vault-server-0 -n vault -- /bin/sh
vault login

5. Check the service state:

vault status

6. Enable the kv-v2 secrets engine at the path secret:

vault secrets enable -path=secret kv-v2

7. Create a secret at the path secret/elma365/db. For the secret, use the actual database connection strings and the parameters for connecting to the S3 file storage, following the pattern in values-elma365.yaml: PSQL_URL, RO_POSTGRES_URL, MONGO_URL, VAHTER_MONGO_URL, REDIS_URL, AMQP_URL, S3_BACKEND_ADDRESS, S3_REGION, S3_KEY, S3_SECRET, S3_BUCKET, S3_SSL_ENABLED, S3_UPLOAD_METHOD, S3_DUMP_URL, S3_VIRTUAL_HOSTED_STYLE_ENABLED.

If a parameter (for example, RO_POSTGRES_URL or S3_DUMP_URL) is not used, create it with an empty value:

vault kv put secret/elma365/db \
PSQL_URL="postgresql://postgres:pgpassword@postgres.default.svc.cluster.local:5432/elma365?sslmode=disable" \
RO_POSTGRES_URL="" \
MONGO_URL="mongodb://elma365:mongopassword@mongo.default.svc.cluster.local:27017/elma365?ssl=false&replicaSet=rs0&readPreference=secondaryPreferred" \
VAHTER_MONGO_URL="mongodb://elma365:mongopassword@mongo.default.svc.cluster.local:27017/elma365?ssl=false&replicaSet=rs0&readPreference=secondaryPreferred" \
REDIS_URL="redis://redis.default.svc.cluster.local:6379/0" \
AMQP_URL="amqp://elma365:rmqpassword@rabbitmq.default.svc.cluster.local:5672/elma365" \
S3_BACKEND_ADDRESS="example.com" \
S3_REGION="us-east-1" \
S3_KEY="PZSF73JG72Ksd955JKU1HIA" \
S3_SECRET="aFDkj28Jbs2JKbnvJH678MNwiz88zKjsuNBHHs" \
S3_BUCKET="s3elma365" \
S3_SSL_ENABLED="false" \
S3_UPLOAD_METHOD="PUT" \
S3_DUMP_URL="" \
S3_VIRTUAL_HOSTED_STYLE_ENABLED="false"

8. Make sure the secret is created at the path secret/elma365/db:

vault kv get secret/elma365/db

9. Enable the Kubernetes authentication method:

vault auth enable kubernetes

10. Configure the Kubernetes authentication method with the address of the Kubernetes API:

vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

11. Create a policy that allows reading the secret at the path secret/data/elma365/db:

vault policy write read-secret-elma365 - <<EOF
path "secret/data/elma365/db" {
  capabilities = ["read"]
}
EOF

12. Create a role named read-secret-elma365, which binds the read-secret-elma365 policy to the vault-auth service account in the namespace where BRIX is installed (e.g., elma365). The role is created with the following command (the service account itself is created in step 14):

vault write auth/kubernetes/role/read-secret-elma365 \
bound_service_account_names=vault-auth \
bound_service_account_namespaces=elma365 \
policies=read-secret-elma365 \
ttl=24h

13. Exit the vault-server-0 shell:

exit

14. Create the vault-auth service account in the namespace where BRIX is installed (e.g., elma365):

kubectl create serviceaccount vault-auth -n elma365
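The following is an added helper, not part of the BRIX documentation or of Vault, for preparing the secret from step 7: it checks that all 15 keys BRIX expects are present (empty values are allowed, as the step requires), flags connection strings that disable TLS so that credentials fetched from Vault would still travel unencrypted, and builds the vault kv put argument list for subprocess so that characters such as the & in MONGO_URL are never interpreted by a shell. The function names and the sample values are constructed for this example.

```python
import re
import shlex

# The 15 keys BRIX reads from secret/elma365/db (step 7 of the documentation).
REQUIRED_KEYS = (
    "PSQL_URL", "RO_POSTGRES_URL", "MONGO_URL", "VAHTER_MONGO_URL", "REDIS_URL",
    "AMQP_URL", "S3_BACKEND_ADDRESS", "S3_REGION", "S3_KEY", "S3_SECRET",
    "S3_BUCKET", "S3_SSL_ENABLED", "S3_UPLOAD_METHOD", "S3_DUMP_URL",
    "S3_VIRTUAL_HOSTED_STYLE_ENABLED",
)

def missing_keys(params):
    """Keys that must exist in the secret (possibly as "") but are absent."""
    return [k for k in REQUIRED_KEYS if k not in params]

def plaintext_transport_findings(params):
    """Connection settings that turn TLS off; each finding names the key."""
    findings = []
    for key in ("PSQL_URL", "RO_POSTGRES_URL"):
        if "sslmode=disable" in params.get(key, ""):
            findings.append(f"{key}: sslmode=disable")
    for key in ("MONGO_URL", "VAHTER_MONGO_URL"):
        if re.search(r"[?&]ssl=false(&|$)", params.get(key, "")):
            findings.append(f"{key}: ssl=false")
    if params.get("S3_SSL_ENABLED", "").lower() == "false":
        findings.append("S3_SSL_ENABLED: false")
    return findings

def build_kv_put_argv(params, path="secret/elma365/db"):
    """argv for subprocess.run(argv) (no shell); raises if a key is missing."""
    absent = missing_keys(params)
    if absent:
        raise ValueError(f"missing keys (set them to '' if unused): {absent}")
    return ["vault", "kv", "put", path] + [f"{k}={params[k]}" for k in REQUIRED_KEYS]

if __name__ == "__main__":
    # Constructed sample values mirroring the shape of the documentation's example.
    sample = {k: "" for k in REQUIRED_KEYS}
    sample.update(
        PSQL_URL="postgresql://postgres:pgpassword@postgres.default.svc.cluster.local:5432/elma365?sslmode=disable",
        MONGO_URL="mongodb://elma365:mongopassword@mongo.default.svc.cluster.local:27017/elma365?ssl=false&replicaSet=rs0",
        S3_SSL_ENABLED="false",
    )
    for finding in plaintext_transport_findings(sample):
        print("warning:", finding)
    # shlex.join quotes each argument, so the printed line is safe to paste into a shell.
    print(shlex.join(build_kv_put_argv(sample)))
```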

Secrets in the Kubernetes cluster can be synchronized using HashiCorp Vault with the External Secrets Operator. Read more in Install External Secrets Operator.

Remove Vault using Helm in the Kubernetes cluster

To uninstall the Vault service in the vault namespace, execute the command:

helm uninstall vault -n vault