Demo Vault Helm Installation
In this tutorial, you’ll learn what HashiCorp Vault is, explore various installation methods, and perform a hands-on deployment of Vault in a Kubernetes cluster using the official Helm chart.
What Is Vault?
Vault is a centralized secrets management tool designed for securely storing and accessing sensitive data such as:
- Credentials for authenticating users or services
- Encryption keys for data encryption and decryption
- API tokens, TLS certificates, and other secret types
Vault offers:
- A unified REST API for secret management
- Fine-grained access control with policies
- Detailed audit logging of all operations
For more, visit the HashiCorp Vault Documentation.
Installation Methods
You can install Vault using one of the following approaches:
| Method | Description | Example Command |
|---|---|---|
| Linux Package Manager | Install via APT or Yum on supported distros | sudo apt-get install vault |
| Precompiled Binary | Download and place in your PATH | wget https://releases.hashicorp.com/vault |
| Build from Source | Clone the repo and compile yourself | go build github.com/hashicorp/vault |
Warning
For production, run Vault in a highly available configuration across multiple hosts. Use a durable storage backend like Consul or AWS S3.
Installing via APT (Ubuntu/Debian)
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install vault
Deploying Vault with Helm
We’ll deploy Vault into Kubernetes using the official Helm chart. Ensure you have:
- Kubernetes ≥1.14
- Helm 3.x installed
- kubectl configured to access your cluster
1. Add the HashiCorp Helm Repository
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
2. Review the Vault Helm Chart
Check the chart’s prerequisites and usage on GitHub:
3. Inspect Default Configuration
View the excerpt from values.yaml:
# values.yaml (excerpt)
ui:
  enabled: false
  serviceType: ClusterIP
  serviceNodePort: null
server:
  dataStorage:
    enabled: true
    size: 10Gi
In this demo, we’ll:
- Enable the Vault UI
- Expose the UI via NodePort
- Disable persistent storage (for demo purposes)
Prerequisites Check
# Verify Kubernetes
kubectl version --short
# Verify Helm
helm version --short
Step by Step: Deploying to a Dedicated Namespace
Create and switch to the demo namespace:
kubectl create namespace demo
kubectl config set-context --current --namespace=demo
Install the Vault chart with custom settings:
helm install vault hashicorp/vault --version 0.16.1 \
  --set ui.enabled=true \
  --set ui.serviceType=NodePort \
  --set server.dataStorage.enabled=false
Verify Kubernetes resources:
kubectl get all
Wait until the vault-0 pod and related components are in the Running state:
kubectl get pods
Checking Vault Status
Once the pods are running, access the Vault pod and check its seal status:
kubectl exec -it vault-0 -- vault status
You should see output similar to:
Key             Value
---             -----
Seal Type       shamir
Sealed          true
Version         1.8.3
Cluster Name    vault-cluster
Note
Vault is sealed by default. You must initialize and unseal it using key shares and a threshold. These steps can be done via CLI or the UI.
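The sealed state reported by `vault status` can drive the next bootstrap step. The script below is an added example, not code from the original tutorial or from HashiCorp: it parses the status table and reports whether vault-0 needs `vault operator init`, `vault operator unseal`, or nothing. The function names, the `--live` switch, the 5/3 share and threshold values, and the sample output (which adds the `Initialized` row that real `vault status` output carries) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the chart or Vault docs): pick the next bootstrap
# step for vault-0 from the `vault status` table.

# Constructed sample: the page's excerpt plus the "Initialized" row that real
# `vault status` output also carries.
SAMPLE_STATUS='Key             Value
---             -----
Seal Type       shamir
Initialized     false
Sealed          true
Version         1.8.3'

# Print one field's value from the table on stdin. Keys can contain spaces
# ("Seal Type"), so match the key as a line prefix instead of splitting words.
vault_field() {
  awk -v k="$1" 'index($0, k) == 1 {
    rest = substr($0, length(k) + 1)
    if (rest ~ /^[ \t]+[^ \t]/) {
      sub(/^[ \t]+/, "", rest); sub(/[ \t\r]+$/, "", rest)
      print rest; exit
    }
  }'
}

# Map status text to init | unseal | ready | unknown (fail closed on unknown).
next_step() {
  initialized=$(printf '%s\n' "$1" | vault_field "Initialized")
  sealed=$(printf '%s\n' "$1" | vault_field "Sealed")
  case "$initialized/$sealed" in
    false/*)    echo init ;;
    true/true)  echo unseal ;;
    true/false) echo ready ;;
    *)          echo unknown ;;
  esac
}

# Live check. `vault status` exits 2 when sealed, and kubectl exec passes that
# code through, so only other non-zero codes count as errors.
live_step() {
  out=$(kubectl exec vault-0 -- vault status) || [ $? -eq 2 ] || return 1
  next_step "$out"
}

# init   -> kubectl exec -it vault-0 -- vault operator init -key-shares=5 -key-threshold=3
# unseal -> kubectl exec -it vault-0 -- vault operator unseal   (prompts for one key share)
if [ "${1:-}" = "--live" ]; then live_step; else next_step "$SAMPLE_STATUS"; fi
```

Running `vault operator unseal` without an argument prompts for the key share, which keeps it out of shell history and process listings.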
Accessing the Vault UI
The Vault UI is exposed on a NodePort (e.g., 31272). Open your browser to:
http://<your-node-ip>:31272
You will be prompted to set up master keys and a root token.