Skip to main content

Vault

Palette Dev Engine (PDE) users can deploy Vault onto their virtual cluster using the out-of-the-box Vault offering. Vault deployed through PDE is using Banzai Cloud Bank-Vaults. Bank-Vaults is a wrapper for the official Vault client. Vault is a tool that helps you securely manage and protect sensitive information, like passwords, API keys, and encryption keys. The Bank-Vaults client enhances the official Vault client by adding automatic token renewal, built-in Kubernetes support, and a dynamic database credential provider.

Vault keeps these secrets safe by locking them in a virtual "vault" and only allows authorized users to access them. Vault also tracks who has accessed which secrets and when, making it easier to maintain security. You can use Vault to govern access to secrets, automate application delivery, and consume secrets programmatically.

Vault is deployed behind the scenes through the use of the Bank-Vaults Vault Operator Helm Chart.


info

Vault is deployed as a single container in the virtual cluster, and the container is not tied to any particular node.

Deploy Vault

Use the following steps to learn how to deploy Vault to your virtual cluster.

Prerequisites

  • A Virtual Cluster with at least the following minimum resources.
    • 4 CPU
    • 6 GB Memory
    • 6 GB Storage
  • Kubernetes 1.6.x or greater.

Enablement

  1. Log in to Palette.
  1. Click on the User Menu at top right, and select Switch to App Mode.
  1. Navigate to the left Main Menu and click on App Profiles to create a new app profile. Provide the following basic information and click Next.
ParameterDescription
Application Profile NameA custom name for the app profile.
Version (optional)The default value is 1.0.0. You can create multiple versions of an app profile using the format major.minor.patch.
Description (optional)Description of the app profile.
Tag (optional)Assign tags to the app profile.
  1. Select the Vault service and start the configuration.
  1. Provide the following information to the wizard:
  • Name: The application name.
  • PersistentVolumeClaim Size (GiB): Select the volume as per the storage volume available in the cluster group and virtual clusters. Ensure you do not exceed the maximum storage size for your virtual cluster.
  1. Save your changes.
  1. Deploy the app profile to a Palette Virtual Cluster. Use the Deploy a Virtual Cluster guide for additional guidance or check out the Deploy an Application using Palette Dev Engine tutorial.

Validate

You can validate the Vault instance deployed successfully by using the following steps.

  1. Log in to Palette and switch to App Mode.
  1. Navigate to the left Main Menu and select Apps.
  1. Select your application that contains Vault to view its details page.
  1. Ensure the Status is Deployed and that the Vault service has a green dot next to it.
  1. Next, click on the Virtual Cluster link in the App details page.
  1. Click the URL to download the kubeconfig.
  1. Set up your local kubectl environment to use the kubeconfig file you downloaded. Review the Access Cluster with CLI guide for additional guidance.
  1. Export the following environment variables to prepare your environment to interact with Vault.


    export VAULT_ADDR=https://127.0.0.1:8200 

    export VAULT_SKIP_VERIFY=true
  2. Configure port forwarding between your local workstation and the pod hosting Vault. Use the following commands to configure the port forward.


    VAULT_NAMESPACE=$(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.namespace}') && \
    kubectl port-forward $(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.name}') 8200:8200 --namespace $VAULT_NAMESPACE

    kubectl port-forward $(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.name}') 8200:8200 --namespace $VAULT_NAMESPACE
  3. Open your browser and visit https://localhost:8200/ui to access the Vault UI. You will receive a warning due to the usage of a self-signed certificate but you can ignore this warning.

To acquire the Vault root token, review the Vault Credentials section.

Output Variables

The exposed output variables. Use these variables when connecting higher-level services with Vault:

ParameterOutput VariableDescription
Vault Root Token{{.spectro.app.$appDeploymentName.<service-name>.VAULT_ROOT_TOKEN}}The root token of the Vault instance.
Service Hostname{{.spectro.app.$appDeploymentName.<service-name>.VAULTMSTR_SVC}}The Kubernetes service hostname for the Vault service.
Service Port{{.spectro.app.$appDeploymentName.<service-name>.VAULTMSTR_SVC_PORT}}The exposed port for the Vault service.
Namespace{{.spectro.app.$appDeploymentName.<service-name>.VAULTMSTR_SVC_NAMESPACE}}The Kubernetes namespace the Vault instance is deployed to.

Vault Credentials

The Vault root token and the unseal keys are stored as a Kubernetes secret inside the virtual cluster. You can retrieve the Vault root token by following these steps.

  1. Log in to Palette and switch to App Mode.
  1. Navigate to the left Main Menu and select Clusters.
  1. Select the cluster that has Vault installed to view its details page.
  1. Download the cluster kubeconfig file.
  1. Set up your local kubectl environment to use the kubeconfig file you downloaded. Review the Access Cluster with CLI guide for additional guidance.
  1. You need to get the Vault namespace and application name. Issue the following command to get the unique values.


    VAULT_NAMESPACE=$(kubectl get pods --selector app.kubernetes.io/name=vault --all-namespaces --output jsonpath='{.items[0].metadata.namespace}') && \
    APP_NAME=$(echo "$VAULT_NAMESPACE" | sed 's/-ns$//')
  2. Next, issue the command below to retrieve the Vault root token.


    kubectl get secret $APP_NAME-unseal-keys --output jsonpath='{.data.vault-root}' --namespace $VAULT_NAMESPACE | base64 --decode
  3. To acquire all five unseal keys, use the following command.


    kubectl get secret $APP_NAME-unseal-keys --namespace $VAULT_NAMESPACE --output  json \
    | jq -r '.data | to_entries | .[] | select(.key | startswith("vault-unseal-")) | .value | @base64d + "\n"'

Next Steps

You can add Vault to your application profile and start integrating Vault with your applications. To learn more about integrating Vault with your applications, check out the Vault App Integrations tutorials from HashiCorp.

Resources