DaspawnW/vault-crd

Vault Setup info

Closed this issue · 2 comments

Hi @DaspawnW ,

I found this link https://koudingspawn.de/how-vault-crd-can-help/ quite informative. I am using sealed-secrets for doing all the secrets management via a GitOps process, which works quite well. I had only a few questions.

  1. How is Vault set up in K8s (Helm install, or is a Vault operator set up)? Could you elaborate in your blog on how the Vault server is set up on K8s?
  2. How is the persistence of secrets managed in Vault? Are you using a storage backend mentioned here https://www.vaultproject.io/docs/configuration/storage/ ?

Kevin

Hi @linuxbsdfreak,

For the installation of Vault itself you can use, for example, the official Vault Helm chart provided by HashiCorp: https://www.hashicorp.com/blog/announcing-the-vault-helm-chart/
In the past HashiCorp did not recommend running Vault itself in the Kubernetes cluster or in Docker, but it seems this changed with the new announcement.

I've never tried to run HashiCorp Vault in the cluster myself, because I also perform the authentication to Kubernetes via Vault's PKI secrets engine. If you then deploy Vault in Kubernetes as well, you'll run into a chicken-and-egg problem (https://koudingspawn.de/secure-kubernetes-with-vault/ , https://koudingspawn.de/combine-vault-with-kubeadm/).

As persistence for HashiCorp Vault I typically use the file backend for local workloads like DEV, but for everything else I use Consul. This is also the recommended way, and if you are interested in the enterprise version I've heard that this is also a requirement.
One of the key features of Consul is that it is very easy to back up and restore. Only one command is required and you have a backup that you can store in some safe location like S3. The same goes for the restore process, so you can very easily build an automation around it.
If you are starting as a "new" user I would also recommend having a look at the new internal backend via the Raft protocol. This one is not production ready yet, but looks very promising. (https://www.vaultproject.io/docs/configuration/storage/raft.html)

Björn
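A minimal Vault server configuration showing the backend choice discussed in the comment above (file backend for DEV, Consul for everything else, Raft as the newer integrated option), as an added example that is not part of this thread or of the vault-crd project. Paths, addresses, the hostname and the Consul ACL token are placeholders.

```hcl
# Constructed example: vault server -config=vault.hcl
# Exactly one storage stanza may be active; the alternatives are commented out.

# DEV / local workloads: single node, no HA, data on local disk.
storage "file" {
  path = "/vault/data"
}

# Everything else: Consul KV as HA storage backend (swap with the block above).
# The ACL token should be scoped to the "vault/" KV prefix only, so a leaked
# Vault config does not grant access to the rest of the Consul KV tree.
# storage "consul" {
#   address = "127.0.0.1:8500"       # local Consul agent, not the servers
#   path    = "vault/"               # KV prefix Vault writes under
#   token   = "<CONSUL-ACL-TOKEN>"   # placeholder, inject via env/secret
# }

# Newer option: integrated Raft storage, no external Consul cluster needed.
# storage "raft" {
#   path    = "/vault/raft"
#   node_id = "vault-1"
# }
# cluster_addr = "https://vault-1.example.internal:8201"

# Never expose the API without TLS; the file paths are placeholders.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}

api_addr = "https://vault.example.internal:8200"
ui       = true
```

With the Consul backend active, the backup the comment refers to is Consul's snapshot of its KV store, so the Vault data at rest remains encrypted with Vault's own keys and the snapshot still needs the unseal keys to be useful after a restore.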

Hi @linuxbsdfreak,

please reopen if you still have questions.

BR,
Björn