HashiCorp Vault Add-on for AWS EKS

Deploy HashiCorp Vault to AWS EKS Clusters with this add-on.

Usage

To override any of the chart's defaults, pass the helm_config variable.

For a more extensive example, see blueprints/getting-started.

Unsealing Vault

Once the add-on has been deployed, you can unseal the Vault server using the following commands.

By default, you will need to be in the vault (Kubernetes) namespace while running these commands.

First, initialize the Vault server. This will return the unseal keys and the root token. Store these in a safe place, since you will use them to unseal the Vault server.

kubectl exec -it vault-0 -n vault -- vault operator init

Next, unseal the Vault server by providing at least 3 of these keys. Vault must be unsealed before it can service requests.

kubectl exec -it vault-0 -n vault -- vault operator unseal <key 1>
kubectl exec -it vault-0 -n vault -- vault operator unseal <key 2>
kubectl exec -it vault-0 -n vault -- vault operator unseal <key 3>

Confirm that the Vault server is unsealed by checking the status of the Vault server.

kubectl get pods -n vault | grep vault

This command will return a similar output to the following.

NAME                 | READY | STATUS  | RESTARTS | AGE
---------------------|-------|---------|----------|-----
vault-0              |  1/1  | Running | 0        | 28m
vault-agent-injector |  1/1  | Running | 0        | 1m
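The seal state can also be read from Vault itself. The following is an added example, not part of the add-on's own code: it parses the output of vault status -format=json and reports how many more unseal keys are needed. The pod name vault-0 and namespace vault come from the commands above; the function names and the sample JSON are constructed for illustration.

```python
import json
import subprocess

# Constructed samples of `vault status -format=json` output (trimmed to the fields used).
SAMPLE_SEALED = '{"type": "shamir", "initialized": true, "sealed": true, "t": 3, "n": 5, "progress": 1}'
SAMPLE_UNSEALED = '{"type": "shamir", "initialized": true, "sealed": false, "t": 3, "n": 5, "progress": 0}'
SAMPLE_UNINIT = '{"type": "shamir", "initialized": false, "sealed": true, "t": 0, "n": 0, "progress": 0}'


def seal_report(status_json: str) -> dict:
    """Summarise seal state from `vault status -format=json` output."""
    status = json.loads(status_json)
    initialized = bool(status.get("initialized", False))
    # Fail closed: a missing "sealed" field is treated as sealed.
    sealed = bool(status.get("sealed", True))
    threshold = int(status.get("t", 0))     # keys required to unseal
    progress = int(status.get("progress", 0))  # keys supplied so far

    if not initialized:
        # `vault operator init` has not been run yet; no threshold exists.
        return {"state": "uninitialized", "keys_remaining": None}
    if sealed:
        return {"state": "sealed", "keys_remaining": max(threshold - progress, 0)}
    return {"state": "unsealed", "keys_remaining": 0}


def fetch_status(pod: str = "vault-0", namespace: str = "vault") -> str:
    """Run `vault status` in the pod and return its JSON output."""
    proc = subprocess.run(
        ["kubectl", "exec", pod, "-n", namespace, "--",
         "vault", "status", "-format=json"],
        capture_output=True, text=True,
    )
    # `vault status` exits 0 when unsealed and 2 when sealed; both carry
    # valid JSON. Any other exit code is an error.
    if proc.returncode not in (0, 2):
        raise RuntimeError(f"vault status failed: {proc.stderr.strip()}")
    return proc.stdout


if __name__ == "__main__":
    print(seal_report(fetch_status()))
```
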

At this point, you can use Vault to store, access and deploy secrets to your application workloads.

Refer to this guide for a detailed overview on how to get started.

Inputs

Name              | Description | Type | Default | Required
------------------|-------------|------|---------|---------
addon_context     | Input configuration for the addon. | object({ aws_caller_identity_account_id = string, aws_caller_identity_arn = string, aws_eks_cluster_endpoint = string, aws_partition_id = string, aws_region_name = string, eks_cluster_id = string, eks_oidc_issuer_url = string, eks_oidc_provider_arn = string, tags = map(string) }) | n/a | yes
helm_config       | HashiCorp Vault Helm chart configuration. | any | {} | no
manage_via_gitops | Determines if the add-on should be managed via GitOps. | bool | false | no
vault_namespace   | Kubernetes Namespace to deploy HashiCorp Vault in | string | "vault" | no

Outputs

Name                 | Description
---------------------|------------
argocd_gitops_config | Configuration used for managing the add-on with ArgoCD
merged_helm_config   | (merged) Helm Config for HashiCorp Vault

Author Information

This repository is maintained by the contributors listed on GitHub.

License

Licensed under the Apache License, Version 2.0 (the "License").

You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.

See the License for the specific language governing permissions and limitations under the License.