Category: Kubernetes, Hashicorp

Secret management is not optional; it must be done, and done in a secure way, because:

One of the best secret management tools on the market is Vault. Unlike other tools, it is designed for DevSecOps: security is managed as code, whereas other tools are driven by manual configuration, and in most cases a vendor-specific consultant must be hired to maintain that snowflake server.

This blog post is not an introduction to Vault; it is a practical guide to deploying a production-ready, highly available Vault with ease using Kubernetes and a few scripted operations. In this walkthrough we follow the production hardening recommendations provided by HashiCorp, such as: end-to-end TLS, single tenancy, disabling the root token, not running as root, restricting storage access, enabling auditing, and so on.

At the end of this post, we'll have the following architecture:

Requirements:

As indicated in the production hardening recommendations, communication between Vault and Consul must be encrypted, so we will set up certificates to be used by:

For this purpose we will use the Cloudflare SSL toolkit (cfssl and cfssljson), so make sure it is installed before proceeding to the next step.
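As an added example (this is not code from the original post), the script below writes the cfssl inputs for a cluster-internal CA and issues server certificates from it for both Vault and Consul, so that the client-facing Vault listener and the Vault-to-Consul storage path are both covered by TLS. The Kubernetes namespace `vault`, the Service names `vault` and `consul`, and the Consul datacenter `dc1` are assumptions; replace them with the values used in your cluster.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): build an internal CA with cfssl and
# issue server certificates for Vault and Consul.
# Assumed names: Kubernetes namespace "vault", Services "vault" and "consul",
# Consul datacenter "dc1". Replace them with the values used in your cluster.
set -e

# Write the cfssl inputs (CA CSR, signing policy, and one CSR per component).
write_cfssl_inputs() {
  dir="$1"
  mkdir -p "$dir"

  # Root of trust for the cluster-internal PKI; ECDSA P-256 keeps keys small.
  cat > "$dir/ca-csr.json" <<'EOF'
{
  "CN": "vault-internal-ca",
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "vault-internal" } ],
  "ca": { "expiry": "43800h" }
}
EOF

  # Signing policy: one profile valid as both server and client certificate,
  # because Vault is a TLS client of Consul and Consul agents talk to each other.
  cat > "$dir/ca-config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
EOF

  # Vault listener certificate. SANs must cover every name clients will dial.
  cat > "$dir/vault-csr.json" <<'EOF'
{
  "CN": "vault",
  "hosts": [
    "vault",
    "vault.vault.svc",
    "vault.vault.svc.cluster.local",
    "localhost",
    "127.0.0.1"
  ],
  "key": { "algo": "ecdsa", "size": 256 }
}
EOF

  # Consul server certificate. Consul verifies "server.<dc>.<domain>" when
  # verify_server_hostname is enabled, so that SAN is required.
  cat > "$dir/consul-csr.json" <<'EOF'
{
  "CN": "server.dc1.consul",
  "hosts": [
    "server.dc1.consul",
    "consul",
    "consul.vault.svc",
    "consul.vault.svc.cluster.local",
    "localhost",
    "127.0.0.1"
  ],
  "key": { "algo": "ecdsa", "size": 256 }
}
EOF
}

# Run cfssl/cfssljson to produce ca.pem, ca-key.pem, vault.pem, vault-key.pem,
# consul.pem and consul-key.pem inside the given directory.
issue_certs() {
  dir="$1"
  (
    cd "$dir"
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    for name in vault consul; do
      cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
        -profile=server "$name-csr.json" | cfssljson -bare "$name"
    done
  )
  # Private keys must not be world-readable; they are loaded into Kubernetes Secrets.
  chmod 0600 "$dir"/*-key.pem
}

# Usage: sh gen-certs.sh issue ./pki   (requires cfssl and cfssljson on PATH)
if [ "${1:-}" = "issue" ]; then
  write_cfssl_inputs "${2:-./pki}"
  issue_certs "${2:-./pki}"
fi
```

The resulting `ca.pem` is the one file both sides need: Vault references it for its Consul storage connection and Consul agents reference it as their CA, while each component gets only its own certificate and key. Mounting them from Kubernetes Secrets rather than baking them into images keeps the key material out of the image registry.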

Vault relies on an external storage backend (here Consul) for persistence; this decoupling keeps the Vault pods themselves stateless, which allows Vault to be managed immutably.

To confirm this, delete all Vault pods:

Wait for the Vault pods to come back to the Running state, then open the Consul web UI at http://127.0.0.1:8500: all checks should be green.
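The same verification can be scripted against Consul's HTTP API instead of eyeballing the UI. The following is an added example, not code from the original post; the namespace `vault`, the pod label `app=vault` and the port-forwarded Consul address `http://127.0.0.1:8500` are assumptions, and the JSON used in the usage check is constructed sample data.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): recycle the Vault pods, wait until
# they are Ready again, and confirm through the Consul HTTP API that no health
# check is left in warning or critical state.
# Assumed names: namespace "vault", pod label "app=vault", Consul reachable at
# http://127.0.0.1:8500 (for example through kubectl port-forward).

# Count the checks in a Consul /v1/health/state/any response whose Status is
# not "passing". Reads the JSON from stdin; handles both compact and
# pretty-printed API output without needing jq.
non_passing_count() {
  grep -oE '"Status": ?"[a-z]+"' | grep -cv '"passing"' || true
}

# Delete every Vault pod and block until the replacements report Ready.
restart_vault_pods() {
  ns="$1"
  kubectl -n "$ns" delete pod -l app=vault
  # Replacement pods take a moment to be created; retry the wait until they exist.
  for attempt in 1 2 3 4 5 6; do
    if kubectl -n "$ns" wait --for=condition=Ready pod -l app=vault --timeout=180s; then
      return 0
    fi
    sleep 5
  done
  echo "Vault pods did not become Ready" >&2
  return 1
}

# Return 0 when every Consul check passes, 1 otherwise (printing the offenders).
verify_consul_checks() {
  addr="$1"
  body=$(curl -sf "$addr/v1/health/state/any")
  bad=$(printf '%s' "$body" | non_passing_count)
  if [ "$bad" -ne 0 ]; then
    echo "$bad Consul check(s) not passing:" >&2
    printf '%s' "$body" | grep -oE '"(Node|CheckID|Status)": ?"[^"]*"' >&2
    return 1
  fi
  echo "all Consul checks passing"
}

# Usage: sh recycle-vault.sh run [namespace] [consul-addr]
if [ "${1:-}" = "run" ]; then
  restart_vault_pods "${2:-vault}"
  verify_consul_checks "${3:-http://127.0.0.1:8500}"
fi
```

Because the Vault sealed-status check is registered in Consul per Vault instance, a pod that came back but failed to unseal shows up here as a critical check, which is exactly the condition the green-checks glance in the UI is meant to catch.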
