HashiCorp Vault is a secrets management tool that provides a secure, centralized way to store, access, and manage sensitive information such as API keys, passwords, tokens, and encryption keys. Vault is designed to help organizations minimize the risk of data breaches and simplify the management of secrets across distributed systems and applications.
You can choose either HashiCorp Consul or PostgreSQL as the storage backend for HashiCorp Vault.
- Initialize vault-0 with one key share and one key threshold:
kubectl -n vault exec vault-0 -- vault operator init \
  -key-shares=1 \
  -key-threshold=1 \
  -format=json > vault-keys.json
NOTE: A single key share and a single key threshold are not recommended for production Vault deployments.
- Store the Vault unseal key in a variable:
VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" vault-keys.json)
- Unseal Vault on every pod:
kubectl -n vault exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
kubectl -n vault exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
kubectl -n vault exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
- Install the Vault CLI:
brew install vault
- Set a variable with the Vault URL:
export VAULT_ADDR=https://$(kubectl get ingress -n vault -o=jsonpath='{.items[0].spec.rules[0].host}')
- Set a variable with the Vault root token:
export VAULT_TOKEN=$(jq -r ".root_token" vault-keys.json)
- Check the Vault cluster status:
vault status
- Enable a KV secrets engine version 2 at the path secrets/. The kv secrets engine is used to store arbitrary secrets within the configured physical storage for Vault.
vault secrets enable -path=secrets -version=2 kv
- Verify secrets engine
vault secrets list
- List secrets (the mount path is secrets/, as enabled above):
vault kv list secrets/
- Set a secret name variable:
VAULT_SECRET_NAME=mySecret
- Create or update the secret:
vault kv put -mount=secrets ${VAULT_SECRET_NAME} username=foo password=bar
- Fetch the secret:
vault kv get secrets/${VAULT_SECRET_NAME}
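The init and unseal steps above use a single key share, which the NOTE warns against. As an added example (not part of the original guide), the following script initialises the same three pods with a production-shaped Shamir split of 5 shares and a threshold of 3, and unseals each pod with exactly the threshold number of distinct keys; it assumes the same namespace (vault), pod names (vault-0..2) and key file (vault-keys.json) as the steps above, plus kubectl and jq on PATH.

```shell
#!/bin/sh
# Added example, not part of the original guide: initialise and unseal the same
# three pods with a production-shaped Shamir split (5 shares, threshold 3), so no
# single key holder can unseal the cluster. Assumes the namespace (vault), pod
# names (vault-0..2) and key file (vault-keys.json) used above, plus kubectl and jq.
set -eu

NAMESPACE=${NAMESPACE:-vault}

# Reject a split that lets one key unseal Vault (threshold < 2) or that Vault
# would refuse anyway (threshold > shares).
check_split() {            # check_split SHARES THRESHOLD
  [ "$2" -ge 2 ] && [ "$2" -le "$1" ]
}

# Initialise vault-0 and keep the key material readable only by this user.
init_cluster() {           # init_cluster SHARES THRESHOLD OUTFILE
  check_split "$1" "$2" || { echo "refusing threshold $2 of $1 shares" >&2; return 1; }
  kubectl -n "$NAMESPACE" exec vault-0 -- vault operator init \
    -key-shares="$1" -key-threshold="$2" -format=json > "$3"
  chmod 600 "$3"
}

# Submit each key once. Vault counts distinct shares, so feeding the same
# key repeatedly never reaches the threshold.
unseal_pod() {             # unseal_pod POD KEY...
  pod=$1; shift
  for key in "$@"; do
    kubectl -n "$NAMESPACE" exec "$pod" -- vault operator unseal "$key" > /dev/null
  done
}

# Unseal every pod with exactly the threshold number of keys from the init
# output, then print each pod's sealed flag from `vault status`.
unseal_cluster() {         # unseal_cluster KEYFILE POD...
  keyfile=$1; shift
  threshold=$(jq -r '.unseal_threshold' "$keyfile")
  # Take only the first $threshold base64 shares, one per line (no whitespace inside).
  keys=$(jq -r --argjson n "$threshold" '.unseal_keys_b64[:$n][]' "$keyfile")
  for pod in "$@"; do
    # shellcheck disable=SC2086  # word-splitting $keys into arguments is intended
    unseal_pod "$pod" $keys
    # vault status exits 2 while sealed; without pipefail the pipeline takes jq's status.
    kubectl -n "$NAMESPACE" exec "$pod" -- vault status -format=json \
      | jq -r --arg pod "$pod" '"\($pod) sealed=\(.sealed)"'
  done
}
```

Run it as `init_cluster 5 3 vault-keys.json` followed by `unseal_cluster vault-keys.json vault-0 vault-1 vault-2`; the remaining two shares stay with other key holders and are never needed on the operator's machine.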