...
Code Block |
---|
|
# Clone the chart repo
$ git clone https://github.com/hashicorp/vault-helm.git
$ cd vault-helm
# Checkout a tagged version
$ git checkout v0.1.2
# Run Helm
$ helm install --name vault --namespace kube-system .
... |
NOTE: You can pass the --dry-run flag to helm install to simply print out the resources that will be created, instead of actually triggering their creation.
...
Code Block |
---|
|
$ kubectl logs -f vault-0 -n kube-system
==> Vault server configuration:
Api Address: http://10.37.0.7:8200
Cgo: disabled
Cluster Address: https://10.37.0.7:8201
Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: true
Storage: file
Version: Vault v1.2.2
==> Vault server started! Log data will stream in below:
2019-11-05T19:42:37.448Z [INFO] core: seal configuration missing, not initialized
2019-11-05T19:42:40.439Z [INFO] core: seal configuration missing, not initialized
2019-11-05T19:42:43.369Z [INFO] core: seal configuration missing, not initialized
2019-11-05T19:42:46.420Z [INFO] core: seal configuration missing, not initialized
2019-11-05T19:42:49.215Z [INFO] core: seal configuration missing, not initialized
... ... ... ... ... ... ... ... ... ... ... |
...
Code Block |
---|
|
$ kubectl exec -it -n kube-system vault-0 -- vault status |
NOTE: For larger Vault clusters, configuring Vault to be exposed via a Kubernetes Service may be preferable.
...
Code Block |
---|
|
$ kubectl exec -it vault-0 -n kube-system -- vault operator init
Unseal Key 1: qGDqGX13Sy/G6E+ZuQZ9DvhoFV7PDYfpPDO7uv1ox1qI
Unseal Key 2: EFfPzYkeowIZRqVoV2Dg9SeQmfj0Hi33CBjAy2Zq1T/9
Unseal Key 3: j13UH+mdrOE+3bwBVOdv/YUKjTyrSNRDUaZykx7aFQRv
Unseal Key 4: mwA47fXNmdv8u2nXL8s2poi1oqjfGNPNMc6aGG5j1S2m
Unseal Key 5: 0TQ42RgTH+xiKguZiIsg5ttrGuZ5gy3xAqY7G6QjRns4
Initial Root Token: s.JyaDk0IiYveqHiXJAmhdJ9Es
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information. |
...
Code Block |
---|
|
$ kubectl exec -it vault-0 -n kube-system -- vault operator unseal
Unseal Key (will be hidden): <paste-from-above>
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true <---- Sealed
Total Shares 5
Threshold 3
Unseal Progress 1/3 <----
Unseal Nonce 0ed7cb42-66ad-63b2-fb42-36410f93b6b1
Version 1.2.2
HA Enabled false
$ kubectl exec -it vault-0 -n kube-system -- vault operator unseal
Unseal Key (will be hidden): <paste-from-above>
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true <---- Sealed
Total Shares 5
Threshold 3
Unseal Progress 2/3 <----
Unseal Nonce 0ed7cb42-66ad-63b2-fb42-36410f93b6b1
Version 1.2.2
HA Enabled false
$ kubectl exec -it vault-0 -n kube-system -- vault operator unseal
Unseal Key (will be hidden): <paste-from-above>
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false <---- Unsealed
Total Shares 5
Threshold 3
Version 1.2.2
Cluster Name vault-cluster-0959e8a7
Cluster ID 60657f4c-55fb-0bb5-d511-9dc9e32f5eb6
HA Enabled false
|
...