36 lines
1.1 KiB
Markdown
36 lines
1.1 KiB
Markdown
|
### 1) HashiCorp Vault
|
||
|
|
Not currently in use (using bitnami sealed-secrets instead); left for reference
|
||
|
|
|
||
|
|
##### 1.1) Create `persistentVolume` and `ingressRoute`
|
||
|
|
*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
|
||
|
|
```shell
|
||
|
|
kubectl create namespace vault
|
||
|
|
kubectl apply -f services/Vault/persistentVolume-Vault.yml
|
||
|
|
kubectl apply -f services/Vault/ingressRoute-Vault.yml
|
||
|
|
```
|
||
|
|
##### 1.2) Install Helm Chart
|
||
|
|
*REMOVED; left for reference*
|
||
|
|
See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
|
||
|
|
```shell
|
||
|
|
helm repo add hashicorp https://helm.releases.hashicorp.com
|
||
|
|
helm repo update
|
||
|
|
helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
|
||
|
|
```
|
||
|
|
Configure Vault for use;
|
||
|
|
- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~- Store basic access policy template
|
||
|
|
- Enable `kv`-engine
|
||
|
|
```
|
||
|
|
# kubectl exec -n vault -it vault-0 -- sh
|
||
|
|
|
||
|
|
# It might be necessary to first login with an existing token:
|
||
|
|
# vault login
|
||
|
|
|
||
|
|
cat <<EOF > /home/vault/app-policy.hcl
|
||
|
|
path "secret*" {
|
||
|
|
capabilities = ["read"]
|
||
|
|
}
|
||
|
|
EOF
|
||
|
|
|
||
|
|
vault secrets enable -path=secret -version=2 kv
|
||
|
|
```
|