Deploy High Availability Vault on Kubernetes with a Consul Backend

Prerequisites:

  • A Kubernetes cluster with helm installed

Deploy consul and vault

Deploy consul using helm

helm install --name consul stable/consul --set Replicas=1

Install vault using helm

helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator
helm install --name vault incubator/vault --set vault.dev=false --set vault.config.storage.consul.address="consul-consul:8500",vault.config.storage.consul.path="vault"

Explanation:

vault.dev=false : Run vault in non-developer (production) mode
vault.config.storage.consul.address="consul-consul:8500" : Configure the storage backend to use consul; the value is the address of the consul service
vault.config.storage.consul.path="vault" : The storage path in consul that vault will use

Check the vault pods

[root@k8s-controller-95 ~]# kubectl get pods
NAME                                             READY     STATUS    RESTARTS   AGE
consul-consul-0                                  1/1       Running   0          3m
vault-vault-7bc8455989-nrbzx                     1/1       Running   0          1m
vault-vault-7bc8455989-rpfbs                     1/1       Running   0          1m
vault-vault-7bc8455989-wkz2f                     1/1       Running   0          1m

At this point, we have successfully deployed vault with consul as its storage backend.

Initialize vault

Enter one of the vault pods

kubectl exec -it vault-vault-7bc8455989-nrbzx sh
/ # export VAULT_ADDR=http://127.0.0.1:8200
/ # vault operator init
Unseal Key 1: ODPdWU8EM2z4NA1M4TYF0dUnQQEic8UFs0lnu0ikU98p
Unseal Key 2: gtoFhiDcvkiG8f/DNc3oEF2FrUKW6gSlg3BuwbvKTYHm
Unseal Key 3: 3Ft5GEHl8W0CivnEzKgiGetkLbSCPld3qJT1lfxlGVKO
Unseal Key 4: /b0vZsrOpNSxR/8FEML220gsvX4ZAfj2kRYZxChqqVeF
Unseal Key 5: +8/QbWUZBuuVrFzVtXWD4RZj1E0O7VicAqXqTL7AYJ2j

Initial Root Token: eb946945-768f-2e08-2f92-c6ed4045767a

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault rekey" for more information.

From this step we obtain 5 unseal keys that can be used to unseal vault. By default, 3 of the 5 unseal keys are required. We also obtain 1 root token that can be used to log in. More about initializing vault can be read here, and about seal/unseal here.

Check pod availability again

[root@k8s-controller-95 ~]# kubectl get pods
NAME                                             READY     STATUS    RESTARTS   AGE
consul-consul-0                                  1/1       Running   0          9m
vault-vault-7bc8455989-nrbzx                     0/1       Running   0          7m
vault-vault-7bc8455989-rpfbs                     0/1       Running   0          7m
vault-vault-7bc8455989-wkz2f                     0/1       Running   0          7m

We can see that all vault pods now have status 0/1. This is because vault is still sealed.

Go back into every vault pod and run the following commands to unseal each vault pod

[root@k8s-controller-95 ~]# kubectl exec -it vault-vault-7bc8455989-nrbzx sh
/ # 
/ # export VAULT_ADDR=http://127.0.0.1:8200
/ # 
/ # vault operator unseal
Unseal Key (will be hidden): 
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       471f1593-fab9-f8e5-0723-cf910cfc5d66
Version            0.10.1
HA Enabled         true
/ # vault operator unseal
Unseal Key (will be hidden): 
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       471f1593-fab9-f8e5-0723-cf910cfc5d66
Version            0.10.1
HA Enabled         true
/ # vault operator unseal
Unseal Key (will be hidden): 
Key                    Value
---                    -----
Seal Type              shamir
Sealed                 false
Total Shares           5
Threshold              3
Version                0.10.1
Cluster Name           vault-cluster-c3de476a
Cluster ID             79106dc8-c11c-ac59-c4ee-599625a5cf2c
HA Enabled             true
HA Cluster             n/a
HA Mode                standby
Active Node Address    <none>
/ # vault status
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    5
Threshold       3
Version         0.10.1
Cluster Name    vault-cluster-c3de476a
Cluster ID      79106dc8-c11c-ac59-c4ee-599625a5cf2c
HA Enabled      true
HA Cluster      https://10.234.16.5:8201
HA Mode         active

If this succeeds, the next time we check the pods, all of them will be in the 1/1 state

[root@k8s-controller-95 ~]# kubectl get pods
NAME                                             READY     STATUS    RESTARTS   AGE
consul-consul-0                                  1/1       Running   0          32m
vault-vault-7bc8455989-nrbzx                     1/1       Running   0          31m
vault-vault-7bc8455989-rpfbs                     1/1       Running   0          31m
vault-vault-7bc8455989-wkz2f                     1/1       Running   0          31m
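The unseal step above is done by hand, pod by pod. The script below is an added example, not part of the original post: it parses the Sealed and Unseal Progress rows of the vault status output shown above and runs vault operator unseal only on pods that still need it. The pod name prefix (POD_PREFIX) and the UNSEAL_KEYS variable holding one key per line are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: check the seal state of every
# vault pod by parsing the "vault status" key/value output, and run
# "vault operator unseal" only on pods that still report Sealed=true.
# Assumptions: pod names start with POD_PREFIX; UNSEAL_KEYS holds one key per line.
POD_PREFIX="${POD_PREFIX:-vault-vault-}"
VAULT_ENV='export VAULT_ADDR=http://127.0.0.1:8200'

# is_sealed: print the value of the "Sealed" row (true/false), or "unknown".
is_sealed() {
  printf '%s\n' "$1" | awk '$1 == "Sealed" { print $2; f=1 } END { if (!f) print "unknown" }'
}

# unseal_progress: print "n/m" from the "Unseal Progress" row, or "-" once unsealed.
unseal_progress() {
  printf '%s\n' "$1" | awk '$1 == "Unseal" && $2 == "Progress" { print $3; f=1 } END { if (!f) print "-" }'
}

# unseal_pod: feed the first THRESHOLD keys to "vault operator unseal" inside one pod.
unseal_pod() {
  pod="$1"; threshold="$2"
  printf '%s\n' "$UNSEAL_KEYS" | head -n "$threshold" | while IFS= read -r key; do
    kubectl exec -i "$pod" -- sh -c "$VAULT_ENV; vault operator unseal \"\$1\"" sh "$key" >/dev/null
  done
}

# unseal_all: walk every vault pod; unseal the sealed ones, skip the rest.
unseal_all() {
  threshold="${1:-3}"
  for pod in $(kubectl get pods -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep "^$POD_PREFIX"); do
    status=$(kubectl exec "$pod" -- sh -c "$VAULT_ENV; vault status" 2>/dev/null)
    if [ "$(is_sealed "$status")" = "true" ]; then
      echo "$pod: sealed (progress $(unseal_progress "$status")), unsealing"
      unseal_pod "$pod" "$threshold"
    else
      echo "$pod: already unsealed, skipping"
    fi
  done
}

# Constructed sample of "vault status" output for a sealed pod (for testing).
SAMPLE_SEALED='Key                Value
---                -----
Seal Type          shamir
Sealed             true
Threshold          3
Unseal Progress    1/3'
```

Run it with UNSEAL_KEYS exported from a key file (for example UNSEAL_KEYS=$(cat keys.txt) unseal_all 3) so the keys never appear in the host shell history.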

Further references

Dynamic secrets on Kubernetes pods using Vault
