This recipe will show you how to get a Vault service on Kubernetes. Let's perform the following steps to get Vault installed using Helm charts:
- Clone the chart repository:
$ git clone https://github.com/hashicorp/vault-helm.git
$ cd vault-helm
- Check out the latest stable release:
$ git checkout v$(curl --silent "https://api.github.com/repos/hashicorp/vault-helm/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/')
- If you would like to install a highly available Vault, skip to the next step; otherwise, install the standalone version using the Helm chart parameters shown here:
$ helm install --name vault --namespace vault ./
- To deploy a highly available version that uses an HA storage backend such as Consul, use the following Helm chart parameters. This will deploy Vault using a StatefulSet with three replicas:
$ helm install --name vault --namespace vault --set='server.ha.enabled=true' ./
- Verify the status of the pods. You will notice that the pods aren't ready since the readiness probe requires Vault to be initialized first:
$ kubectl get pods -nvault
NAME READY STATUS RESTARTS AGE
vault-0 0/1 Running 0 83s
vault-agent-injector-5fb898d6cd-rct82 1/1 Running 0 84s
- Check the initialization status. It should be false:
$ kubectl exec -it vault-0 -nvault -- vault status
Key Value
--- -----
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version n/a
HA Enabled false
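- Initialize the Vault instance. The following command will return an unseal key and root token. The -n 1 -t 1 flags create a single key share with a threshold of 1, so that one key alone unseals Vault: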
$ kubectl exec -it vault-0 -nvault -- vault operator init -n 1 -t 1
Unseal Key 1: lhLeU6SRdUNQgfpWAqWknwSxns1tfWP57iZQbbYtFSE=
Initial Root Token: s.CzcefEkOYmCt70fGSbHgSZl4
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
- Unseal Vault using the unseal key from the output of the previous command:
$ kubectl exec -it vault-0 -nvault -- vault operator unseal lhLeU6SRdUNQgfpWAqWknwSxns1tfWP57iZQbbYtFSE=
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.3.1
Cluster Name vault-cluster-6970c528
Cluster ID dd88cca8-20bb-326c-acb3-2d924bb1805c
HA Enabled false
- Verify the pod's status. You will see that the readiness probe has been validated and that the pod is ready:
$ kubectl get pods -nvault
NAME READY STATUS RESTARTS AGE
vault-0 1/1 Running 0 6m29s
vault-agent-injector-5fb898d6cd-rct82 1/1 Running 0 6m30s
Vault is ready to be used once it has been initialized and unsealed. Now you know how to get Vault running on Kubernetes.
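The status checks in the steps above can be scripted. The following is an added example, not part of the original recipe: it reads vault status output, reports the next step (init, unseal or ready), and flags a threshold of 1 such as the one that -n 1 -t 1 produces. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the recipe): classify `vault status` table output.

# Print the value of one row; the value is the last field on the row.
status_field() {   # $1 = status text, $2 = key name (hypothetical helper)
  printf '%s\n' "$1" | awk -v key="$2 " 'index($0, key) == 1 { print $NF; exit }'
}

# Next operator step implied by the Initialized and Sealed rows.
vault_next_step() {
  case "$(status_field "$1" Initialized)/$(status_field "$1" Sealed)" in
    false/*)    echo init ;;
    true/true)  echo unseal ;;
    true/false) echo ready ;;
    *)          echo unknown; return 1 ;;
  esac
}

# Classify the Threshold row: below 2 means one key holder can unseal alone.
seal_policy() {
  t=$(status_field "$1" Threshold)
  case "$t" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
  if [ "$t" -eq 0 ]; then echo uninitialized
  elif [ "$t" -lt 2 ]; then echo single-key
  else echo split-key
  fi
}

# Constructed samples, abridged from the status tables shown in the steps above.
STATUS_BEFORE_INIT='Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0'
STATUS_AFTER_UNSEAL='Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1'
# Constructed: initialized with 5 shares and a threshold of 3, still sealed.
STATUS_SPLIT_SEALED='Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3'
for s in "$STATUS_BEFORE_INIT" "$STATUS_AFTER_UNSEAL" "$STATUS_SPLIT_SEALED"; do
  echo "next=$(vault_next_step "$s") seal=$(seal_policy "$s")"
done
```

Against a running pod, pass the functions the text printed by kubectl exec vault-0 -nvault -- vault status instead of the constructed samples.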