- Deploying HashiCorp Vault in a validated pattern
- Setting up HashiCorp Vault
- What’s next?
You have deployed/installed a validated pattern using the instructions provided for that pattern. This should include having logged into the cluster using `oc login` or setting your `KUBECONFIG` environment variable and running a
Any validated pattern that uses HashiCorp Vault has already deployed Vault as part of `make install`. To verify that Vault is installed, first check that the `vault` project exists, then select Workloads/Pods:
In order to set up HashiCorp Vault there are a number of different steps. First you must unseal the vault, and then you must create the secrets assets needed. Fortunately, the validated patterns effort has automated this for you by providing a script.
From the shell in which you ran `make install`, run:
The Makefile includes a call-out to the script that performs the unseal and sets up the secrets.
You can check that the secrets were set up by examining the Vault user interface. In order to do so you will need some data from the `common/pattern-vault.init` file generated by the `make vault-init` command.
```text
~/g/multicloud-gitops on main ◦ cat common/pattern-vault.init
Unseal Key 1: jJvLf7Pv+BDo0d39ofvBu58srGpUrhVZbnzXXXXXXXXX
Unseal Key 2: XMQtBDB3WGdBnWFt3jIb8IZ8wyr4RxPM2oB7XXXXXXXX
Unseal Key 3: sStLSI0ejUAt4kno2ArPTN3kzwzqiBmYnhrXXXXXXXXX
Unseal Key 4: VdVkgdtuXKEqF4oNFg8dh2MkzXbs3ZJ68NzRXXXXXXXX
Unseal Key 5: gZ5afnmJu+24Ty+H6EP3gf257D9ZefrgJrYXXXXXXXXX

Initial Root Token: s.R3NG5LHipbabbleDummyhyKHq

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```
Locate the `Initial Root Token`; the unseal keys are listed above it. In the OpenShift console, under the `vault` project, navigate to Networking/Routes and click on the URL for the Vault route. On the Vault page, paste the token copied from the `common/pattern-vault.init` file. After signing in you will see the secrets that have been created.
If you don’t see the sign-in page but instead see an unseal page, something may have happened to the cluster and you need to unseal it again. Instead of using `make vault-init`, you should run
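As an added example (not the validated patterns project's own script), the helper below shows what the unseal step amounts to: it reads the key-threshold quorum and the root token out of the generated init file and feeds the keys to a sealed Vault pod until `vault status` reports it unsealed. The `vault` project name and the `vault-0` pod name are assumptions, and `oc` must already be logged in to the cluster.

```shell
#!/bin/sh
# Added example, not the validated patterns' own script.
# Assumed names (override via environment if your deployment differs):
VAULT_NS="${VAULT_NS:-vault}"      # project the Vault pods run in (assumption)
VAULT_POD="${VAULT_POD:-vault-0}"  # pod to exec into (assumption)
set -eu

# Print the first N unseal keys from a pattern-vault.init file, one per line.
# Lines look like "Unseal Key 1: <key>", so the key is the fourth field.
unseal_keys_from_init() {
  file="$1"; threshold="${2:-3}"
  grep -E '^Unseal Key [0-9]+:' "$file" | awk '{print $4}' | head -n "$threshold"
}

# Print the initial root token from the same file ("Initial Root Token: <token>").
root_token_from_init() {
  awk '/^Initial Root Token:/ {print $4}' "$1"
}

# True when a `vault status -format=json` document reports "sealed": true.
is_sealed_json() {
  printf '%s' "$1" | grep -Eq '"sealed": *true'
}

# Ask the running pod for its seal status; a sealed Vault exits non-zero,
# so the output is captured rather than relying on the exit code.
vault_is_sealed() {
  out=$(oc -n "$VAULT_NS" exec "$VAULT_POD" -- vault status -format=json 2>/dev/null || true)
  is_sealed_json "$out"
}

# Feed the threshold number of keys (3 of 5 in the page's example) to the pod,
# then confirm the seal dropped. The root token is never sent: it is only
# needed afterwards to log in to the UI.
unseal_vault() {
  file="$1"
  unseal_keys_from_init "$file" 3 | while IFS= read -r key; do
    oc -n "$VAULT_NS" exec "$VAULT_POD" -- vault operator unseal "$key" >/dev/null
  done
  if vault_is_sealed; then
    echo "vault still sealed after feeding keys from $file" >&2
    return 1
  fi
  echo "vault unsealed; log in with: $(root_token_from_init "$file")"
}
```

Source the file and call `unseal_vault common/pattern-vault.init` when the UI shows the unseal page instead of the sign-in page.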
Check the validated pattern's instructions to see whether there are further steps you need to perform. Sometimes this might be deploying a pattern on an edge cluster and checking that the correct Vault handshaking and updating occurs.