jacobmammoliti / vault-terraform-demo

License: MPL-2.0
Deploy HashiCorp Vault with Terraform in GKE.

Vault Terraform Demo

Introduction

This demo will show you how to install Vault on a Kubernetes cluster using the official Helm Chart from HashiCorp and then manage Vault's configuration through Terraform with the Vault provider.

Standing up Kubernetes and Installing Vault

The Terraform code in the terraform-vault-deployment directory stands up a GKE cluster and deploys Vault with the official Helm chart.

Configure any needed variables in terraform.tfvars and then build the cluster:

terraform apply -var-file=terraform.tfvars

Initializing and Unsealing Vault

When a Vault cluster is provisioned, it first needs to be initialized and unsealed. Proceed with the following steps:

If a KMS is not leveraged, you can configure Vault to use the Shamir method to produce unseal keys:

# initialize Vault with one key share and one key threshold
$ kubectl exec -it vault-0 -n vault -- vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: PgfBDMjWLqc+FVVY6+mXFT9kPOy/RUu9WEYS742jktw=

Initial Root Token: s.UvA9TZl4BC3VSjz2hn9PJJUG

Vault initialized with 1 key shares and a key threshold of 1...

# unseal each instance of Vault
$ for i in 0 1 2; do
  kubectl exec -it vault-${i} -n vault -- vault operator unseal PgfBDMjWLqc+FVVY6+mXFT9kPOy/RUu9WEYS742jktw=
done

# verify all pods are running
$ kubectl get pods -n vault
NAME                                   READY   STATUS    RESTARTS   AGE
vault-0                                1/1     Running   0          2m51s
vault-1                                1/1     Running   0          2m51s
vault-2                                1/1     Running   0          2m51s
vault-agent-injector-98dc5c764-77gk9   1/1     Running   0          2m51s
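As an added example (not code from the vault-terraform-demo repository), the script below generalizes the one-share demo above to a three-share, two-threshold initialization: it parses the text output of `vault operator init` and submits exactly the threshold number of keys to each pod. The pod names vault-0..vault-2 and the vault namespace are taken from the README; the key and token values are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the vault-terraform-demo repository.
# Pod names vault-0..vault-2 and namespace "vault" are assumed from the README;
# the key and token values below are constructed samples, not real output.

SAMPLE_INIT_OUTPUT='Unseal Key 1: constructed-key-1
Unseal Key 2: constructed-key-2
Unseal Key 3: constructed-key-3

Initial Root Token: constructed-root-token

Vault initialized with 3 key shares and a key threshold of 2. Please securely
distribute the key shares printed above.'

# Print the unseal keys from init output (stdin), one per line, in order.
parse_unseal_keys() {
  sed -n 's/^Unseal Key [0-9][0-9]*: //p'
}

# Print the key threshold reported in the "Vault initialized with ..." line.
parse_threshold() {
  sed -n 's/^Vault initialized with [0-9][0-9]* key shares and a key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Submit the first $2 keys of the newline-separated list $3 to pod $1.
# Each unseal call provides one share; the pod stays sealed until the threshold is met.
unseal_pod() {
  pod=$1; threshold=$2; keys=$3
  printf '%s\n' "$keys" | head -n "$threshold" | while IFS= read -r key; do
    kubectl exec -i "$pod" -n vault -- vault operator unseal "$key" >/dev/null
  done
}

# Return 0 when the pod reports sealed=false (vault status exits 2 while sealed).
pod_is_unsealed() {
  kubectl exec -i "$1" -n vault -- vault status -format=json 2>/dev/null | grep -q '"sealed": false'
}

# Live run: save the real init output to a file, e.g.
#   kubectl exec -i vault-0 -n vault -- vault operator init -key-shares=3 -key-threshold=2 > init.txt
# then call:  unseal_all init.txt
unseal_all() {
  keys=$(parse_unseal_keys < "$1")
  threshold=$(parse_threshold < "$1")
  for i in 0 1 2; do
    unseal_pod "vault-$i" "$threshold" "$keys"
    pod_is_unsealed "vault-$i" && echo "vault-$i unsealed"
  done
}
```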

If a KMS is leveraged for auto-unseal, the init command looks very similar; however, you provide recovery key shares instead of unseal key shares.

Note: Recovery keys cannot decrypt the master key and therefore are not able to unseal Vault.

Below are the steps to initialize Vault in that case and verify the pods.

# initialize Vault with one recovery key share and one recovery key threshold
$ kubectl exec -it vault-0 -n vault -- vault operator init -recovery-shares=1 -recovery-threshold=1
Recovery Key 1: h4lwnpw+W2d9oIMM09PPHj56r58Iw/jDL9IWQDpNFag=

Initial Root Token: s.UvA9TZl4BC3VSjz2hn9PJJUG

...

# verify all pods are running
$ kubectl get pods -n vault
NAME                                   READY   STATUS    RESTARTS   AGE
vault-0                                1/1     Running   0          2m51s
vault-1                                1/1     Running   0          2m51s
vault-2                                1/1     Running   0          2m51s
vault-agent-injector-98dc5c764-77gk9   1/1     Running   0          2m51s