#vault (2021-03)

vault Discussions related to Hashicorp Vault

2021-03-25

Juan

Hi all, I’m setting up a vault cluster in AWS using this TF module https://github.com/hashicorp/terraform-aws-vault

I used one VPC to create an AMI with all the required binaries, as described here: https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami. Now I’ve deployed a 3 node cluster in a VPC that only has 3 private subnets, similar to https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-private. It is using consul plus S3 as the storage backend, and the VPC has all the required VPC endpoints to privately connect to AWS services.

When initializing the cluster as described here, https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#initializing-the-vault-cluster, on the first node I can run vault operator init and get the root token and unseal keys correctly. I can unseal the cluster from that very same node: https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#unsealing-the-vault-cluster

But on the other 2 nodes I cannot even run vault status: Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused. On the other 2 nodes I can copy the /opt/vault/config/default.hcl file from the init node, and after restarting the service vault status shows:

HA Enabled             true
HA Cluster             https://*.*.*.27:8201
HA Mode                standby
Active Node Address    https://*.*.*.27:8200

.27 is the node where I ran init. And the Consul UI shows that all vault nodes have IP .27

If anyone has run into similar issues and/or has any clue to point out I’d really appreciate it, thanks!

Juan
02:11:24 PM

the consul UI

2021-03-24

2021-03-23

contact871

Anyone used Vault Injector on k8s? I’m going with this solution: https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example. The challenge I face is: some secrets contain keys with . and - and bash doesn’t like export some.secret-key=secret. My preferred way would be to do this in the templating layer (vault.hashicorp.com/agent-inject-template-config). Does anyone know if some string converting functions like uppercase and replace are available there?


contact871

Since the Vault Injector uses Vault Agent in the InitContainer one can use all the goodies from the Consul templating section: https://github.com/hashicorp/consul-template/blob/master/docs/templating-language.md


contact871

In my case .foo | toUpper | replaceAll "." "_" | replaceAll "-" ""

Zachary Loeber

Have you created a helm chart for the annotations yet?

Zachary Loeber

My client is opting to wait for the CSI drivers for whatever reason, I believe the mutating webhook/injection/sidecar method works beautifully though
