Vault in AWS EKS
Portworx can integrate with Vault to store your encryption keys, secrets, and credentials. This topic explains how to connect a Portworx cluster to a Vault development server endpoint and use it to store secrets that you can use for encrypting volumes.
Set up Vault
Set up and deploy Vault by following the instructions in the Install Vault section of the Vault documentation. This includes installation, setting up policies, and configuring secrets.
To run a dev server, use the vault server -dev command. A dev server listens only on 127.0.0.1:8200, so containers on other hosts cannot reach it. Ensure the server endpoint is securely exposed to the Portworx cluster.
Set up the Vault development environment
Once you've set up Vault, you're ready to set up your development environment.
Pure Storage does not recommend using this for production environments.
1. Create a config.hcl file, then start the Vault server:

config.hcl:

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
storage "file" {
  path = "/tmp/vault-data"
}
disable_mlock = true

mkdir -p /tmp/vault-data
vault server -config=config.hcl
2. Initialize Vault. When Vault initializes, it prints the unseal keys and the initial root token. Securely store and distribute the keys, as they are used in later operations.

export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init

Unseal Key 1: 4jYbl2CBIv6SpkKj6Hos9iD32k5RfGkLzlosrrq/JgOm
Unseal Key 2: B05G1DRtfYckFV5BbdBvXq0wkK5HFqB9g2jcDmNfTQiS
Unseal Key 3: Arig0N9rN9ezkTRo7qTB7gsIZDaonOcc53EHo83F5chA
Unseal Key 4: 0cZE0C/gEk3YHaKjIWxhyyfs8REhqkRW/CSXTnmTilv+
Unseal Key 5: fYhZOseRgzxmJCmIqUdxEm9C3jB5Q27AowER9w4FC2Ck
Initial Root Token: <your-root-token>

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated main key. Without at least 3 key to
reconstruct the main key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
3. When you first start Vault, you must unseal it. Enter the following command to unseal the Vault server, supplying a different unseal key each time. Repeat it 3 times:

vault operator unseal
Unseal Key (will be hidden):

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          true
Total Shares    5
Threshold       3
Unseal Progress 1/3
Unseal Nonce    xxxxxxxx-xxxx-xxxx-xxxx-e63ddb34b2a9
Version         1.7.0
Storage Type    raft
HA Enabled      true
4. Log in to the Vault server using the root token you generated in step 2:

vault login <initial-root-token>
5. Verify the installation by entering the following vault command. Specify your own value for <my-vault-secret>:

vault kv put secret/my-secret my-value=<my-vault-secret>

Key              Value
---              -----
created_time     2019-06-19T17:20:22.985303Z
deletion_time    n/a
destroyed        false
version          1
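The following helper script is an added example for steps 1 through 3 above; it is not part of the Portworx or Vault documentation. It covers two things a practitioner usually wants around this walkthrough: a check that the listener in config.hcl is not serving cleartext on a network-reachable address (the page's dev configuration binds 0.0.0.0:8200 with tls_disable = 1, so unseal keys and tokens would cross the network unencrypted), and a way to capture the vault operator init output into a mode-0600 file instead of the terminal scrollback and feed the threshold number of shares to vault operator unseal. The paths ./config.hcl and ./vault-init.txt and the "run" argument are assumptions of this script, not conventions of the page.

```shell
#!/bin/sh
# Added example (not Portworx's or HashiCorp's code). Assumed paths:
# ./config.hcl and ./vault-init.txt.

# vault_listener_risk CONFIG_FILE
# Prints "ok" when the tcp listener either has TLS enabled or is bound to a
# loopback address, and "cleartext-on-network" (exit status 1) when TLS is
# disabled on a non-loopback address such as the page's 0.0.0.0:8200.
vault_listener_risk() {
  cfg="$1"
  addr=$(sed -n 's/^[[:space:]]*address[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
  tls_off=$(sed -n 's/^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*\([a-z0-9"]*\).*/\1/p' "$cfg" | head -n 1)
  case "$tls_off" in
    1|true|'"1"'|'"true"') tls_off=1 ;;
    *) tls_off=0 ;;
  esac
  case "$addr" in
    127.0.0.1:*|localhost:*|\[::1\]:*) loopback=1 ;;
    *) loopback=0 ;;
  esac
  if [ "$tls_off" -eq 1 ] && [ "$loopback" -eq 0 ]; then
    echo "cleartext-on-network"
    return 1
  fi
  echo "ok"
  return 0
}

# unseal_keys INIT_OUTPUT_FILE: prints one key share per line, in order.
unseal_keys() {
  sed -n 's/^Unseal Key [0-9][0-9]*: //p' "$1"
}

# root_token INIT_OUTPUT_FILE: prints the initial root token.
root_token() {
  sed -n 's/^Initial Root Token: //p' "$1"
}

# key_threshold INIT_OUTPUT_FILE: the N in "a key threshold of N".
key_threshold() {
  sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p' "$1"
}

# init_and_unseal [OUTPUT_FILE]
# Runs `vault operator init`, writes its output to a file created with mode
# 0600 (umask 077), then passes exactly the threshold number of shares to
# `vault operator unseal`. Requires the vault binary and VAULT_ADDR.
init_and_unseal() {
  out=${1:-./vault-init.txt}
  umask 077
  vault operator init > "$out"
  n=$(key_threshold "$out")
  unseal_keys "$out" | head -n "$n" | while IFS= read -r key; do
    vault operator unseal "$key" > /dev/null
  done
  vault status
}

# Usage: sh vault-dev-helper.sh run   (after `vault server -config=config.hcl`)
if [ "${1:-}" = "run" ]; then
  vault_listener_risk ./config.hcl \
    || echo "warning: listener serves cleartext on a network address; enable TLS or restrict it before exposing it to Portworx" >&2
  init_and_unseal ./vault-init.txt
fi
```

The listener check is deliberately strict: a dev server bound to 0.0.0.0 without TLS is fine for a laptop walkthrough, but the same config.hcl reachable from an EKS node pool would hand the unseal shares and root token to anyone on the VPC path. Rotating the shares afterwards is what "vault operator rekey" in the init output is for.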