Helm/Vault
# Register the HashiCorp chart repository, refresh the local index, then list the
# repos so the add can be confirmed.
helm repo add hashicorp 'https://helm.releases.hashicorp.com'
helm repo update && helm repo list
# Show which kube contexts exist before choosing a KUBECONFIG in the next step.
kubectl config get-contexts
|
Helm » Context
|
Helm » Context | |
|---|---|
# Target cluster selection. These are alternatives, not a sequence: only the export
# that runs last is in effect for everything that follows.
export KUBECONFIG=~/.kube/aws-kubeconfig.yaml   # AWS cluster
export KUBECONFIG=~/.kube/dev-kubeconfig.yaml   # dev cluster
export KUBECONFIG=~/.kube/gcp-kubeconfig.yaml   # GCP cluster
export KUBECONFIG=~/.kube/config                # default kubeconfig
|
# Prepare the node-local directory that backs vault-0's data volume. 100:1000 is
# presumably the uid:gid the vault container runs as — confirm against the image.
sudo mkdir -p -- /var/minikube/pvc/vault/data-vault-0/
sudo chown -R 100:1000 /var/minikube/pvc/vault/
|
Helm » Install
|
Helm » Install | |
|---|---|
# Page through the chart's default values for the two chart versions used here.
helm show values hashicorp/vault --version=0.30.1 | less
helm show values hashicorp/vault --version=0.31.0 | less
| |
# Point kubectl at the target cluster and make sure the namespace exists.
export KUBECONFIG=~/.kube/shahed-ab-kubeconfig.yaml
# Idempotent: an already-existing namespace is not treated as an error.
kubectl create namespace vault || true
|
# Check for the namespace, then remove it (a missing namespace is not an error).
kubectl get namespace | grep vault
kubectl delete namespace vault || true
|
|
| |
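# Pre-created hostPath PV for vault-0's data. Retain means the data survives
# uninstall and the PV has to be deleted by hand (see the Uninstall section).
# NOTE(review): this path is /var/hostpath_pv/... while the directory prepared with
# mkdir/chown above is /var/minikube/pvc/... — confirm which one the node exposes.
cat <<'YML' | \
  kubectl apply -f -
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: vault-data-vault-0
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: hostpath
  hostPath:
    path: /var/hostpath_pv/vault/data-vault-0
    type: DirectoryOrCreate
YML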
|
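# PVC named as the chart's StatefulSet claims it for pod vault-0 (data-vault-0),
# pinned to the PV above via volumeName. The delimiter is quoted, matching the other
# manifests on this page: nothing in the manifest needs shell expansion.
cat <<'YML' | \
  kubectl apply -f -
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/name: vault
  name: data-vault-0
  namespace: vault
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: hostpath
  volumeName: vault-data-vault-0
YML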
|
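# Install or upgrade the chart with pinned image tags (no floating "latest").
# Values are indented per the chart schema; the flat form does not parse as YAML.
cat <<'YML' | \
  helm -n=vault upgrade -i vault hashicorp/vault --version=0.31.0 -f -
---
global:
  enabled: true
injector:
  replicas: 1
  image:
    repository: hashicorp/vault-k8s
    tag: 1.7.0
  agentImage:
    repository: hashicorp/vault
    tag: 1.20.1
server:
  image:
    repository: hashicorp/vault
    tag: 1.20.1
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 512Mi
      cpu: 500m
  ingress:
    enabled: true
    # Plain HTTP at this point; TLS is added later by the cert-manager Certificate
    # and the ingress patch in the Ingress section.
    annotations:
      kubernetes.io/ingress.class: nginx
    ingressClassName: nginx
    hosts:
      - host: vault.shahed.biz.ops
  dataStorage:
    # NOTE(review): 10Gi/standard here vs 1Gi/hostpath on the pre-created PVC
    # data-vault-0; the existing claim is presumably what vault-0 gets, so these
    # values would only apply to further replicas — confirm that is intended.
    size: 10Gi
    enabled: true
    storageClass: standard
  dev:
    enabled: false   # dev server mode (in-memory, auto-unsealed) stays off
ui:
  enabled: true
  serviceType: ClusterIP   # UI reachable only through the ingress
YML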
|
|
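# Initialise and unseal the server from inside the pod. `operator init` prints the
# unseal key shares and the initial root token; capture them into an offline
# secret store, not into this runbook or terminal scrollback, and revoke the root
# token once a regular auth method is configured.
kubectl -n vault exec -it svc/vault -- vault operator init
kubectl -n vault exec -it svc/vault -- vault status
kubectl -n vault exec -it svc/vault -- ash
# Commands to run inside the interactive ash session, kept as a quoted no-op so the
# block can be pasted whole. The space after ':' matters: `:'…'` would be parsed as
# a single command word and fail with "command not found".
: '
vault operator init
vault operator unseal
vault status
'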
|
Unseal Key 1: 2CMJ+UxMNVo7OD9ovT9ZUQmGFCj1nNOaAttIow9TNybq Unseal Key 2: RGbEYaLbwElPYmNfSxvpGCJre+rQe0aJ/qjKilU80rQ0 Unseal Key 3: GMkN2PdMVFgwmyCPBC3hwd1NzNGba7HLr9mP2NCmz4eQ Unseal Key 4: QWn5JBPeptgKd19c7A22PSQ4RZsiNkPgngvBkgUoyC3d Unseal Key 5: expQJJ5HZ1tq30TvUO8dYsjzfYr+fj//hOO8RBhULgpC Initial Root Token: hvs.zv7QKjHDzNPFQOG7UMwTm72y |
# Release state and the rendered manifests helm applied.
helm -n=vault status vault
helm -n=vault get manifest vault
|
# TCP reachability of the ingress endpoint, then open the UI in a detached browser.
telnet vault.shahed.biz.ops 443
setsid open 'https://vault.shahed.biz.ops' >/dev/null 2>&1 &
|
Helm » Ingress
|
Vault » Ingress | |
|---|---|
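# Server certificate for the ingress, issued by the private sub-CA. One-year
# lifetime, renewed 30 days early, key rotated on every renewal.
cat <<'YML' | \
  kubectl -n vault apply -f -
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vault-cert
  namespace: vault
spec:
  secretName: vault-cert
  commonName: vault.shahed.biz.ops
  dnsNames:
    - vault.shahed.biz.ops
  duration: 8760h
  renewBefore: 720h
  privateKey:
    size: 256          # P-256
    encoding: PKCS8
    algorithm: ECDSA
    rotationPolicy: Always
  usages:
    - digital signature
    - key encipherment   # NOTE(review): not applicable to ECDSA keys; harmless but dead
    - server auth
    - client auth        # NOTE(review): only needed if this cert is also presented as a client
  subject:
    countries: ["BD"]
    provinces: ["Dhaka"]
    postalCodes: ["1500"]
    localities: ["Munshiganj"]
    organizations: ["Shahed, Inc."]
    organizationalUnits: ["vault.shahed.biz.ops"]
    streetAddresses: ["256 Khal East, Passport Office"]
  issuerRef:
    name: shahed-ecc-sub-ca-2025-k8s
    kind: ClusterIssuer
YML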
|
Shahed_ECC_Root_CA_2025 » Firefox » Settings » Certificates » View Certificates » Import |
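# Enable TLS on the chart-managed ingress using the secret from the Certificate above.
# NOTE(review): the cluster-issuer annotation also asks cert-manager's ingress-shim
# to manage secret vault-cert, the same secret the explicit Certificate targets —
# confirm only one of the two is meant to own it.
cat <<'YML' | \
  kubectl -n vault patch ingress/vault --patch-file=/dev/stdin
---
metadata:
  annotations:
    cert-manager.io/cluster-issuer: shahed-ecc-sub-ca-2025-k8s
spec:
  tls:
    - hosts:
        - vault.shahed.biz.ops
      secretName: vault-cert
YML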
|
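# Revert: drop the issuer annotation and the TLS block, leaving the ingress on
# plain HTTP again (null removes the field in a strategic merge patch).
cat <<'YML' | \
  kubectl -n vault patch ingress/vault --patch-file=/dev/stdin
---
metadata:
  annotations:
    cert-manager.io/cluster-issuer: null
spec:
  tls: null
YML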
|
# Open the UI over both schemes in a detached browser (HTTP to confirm the redirect
# or the revert, HTTPS for the issued certificate).
setsid open 'http://vault.shahed.biz.ops' >/dev/null 2>&1 &
setsid open 'https://vault.shahed.biz.ops' >/dev/null 2>&1 &
|
|
Helm » Config
|
Vault » Config |
Vault » Revert |
|---|---|
# Horizontal scale down / shutdown: no vault pods remain, the PVC is kept.
kubectl -n vault scale statefulset/vault --replicas=0
|
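# Horizontal scale up / startup: one replica, matching the Helm values. The server
# comes back sealed and needs `vault operator unseal` again.
kubectl -n vault scale sts/vault --replicas=1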
|
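# Same as `scale --replicas=0`, expressed as a patch.
cat <<'YML' | \
  kubectl -n vault patch sts/vault --patch-file=/dev/stdin
---
spec:
  replicas: 0
YML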
|
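# Same as `scale --replicas=1`, expressed as a patch.
cat <<'YML' | \
  kubectl -n vault patch sts/vault --patch-file=/dev/stdin
---
spec:
  replicas: 1
YML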
|
Helm » Debug
|
Helm » Debug |
|---|
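# Injector (mutating webhook) pod. The $(…) is quoted so an unexpected multi-pod
# result fails loudly instead of being word-split into extra arguments.
kubectl -n vault exec -it "$(kubectl -n vault get pod -l component=webhook -o name)" -c sidecar-injector -- ash
kubectl -n vault exec -it "$(kubectl -n vault get pod -l component=webhook -o name)" -- ash
# Vault server pod via its Service; -c vault selects the server container.
kubectl -n vault exec -it svc/vault -c vault -- ash
kubectl -n vault exec -it svc/vault -- ash
# In-pod name resolution view, for ingress/injector DNS problems.
kubectl -n vault exec -it svc/vault -c vault -- cat /etc/resolv.conf
kubectl -n vault exec -it svc/vault -c vault -- cat /etc/hosts
# Follow injector and server logs.
kubectl -n vault logs -f -l component=webhook -c sidecar-injector
kubectl -n vault logs -f svc/vault -c vault
kubectl -n vault logs -f svc/vault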
|
Helm » Rollout
|
Vault » Rollout | |
|---|---|
# Record why this revision exists; `rollout history` shows the change-cause.
kubectl -n vault annotate statefulset/vault --overwrite \
  kubernetes.io/change-cause="CKI-1| Initial Deployment"
|
kubectl -n vault rollout history statefulset/vault
# Stop the server before its resources are changed below.
kubectl -n vault scale statefulset/vault --replicas=0
|
|
Vault » Rollout |
Vault » Revert |
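# Lower the vault container's resources (creates a new StatefulSet revision).
cat <<'YML' | \
  kubectl -n vault patch sts/vault --patch-file=/dev/stdin
---
spec:
  template:
    spec:
      containers:
        - name: vault
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 256Mi
              cpu: 250m
YML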
|
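# Restore the resources from the Helm values (another StatefulSet revision).
cat <<'YML' | \
  kubectl -n vault patch sts/vault --patch-file=/dev/stdin
---
spec:
  template:
    spec:
      containers:
        - name: vault
          resources:
            requests:
              memory: 256Mi
              cpu: 250m
            limits:
              memory: 512Mi
              cpu: 500m
YML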
|
# Label the resource-change revision.
kubectl -n vault annotate statefulset/vault --overwrite \
  kubernetes.io/change-cause="CKI-2| Resources Updated"
|
# Bring the server back and inspect the revision list.
kubectl -n vault scale statefulset/vault --replicas=1
kubectl -n vault rollout history statefulset/vault
|
# Roll back to the initial revision and confirm it in the history.
kubectl -n vault rollout undo statefulset/vault --to-revision=1
kubectl -n vault rollout history statefulset/vault
|
# Label the rollback revision.
kubectl -n vault annotate statefulset/vault --overwrite \
  kubernetes.io/change-cause="CKI-3| Revert Back to CKI-1"
|
# Effective resources of the vault container, filtered client-side by yq.
kubectl -n vault get statefulset/vault -o yaml \
  | yq -P '.spec.template.spec.containers[]|select(.name == "vault")|.resources'
|
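# Same query with server-side jsonpath filtering; yq only pretty-prints. A single
# -o is enough — a preceding `-o yaml` would be overridden by the later one anyway.
kubectl -n vault get sts/vault \
  -o jsonpath='{.spec.template.spec.containers[?(@.name=="vault")].resources}' | yq -P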
|
Helm » Uninstall
|
Helm » Uninstall | |
|---|---|
# Inspect the release, dump everything helm knows about it, then remove it.
helm -n vault status vault
helm -n vault get all vault
helm -n vault uninstall vault
|
# Helm does not remove the claims or the pre-created PV (reclaim policy Retain),
# so they are deleted explicitly. This destroys the Vault data on that volume.
kubectl -n vault delete persistentvolumeclaim --all
kubectl delete namespace vault
kubectl delete persistentvolume vault-data-vault-0
|
Vault » Install
|
Vault » Install | |
|---|---|
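# Trust the HashiCorp apt signing key via signed-by, which scopes it to this one
# repository instead of the global trusted keyring. The keyrings directory is
# created first so `tee` cannot fail on a host that lacks it.
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://apt.releases.hashicorp.com/gpg \
  | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# Written with printf rather than an unquoted here-doc: inside an unquoted here-doc
# a trailing backslash joins lines with no separator, so "arch=…" and "signed-by=…"
# would run together into one unparseable token.
printf 'deb [arch=%s signed-by=/etc/apt/keyrings/hashicorp.asc] https://apt.releases.hashicorp.com %s main\n' \
  "$(dpkg --print-architecture)" "${DISTRIBUTION}" \
  | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null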
|
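# Install the vault package for its CLI only: the bundled systemd server unit is
# disabled, stopped and masked so no local Vault server can be started on this host.
cat <<'EXE' | sudo bash
apt-get update && apt-get install -y vault
systemctl disable --now vault.service
systemctl stop vault.service
systemctl mask vault.service
systemctl status vault.service
vault version
command -v vault
EXE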
|
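# Initial root token from `vault operator init`. Never keep it in this page or in
# shell history: paste it at the prompt (read -s keeps it off the screen); a token
# already present in the environment is reused as-is.
if [[ -z "${VAULT_TOKEN:-}" && -t 0 ]]; then
  read -rsp 'Vault root token: ' VAULT_TOKEN
  printf '\n'
fi
export VAULT_TOKEN
export VAULT_ADDR='https://vault.shahed.biz.ops'
vault status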
|
# TLS verification is switched off because the ingress certificate chains to the
# private Shahed_ECC_Root_CA_2025. The safer equivalent is to export VAULT_CACERT
# pointing at that root CA's PEM (path not recorded on this page) and drop this.
export VAULT_SKIP_VERIFY=true
# yaml output for all CLI responses in this session.
export VAULT_FORMAT=yaml
vault login
|
Playground
|
Playground | |
|---|---|
# Bare install / upgrade with chart defaults, and the values reference for 0.31.0.
helm -n vault install vault hashicorp/vault --version=0.30.1
helm -n vault upgrade -i vault hashicorp/vault --version=0.31.0
helm show values hashicorp/vault --version=0.31.0 | less
| |
# Shell into the server container (bash variant) and follow its logs.
kubectl -n vault exec -it svc/vault -c vault -- bash
kubectl -n vault logs -f svc/vault -c vault
kubectl -n vault logs -f svc/vault
| |
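# Dump each kubeconfig with embedded credentials inlined. The expansions are quoted
# so a HOME containing spaces cannot split the argument. The flattened output holds
# cluster credentials — do not paste it into this page.
kubectl config --kubeconfig="${HOME}/.kube/aws-kubeconfig.yaml" view --flatten
kubectl config --kubeconfig="${HOME}/.kube/dev-kubeconfig.yaml" view --flatten
kubectl config --kubeconfig="${HOME}/.kube/gcp-kubeconfig.yaml" view --flatten
kubectl config --kubeconfig="${HOME}/.kube/config" view --flatten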
| |
# Wipe the workload objects in the namespace (destructive; `all` does not cover
# ingresses or statefulsets in every kubectl version, hence the explicit deletes).
kubectl -n vault delete all --all
kubectl -n vault delete ingress --all
kubectl -n vault delete statefulset --all
|
# Remove the storage objects; the PV is cluster-scoped, the rest is namespaced.
kubectl delete persistentvolume vault-data-vault-0
kubectl -n vault delete service --all
kubectl -n vault delete persistentvolumeclaim --all
|
# Revision list, forced pod restart, and a wait until the rollout settles.
kubectl -n vault rollout history statefulset/vault
kubectl -n vault rollout restart statefulset/vault
kubectl -n vault rollout status statefulset/vault
|
# Shell into the server container (ash variant) and follow its logs.
kubectl -n vault exec -it svc/vault -c vault -- ash
kubectl -n vault logs -f svc/vault -c vault
kubectl -n vault logs -f svc/vault
|
References
|
References | ||
|---|---|---|