### Based on https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-minikube-tls

In [86]:
# minikube delete -p dc1

In [87]:
%%bash
# Initialize docker first
#sleep 30
# minikube start -p dc1

In [88]:
%%bash
minikube status -p dc1

dc1
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured



In [89]:
%%bash
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update

"hashicorp" already exists with the same configuration, skipping
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jaegertracing" chart repository
...Successfully got an update from the "hashicorp" chart repository
...Successfully got an update from the "secrets-store-csi-driver" chart repository
...Successfully got an update from the "jaeger-all-in-one" chart repository
...Successfully got an update from the "datadog" chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "signoz" chart repository
...Successfully got an update from the "external-secrets" chart repository
...Successfully got an update from the "gitlab" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈


In [90]:
%%bash
rm -rf /tmp/vault
mkdir /tmp/vault

In [91]:
%%bash
export VAULT_K8S_NAMESPACE="vault" \
export VAULT_HELM_RELEASE_NAME="vault" \
export VAULT_SERVICE_NAME="vault-internal" \
export K8S_CLUSTER_NAME="cluster.local" \
export WORKDIR=/tmp/vault
openssl genrsa -out ${WORKDIR}/vault.key 2048
cat > ${WORKDIR}/vault-csr.conf <<EOF
[req]
default_bits = 2048
prompt = no
encrypt_key = yes
default_md = sha256
distinguished_name = kubelet_serving
req_extensions = v3_req
[ kubelet_serving ]
O = system:nodes
CN = system:node:*.${VAULT_HELM_RELEASE_NAME}.svc.${K8S_CLUSTER_NAME}
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${VAULT_SERVICE_NAME}
DNS.2 = *.${VAULT_SERVICE_NAME}.${VAULT_HELM_RELEASE_NAME}.svc.${K8S_CLUSTER_NAME}
DNS.3 = *.${VAULT_HELM_RELEASE_NAME}
DNS.4 = *.${VAULT_HELM_RELEASE_NAME}.svc.${K8S_CLUSTER_NAME}
IP.1 = 127.0.0.1
EOF

openssl req -new -key ${WORKDIR}/vault.key -out ${WORKDIR}/vault.csr -config ${WORKDIR}/vault-csr.conf


cat > ${WORKDIR}/csr.yaml <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
   name: vault.svc
spec:
   signerName: kubernetes.io/kubelet-serving
   expirationSeconds: 8640000
   request: $(cat ${WORKDIR}/vault.csr|base64|tr -d '\n')
   usages:
   - digital signature
   - key encipherment
   - server auth
EOF

kubectl create -f ${WORKDIR}/csr.yaml


Generating RSA private key, 2048 bit long modulus


........................................................+++++
..+++++
e is 65537 (0x10001)


certificatesigningrequest.certificates.k8s.io/vault.svc created


In [92]:
%%bash
kubectl certificate approve vault.svc

certificatesigningrequest.certificates.k8s.io/vault.svc approved


In [93]:
%%bash
kubectl get csr vault.svc

NAME        AGE   SIGNERNAME                      REQUESTOR       REQUESTEDDURATION   CONDITION
vault.svc   0s    kubernetes.io/kubelet-serving   minikube-user   100d                Approved,Issued


In [94]:
%env  WORKDIR=/tmp/vault
%env VAULT_K8S_NAMESPACE=vault
%env VAULT_HELM_RELEASE_NAME=vault
%env VAULT_SERVICE_NAME=vault-internal 
%env K8S_CLUSTER_NAME=cluster.local 

env: WORKDIR=/tmp/vault
env: VAULT_K8S_NAMESPACE=vault
env: VAULT_HELM_RELEASE_NAME=vault
env: VAULT_SERVICE_NAME=vault-internal
env: K8S_CLUSTER_NAME=cluster.local


In [95]:
%%bash
kubectl get csr vault.svc -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out ${WORKDIR}/vault.crt

In [96]:
%%bash
kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${WORKDIR}/vault.ca

In [97]:
%%bash
kubectl get csr vault.svc -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out ${WORKDIR}/vault.crt
kubectl config view \
--raw \
--minify \
--flatten \
-o jsonpath='{.clusters[].cluster.certificate-authority-data}' \
| base64 -d > ${WORKDIR}/vault.ca

kubectl create namespace $VAULT_K8S_NAMESPACE

kubectl create secret generic vault-ha-tls \
   -n $VAULT_K8S_NAMESPACE \
   --from-file=vault.key=${WORKDIR}/vault.key \
   --from-file=vault.crt=${WORKDIR}/vault.crt \
   --from-file=vault.ca=${WORKDIR}/vault.ca

namespace/vault created
secret/vault-ha-tls created


### Adding enterprise license based on https://developer.hashicorp.com/vault/docs/platform/k8s/helm/enterprise

In [98]:
%%bash 
secret=$(cat /Users/jose/Demo/Vault_ADP/ADP_PlayGround/vault.hclic)
kubectl create secret generic vault-ent-license --from-literal="license=${secret}" -n $VAULT_K8S_NAMESPACE


secret/vault-ent-license created


In [99]:
%%bash
cat > ${WORKDIR}/overrides.yaml <<EOF
global:
   enabled: true
   tlsDisable: false # Disabling TLS to avoid issues when connecting to Vault via port forwarding
injector:
   enabled: true
server:
# config.yaml
   image:
      repository: hashicorp/vault-enterprise
      tag: 1.14.1-ent
   enterpriseLicense:
      secretName: vault-ent-license
   extraEnvironmentVars:
      VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
      VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
      VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
   volumes:
      - name: userconfig-vault-ha-tls
        secret:
         defaultMode: 420
         secretName: vault-ha-tls
   volumeMounts:
      - mountPath: /vault/userconfig/vault-ha-tls
        name: userconfig-vault-ha-tls
        readOnly: true
   standalone:
      enabled: false
   affinity: ""
   logLevel: "trace"
   ha:
      enabled: true
      replicas: 3
      raft:
         enabled: true
         setNodeId: true
         config: |
            ui = true
            cluster_name = "vault-primary"
            listener "tcp" {
               tls_disable = 0 # Disabling TLS to avoid issues when connecting to Vault via port forwarding
               address = "[::]:8200"
               cluster_address = "[::]:8201"
               tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
               tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
               tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
            }
            storage "raft" {
               path = "/vault/data"
            
               retry_join {
                  auto_join             = "provider=k8s namespace=vault label_selector=\"component=server,app.kubernetes.io/name=vault\""
                  auto_join_scheme      = "https"
                  leader_ca_cert_file   = "/vault/userconfig/vault-ha-tls/vault.ca"
                  leader_tls_servername = "vault-0.vault-internal" #Tiene que matchear una SAN del certificado
               }
            
            }

            disable_mlock = true
            service_registration "kubernetes" {}
EOF


In [100]:
%%bash
helm install -n $VAULT_K8S_NAMESPACE $VAULT_HELM_RELEASE_NAME hashicorp/vault -f ${WORKDIR}/overrides.yaml

NAME: vault
LAST DEPLOYED: Thu Sep 14 07:40:25 2023
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/


Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault


In [101]:
%%bash
kubectl -n $VAULT_K8S_NAMESPACE get pods

NAME                                    READY   STATUS              RESTARTS   AGE
vault-0                                 0/1     Pending             0          0s
vault-1                                 0/1     Pending             0          0s
vault-2                                 0/1     Pending             0          0s
vault-agent-injector-6fdf6cd4d6-2j8gs   0/1     ContainerCreating   0          0s


In [102]:
%%bash
kubectl get events -n vault

LAST SEEN   TYPE      REASON                  OBJECT                                       MESSAGE
0s          Normal    Provisioning            persistentvolumeclaim/data-vault-0           External provisioner is provisioning volume for claim "vault/data-vault-0"
0s          Normal    ExternalProvisioning    persistentvolumeclaim/data-vault-0           waiting for a volume to be created, either by external provisioner "k8s.io/minikube-hostpath" or manually created by system administrator
0s          Normal    ProvisioningSucceeded   persistentvolumeclaim/data-vault-0           Successfully provisioned volume pvc-bf3bbca6-72fa-4cfa-bbda-cdf727e316f3
0s          Normal    ExternalProvisioning    persistentvolumeclaim/data-vault-1           waiting for a volume to be created, either by external provisioner "k8s.io/minikube-hostpath" or manually created by system administrator
0s          Normal    Provisioning            persistentvolumeclaim/data-vault-1           External provisioner i

In [103]:
%%bash
sleep 15
kubectl exec -n $VAULT_K8S_NAMESPACE vault-0 -- vault operator init \
    -key-shares=1 \
    -key-threshold=1 \
    -format=json > ${WORKDIR}/cluster-keys.json


In [104]:
%%bash
jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json
VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json)

jYGqiFoPuk7EQoYQW3YiSC0fYXTX4nPj99CQz1ZzCEw=


In [105]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE vault-0 -- vault operator unseal $(jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json)

Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.14.1+ent
Build Date              2023-07-21T23:04:42Z
Storage Type            raft
Cluster Name            vault-primary
Cluster ID              05bbde01-1126-e523-c9c1-87fa4b229ced
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2023-09-14T05:40:47.712795846Z
Raft Committed Index    78
Raft Applied Index      78
Last WAL                32


In [107]:
%%bash
sleep 5
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-1 -- vault operator unseal $(jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json)

Unable to use a TTY - input is not a terminal or the right kind of file


Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       1
Threshold          1
Unseal Progress    0/1
Unseal Nonce       n/a
Version            1.14.1+ent
Build Date         2023-07-21T23:04:42Z
Storage Type       raft
HA Enabled         true


In [108]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-2 -- vault operator unseal $(jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json)

Unable to use a TTY - input is not a terminal or the right kind of file


Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       1
Threshold          1
Unseal Progress    0/1
Unseal Nonce       n/a
Version            1.14.1+ent
Build Date         2023-07-21T23:04:42Z
Storage Type       raft
HA Enabled         true


In [109]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-0 -- vault status

Unable to use a TTY - input is not a terminal or the right kind of file


Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.14.1+ent
Build Date              2023-07-21T23:04:42Z
Storage Type            raft
Cluster Name            vault-primary
Cluster ID              05bbde01-1126-e523-c9c1-87fa4b229ced
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2023-09-14T05:40:47.712795846Z
Raft Committed Index    110
Raft Applied Index      110
Last WAL                35


In [110]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-0 --  vault license inspect

Unable to use a TTY - input is not a terminal or the right kind of file


Source: /vault/license/license (path from the VAULT_LICENSE_PATH environment variable)
Product: vault
License ID: 152295e1-3784-2641-bd01-bfdbc0a37c35
Customer ID: d9a6d7e8-e947-ea92-ec07-82c6901283c1
Installation ID: *
Issue Time: 2022-12-19 08:50:24.624461496 +0000 UTC
Start Time: 2022-12-19 00:00:00 +0000 UTC
Expiration Time: 2023-12-19 23:59:59.999 +0000 UTC
Termination Time: 2023-12-19 23:59:59.999 +0000 UTC
{"license_id":"152295e1-3784-2641-bd01-bfdbc0a37c35","customer_id":"d9a6d7e8-e947-ea92-ec07-82c6901283c1","installation_id":"*","issue_time":"2022-12-19T08:50:24.624461496Z","start_time":"2022-12-19T00:00:00Z","expiration_time":"2023-12-19T23:59:59.999Z","termination_time":"2023-12-19T23:59:59.999Z","flags":{"modules":["multi-dc-scale","governance-policy","advanced-data-protection-transform","advanced-data-protection-key-management"]},"features":["HSM","Performance Replication","DR Replication","MFA","Sentinel","Seal Wrapping","Control Groups","Performance Standby","Namespaces

In [111]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-1 -- vault status

Unable to use a TTY - input is not a terminal or the right kind of file


Key                                    Value
---                                    -----
Seal Type                              shamir
Initialized                            true
Sealed                                 false
Total Shares                           1
Threshold                              1
Version                                1.14.1+ent
Build Date                             2023-07-21T23:04:42Z
Storage Type                           raft
Cluster Name                           vault-primary
Cluster ID                             05bbde01-1126-e523-c9c1-87fa4b229ced
HA Enabled                             true
HA Cluster                             https://vault-0.vault-internal:8201
HA Mode                                standby
Active Node Address                    https://10.244.0.33:8200
Performance Standby Node               true
Performance Standby Last Remote WAL    35
Raft Committed Index                   112
Raft Applied Index                     112


In [112]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-1 --  vault license inspect

Unable to use a TTY - input is not a terminal or the right kind of file


Source: /vault/license/license (path from the VAULT_LICENSE_PATH environment variable)
Product: vault
License ID: 152295e1-3784-2641-bd01-bfdbc0a37c35
Customer ID: d9a6d7e8-e947-ea92-ec07-82c6901283c1
Installation ID: *
Issue Time: 2022-12-19 08:50:24.624461496 +0000 UTC
Start Time: 2022-12-19 00:00:00 +0000 UTC
Expiration Time: 2023-12-19 23:59:59.999 +0000 UTC
Termination Time: 2023-12-19 23:59:59.999 +0000 UTC
{"license_id":"152295e1-3784-2641-bd01-bfdbc0a37c35","customer_id":"d9a6d7e8-e947-ea92-ec07-82c6901283c1","installation_id":"*","issue_time":"2022-12-19T08:50:24.624461496Z","start_time":"2022-12-19T00:00:00Z","expiration_time":"2023-12-19T23:59:59.999Z","termination_time":"2023-12-19T23:59:59.999Z","flags":{"modules":["multi-dc-scale","governance-policy","advanced-data-protection-transform","advanced-data-protection-key-management"]},"features":["HSM","Performance Replication","DR Replication","MFA","Sentinel","Seal Wrapping","Control Groups","Performance Standby","Namespaces

In [113]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-2 -- vault status

Unable to use a TTY - input is not a terminal or the right kind of file


Key                                    Value
---                                    -----
Seal Type                              shamir
Initialized                            true
Sealed                                 false
Total Shares                           1
Threshold                              1
Version                                1.14.1+ent
Build Date                             2023-07-21T23:04:42Z
Storage Type                           raft
Cluster Name                           vault-primary
Cluster ID                             05bbde01-1126-e523-c9c1-87fa4b229ced
HA Enabled                             true
HA Cluster                             https://vault-0.vault-internal:8201
HA Mode                                standby
Active Node Address                    https://10.244.0.33:8200
Performance Standby Node               true
Performance Standby Last Remote WAL    35
Raft Committed Index                   114
Raft Applied Index                     114


In [114]:
%%bash
kubectl exec -n $VAULT_K8S_NAMESPACE -ti vault-2 --  vault license inspect

Unable to use a TTY - input is not a terminal or the right kind of file


Source: /vault/license/license (path from the VAULT_LICENSE_PATH environment variable)
Product: vault
License ID: 152295e1-3784-2641-bd01-bfdbc0a37c35
Customer ID: d9a6d7e8-e947-ea92-ec07-82c6901283c1
Installation ID: *
Issue Time: 2022-12-19 08:50:24.624461496 +0000 UTC
Start Time: 2022-12-19 00:00:00 +0000 UTC
Expiration Time: 2023-12-19 23:59:59.999 +0000 UTC
Termination Time: 2023-12-19 23:59:59.999 +0000 UTC
{"license_id":"152295e1-3784-2641-bd01-bfdbc0a37c35","customer_id":"d9a6d7e8-e947-ea92-ec07-82c6901283c1","installation_id":"*","issue_time":"2022-12-19T08:50:24.624461496Z","start_time":"2022-12-19T00:00:00Z","expiration_time":"2023-12-19T23:59:59.999Z","termination_time":"2023-12-19T23:59:59.999Z","flags":{"modules":["multi-dc-scale","governance-policy","advanced-data-protection-transform","advanced-data-protection-key-management"]},"features":["HSM","Performance Replication","DR Replication","MFA","Sentinel","Seal Wrapping","Control Groups","Performance Standby","Namespaces

## Get Root Token and port forward to Vault on port 8200

In [115]:
%%bash
cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token"

hvs.GCphLytwg7w3Knw3P69mSRu6


In [116]:
%%bash
#kubectl -n $VAULT_K8S_NAMESPACE get service vault
kubectl -n vault port-forward service/vault 8200:8200

Forwarding from 127.0.0.1:8200 -> 8200
Forwarding from [::1]:8200 -> 8200
Handling connection for 8200
Handling connection for 8200
Handling connection for 8200
Handling connection for 8200
Handling connection for 8200
Handling connection for 8200
Handling connection for 8200
Handling connection for 8200


## if port already open
### sudo lsof -i :8200
### sudo kill -9  PID

In [None]:
%%bash
minikube delete -p dc1