content/learn/vault.adoc
9 additions & 7 deletions
@@ -14,22 +14,24 @@ aliases: /secrets/vault/
14
14
[id="prerequisites"]
15
15
= Prerequisites
16
16
17
-
You have deployed/installed a validated pattern using the instructions provided for that pattern. This should include setting having logged into the cluster using `oc login` or setting you `KUBECONFIG` environment variable and running a `make install`.
17
+
You have deployed/installed a validated pattern using the instructions provided for that pattern. This should include setting having logged into the cluster using `oc login` or setting you `KUBECONFIG` environment variable and running a `./pattern.sh make install`.
18
18
19
19
[id="setting-up-hashicorp-vault"]
20
20
= Setting up HashiCorp Vault
21
21
22
-
Any validated pattern that uses HashiCorp Vault already has deployed Vault as part of the `make install`. To verify that Vault is installed you can first see that the `vault` project exists and then select the Workloads/Pods:
22
+
Any validated pattern that uses HashiCorp Vault already has deployed Vault as part of the `./pattern.sh make install`. To verify that Vault is installed you can first see that the `vault` project exists and then select the Workloads/Pods:
In order to setup HashiCorp Vault there are two different ways, both of which happen automatically as part of the `make install` command:
26
+
The setup for HashiCorp Vault happens automatically as part of the `./pattern.sh make install` command.
27
+
A cronjob will run every five minutes inside the `imperative` namespace and unseal, initialize and configure the vault. The vault's unseal keys and root token will be stored inside a secret called `vaultkeys` in the `imperative` namespace.
27
28
28
-
. Inside the cluster directly when the helm value `clusterGroup.insecureUnsealVaultInsideCluster` is set to `true`. With this method a cronjob will run every five minutes inside the `imperative` namespace and unseal, initialize and configure the vault. The vault's unseal keys and root token will be stored inside a secret called `vaultkeys` in the `imperative` namespace. *It is considered best practice* to copy the content of that secret offline, store it securely and then delete it.
29
-
. On the user's computer when the helm value `clusterGroup.insecureUnsealVaultInsideCluster` is set to `false`. This will store the json containing containing both vault root token and unseal keys inside a file called `common/pattern-vault.init`. It is recommended to encrypt this file or store it securely.
30
-
31
-
An example output is the following:
29
+
[NOTE]
30
+
====
31
+
It is recommended that you copy the contents of that secret offline, store it securely, and then delete it. It will not be recreated after the vault is unsealed.
32
+
====
32
33
34
+
An example output from running the `oc extract -n imperative secret/vaultkeys --to=- --keys=vault_data_json 2>/dev/null` command:
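Review bot: the added [NOTE] block ("copy the contents of that secret offline, store it securely, and then delete it. It will not be recreated after the vault is unsealed") conflicts with the new paragraph just above it, which says a cronjob in the `imperative` namespace unseals the vault every five minutes and that the unseal keys and root token live in the `vaultkeys` secret; once that secret is deleted the cronjob has no key material, so the note should state what an operator must do after a vault pod restart or reseal (for example re-creating `vaultkeys` from the offline copy, or unsealing by hand with the saved keys), otherwise readers will delete the only unseal material the automation can use. Two smaller points: the hunk drops the whole description of `clusterGroup.insecureUnsealVaultInsideCluster` and of the `common/pattern-vault.init` file without saying whether that helm value and the on-the-user's-computer path still exist, so either document the value's current meaning or say explicitly that it was removed; and the replacement for the prerequisites line carries over the original's grammar errors ("This should include setting having logged into the cluster ... or setting you `KUBECONFIG`"), which could be fixed while the line is being rewritten, e.g. "This should include having logged into the cluster using `oc login` or having set your `KUBECONFIG` environment variable, and having run `./pattern.sh make install`."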