HCP Vault Dedicated with Amazon Elastic Kubernetes Service
HashiCorp Cloud Platform (HCP) is a fully managed platform offering HashiCorp Products as a Service (HPaaS) to automate infrastructure on any cloud.
This tutorial will cover the process required to connect an Elastic Kubernetes Service (EKS) Cluster to HCP Vault Dedicated on AWS.
Prerequisites
The following prerequisites are required:
- An HCP HashiCorp Virtual Network (HVN)
- A public Vault Dedicated deployment
- AWS CLI
- kubectl
- helm
- jq
- git
- An EKS Cluster version 1.24 or higher deployed in the VPC associated with your HVN
For this tutorial, you will need to ensure that you have authenticated with the AWS CLI, and that the CLI is targeting the region where you have created your EKS cluster. Review the AWS documentation for instructions on how to configure the AWS CLI.
To ensure that communication between your Vault Dedicated cluster servers and the agent running in your EKS cluster is possible, you must complete the steps detailed in the manual deployment tutorial.
Your EKS cluster security group must allow traffic from the Vault Dedicated CIDR range. If your EKS cluster endpoint uses port 443, create a security group rule to allow ingress traffic from Vault Dedicated to the primary EKS cluster security group.
For this tutorial, you will configure Vault from your development host. As a result, the Vault Dedicated cluster needs to be publicly available. In production, you should configure Vault Dedicated over a bastion host.
Configure development host
Kubernetes stores cluster connection information in a special file called kubeconfig. You can retrieve the Kubernetes configuration settings for your EKS cluster and merge them into your local kubeconfig file. Use the AWS CLI to retrieve the kubeconfig.
You can use the HCP Portal to retrieve the client configuration information you need to connect the Vault agents in your EKS cluster to Vault Dedicated. Navigate to the Vault resource page in the HCP portal, and then select the Vault cluster.
Click "Generate Token". Copy the administrator token and set it in your terminal to an environment variable named VAULT_TOKEN.
Click the clipboard next to "Public". This will copy the public Vault address to your clipboard. Set it as the VAULT_ADDR environment variable.
Click the clipboard next to "Private". This will copy the private Vault address to your clipboard. Set the Vault private address as the VAULT_PRIVATE_ADDR environment variable. You will use this later in the tutorial to enable the EKS cluster to access Vault Dedicated over the HVN peering connection.
Since Vault Dedicated uses namespaces, set the VAULT_NAMESPACE environment variable to admin.
Install Vault agents on EKS
This tutorial uses the official vault-helm chart to install the Vault agents to your EKS cluster.
Retrieve the Helm chart from the HashiCorp Helm repository.
Create a values.yaml file that sets the external servers to Vault Dedicated. This will deploy a Vault agent injector into the EKS cluster. Validate that the values file is populated correctly.
Install the HashiCorp Vault Helm chart.
Once the helm install command completes, verify the Vault agent injector pod deploys by issuing kubectl get pods.
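The development-host setup and the injector install above, as one added script (not from the tutorial or the vault-helm project). It assumes EKS_CLUSTER_NAME, AWS_REGION and VAULT_PRIVATE_ADDR are exported, uses the Helm release name vault, and assumes the injector pod carries the label app.kubernetes.io/name=vault-agent-injector.

```shell
# Added example: merge the EKS kubeconfig, render the values.yaml that points
# the injector at Vault Dedicated, install the chart and wait for the injector.
# Assumed inputs: EKS_CLUSTER_NAME, AWS_REGION, VAULT_PRIVATE_ADDR.
set -eu

# Setting injector.externalVaultAddr makes the chart skip the in-cluster Vault
# server and point the agent injector at the HVN-private Vault Dedicated URL.
render_values_yaml() {
  addr="$1"
  cat <<EOF
injector:
  enabled: true
  externalVaultAddr: "${addr}"
EOF
}

# The private address must be TLS; anything else means the wrong value
# (or an empty clipboard) was pasted into VAULT_PRIVATE_ADDR.
check_private_addr() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

install_injector() {
  check_private_addr "$VAULT_PRIVATE_ADDR" || {
    echo "VAULT_PRIVATE_ADDR must be an https:// URL" >&2; exit 1; }
  # Merge the EKS cluster credentials into the local kubeconfig.
  aws eks update-kubeconfig --region "$AWS_REGION" --name "$EKS_CLUSTER_NAME"
  render_values_yaml "$VAULT_PRIVATE_ADDR" > values.yaml
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update
  helm install vault hashicorp/vault -f values.yaml
  # Block until the injector pod is Ready instead of polling kubectl get pods.
  # Label is an assumption about the chart's injector deployment.
  kubectl wait --for=condition=Ready pod \
    -l app.kubernetes.io/name=vault-agent-injector --timeout=180s
}

# Only touch a real cluster when explicitly asked: APPLY=1 sh install.sh
if [ "${APPLY:-0}" = "1" ]; then install_injector; fi
```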
Configure Kubernetes auth method on HCP Vault Dedicated
Your services need a Kubernetes service account token to authenticate to Vault.
Enable the Kubernetes auth method in Vault Dedicated using your terminal.
The chart configures a Kubernetes service account named vault that you can use to enable Vault communication with Kubernetes. View the available service accounts.
Create a token for the vault service account.
Note
As of Kubernetes 1.24, service account tokens are not created automatically.
Get the JSON Web Token (JWT) for the vault service account and set it to the TOKEN_REVIEW_JWT environment variable.
Get the Kubernetes certificate authority for the service account and set it to the KUBE_CA_CERT environment variable.
Get the Kubernetes cluster endpoint and set it to the KUBE_HOST environment variable.
Configure the Vault Kubernetes auth method to use the service account token.
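The auth-method configuration above, as an added script (not from the tutorial). It assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin are set, that the vault service account lives in the default namespace, and names the token Secret vault-token; the two sanity checks are added so a blank JWT or CA is caught before it is written into Vault.

```shell
# Added example (not from the tutorial): create a long-lived token Secret for
# the "vault" service account, extract the reviewer JWT, cluster CA and API
# endpoint, sanity-check them, and write the Vault Kubernetes auth config.
# Assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin are already set.
set -eu

# A JWT has three non-empty dot-separated segments; an empty or truncated
# reviewer token makes every later workload login fail with "permission denied".
looks_like_jwt() {
  case "$1" in
    *.*.*) [ -n "${1%%.*}" ] && [ -n "${1#*.*.}" ] ;;
    *) return 1 ;;
  esac
}

looks_like_pem_cert() {
  case "$1" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}
configure_kubernetes_auth() {
  vault auth enable kubernetes
  # Kubernetes 1.24+ no longer auto-creates SA token Secrets, so request one
  # explicitly; unlike `kubectl create token`, this token does not expire.
  kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  annotations:
    kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token
EOF
  # The token controller fills in the Secret asynchronously.
  until [ -n "$(kubectl get secret vault-token -o jsonpath='{.data.token}')" ]; do sleep 1; done
  TOKEN_REVIEW_JWT=$(kubectl get secret vault-token -o jsonpath='{.data.token}' | base64 -d)
  KUBE_CA_CERT=$(kubectl get secret vault-token -o jsonpath='{.data.ca\.crt}' | base64 -d)
  KUBE_HOST=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
  looks_like_jwt "$TOKEN_REVIEW_JWT" || { echo "reviewer JWT looks wrong" >&2; exit 1; }
  looks_like_pem_cert "$KUBE_CA_CERT" || { echo "CA cert looks wrong" >&2; exit 1; }
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
    kubernetes_host="$KUBE_HOST" \
    kubernetes_ca_cert="$KUBE_CA_CERT"
}

if [ "${APPLY:-0}" = "1" ]; then configure_kubernetes_auth; fi
```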
Deploy an example workload
Now that the clients have been deployed, it is time to deploy an application workload. This tutorial will use the HashiCups demo application.
Issue the following command to clone the repository to the development host.
Change directory into the example repository.
Deploy a database to Kubernetes
Note
This tutorial deploys a database into Kubernetes and exposes it to HCP Vault Dedicated using a public LoadBalancer service type. In a production configuration, you will want to deploy this as a private load balancer restricting access to Vault Dedicated.
Deploy a PostgreSQL database. This contains data for various coffees related to a demo application, all hosted in the products database.
Verify you've deployed the PostgreSQL database in your Kubernetes cluster.
Add the database role to Vault
The product API needs to read the database username and password from Vault. Create the role for the product service account to generate database credentials.
Enable the database secrets engine.
Set the POSTGRES_IP environment variable to the load balancer DNS hostname.
Create the database configuration that allows Vault Dedicated to configure Postgres.
Create a database role for product that allows Vault to issue database passwords.
Request a new set of PostgreSQL database credentials for the product role.
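The database secrets engine steps above, as an added script (not from the tutorial or the HashiCups repository). It assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin are set, that the Kubernetes Service is named postgres, and that the bootstrap login is the constructed pair postgres/password; it goes one step beyond the tutorial by rotating that bootstrap password once Vault owns the connection.

```shell
# Added example (not from the tutorial): enable the database secrets engine,
# point it at the PostgreSQL LoadBalancer, create the "product" role and
# request one credential. Assumes VAULT_ADDR, VAULT_TOKEN and
# VAULT_NAMESPACE=admin are set, the Service is named "postgres" and the
# database bootstrap login is the constructed pair postgres/password.
set -eu

# Vault substitutes {{username}} and {{password}} at connect time, so the
# root credentials are stored in Vault, not in the URL string.
render_connection_url() {
  host="$1"; db="$2"
  echo "postgresql://{{username}}:{{password}}@${host}:5432/${db}?sslmode=disable"
}

# An unprovisioned LoadBalancer returns an empty hostname; refuse to write a
# connection config that Vault could never reach.
check_postgres_host() {
  case "$1" in "") return 1 ;; *.*) return 0 ;; *) return 1 ;; esac
}

configure_database_engine() {
  vault secrets enable database
  POSTGRES_IP=$(kubectl get svc postgres \
    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
  check_postgres_host "$POSTGRES_IP" || { echo "load balancer not ready" >&2; exit 1; }
  vault write database/config/products \
    plugin_name=postgresql-database-plugin \
    allowed_roles=product \
    connection_url="$(render_connection_url "$POSTGRES_IP" products)" \
    username=postgres password=password
  # Each lease is short-lived and the generated role gets read-only access.
  vault write database/roles/product \
    db_name=products \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl=1h max_ttl=24h
  # Rotate the bootstrap password so only Vault knows the root credential.
  vault write -f database/rotate-root/products
  vault read database/creds/product
}

if [ "${APPLY:-0}" = "1" ]; then configure_database_engine; fi
```

sslmode=disable matches the demo's plaintext PostgreSQL; against a production database use sslmode=verify-full with the server CA supplied in the connection config.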
Configure Vault policy for database credentials
Create a file called product.hcl that allows the product service to read the database credentials specific to product.
Create a new product policy.
Configure Vault to associate the product service with a Kubernetes service account. This allows the product service account in Kubernetes to get a Vault token.
Deploy the product API
Make sure that you include your Vault Dedicated namespace in the deployment that will access database credentials.
Deploy the product service.
The product deployment should initialize.
Port forward the web service locally to port 9090.
Open another terminal and make a request to localhost:9090/coffees to check if the web service can pull coffee information from the database.
When you are done, return to the terminal with the port-forward command and type Ctrl + C to exit.
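The policy, Kubernetes auth role and the namespace-aware injector annotations from the two sections above, as one added script (not from the tutorial or the HashiCups repository). It assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin are set and that the product service account lives in the default namespace; the injected file name conf.json is a constructed placeholder.

```shell
# Added example (not from the tutorial): write the least-privilege product
# policy, bind it to the product service account via the Kubernetes auth
# role, and render the injector annotations the product deployment needs.
# Assumes VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=admin are set.
set -eu

# Least privilege: the product workload may only read its own creds path.
render_policy() {
  cat <<'EOF'
path "database/creds/product" {
  capabilities = ["read"]
}
EOF
}

# Injector annotations for the pod template. vault.hashicorp.com/namespace is
# what makes the agent log in to the HCP "admin" namespace instead of root.
render_annotations() {
  ns="$1"
  cat <<EOF
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "product"
        vault.hashicorp.com/namespace: "${ns}"
        vault.hashicorp.com/agent-inject-secret-conf.json: "database/creds/product"
        vault.hashicorp.com/agent-inject-template-conf.json: |
          {{- with secret "database/creds/product" -}}
          {"db_user": "{{ .Data.username }}", "db_pass": "{{ .Data.password }}"}
          {{- end }}
EOF
}

bind_product_role() {
  render_policy | vault policy write product -
  # Only the "product" SA in "default" can log in, and only gets this policy.
  vault write auth/kubernetes/role/product \
    bound_service_account_names=product \
    bound_service_account_namespaces=default \
    policies=product ttl=1h
}

if [ "${APPLY:-0}" = "1" ]; then bind_product_role; render_annotations "$VAULT_NAMESPACE"; fi
```

Paste the rendered annotations under metadata.annotations of the product pod template; a login failure in the vault-agent-init container almost always means the namespace annotation or the bound service account name does not match.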
Clean up
Delete the product API.
Delete the product role.
Delete the product policy.
Delete the product database role.
Revoke all leases for database credentials.
Delete the PostgreSQL database.
Delete the database secrets engine configuration.
Delete the Helm installation for Vault Dedicated.
Disable the database secrets engine in Vault Dedicated.
Disable the Kubernetes auth method in Vault Dedicated.
Delete Vault Dedicated and the HVN.
Next steps
In this tutorial, you connected Vault clients on Amazon EKS to Vault Dedicated and retrieved PostgreSQL database credentials dynamically. To learn more about the Vault features introduced in this tutorial, refer to the following tutorials.