This guide shows how to make the Vault service accessible from outside a Kubernetes cluster by setting up an Ingress resource. For more information about Ingress see the Tectonic Ingress docs.
Before beginning, create the example Vault cluster and make sure it is initialized and unsealed.
The Ingress hostname used to access the Vault service will be vault.ingress.staging.core-os.net.
The Tectonic cluster is on AWS.
Modify the example as needed for your use case.
Configure the Ingress host with TLS assets so that clients reach Vault over HTTPS and can verify the certificate the Ingress presents.
Use the tls-gen script to generate the required TLS assets as secrets in the namespace of the Vault cluster:
KUBE_NS=default \
SERVER_SECRET=vault-server-ingress-tls \
CLIENT_SECRET=vault-client-ingress-tls \
SAN_HOSTS="vault.ingress.staging.core-os.net" \
SERVER_CERT=tls.crt \
SERVER_KEY=tls.key \
hack/tls-gen.sh
vault-server-ingress-tls: secret that contains the Ingress server certificate tls.crt and key tls.key
vault-client-ingress-tls: secret that contains the CA certificate vault-client-ca.crt used to verify the Ingress host
Create the following Ingress resource. It uses the extensions/v1beta1 Ingress API of the Kubernetes releases Tectonic shipped with; that API version was removed in Kubernetes 1.22, so on current clusters use networking.k8s.io/v1, where the backend is expressed as service.name and service.port.number:
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: vault
  namespace: default
  annotations:
    ingress.kubernetes.io/secure-backends: 'true'
    kubernetes.io/ingress.class: tectonic
spec:
  tls:
  - hosts:
    - vault.ingress.staging.core-os.net
    secretName: vault-server-ingress-tls
  rules:
  - host: vault.ingress.staging.core-os.net
    http:
      paths:
      - path: /
        backend:
          serviceName: example
          servicePort: 8200
In this manifest, spec.tls binds the server certificate in vault-server-ingress-tls to the Ingress host, so the Ingress controller terminates TLS for vault.ingress.staging.core-os.net with that certificate. The secure-backends annotation makes the controller connect to the Vault service over TLS rather than plaintext, which is required because the Vault service itself listens with TLS on port 8200. Because TLS is terminated and re-established at the Ingress controller, the controller sees Vault tokens and request bodies in the clear; expose Vault this way only through a controller you trust as much as Vault itself.
Traffic for the Ingress host vault.ingress.staging.core-os.net must reach the Ingress controller in the Tectonic cluster. To enable this, create a DNS alias record for vault.ingress.staging.core-os.net that points at the ELB of the Tectonic cluster.
Find the DNS name of your Tectonic ELB from the AWS console. The ELB should be named <tectonic-cluster-name>-con.
Create a record set in the hosted zone for the Ingress host. This example creates the record set vault.ingress.staging.core-os.net in the hosted zone staging.core-os.net. The record name must match the host in the Ingress rule and the SAN_HOSTS value used when generating the certificate; a name that is not in the certificate's subject alternative names is rejected by clients that verify the certificate. Choose type A, select Alias: Yes, and set the Alias Target to the DNS name of the ELB from the previous step.
The Vault CLI should now be able to interact with the Vault service through the Ingress host. For a first connectivity check, set the following environment variables:
VAULT_TLS_SERVER_NAME=vault.ingress.staging.core-os.net
VAULT_ADDR=https://vault.ingress.staging.core-os.net
VAULT_TOKEN=<root token>
VAULT_SKIP_VERIFY=true
VAULT_SKIP_VERIFY=true disables verification of the Ingress server certificate, which leaves the connection open to interception by anyone who can answer for the hostname; use it only to confirm reachability and switch to certificate verification as described next. The root token is likewise only for initial setup; create a token bound to a narrower policy for day-to-day use.
To verify the Ingress server certificate, read the vault-client-ca.crt entry out of the vault-client-ingress-tls secret, base64-decode it (Secret data values are base64-encoded) into a local file, and then set the following environment variables in place of VAULT_SKIP_VERIFY=true:
VAULT_CACERT=<path-to-ca-cert>
VAULT_SKIP_VERIFY=false
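The verification that last step relies on, as an added example that is not part of this guide or of the vault-operator project: a stand-alone Go program that mirrors what the Vault CLI does once VAULT_CACERT and VAULT_TLS_SERVER_NAME are set and VAULT_SKIP_VERIFY is false. In place of the assets tls-gen.sh generates it mints a throwaway CA and a server certificate for the Ingress host (key type and lifetimes are this example's own assumptions), decodes the CA out of a constructed Secret document shaped like what kubectl get secret vault-client-ingress-tls -o json prints, and verifies the server certificate against it with the Ingress host, with a name that is not in the certificate's subject alternative names, and against an unrelated CA. The function names (issue, newCA, newServerCert, secretField, verifyIngressCert) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hostname the guide exposes Vault on; it must be one of the server cert's SANs.
const ingressHost = "vault.ingress.staging.core-os.net"

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the
// parsed certificate, its freshly generated key and its PEM encoding.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// newCA makes a throwaway CA standing in for the one tls-gen.sh stores as
// vault-client-ca.crt (P-256 and a one-day lifetime are this example's assumptions).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example Vault ingress CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// newServerCert issues the leaf the Ingress would serve (tls.crt) for the SAN hosts.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sans []string) []byte {
	_, _, serverPEM := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return serverPEM
}

// secretField base64-decodes one key of a Secret's data map, the step the guide
// has the reader do by hand to get vault-client-ca.crt out of the secret.
func secretField(secretJSON []byte, key string) ([]byte, error) {
	var s struct {
		Data map[string]string `json:"data"`
	}
	if err := json.Unmarshal(secretJSON, &s); err != nil {
		return nil, err
	}
	enc, ok := s.Data[key]
	if !ok {
		return nil, fmt.Errorf("secret has no data key %q", key)
	}
	return base64.StdEncoding.DecodeString(enc)
}

// verifyIngressCert does what the Vault CLI does with VAULT_CACERT set and
// VAULT_SKIP_VERIFY=false: chain the server certificate to the CA taken from the
// secret and require serverName (VAULT_TLS_SERVER_NAME) among its SANs.
func verifyIngressCert(serverPEM, caPEM []byte, serverName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate in PEM")
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return fmt.Errorf("no server certificate in PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

func main() {
	ca, caKey, caPEM := newCA()
	serverPEM := newServerCert(ca, caKey, []string{ingressHost})
	// Constructed stand-in for `kubectl get secret vault-client-ingress-tls -o json`.
	secret := fmt.Sprintf(`{"kind":"Secret","data":{"vault-client-ca.crt":%q}}`, base64.StdEncoding.EncodeToString(caPEM))
	trusted, err := secretField([]byte(secret), "vault-client-ca.crt")
	if err != nil {
		panic(err)
	}
	// The Ingress host verifies; a DNS record name outside the SANs does not.
	for _, host := range []string{ingressHost, "vault.ingress.k8s.staging.core-os.net"} {
		fmt.Printf("%s: %v\n", host, verifyIngressCert(serverPEM, trusted, host))
	}
	_, _, otherCA := newCA() // a CA other than the one in the secret: unknown authority
	fmt.Println("wrong CA:", verifyIngressCert(serverPEM, otherCA, ingressHost))
}
```

Run it with go run. The mismatched-host case returns an x509.HostnameError and the wrong-CA case an x509.UnknownAuthorityError; these are the same certificate errors the Go TLS stack behind the Vault CLI raises when the DNS record name drifts from SAN_HOSTS or VAULT_CACERT points at a CA other than the one in vault-client-ingress-tls, which is exactly what VAULT_SKIP_VERIFY=true would have hidden.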