Set up Ingress for Vault Service

This guide shows how to make the Vault service accessible from outside a Kubernetes cluster by setting up an Ingress resource. For more information about Ingress see the Tectonic Ingress docs.

Assumptions

• Before beginning, create the example Vault cluster that is initialized and unsealed.

• The Ingress hostname used to access the Vault service will be vault.ingress.staging.core-os.net.

• The Tectonic cluster is on AWS.

Modify the example as needed for your use case.

Generate custom TLS assets for the Ingress host

The Ingress host can be configured with TLS assets for secure access.

Use the tls-gen script to generate the required TLS assets as secrets in the namespace of the Vault cluster:

KUBE_NS=default \
SERVER_SECRET=vault-server-ingress-tls \
CLIENT_SECRET=vault-client-ingress-tls \
SAN_HOSTS="vault.ingress.staging.core-os.net" \
SERVER_CERT=tls.crt \
SERVER_KEY=tls.key \
hack/tls-gen.sh

• vault-server-ingress-tls: secret that contains the Ingress server certificate tls.crt and key tls.key
• vault-client-ingress-tls: secret that contains the CA certificate vault-client-ca.crt used to verify the Ingress host

Create the Ingress resource

Create the following Ingress resource:

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: vault
  namespace: default
  annotations:
    ingress.kubernetes.io/secure-backends: 'true'
    kubernetes.io/ingress.class: tectonic
spec:
  tls:
    - hosts:
        - vault.ingress.staging.core-os.net
      secretName: vault-server-ingress-tls
  rules:
    - host: vault.ingress.staging.core-os.net
      http:
        paths:
          - path: /
            backend:
              serviceName: example
              servicePort: 8200

Create DNS record for the Ingress host

The traffic on the Ingress host vault.ingress.staging.core-os.net must reach the Ingress controller in the Tectonic cluster.

To enable this, create a DNS alias record for vault.ingress.staging.core-os.net which redirects traffic to the ELB of the Tectonic cluster.

1. Find the DNS name of your Tectonic ELB from the AWS console. The ELB should be named <tectonic-cluster-name>-con.

2. Create a record set in the hosted zone for the Ingress host. This example creates the record set named vault.ingress.k8s.staging.core-os.net in the hosted zone staging.core-os.net. Choose type: A and select Alias: Yes. Set the Alias Target to the DNS name of the ELB from the previous step.

Access the Vault service through the Ingress host

The Vault CLI should now be able to successfully interact with the Vault service through the Ingress host.

Set the following environment variables to access the Vault service:

VAULT_TLS_SERVER_NAME=vault.ingress.staging.core-os.net
VAULT_ADDR=https://vault.ingress.staging.core-os.net
VAULT_TOKEN=<root token>
VAULT_SKIP_VERIFY=true

To verify the Ingress server certificate, get the CA cert file vault-client-ca.crt from the vault-client-ingress-tls secret and base64 decode it into a local file. Then set the following envs:

VAULT_CACERT=<path-to-ca-cert>
VAULT_SKIP_VERIFY=false