Note: This guide assumes the use of a Tectonic cluster that has an ingress controller already setup. More general instructions for setting up Ingress will be added soon.
This guide shows how to make the Vault service accessible from outside a Kubernetes cluster by setting up an Ingress resource. For more information about Ingress see the Tectonic Ingress docs.
Before beginning, create the example Vault cluster that is initialized and unsealed.
The Ingress hostname used to access the Vault service will be
The Tectonic cluster is on AWS.
Modify the example as needed for your use case.
The Ingress host can be configured with TLS assets for secure access.
Use the tls-gen script to generate the required TLS assets as secrets in the namespace of the Vault cluster:
KUBE_NS=default \ SERVER_SECRET=vault-server-ingress-tls \ CLIENT_SECRET=vault-client-ingress-tls \ SAN_HOSTS="vault.ingress.staging.core-os.net" \ SERVER_CERT=tls.crt \ SERVER_KEY=tls.key \ hack/tls-gen.sh
vault-server-ingress-tls: secret that contains the Ingress server certificate
vault-client-ingress-tls: secret that contains the CA certificate
vault-client-ca.crtused to verify the Ingress host
Create the following Ingress resource:
kind: Ingress apiVersion: extensions/v1beta1 metadata: name: vault namespace: default annotations: ingress.kubernetes.io/secure-backends: 'true' kubernetes.io/ingress.class: tectonic spec: tls: - hosts: - vault.ingress.staging.core-os.net secretName: vault-server-ingress-tls rules: - host: vault.ingress.staging.core-os.net http: paths: - path: / backend: serviceName: example servicePort: 8200
The traffic on the Ingress host
vault.ingress.staging.core-os.net must reach the Ingress controller in the Tectonic cluster.
To enable this, create a DNS alias record for
vault.ingress.staging.core-os.net which redirects traffic to the ELB of the Tectonic cluster.
Find the DNS name of your Tectonic ELB from the AWS console. The ELB should be named
Create a record set in the hosted zone for the Ingress host. This example creates the record set named
vault.ingress.k8s.staging.core-os.net in the hosted zone
staging.core-os.net. Choose type:
A and select Alias:
Yes. Set the Alias Target to the DNS name of the ELB from the previous step.
The Vault CLI should now be able to successfully interact with the Vault service through the Ingress host.
Set the following environment variables to access the Vault service:
VAULT_TLS_SERVER_NAME=vault.ingress.staging.core-os.net VAULT_ADDR=https://vault.ingress.staging.core-os.net VAULT_TOKEN=<root token> VAULT_SKIP_VERIFY=true
To verify the Ingress server certificate, get the CA cert file
vault-client-ca.crt from the
vault-client-ingress-tls secret and base64 decode it into a local file. Then set the following envs: