These steps are now compiled into Python and shell scripts in the tools directory.
-
Generate TLS certificates and keys. The following files should be in
charts/vault/tls.ca-key.pem(with private key)ca.pem(with cert)vault-key.pem(with private key)vault.pem(with cert) For the sake of convenience of testing and debugging, sample files with certificates were already pushed to the repository. These certificates are not used anywhere else.
-
Deploy Vault
helm install vault vault --values prod-values.yaml- Initialize and unseal Vault, run a script to create basic policies
kubectl -n vault exec -it vault-0 -- sh
vault operator init -n 1 -t 1 // will create two tokens: unseal and root
vault operator unseal <unseal token goes here>
vault login <root token goes here>
sh /home/create-policies.sh- Deploy MongoDB
helm install mongo mongo --namespace=vault --values prod-values.yaml- Create policies for MondoDB credentials rotation
kubectl -n vault exec -it vault-0 -- sh
vault login <root token goes here>
sh /home/create-mongo-policies.sh- Create application secrets in Vault
vault kv put secret/path/is/in/vault/values apiKey=***- Deploy the application
helm install app manual-chart --namespace=vault --values prod-values.yamlWait 10-15 seconds after this step.
- Go to the application service and query its endpoint:
kubectl -n vault port-forward svc/manual-service 32343:3000
-
...
