
Configure Vault Cluster

Step 1: Initialize and unseal one Vault pod

To start, Vault needs to be initialized and unsealed. The single key share with a threshold of one used here keeps the walkthrough short; outside a lab, use several shares with a threshold greater than one, or auto-unseal. Note that cluster-keys.json will contain both the unseal key and the initial root token, so keep it off shared storage and delete it once the cluster is bootstrapped. Follow these steps:

  1. Initialize Vault with one key share and one key threshold:
kubectl exec -n secrets vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
  2. Display the unseal key found in cluster-keys.json:
cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
  3. Create a variable named VAULT_UNSEAL_KEY to capture the Vault unseal key:
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
  4. Unseal Vault running on the vault-0 pod:
kubectl exec -n secrets vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY

Step 2: Join the other Vaults to the Vault cluster

To create a Vault HA cluster, you need to join the other Vaults to the cluster. The join address below is plain http://, which only works while TLS is disabled on the listener; with TLS enabled, use https:// and pass the CA with -leader-ca-cert. Also note that vault login stores the token in ~/.vault-token inside the vault-0 container and that both the token and the unseal key are visible on the command line here; revoke the initial root token (vault token revoke) once another auth method is configured. Here's how:

  1. Display the root token found in cluster-keys.json:
cat cluster-keys.json | jq -r ".root_token"
  2. Create a variable named CLUSTER_ROOT_TOKEN to capture the Vault root token:
CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token")
  3. Login with the root token on the vault-0 pod:
kubectl exec -n secrets vault-0 -- vault login $CLUSTER_ROOT_TOKEN
  4. List all the nodes within the Vault cluster for the vault-0 pod (only vault-0 should be listed at this point):
kubectl exec -n secrets vault-0 -- vault operator raft list-peers

  5. Join the Vault server on vault-1 to the Vault cluster:
kubectl exec -n secrets vault-1 -- vault operator raft join http://vault-0.vault-internal:8200
  6. Unseal the Vault server on vault-1 with the unseal key (the same key works on every node because all nodes share the cluster's seal):
kubectl exec -n secrets vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY

  7. Join the Vault server on vault-2 to the Vault cluster:
kubectl exec -n secrets vault-2 -- vault operator raft join http://vault-0.vault-internal:8200
  8. Unseal the Vault server on vault-2 with the unseal key:
kubectl exec -n secrets vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY

  9. List the nodes within the Vault cluster again from the vault-0 pod; all three should now appear, vault-0 as leader and the other two as followers, each with Voter set to true:
kubectl exec -n secrets vault-0 -- vault operator raft list-peers

Verify Cluster Status

To ensure the Vault cluster is properly set up, follow these steps:

  1. Get all the pods within the secrets namespace:
kubectl get pods -n secrets
  2. Check that the vault-0, vault-1, and vault-2 pods are running and ready (1/1). The Helm chart's readiness probe runs vault status, which fails while a node is sealed, so a pod only becomes ready once it has been unsealed; a pod stuck at 0/1 usually means the unseal step was skipped for it.
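The whole procedure above (initialize, unseal, join, verify) as one script. This is an added example, not part of this page and not HashiCorp's tooling. It assumes kubectl and jq on the operator workstation, the pod names, namespace and vault-internal service used on this page, and the non-TLS listener implied by the http:// join address; the VAULT_NS and KEYS_FILE variables, the `run` argument and the selfcheck are this script's own conventions. It differs from the page in ways a practitioner would want: it is idempotent (re-running it neither re-initializes nor overwrites cluster-keys.json), it passes the unseal key and root token over stdin instead of on the command line, and it fails unless raft list-peers reports three voters.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from HashiCorp): bootstraps the 3-pod Raft
# cluster described above and verifies it. Assumes kubectl and jq locally, pods
# vault-0..2 in namespace "secrets", the Helm chart's vault-internal service and
# a non-TLS listener. VAULT_NS, KEYS_FILE and the "run" argument are this script's own.
set -eu

NS="${VAULT_NS:-secrets}"
KEYS_FILE="${KEYS_FILE:-cluster-keys.json}"
LEADER="vault-0"
FOLLOWERS="vault-1 vault-2"
JOIN_ADDR="http://${LEADER}.vault-internal:8200"   # use https:// and -leader-ca-cert once TLS is on

vexec() {                      # run the vault CLI inside a pod
  local pod="$1"; shift
  kubectl exec -n "$NS" "$pod" -- vault "$@"
}

# json_bool JSON KEY -> prints "true" if KEY is true in the flat JSON text, else "false".
# Sufficient for `vault status -format=json`, which is one level deep.
json_bool() {
  printf '%s\n' "$1" | grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*true" && echo true || echo false
}

# voter_count TABLE -> number of rows with Voter == true in `vault operator raft list-peers` output
voter_count() {
  printf '%s\n' "$1" | awk 'NR > 2 && $4 == "true" { n++ } END { print n + 0 }'
}

# get_status POD -> prints the status JSON; `vault status` exits 0 unsealed, 2 sealed, 1 on error
get_status() {
  local pod="$1" out rc=0
  out=$(vexec "$pod" status -format=json 2>/dev/null) || rc=$?
  [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return 1
  printf '%s' "$out"
}

wait_for_status() {            # wait until the pod's API answers at all (sealed is fine)
  local pod="$1" i=0
  while [ "$i" -lt 60 ]; do
    get_status "$pod" >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 2
  done
  echo "timed out waiting for $pod" >&2; return 1
}

init_if_needed() {             # idempotent: a second run must not re-init or overwrite the keys
  if [ "$(json_bool "$(get_status "$LEADER")" initialized)" = "true" ]; then
    [ -s "$KEYS_FILE" ] || { echo "$LEADER is initialized but $KEYS_FILE is missing" >&2; return 1; }
    return 0
  fi
  umask 077                    # the file holds the unseal key and root token: owner-only
  vexec "$LEADER" operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
}

unseal_pod() {                 # feed the key over stdin ("-") so it never appears in argv or history
  local pod="$1"
  [ "$(json_bool "$(get_status "$pod")" sealed)" = "true" ] || return 0
  jq -r '.unseal_keys_b64[0]' "$KEYS_FILE" |
    kubectl exec -i -n "$NS" "$pod" -- vault operator unseal - >/dev/null
}

join_pod() {                   # a follower that has already joined reports initialized=true
  local pod="$1"
  wait_for_status "$pod"
  [ "$(json_bool "$(get_status "$pod")" initialized)" = "true" ] ||
    vexec "$pod" operator raft join "$JOIN_ADDR" >/dev/null
  unseal_pod "$pod"
}

verify_cluster() {             # verify_cluster EXPECTED -> fails unless that many voters are listed
  local n
  n=$(voter_count "$(vexec "$LEADER" operator raft list-peers)")
  [ "$n" -eq "$1" ] || { echo "expected $1 voters, found $n" >&2; return 1; }
  echo "raft cluster healthy: $n voting members"
}

main() {
  wait_for_status "$LEADER"
  init_if_needed
  unseal_pod "$LEADER"
  jq -r '.root_token' "$KEYS_FILE" |                       # list-peers needs a token; login via stdin too
    kubectl exec -i -n "$NS" "$LEADER" -- vault login - >/dev/null
  for p in $FOLLOWERS; do join_pod "$p"; done
  verify_cluster 3
}

# Constructed sample of list-peers output (not captured from a real cluster), for the offline selfcheck
SAMPLE_PEERS='Node       Address                        State       Voter
----       -------                        -----       -----
vault-0    vault-0.vault-internal:8201    leader      true
vault-1    vault-1.vault-internal:8201    follower    true
vault-2    vault-2.vault-internal:8201    follower    true'

selfcheck() {                  # exercises the parsers without a cluster; returns 0 on success
  [ "$(voter_count "$SAMPLE_PEERS")" -eq 3 ] &&
  [ "$(json_bool '{"sealed": true, "initialized": true}' sealed)" = "true" ] &&
  [ "$(json_bool '{"sealed":false}' initialized)" = "false" ]
}

case "${1:-}" in run) main ;; *) selfcheck && echo "selfcheck ok" ;; esac
```

Run it as `./bootstrap.sh run` from a workstation with kubectl access; with no argument it only runs the offline selfcheck. The two parsers are kept as pure functions on text so they can be tested without a cluster, and `vault status` exit codes are handled explicitly because a sealed node returns 2, which `set -e` would otherwise treat as a failure.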