HashiCorp Vault Enterprise - Performance Replication on Kubernetes

This blog post dives into the technical implementation of Vault Enterprise replication within a Kubernetes environment. We’ll explore how to set up performance and disaster recovery replication, overcome common challenges, and ensure smooth synchronization between clusters. Whether you’re aiming for redundancy or better data locality, this guide will equip you with the insights and tools needed to leverage Vault’s enterprise-grade features in Kubernetes effectively.

Architecture

Prerequisites

• 2 Kubernetes clusters. *Note: for simulation purposes, you can also use a single Kubernetes cluster with multiple namespaces to host both Vault clusters.
• Helm installed
• kubectl installed
• Vault CLI installed
• jq installed
• Vault Enterprise license

Note: for this implementation LoadBalancer services are used on Kubernetes to expose the Vault services (the API/UI and the cluster address for replication). It is highly recommended to use a LoadBalancer rather than ingress to expose the cluster address for replication. Vault itself performs the TLS termination as the TLS certificates are mounted to the Vault pods from Kubernetes. Additionally, note that when enabling the replication, the primary cluster points to the secondary cluster address (port 8201) and not the API/UI address (port 8200). When the secondary cluster applies the replication token, however, it points to the API/UI address (port 8200) to unwrap it and compelete the setup of the replication. We will see this in more detail in the implementation section.

MinIO on vSphere - Automated Deployment and Onboarding

In the world of Kubernetes, reliable S3-compliant object storage is essential for tasks like storing backups. However, not everyone has access to a native S3-compatible solution, and setting one up can feel like a daunting task. MinIO, an open-source object storage solution, is a popular choice to fill this gap. Its lightweight, high-performance architecture makes it an excellent option for Kubernetes users seeking quick and reliable storage.

MinIO is also one of the most widely adopted open-source object storage solutions, thanks to its simplicity and S3 compatibility. It’s perfect for Kubernetes environments that need a reliable and scalable storage layer for backups, logs, or other data.

TKG: Updating Pinniped Configuration and Addressing Common Issues

Most of the TKG engagements I’ve been involved in included Pinniped for Kubernetes authentication. On many occasions, I have seen issues where the configuration provided to Pinniped was incorrect or partially incorrect. For example, common issues may be related to the LDAPS integration. Many environments I have seen utilize Active Directory as the authentication source, and Pinniped requires the LDAPS certificate, username, and password, which are often specified incorrectly. Since this configuration is not validated during the deployment, you end up with an invalid state of Pinniped on your management cluster.

Kubernetes Data Protection: Getting Started with Kasten (K10)

In a recent Kubernetes project I was involved in, our team had to conduct an in-depth proof of concept for several Kubernetes data protection solutions. The main highlights of the PoC covered data protection for stateful applications and databases, disaster recovery, and application mobility, including relocating applications across Kubernetes clusters and even different types of Kubernetes clusters (for example, from TKG on-premise to AWS EKS, etc.).

One of the solutions we evaluated was Kasten (K10), a data management platform for Kubernetes, which is now a part of Veeam. The implementation of Kasten was one of the smoothest we have ever experienced in terms of ease of use, stability, and general clarity around getting things done, as everything is very well documented, which certainly cannot be taken for granted these days. :)

Production-Grade Multi-Cluster TAP Installation Guide

• Introduction
• Prerequisites
• Prepare your Workstation
• Relocate TAP Images to your Private Registry
• Install TAP
  • View Cluster
    • Set up the Installation Namespace
    • Issue a TLS Certificate for TAP GUI
    • Set up a Database for TAP GUI
    • Set up the TAP GUI Catalog Git Repository
    • Set up RBAC for the Metadata Store
    • Set up an Authentication Provider for TAP GUI
    • Set up RBAC for the Build, Run and Iterate Clusters
    • Set an Ingress Domain, TAP GUI Hostname and CA Certificate
    • Deploy the TAP Package
  • Build Cluster
    • Set up the Installation Namespace
    • Set up Metadata Store Authentication and CA Certificate
    • Prepare a Sample Source Code Git Repository
    • Update the TAP Values File
    • Deploy the TAP Package
    • Deploy the TBS Full Dependencies Package
    • Set up the Developer Namespace and Deploy a Workload
  • Run Cluster
    • Set up the Installation Namespace
    • Update the TAP Values File
    • Deploy the TAP Package
    • Set up the Developer Namespace and Deploy a Workload
  • Iterate Cluster
    • Set up the Installation Namespace
    • Update the TAP Values File
    • Deploy the TAP Package
    • Deploy the TBS Full Dependencies Package
    • Set up the Developer Namespace and Deploy a Workload
    • Iterate on your Application
• Wrap Up

Introduction

Since my previous posts on TAP Overview and Backstage, I have been diving deeper into TAP, trying to establish the practices around it.