https://buildrunrepeat.com/tags/vault/Recent content in Vault on Build. Run. Repeat.HugoenWed, 01 Jan 2025 09:00:00 -0400https://buildrunrepeat.com/posts/hashicorp-vault-enterprise-performance-replication-on-k8s/Wed, 01 Jan 2025 09:00:00 -0400https://buildrunrepeat.com/posts/hashicorp-vault-enterprise-performance-replication-on-k8s/<p>This blog post dives into the technical implementation of Vault Enterprise replication within a Kubernetes environment. We’ll explore how to set up performance and disaster recovery replication, overcome common challenges, and ensure smooth synchronization between clusters. Whether you’re aiming for redundancy or better data locality, this guide will equip you with the insights and tools needed to leverage Vault’s enterprise-grade features in Kubernetes effectively.</p> <h2 id="architecture">Architecture</h2> <p> <a href="https://buildrunrepeat.com/posts/hashicorp-vault-enterprise-performance-replication-on-k8s/images/001.png" data-dimbox data-dimbox-caption="Screenshot"> <img alt="Screenshot" src="https://buildrunrepeat.com/posts/hashicorp-vault-enterprise-performance-replication-on-k8s/images/001.png"/> </a> </p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>2 Kubernetes clusters. *Note: for simulation purposes, you can also use a single Kubernetes cluster with multiple namespaces to host both Vault clusters.</li> <li>Helm installed</li> <li>kubectl installed</li> <li>Vault CLI installed</li> <li>jq installed</li> <li>Vault Enterprise license</li> </ul> <p>Note: for this implementation LoadBalancer services are used on Kubernetes to expose the Vault services (the API/UI and the cluster address for replication). It is highly recommended to use a LoadBalancer rather than ingress to expose the cluster address for replication. Vault itself performs the TLS termination as the TLS certificates are mounted to the Vault pods from Kubernetes. Additionally, note that when enabling the replication, the primary cluster points to the secondary cluster address (port 8201) and not the API/UI address (port 8200). When the secondary cluster applies the replication token, however, it points to the API/UI address (port 8200) to unwrap it and compelete the setup of the replication. We will see this in more detail in the implementation section.</p>https://buildrunrepeat.com/posts/hashicorp-vault-intermediate-ca-setup-with-cert-manager-and-ms-root-ca/Mon, 01 Jan 2024 09:00:00 -0400https://buildrunrepeat.com/posts/hashicorp-vault-intermediate-ca-setup-with-cert-manager-and-ms-root-ca/<p>In this post, we&rsquo;ll explore how to set up HashiCorp Vault as an Intermediate Certificate Authority (CA) on a Kubernetes cluster, using a Microsoft CA as the Root CA. We&rsquo;ll then integrate this setup with cert-manager, a powerful Kubernetes add-on for automating the management and issuance of TLS certificates.</p> <p>The following is an architecture diagram for the use case I&rsquo;ve built.</p> <p> <a href="https://buildrunrepeat.com/posts/hashicorp-vault-intermediate-ca-setup-with-cert-manager-and-ms-root-ca/images/019.png" data-dimbox data-dimbox-caption="Screenshot"> <img alt="Screenshot" src="https://buildrunrepeat.com/posts/hashicorp-vault-intermediate-ca-setup-with-cert-manager-and-ms-root-ca/images/019.png"/> </a> </p> <ul> <li>A Microsoft Windows server is used as the Root CA of the environment.</li> <li>A Kubernetes cluster hosting shared/common services, including HashiCorp Vault. This is a cluster that can serve many other purposes/solutions, consumed by other clusters. The Vault server is deployed on this cluster and serves as an intermediate CA server, under the Microsoft Root CA server.</li> <li>A second Kubernetes cluster hosting the application(s). Cert-Manager is deployed on this cluster, integrated with Vault, and handles the management and issuance of TLS certificates against Vault using the ClusterIssuer resource. A web application, exposed via ingress, is running on this cluster. The ingress resource consumes its TLS certificate from Vault.</li> </ul> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Atleast one running Kubernetes cluster. To follow along, you will need two Kubernetes clusters, one serving as the shared services cluster and the other as the workload/application cluster.</li> <li>Access to a Microsoft Root Certificate Authority (CA).</li> <li>The Helm CLI installed.</li> <li>Clone my <a href="https://github.com/itaytalmi/k8s-vault-int-ca.git">GitHub repository</a>. This repository contains all involved manifests, files and configurations needed.</li> </ul> <h2 id="setting-up-hashicorp-vault-as-intermediate-ca">Setting Up HashiCorp Vault as Intermediate CA</h2> <h3 id="deploy-initialize-and-configure-vault">Deploy Initialize and Configure Vault</h3> <p>Install the Vault CLI. In the following example, Linux Ubuntu is used. If you are using a different operating system, refer to <a href="https://developer.hashicorp.com/vault/install">these instructions</a>.</p>https://buildrunrepeat.com/posts/tap-using-hashicorp-vault-as-ingress-tls-certificate-issuer/Mon, 01 Jan 2024 09:00:00 -0400https://buildrunrepeat.com/posts/tap-using-hashicorp-vault-as-ingress-tls-certificate-issuer/<h1 id="using-hashicorp-vault-as-ingress-tls-certificate-issuer-in-tap">Using HashiCorp Vault as Ingress TLS Certificate Issuer in TAP</h1> <p>Tanzu Application Platform (TAP) uses Contour HTTPProxy resources to expose several web components externally via ingress. Some of these components include the API Auto Registration, API Portal, Application Live View, Metadata Store, and TAP GUI. Web workloads deployed through TAP also leverage the same method for their ingress resources. For example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>$ kubectl get httpproxy -A </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAMESPACE NAME FQDN TLS SECRET STATUS STATUS DESCRIPTION </span></span><span style="display:flex;"><span>api-auto-registration api-auto-registration-controller api-auto-registration.tap.cloudnativeapps.cloud api-auto-registration-cert valid Valid HTTPProxy </span></span><span style="display:flex;"><span>api-portal api-portal api-portal.tap.cloudnativeapps.cloud api-portal-tls-cert valid Valid HTTPProxy </span></span><span style="display:flex;"><span>app-live-view appliveview appliveview.tap.cloudnativeapps.cloud appliveview-cert valid Valid HTTPProxy </span></span><span style="display:flex;"><span>metadata-store amr-cloudevent-handler-ingress amr-cloudevent-handler.tap.cloudnativeapps.cloud amr-cloudevent-handler-ingress-cert valid Valid HTTPProxy </span></span><span style="display:flex;"><span>metadata-store amr-graphql-ingress amr-graphql.tap.cloudnativeapps.cloud amr-ingress-cert valid Valid HTTPProxy </span></span><span style="display:flex;"><span>metadata-store metadata-store-ingress metadata-store.tap.cloudnativeapps.cloud ingress-cert valid Valid HTTPProxy </span></span><span style="display:flex;"><span>tap-demo-01 spring-petclinic-contour-76691bbb1936a7b010ca900ce58a3f57spring spring-petclinic.tap-demo-01.svc.cluster.local valid Valid HTTPProxy </span></span><span style="display:flex;"><span>tap-demo-01 spring-petclinic-contour-88f827fbdc09abbb4ee2b887bba100edspring spring-petclinic.tap-demo-01.tap.cloudnativeapps.cloud tap-demo-01/route-a4b7b2c7-0a56-48b9-ad26-6b0e06ca1925 valid Valid HTTPProxy </span></span><span style="display:flex;"><span>tap-demo-01 spring-petclinic-contour-spring-petclinic.tap-demo-01 spring-petclinic.tap-demo-01 valid Valid HTTPProxy </span></span><span style="display:flex;"><span>tap-demo-01 spring-petclinic-contour-spring-petclinic.tap-demo-01.svc spring-petclinic.tap-demo-01.svc valid Valid HTTPProxy </span></span><span style="display:flex;"><span>tap-gui tap-gui tap-gui.tap.cloudnativeapps.cloud tap-gui-cert valid Valid HTTPProxy </span></span></code></pre></div><p>TAP uses a shared ingress issuer as a centralized certificate authority representation, providing a method to set up TLS for the entire platform. All participating components get their ingress certificates issued by it. This is the recommended best practice for issuing ingress certificates on the platform.</p>https://buildrunrepeat.com/posts/kubernetes-data-protection-getting-started-with-kasten/Mon, 01 Aug 2022 09:00:00 -0400https://buildrunrepeat.com/posts/kubernetes-data-protection-getting-started-with-kasten/<p>In a recent Kubernetes project I was involved in, our team had to conduct an in-depth proof of concept for several Kubernetes data protection solutions. The main highlights of the PoC covered data protection for stateful applications and databases, disaster recovery, and application mobility, including relocating applications across Kubernetes clusters and even different types of Kubernetes clusters (for example, from TKG on-premise to AWS EKS, etc.).</p> <p>One of the solutions we evaluated was Kasten (K10), a data management platform for Kubernetes, which is now a part of Veeam. The implementation of Kasten was one of the smoothest we have ever experienced in terms of ease of use, stability, and general clarity around getting things done, as everything is very well documented, which certainly cannot be taken for granted these days. :)</p>