Announcing OpenShift Support Via the HashiCorp Vault Helm Chart
We are excited to announce that the HashiCorp Vault Helm chart has been updated with Red Hat OpenShift 4.X support. We have extended the existing Helm chart to support installing and running Vault Enterprise on OpenShift. Using the Helm chart, you can use annotations to inject secrets, via sidecar injection, into applications that have no native HashiCorp Vault logic built in, letting them consume static and dynamic secrets sourced from Vault.
» How it works
The recommended OpenShift installation method is through the latest Vault Helm chart. We will cover the high-level details here, but for more information on running Vault on OpenShift, please see our detailed documentation and the hands-on Learn Guide.
To use the Helm chart, add the HashiCorp Helm repository and check that you have access to the chart:
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm search repo hashicorp/vault
NAME             CHART VERSION   APP VERSION   DESCRIPTION
hashicorp/vault  0.6.0           1.4.2         Official HashiCorp Vault Chart
Use helm install to install the latest release of the Vault Helm chart. The helm install command accepts parameters to override default configuration values, either inline or defined in a file. For all OpenShift deployments, global.openshift should be set to true.
$ helm install vault hashicorp/vault \
--set "global.openshift=true" \
--set "server.dev.enabled=true"
Or, you can use a YAML file to override specific parts of the configuration, such as in the following example:
$ cat override-values.yml
global:
  openshift: true
server:
  ha:
    enabled: true
    replicas: 5
Then, run helm install again, referencing your override file.
$ helm install vault hashicorp/vault \
--values override-values.yml
The Helm chart supports running on OpenShift in Dev mode, Highly Available Raft mode, and External mode. In External mode, no Vault server runs on your OpenShift cluster; your applications rely on a network-addressable Vault server elsewhere (the secret-injection-only use case).
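The install steps above boil down to one override file per deployment mode plus a helm install that references it. The script below is an added example, not code from the post or from the vault-helm project: it renders an override file for each of the three OpenShift modes the post names, refuses to install unless global.openshift is pinned to true (the one setting the post says every OpenShift deployment needs), and then calls helm install. The keys global.openshift, server.dev.enabled, server.ha.enabled and server.ha.replicas come from the post; server.ha.raft.enabled, server.enabled and injector.externalVaultAddr are taken from the chart's values.yaml and are assumptions here, and the external Vault address is a constructed placeholder.

```shell
#!/bin/sh
# Added example: render a vault-helm override file for an OpenShift install
# and install the chart with it. Not the post's or the chart's own code.
# Assumed (not shown in the post): server.ha.raft.enabled, server.enabled,
# injector.externalVaultAddr. The Vault address below is a placeholder.

render_values() {
  mode="$1"
  # Every OpenShift install sets global.openshift=true, whatever the mode.
  printf 'global:\n  openshift: true\n'
  case "$mode" in
    dev)
      # Single in-memory server; for experimentation only.
      printf 'server:\n  dev:\n    enabled: true\n'
      ;;
    ha)
      # Highly Available Raft mode with the five replicas used in the post.
      printf 'server:\n  ha:\n    enabled: true\n    replicas: 5\n    raft:\n      enabled: true\n'
      ;;
    external)
      # External mode: no Vault server in the cluster, only the injector,
      # pointed at a network-addressable Vault elsewhere.
      printf 'server:\n  enabled: false\ninjector:\n  enabled: true\n  externalVaultAddr: "%s"\n' \
        "${VAULT_ADDR:-https://vault.example.internal:8200}"
      ;;
    *)
      echo "render_values: unknown mode '$mode' (expected dev|ha|external)" >&2
      return 1
      ;;
  esac
}

# Pre-flight check: the rendered file must carry global.openshift: true.
# Exits non-zero (and therefore blocks install_vault) if the flag is missing.
check_openshift_flag() {
  grep -q '^  openshift: true$' "$1"
}

install_vault() {
  mode="$1"
  out="${2:-override-values.yml}"
  render_values "$mode" > "$out"
  check_openshift_flag "$out"
  helm install vault hashicorp/vault --values "$out"
}

# Usage: sh vault-openshift-install.sh ha [override-values.yml]
if [ "$#" -gt 0 ]; then
  install_vault "$@"
fi
```

Keeping the render step separate from the install lets you diff the generated file against what is already deployed, and the check function is where you would add any further invariants your platform team requires before a chart reaches the cluster.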
» What's Next for Kubernetes
We have made significant progress in supporting Kubernetes this past year. If you are just getting started with Vault and OpenShift, we wanted to give a quick summary of existing resources to help you get started quickly.
- Learn Guides on Kubernetes: We have many Learn Guides covering installation topics, a Reference Architecture, Secret Injection, connecting to an external Vault cluster, potential Security Considerations, and more: well over 3 hours of hands-on learning content.
- Kubernetes Auth Method (for Vault-aware workloads): The most secure way to interact with Vault is for an application to integrate directly with the Vault API via the Kubernetes Auth Method. This requires that the application be written, or rewritten, to be Vault aware.
- Helm Chart (Open-Source & Enterprise): One of the biggest issues with running Vault on Kubernetes is the complexity involved in installing Vault. By using the Helm chart, you can greatly reduce the complexity of installing and running Vault on Kubernetes, and it gives you a repeatable deployment process in less time (versus rolling your own).
- Vault Agent Sidecar Injector for Kubernetes (for Vault-unaware workloads): For users with many legacy applications looking to migrate into Kubernetes, it is very hard, if not impossible, to rewrite each application to be Vault aware (i.e., calling Vault APIs from within the application code). For these applications, Vault can inject secrets directly into the filesystem to be picked up by the application without any knowledge of Vault.
To see a video demo of Vault secrets being injected into Kubernetes pods using init and sidecar containers, please watch the video below.
With each release of HashiCorp Vault we are continuing to add new features and make improvements. We’re not done yet.
» Next Steps
For more information on running Vault on OpenShift, please see our detailed documentation and the hands-on Learn Guide.
Also, if you enjoy playing around with this type of stuff, maybe you’d be interested in working at HashiCorp too since we’re hiring!