We are excited to announce the HashiCorp Vault Helm chart has been updated with RedHat OpenShift 4.X support. We have extended the existing Helm chart to support installing and running Vault Enterprise on OpenShift. Using the Helm chart, you will be able to use annotations to inject secrets, via sidecar injection, into applications with no native HashiCorp Vault logic built-in to leverage static and dynamic secrets sourced from Vault.

»How it works

The recommended OpenShift installation method is through the latest Vault Helm chart. We will cover the high level details here, but for more information on running Vault on OpenShift, please see our detailed documentation, and a hands on Learn Guide.

To use the Helm chart, add the Hashicorp helm repository and check that you have access to the chart:

$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm search repo hashicorp/vault
NAME                CHART VERSION   APP VERSION DESCRIPTION
hashicorp/vault     0.6.0           1.4.2       Official HashiCorp Vault Chart

Use helm install to install the latest release of the Vault Helm chart. The helm install command accepts parameters to override default configuration values inline or defined in a file. For all OpenShift deployments, global.openshift should be set to true.

$ helm install vault hashicorp/vault \
    --set "global.openshift=true" \
    --set "server.dev.enabled=true"

Or, you can use a YAML file to override specific parts of the configuration, such as in the following example:

$ cat override-values.yml
global:
  openshift: true

server:
  ha:
    enabled: true
    replicas: 5

Then, run helm install again referencing your override file.

$ helm install vault hashicorp/vault \
    --values override-values.yml

The Helm chart supports running on OpenShift in Dev mode, Highly Available Raft Mode, and External mode. In External mode, no Vault server exists on your OpenShift cluster, and your applications rely on a network addressable Vault server to exist (secret injection only use-case).

»What's Next for Kubernetes

We have made significant progress in supporting Kubernetes this past year. If you are just getting started with Vault and OpenShift, we wanted to give a quick summary of existing resources to help you get started quickly.

• Learn Guides on Kubernetes: We have many Learn Guides covering installation topics, a Reference Architecture, Secret Injection, connecting to an external Vault cluster, potential Security Considerations, etc. Well over 3+ hours of hands-on learning content.
• Kubernetes Auth Method (for Vault-aware workloads): The most secure way to interact with Vault is for an application to directly integrate with the Vault API via the Kubernetes Auth Method. This requires the application is written or rewritten to be Vault aware.
• Helm Chart (Open-Source & Enterprise): One of the biggest issues with running Vault on Kubernetes is the complexity involved in installing Vault. By using the Helm chart, you can greatly reduce the complexity of installing and running Vault on Kubernetes, and it gives you a repeatable deployment process in less time (vs rolling their own).
• Vault Agent Sidecar Injector for Kubernetes (for Vault-unaware workloads). For users with many legacy applications looking at migrating into Kubernetes, it is very hard, if not impossible, to rewrite that application to be Vault aware (ie. calling Vault APIs from within the application code). For these applications, Vault can inject secrets directly into the filesystem to be picked up by these applications without any knowledge of Vault.

To see a video demo of Vault secrets being injected into Kubernetes pods using init and sidecar containers please watch the video below.

With each release of HashiCorp Vault we are continuing to add new features and make improvements. We’re not done yet.

»Next Steps

For more information on running Vault on OpenShift, please see our detailed documentation, and a hands on Learn Guide.

Also, if you enjoy playing around with this type of stuff, maybe you’d be interested in working at HashiCorp too since we’re hiring!