We are excited to announce that the HashiCorp Vault Helm chart has been updated with Red Hat OpenShift 4.X support. We have extended the existing Helm chart to support installing and running Vault Enterprise on OpenShift. Using the Helm chart, you will be able to use annotations to inject secrets, via sidecar injection, into applications that have no native HashiCorp Vault logic built in, letting them consume static and dynamic secrets sourced from Vault.
The recommended OpenShift installation method is through the latest Vault Helm chart. We will cover the high level details here, but for more information on running Vault on OpenShift, please see our detailed documentation, and a hands on Learn Guide.
To use the Helm chart, add the HashiCorp Helm repository and check that you have access to the chart:
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm search repo hashicorp/vault
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/vault 0.6.0 1.4.2 Official HashiCorp Vault Chart
Use helm install to install the latest release of the Vault Helm chart. The helm install command accepts parameters to override default configuration values, either inline or defined in a file. For all OpenShift deployments, global.openshift should be set to true.
$ helm install vault hashicorp/vault \
--set "global.openshift=true" \
--set "server.dev.enabled=true"
Or, you can use a YAML file to override specific parts of the configuration, such as in the following example:
$ cat override-values.yml
global:
  openshift: true
server:
  ha:
    enabled: true
    replicas: 5
Then, run helm install again, referencing your override file.
$ helm install vault hashicorp/vault \
--values override-values.yml
The Helm chart supports running on OpenShift in Dev mode, Highly Available Raft mode, and External mode. In External mode, no Vault server exists on your OpenShift cluster, and your applications rely on a network-addressable Vault server running elsewhere (the secret-injection-only use case).
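As an added example (not from the original post and not the chart's own defaults), here is an override file for the Highly Available Raft mode described above, with the agent injector enabled so the annotation-based secret injection works. The key names follow the vault-helm chart; the listener block is assumed to be the place you adapt for TLS in production.

```yaml
# override-values-raft.yml: added example, not part of the original post.
global:
  openshift: true            # required for every OpenShift deployment
injector:
  enabled: true              # deploys the mutating webhook that adds the agent sidecar
server:
  ha:
    enabled: true
    replicas: 3              # three nodes gives Raft a quorum that survives one failure
    raft:
      enabled: true          # integrated storage, no external Consul cluster needed
      setNodeId: true        # node_id is derived from the pod name
      config: |
        ui = true
        listener "tcp" {
          # chart default; set tls_disable = 0 and add cert_file/key_file for production
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }
        storage "raft" {
          path = "/vault/data"
        }
        service_registration "kubernetes" {}
```

Install it with helm install vault hashicorp/vault --values override-values-raft.yml, then initialize and unseal the first pod before joining the others.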
We have made significant progress in supporting Kubernetes this past year. If you are just getting started with Vault and OpenShift, we wanted to give a quick summary of existing resources to help you get started quickly.
To see a video demo of Vault secrets being injected into Kubernetes pods using init and sidecar containers, please watch the video below.
With each release of HashiCorp Vault we are continuing to add new features and make improvements. We’re not done yet.
For more information on running Vault on OpenShift, please see our detailed documentation, and a hands on Learn Guide.
Also, if you enjoy playing around with this type of stuff, maybe you’d be interested in working at HashiCorp too since we’re hiring!