docs/doc/source/security/kubernetes/install-vault.rst


.. ngo1596216203295
.. _install-vault:

=============
Install Vault
=============

Vault is packaged as a system application and is managed using
:command:`system application`, and :command:`system helm-override` commands.

.. rubric:: |context|

.. note::
    Vault requires a storage backend with PVC enabled (for example, Ceph).

To install Vault, use the following procedure:

.. rubric:: |proc|

#.  Locate the Vault tarball in ``/usr/local/share/applications/helm``.

    For example, ``/usr/local/share/applications/helm/vault-<version>.tgz``.

#.  Upload Vault, using the following command:

    .. code-block:: none

        $ system application-upload ``/usr/local/share/applications/helm/vault-<version>.tgz``

    Replace the <version> with appropriate version number.

#.  Verify the Vault tarball has been uploaded.

    .. code-block:: none

        $ system application-list

#.  Apply the Vault application.

    .. code-block:: none

        $ system application-apply vault

#.  Monitor the status.

    .. code-block:: none

        $ watch -n 5 system application-list

    or

    .. code-block:: none

        $ watch kubectl get pods -n vault

    It takes a few minutes for all the pods to start and for Vault-manager
    to initialize the cluster.

    The default configuration for the installed Vault application is:

    **Vault-manager**
        Runs as a statefulset, replica count of 1

    **Vault-agent-injector**
        Runs as a deployment, replica count of 1

    **Vault**
        Runs as statefulset, replica count is 1 on systems with fewer
        than 3 nodes, replica count is 3 on systems with 3 or more nodes


For more information, see :ref:`Configure Vault <configure-vault>`.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. ngo1596216203295`
			`.. _install-vault:`

			`=============`
			`Install Vault`
			`=============`

Armada Deprecation and Replacement First pass - generic updates only. (command input/output to be done) Address patchset 1 review comments. Replace examples using openstack with metrics server Remove DS app from application-list output Additional migration to FluxCD (snmp, auditd) Minor textual change. Fix merge conflict. Revert install r5 change. Story: 2009138 Task: 45238 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ia40ff45f12ec7b7ffa859e0d8bb5535303870d83 2022-05-30 14:49:14 -04:00			`Vault is packaged as a system application and is managed using`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			:command:`system application`, and :command:`system helm-override` commands.

			`.. rubric:: \|context\|`

			`.. note::`
Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			`Vault requires a storage backend with PVC enabled (for example, Ceph).`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`To install Vault, use the following procedure:`

			`.. rubric:: \|proc\|`

Armada Deprecation and Replacement First pass - generic updates only. (command input/output to be done) Address patchset 1 review comments. Replace examples using openstack with metrics server Remove DS app from application-list output Additional migration to FluxCD (snmp, auditd) Minor textual change. Fix merge conflict. Revert install r5 change. Story: 2009138 Task: 45238 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ia40ff45f12ec7b7ffa859e0d8bb5535303870d83 2022-05-30 14:49:14 -04:00			#. Locate the Vault tarball in ``/usr/local/share/applications/helm``.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
vault chart version. Actual changes are already merged. This review is opened for a small fix. For additional information for review approvals, see https://review.opendev.org/c/starlingx/docs/+/903150. Change-Id: I2e0a6e1a5aa577fa9b2411ee3a21514f870ab23d Signed-off-by: Dinesh Neelapu <dinesh.neelapu@windriver.com> 2023-12-11 03:13:30 +00:00			For example, ``/usr/local/share/applications/helm/vault-<version>.tgz``.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Upload Vault, using the following command:`

			`.. code-block:: none`

vault chart version. (r8, dsr8) Updated the vault chart version. Change-Id: I0f01f1071ee146d317a40d8c6e87d5b100ef9d64 Signed-off-by: Dinesh Neelapu <dinesh.neelapu@windriver.com> 2023-12-04 04:22:45 +00:00			$ system application-upload ``/usr/local/share/applications/helm/vault-<version>.tgz``

			`Replace the <version> with appropriate version number.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`#. Verify the Vault tarball has been uploaded.`

			`.. code-block:: none`

			`$ system application-list`

			`#. Apply the Vault application.`

			`.. code-block:: none`

			`$ system application-apply vault`

			`#. Monitor the status.`

			`.. code-block:: none`

			`$ watch -n 5 system application-list`

			`or`

			`.. code-block:: none`

			`$ watch kubectl get pods -n vault`

			`It takes a few minutes for all the pods to start and for Vault-manager`
			`to initialize the cluster.`

			`The default configuration for the installed Vault application is:`

			`Vault-manager`
			`Runs as a statefulset, replica count of 1`

			`Vault-agent-injector`
			`Runs as a deployment, replica count of 1`

			`Vault`
			`Runs as statefulset, replica count is 1 on systems with fewer`
			`than 3 nodes, replica count is 3 on systems with 3 or more nodes`


			For more information, see :ref:`Configure Vault <configure-vault>`.