Vault

Channel Revision Published Runs on
latest/edge 222 20 Jan 2024
Ubuntu 23.10
1.8/stable 209 05 Jan 2024
Ubuntu 22.04
1.8/edge 164 09 Aug 2023
Ubuntu 23.04
1.15/beta 276 18 Apr 2024
Ubuntu 22.04
1.15/edge 290 09 May 2024
Ubuntu 22.04
1.7/stable 210 10 Jan 2024
Ubuntu 22.04 Ubuntu 20.04
1.6/stable 289 05 May 2024
Ubuntu 20.04 Ubuntu 18.04
1.5/stable 268 11 Apr 2024
Ubuntu 20.04 Ubuntu 18.04
juju deploy vault --channel 1.15/beta
Show information

Learn to deploy on juju >

Platform:

Ubuntu
22.04

Relevant links

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion

Getting Started

In this tutorial, we will deploy Vault on an LXD cloud.

Pre-requisites

A Ubuntu 22.04 machine with the following requirements:

  • A x86_64 CPU
  • 8GB of RAM
  • 20GB of free disk space

1. Install LXD

sudo snap install lxd

2. Bootstrap a Juju controller

Bootstrap a LXD Juju controller:

juju bootstrap localhost localhost

3. Deploy Vault

Create a Juju model named demo:

juju add-model demo

Deploy the Vault operator:

juju deploy vault --channel=1.15/beta

Deploying Vault will take several minutes, wait for the unit to be in the blocked/idle state, awaiting initialisation.

$ juju status
Model  Controller           Cloud/Region         Version  SLA          Timestamp
demo   localhost-localhost  localhost/localhost  3.4.0    unsupported  11:41:15-04:00

App    Version  Status   Scale  Charm  Channel    Rev  Exposed  Message
vault           blocked      1  vault  1.15/beta  257  no       Waiting for Vault to be initialized

Unit      Workload  Agent  Machine  Public address  Ports  Message
vault/0*  blocked   idle   0        10.191.126.116         Waiting for Vault to be initialized

Machine  State    Address         Inst id        Base          AZ  Message
0        started  10.191.126.116  juju-b8368f-0  ubuntu@22.04      Running

4. Set up the Vault CLI

To communicate with Vault via CLI, we need to install the Vault CLI client and set the following environment variables:

  • VAULT_ADDR
  • VAULT_TOKEN
  • VAULT_CAPATH

Install the Vault client and yq:

sudo snap install vault
sudo snap install yq

Set the VAULT_ADDR environment variable:

export VAULT_ADDR=https://$(juju status vault/leader --format=yaml | awk '/public-address/ { print $2 }'):8200; echo $VAULT_ADDR

Extract and store Vault’s CA certificate to a vault.pem file:

cert_juju_secret_id=$(juju secrets --format=yaml | yq 'to_entries | .[] | select(.value.label == "self-signed-vault-ca-certificate") | .key'); echo $cert_juju_secret_id
juju show-secret ${cert_juju_secret_id} --reveal --format=yaml | yq '.[].content.certificate' > vault.pem

This will put the CA certificate in a file called vault.pem. Now, you can point the vault client to this file by setting the VAULT_CAPATH variable.

export VAULT_CAPATH=$(pwd)/vault.pem; echo $VAULT_CAPATH

Validate that Vault is accessible and up and running:

vault status

You should expect the following output.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.15.4
Build Date         n/a
Storage Type       raft
HA Enabled         true

5. Initialise and unseal Vault

Initialise Vault:

$ vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=

Initial Root Token: hvs.0d26h3eSnlZzpUoVu49Sj64V

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 1 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Set the VAULT_TOKEN variable using the root token:

export VAULT_TOKEN=hvs.0d26h3eSnlZzpUoVu49Sj64V

Unseal Vault using the unseal key:

vault operator unseal NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=

6. Authorise the Vault charm

Create a token:

$vault token create -ttl=10m
Key                  Value
---                  -----
token                hvs.M9vfjsKfv1zOgU6QTuFJblwP
token_accessor       ctfCqC3MX8vGH9G7Z3URgWsR
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Authorise the charm to interact with Vault using the token value:

juju run vault/leader authorize-charm token="hvs.M9vfjsKfv1zOgU6QTuFJblwP"

7. Create a key-value type secret

Enable the kv secret engine:

vault secrets enable -version=2 kv

Create a secret under the kv/mypasswords path with these attributes:

  • key: bob
  • value: 1jioaf123901jdeja
vault kv put kv/mypasswords bob=1jioaf123901jdeja

Good job, you created your first secret!

You can now retrieve it:

vault kv get kv/mypasswords

And delete it:

vault kv delete kv/mypasswords

8. Destroy the environment

Destroy the Juju controller and its models:

juju kill-controller localhost-localhost

Uninstall all the installed packages:

sudo snap remove juju --purge
sudo snap remove yq --purge
sudo snap remove vault --purge

Help improve this document in the forum (guidelines). Last updated a month ago.