Vault : Enable https with OpenShift4 and helm3


I’m here in order to have some help about how to enable the https for the vault UI with openshift and helm3 with a self signed certificate.

To do that, I use helm3 and a free OpenShift 4 cluster with a Red Hat CodeReady Containers.

Currently, this is what I have done :

Add hashicorp repo :

helm repo add hashicorp

Install the latest version of vault :

[tim@Host-002 crc-linux-1.22.0-amd64]$ helm install vault hashicorp/vault \
> --namespace vault \
> --set "global.openshift=true" \
> --set ""

Then I run oc get pods

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc get pods

NAME                                    READY   STATUS              RESTARTS   AGE
vault-0                                 0/1     ContainerCreating   0          20s
vault-agent-injector-7bfb9cffc5-4tl6s   0/1     ContainerCreating   0          21s

I run an interactive shell session with the vault-0 pod :

oc rsh vault-0

Then I initialize Vault :

/ $ vault operator init --tls-skip-verify -key-shares=1 -key-threshold=1
Unseal Key 1: iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=

Initial Root Token: s.xVb0DvIMQRYam7oS2C0ZsHBC

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 1 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Export the token :


Unseal Vault :

/ $ vault operator unseal --tls-skip-verify iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=

Key             Value
---             -----

Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.2
Storage Type    file
Cluster Name    vault-cluster-21448fb0
Cluster ID      e4d4649f-2187-4682-fbcb-4fc175d20a6b
HA Enabled      false

I check the pods :

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc get pods
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          35m
vault-agent-injector-7f5bc979b6-p5bw6   1/1     Running   0          35m

I’m able to get the UI without https :

In the OpenShift console, I switch to the Administrator mode and this is what I’ve done :

  • Networking part
    - Routes > Create routes
  • Name : vault-route
  • Hostname :
  • Path :
  • Service : vault
  • Target Port : 8200 → 8200 (TCP)

Now, if I check the URL : :

The UI is available.


What I’ve done for the https access :

I’ve created the directory /vault/certs in my /home and :

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 365000  -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

For the informations requested I used :

Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXX
Locality Name (eg, city) []:XXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
Organizational Unit Name (eg, section) []:XXX
Common Name (e.g. server FQDN or YOUR name) []:

And :

[tim@localhost certs]$ openssl verify -CAfile ca.pem server-cert.pem
server-cert.pem: OK

To configure https :

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc create secret tls vault-cert --cert=/home/vault/certs/server-cert.pem --key=/home/vault/certs/server-key.pem -n vault 
secret/vault-cert created
[tim@Host-002 crc-linux-1.22.0-amd64]$ oc create secret generic pki-int-cert --form-file=ca.pem=/home/vault/certs/ca.pem -n vault 
secret/pki-int-cert created
[tim@Host-002 crc-linux-1.22.0-amd64]$ oc edit statefulset.apps/vault

And I’ve updated the volumeMounts section like that :

        - mountPath: /vault/data
          name: data
        - mountPath: /vault/config
          name: config
        - mountPath: /home/vault
          name: home
        - mountPath: /vault/certs
          name: certs
          readOnly: true

And the volumes section like that :

      - configMap:
          defaultMode: 420
          name: vault-config
        name: config
      - emptyDir: {}
        name: home
      - name: certs
          defaultMode: 420
          - secret:
              name: pki-int-cert
          - secret:
              name: vault-cert

I kill the vault-0 pod to take into account the changes and I check if my pod has access to my different secrets :

[tim@localhost certs]$ oc rsh vault-0
/ $ ls
bin    etc    lib    mnt    proc   run    srv    tmp    var
dev    home   media  opt    root   sbin   sys    usr    vault
/ $ cd vault/
/vault $ ls
certs   config  data    file    logs
/vault $ cd certs/
/vault/certs $ ls
ca.pem   tls.crt  tls.key

Then I’ve edited the vault-config file like that :

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc edit cm vault-config
apiVersion: v1
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    ui = true

    listener "tcp" {
      tls_cert_file = "/vault/certs/tls.crt"
      tls_key_file = "/vault/certs/tls.key"
      tls_client_ca_file = "/vaut/certs/ca.pem"
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    storage "file" {
      path = "/vault/data"

And I rekill my pod.

After that, if I try to use the first route created, I’ve this error :

So I’ve deleted the first route and I recreate it with https :

  • Networking part > Routes > Create routes
    - Name : vault-route
    - Hostname :
    - Path :
    - Service : vault
    - Target Port : 8200 → 8200 (TCP)
    - Secure route enabled
    - TLS Termination : Passthrough

And if I try the url :

I’ve this error… I think I missed something but I don’t know what…

Someone to help me ?

Thanks a lot !