Vault: Enable HTTPS with OpenShift 4 and Helm 3

Hello,

I’m here to get some help on how to enable HTTPS for the Vault UI with OpenShift and Helm 3, using a self-signed certificate.

To do that, I use Helm 3 and a free OpenShift 4 cluster provided by Red Hat CodeReady Containers.

Currently, this is what I have done:

Add the HashiCorp repo:

helm repo add hashicorp https://helm.releases.hashicorp.com

Install the latest version of Vault:

[tim@Host-002 crc-linux-1.22.0-amd64]$ helm install vault hashicorp/vault \
> --namespace vault \
> --set "global.openshift=true" \
> --set "server.dev.enabled=true"

Then I run oc get pods:

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc get pods

NAME                                    READY   STATUS              RESTARTS   AGE
vault-0                                 0/1     ContainerCreating   0          20s
vault-agent-injector-7bfb9cffc5-4tl6s   0/1     ContainerCreating   0          21s

I open an interactive shell session in the vault-0 pod:

oc rsh vault-0

Then I initialize Vault:

/ $ vault operator init --tls-skip-verify -key-shares=1 -key-threshold=1
Unseal Key 1: iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=

Initial Root Token: s.xVb0DvIMQRYam7oS2C0ZsHBC

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 1 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Export the token:

export VAULT_TOKEN=s.xVb0DvIMQRYam7oS2C0ZsHBC

Unseal Vault:

/ $ vault operator unseal --tls-skip-verify iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=

Key             Value
---             -----

Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.2
Storage Type    file
Cluster Name    vault-cluster-21448fb0
Cluster ID      e4d4649f-2187-4682-fbcb-4fc175d20a6b
HA Enabled      false

I check the pods:

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc get pods
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          35m
vault-agent-injector-7f5bc979b6-p5bw6   1/1     Running   0          35m

I’m able to reach the UI without HTTPS:

In the OpenShift console, I switch to the Administrator view and this is what I did:

  • Networking > Routes > Create Route
    - Name: vault-route
    - Hostname: 192.168.130.11
    - Path:
    - Service: vault
    - Target Port: 8200 → 8200 (TCP)

Now, if I open the URL http://192.168.130.11/ui:

The UI is available.

What I did for the HTTPS access:

I created the directory /vault/certs in my home directory and ran:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 365000  -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

For the information requested I used:

Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXX
Locality Name (eg, city) []:XXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
Organizational Unit Name (eg, section) []:XXX
Common Name (e.g. server FQDN or YOUR name) []:192.168.130.11

And:

[tim@localhost certs]$ openssl verify -CAfile ca.pem server-cert.pem
server-cert.pem: OK

To configure HTTPS:

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc create secret tls vault-cert --cert=/home/vault/certs/server-cert.pem --key=/home/vault/certs/server-key.pem -n vault
secret/vault-cert created
[tim@Host-002 crc-linux-1.22.0-amd64]$ oc create secret generic pki-int-cert --from-file=ca.pem=/home/vault/certs/ca.pem -n vault
secret/pki-int-cert created
[tim@Host-002 crc-linux-1.22.0-amd64]$ oc edit statefulset.apps/vault

And I updated the volumeMounts section like this:

volumeMounts:
        - mountPath: /vault/data
          name: data
        - mountPath: /vault/config
          name: config
        - mountPath: /home/vault
          name: home
        - mountPath: /vault/certs
          name: certs
          readOnly: true

And the volumes section like this:

volumes:
      - configMap:
          defaultMode: 420
          name: vault-config
        name: config
      - emptyDir: {}
        name: home
      - name: certs
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: pki-int-cert
          - secret:
              name: vault-cert

I kill the vault-0 pod so the changes take effect, and I check whether my pod has access to the different secrets:

[tim@localhost certs]$ oc rsh vault-0
/ $ ls
bin    etc    lib    mnt    proc   run    srv    tmp    var
dev    home   media  opt    root   sbin   sys    usr    vault
/ $ cd vault/
/vault $ ls
certs   config  data    file    logs
/vault $ cd certs/
/vault/certs $ ls
ca.pem   tls.crt  tls.key

Then I edited the vault-config ConfigMap like this:

[tim@Host-002 crc-linux-1.22.0-amd64]$ oc edit cm vault-config
apiVersion: v1
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    ui = true

    listener "tcp" {
      tls_cert_file = "/vault/certs/tls.crt"
      tls_key_file = "/vault/certs/tls.key"
      tls_client_ca_file = "/vaut/certs/ca.pem"
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "file" {
      path = "/vault/data"
    }

And I kill my pod again.

After that, if I try to use the first route I created, I get this error:

So I deleted the first route and recreated it with HTTPS:

  • Networking > Routes > Create Route
    - Name: vault-route
    - Hostname: 192.168.130.11
    - Path:
    - Service: vault
    - Target Port: 8200 → 8200 (TCP)
    - Secure route enabled
    - TLS Termination: Passthrough

And if I try the URL https://192.168.130.11/ui:

I get this error… I think I missed something but I don’t know what…

Can someone help me?

Thanks a lot!
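As an added example (not part of the original post, and not HashiCorp's or Red Hat's code), here is a POSIX shell script that does the same certificate generation as the openssl commands above, but places the address clients will connect to in a Subject Alternative Name instead of only the Common Name: browsers and Go-based clients such as the Vault CLI ignore the CN and require a matching SAN, so a certificate with only CN=192.168.130.11 is rejected even when it chains correctly to the CA. The IP address 192.168.130.11 comes from the post; the DNS name vault.apps-crc.testing, the CA subject, the output directory and the 10-year validity are assumptions, and the check functions verify the chain and the SAN content the way `openssl verify` was used in the post.

```shell
#!/bin/sh
# Added example: generate a throwaway CA and a Vault server certificate whose
# Subject Alternative Name covers both the route IP and a DNS hostname, then
# verify the chain and the SAN entries. Assumes openssl is installed.
set -eu

# gen_vault_certs <out_dir> <ip_address> <dns_name>
# Produces ca-key.pem, ca.pem, server-key.pem, server-req.pem, server-cert.pem.
gen_vault_certs() {
  dir="$1"; ip="$2"; dns="$3"
  mkdir -p "$dir"

  # CA key and self-signed CA certificate (assumed 10-year validity, assumed subject).
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 3650 -key "$dir/ca-key.pem" \
      -subj "/CN=vault-demo-ca" -out "$dir/ca.pem" 2>/dev/null

  # Server key and CSR. The CN alone is not trusted by modern clients, so the
  # SANs are added at signing time through the extension file below.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
      -subj "/CN=$dns" -out "$dir/server-req.pem" 2>/dev/null

  # Extension file: SAN with the IP and DNS name, server-auth usage, not a CA.
  cat > "$dir/server-ext.cnf" <<EOF
subjectAltName = IP:$ip, DNS:$dns
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF

  # Sign the CSR with the CA, applying the extensions.
  openssl x509 -req -in "$dir/server-req.pem" -days 3650 \
      -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
      -extfile "$dir/server-ext.cnf" -out "$dir/server-cert.pem" 2>/dev/null
}

# verify_chain <dir>: same check as "openssl verify -CAfile ca.pem server-cert.pem".
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

# cert_has_san <dir> <entry>: entry is e.g. "IP Address:192.168.130.11" or
# "DNS:vault.apps-crc.testing", as printed by "openssl x509 -text".
cert_has_san() {
  openssl x509 -in "$1/server-cert.pem" -noout -text 2>/dev/null | grep -q "$2"
}

# Usage with the post's IP and an assumed CRC route hostname (constructed values):
#   gen_vault_certs ./certs 192.168.130.11 vault.apps-crc.testing
#   verify_chain ./certs && cert_has_san ./certs "IP Address:192.168.130.11"
```

Two points worth checking alongside the certificate itself. First, `tls_client_ca_file` in the listener block only sets the CA used to verify client certificates; it is not needed for plain HTTPS access to the UI, and a typo in its path (the post has `/vaut/certs/ca.pem`) is reported at startup in the pod logs, so `oc logs vault-0` is the first place to look. Second, once the CA file is available, `VAULT_CACERT=/vault/certs/ca.pem vault status` validates the listener properly and removes the need for `--tls-skip-verify`. Finally, an OpenShift passthrough route is matched by the TLS SNI field, and clients do not send SNI for an IP-literal hostname, so a passthrough route needs a DNS hostname that is also listed in the certificate's SAN, as in the example.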