Howdy. I’m currently tasked with installing Vault on OpenShift. I’m taking the vault-helm path to do so. However, I’m having problems. My installation pattern does work on a more vanilla K8s, but not on OpenShift.
Does anyone have any tips, tricks, or hacks to get a working and maintainable Vault on OpenShift? Any and all pointers are welcome.
Just some notes:
- I’m using the latest version of the Helm chart (GitHub: hashicorp/vault-helm, “Helm chart to install Vault and other associated components”).
- I’m using version 4.12 of OpenShift (and I’m also playing with the same version of OKD locally as well).
- I’ve tried with and without “global: openshift: true” set. From what I can see, this just adds a pretty simple override file to the manifests? Are there other changes that flag makes?
Here’s an example of the output from Helm on an OpenShift installation:
kubectl kustomize --enable-helm=true | kubectl apply -f -
namespace/vault-ns created
serviceaccount/test-vault created
serviceaccount/test-vault-agent-injector created
clusterrole.rbac.authorization.k8s.io/test-vault-agent-injector-clusterrole created
clusterrolebinding.rbac.authorization.k8s.io/test-vault-agent-injector-binding created
clusterrolebinding.rbac.authorization.k8s.io/test-vault-server-binding created
service/test-vault created
service/test-vault-agent-injector-svc created
service/test-vault-internal created
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sidecar-injector" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sidecar-injector" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sidecar-injector" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sidecar-injector" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/test-vault-agent-injector created
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "vault" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "vault" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "vault" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "vault" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
statefulset.apps/test-vault created
networkpolicy.networking.k8s.io/test-vault-agent-injector created
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "test-server-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "test-server-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "test-server-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "test-server-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/test-server-test created
mutatingwebhookconfiguration.admissionregistration.k8s.io/test-vault-agent-injector-cfg created
And here’s the Helm values (part of Kustomize):
- name: vault
  repo: https://helm.releases.hashicorp.com
  version: 0.23.0
  releaseName: test
  namespace: vault-ns
  # Kustomize's helmCharts field is spelled valuesInline (original read valuesInLine)
  valuesInline:
    global:
      openshift: true
    server:
      dev:
        enabled: true
      extraLabels:
        app: vault-server
    serverTelemetry:
      prometheusOperator: true
    injector:
      metrics:
        enabled: true
      ingress:
        enabled: true
        labels:
          traffic: external
        # the chart takes injector ingress annotations as a string block
        annotations: |
          kubernetes.io/ingress.class: nginx
          kubernetes.io/tls-acme: false
Cheers!
UPDATE: I almost forgot - I did try the HashiCorp tutorial here (Vault Installation to Red Hat OpenShift via Helm, on HashiCorp Developer), and I’m logged in as kubeadmin within the cluster project. I note that that tutorial hasn’t been validated since 2020:
“This tutorial was last tested 14 Jul 2020 on a macOS 10.15.5 using this configuration.”
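The four PodSecurity "restricted:v1.24" items repeated in the apply output above (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile) are admission warnings, which is why the objects were still created; they name exactly the securityContext fields the injector and server pods are missing. The values fragment below is an added example, not the poster's kustomization and not the chart's defaults. It assumes the vault-helm 0.23.0 value keys server.statefulSet.securityContext.pod / .container and injector.securityContext.pod / .container, and it deliberately sets no runAsUser or fsGroup so that the UID range assigned by the OpenShift SCC is used. It does not cover the chart's Helm test pod (test-server-test), which produced the third warning.

```yaml
# Added example (not the poster's configuration or the chart's defaults).
# Assumes chart keys server.statefulSet.securityContext.{pod,container}
# and injector.securityContext.{pod,container}; check values.yaml for 0.23.0.
valuesInline:
  global:
    openshift: true
  server:
    dev:
      enabled: true
    statefulSet:
      securityContext:
        # pod level: answers the runAsNonRoot and seccompProfile warnings
        pod:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        # container level: answers allowPrivilegeEscalation and
        # "unrestricted capabilities" (dropping ALL also drops IPC_LOCK)
        container:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
  injector:
    securityContext:
      pod:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      container:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

To check the effect without touching the cluster state, re-render and run a server-side dry run: kubectl kustomize --enable-helm=true | kubectl apply --dry-run=server -f - ; the PodSecurity warnings for the sidecar-injector and vault containers should no longer appear. Dropping ALL capabilities removes IPC_LOCK, which only matters outside dev mode, so for a non-dev deployment confirm the Vault server config has mlock disabled before relying on this.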