Vault on OpenShift - tips and tricks?

Howdy. I’m currently tasked with installing Vault on OpenShift. I’m taking the vault-helm path to do so. However, I’m having problems. My installation pattern does work on a more vanilla K8s, but not on OpenShift.

Does anyone have any tips, tricks, or hacks to get a working and maintainable Vault on OpenShift? Any and all pointers are welcome. :slight_smile:

Just some notes:

Here’s an example of the output from Helm on an OpenShift installation:

kubectl kustomize --enable-helm=true | kubectl apply -f -
namespace/vault-ns created
serviceaccount/test-vault created
serviceaccount/test-vault-agent-injector created
clusterrole.rbac.authorization.k8s.io/test-vault-agent-injector-clusterrole created
clusterrolebinding.rbac.authorization.k8s.io/test-vault-agent-injector-binding created
clusterrolebinding.rbac.authorization.k8s.io/test-vault-server-binding created
service/test-vault created
service/test-vault-agent-injector-svc created
service/test-vault-internal created
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sidecar-injector" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sidecar-injector" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sidecar-injector" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sidecar-injector" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/test-vault-agent-injector created
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "vault" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "vault" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "vault" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "vault" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
statefulset.apps/test-vault created
networkpolicy.networking.k8s.io/test-vault-agent-injector created
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "test-server-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "test-server-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "test-server-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "test-server-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/test-server-test created
mutatingwebhookconfiguration.admissionregistration.k8s.io/test-vault-agent-injector-cfg created

And here are the Helm values (part of the Kustomize `helmCharts` entry):

  - name: vault
    repo: https://helm.releases.hashicorp.com
    version: 0.23.0
    releaseName: test
    namespace: vault-ns
    valuesInline:
      global:
        openshift: true
        serverTelemetry:
          # the chart reads this as global.serverTelemetry.prometheusOperator
          prometheusOperator: true
      server:
        dev:
          enabled: true
        extraLabels:
          app: vault-server
        ingress:
          # ingress settings live under server.ingress in vault-helm
          enabled: true
          labels:
            traffic: external
          # annotation values must render as strings, so quote the boolean
          annotations: |
            kubernetes.io/ingress.class: nginx
            kubernetes.io/tls-acme: "false"
      injector:
        # injector.metrics is a top-level chart key, not part of serverTelemetry
        metrics:
          enabled: true

Cheers! :slight_smile:

UPDATE: I almost forgot - I did try the HashiCorp tutorial here: Vault Installation to Red Hat OpenShift via Helm | Vault | HashiCorp Developer, and I’m logged in as kubeadmin within the cluster project. I note that the tutorial hasn’t been validated since 2020:

“This tutorial was last tested 14 Jul 2020 on a macOS 10.15.5 using this configuration.”
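The four `PodSecurity "restricted:v1.24"` warnings in the kubectl output above each name the same four controls (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile). The script below is an added example, not part of the original post and not vault-helm code: it re-implements those four checks over a pod spec given as a plain dict, so a rendered manifest (e.g. from `helm template` or `kubectl kustomize --enable-helm`, converted to JSON) can be checked before `kubectl apply`. The sample pod spec is constructed; the `pod`/`container` split in `hardened_security_context()` is shaped for the chart's `server.statefulSet.securityContext` (and `injector.securityContext`) values, which I am assuming exist in chart 0.23.0. No `runAsUser` is pinned, so an OpenShift SCC can still assign the UID range.

```python
"""Re-implementation of the four PodSecurity "restricted" controls quoted in
the kubectl warnings (added example; not from the original post or vault-helm).
A pod spec is a plain dict in the same shape the chart renders."""

RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec):
    """Return (container, message) tuples for each restricted:v1.24 control a
    container would fail: allowPrivilegeEscalation, capabilities, runAsNonRoot
    and seccompProfile. Pod-level settings apply unless the container overrides."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # allowPrivilegeEscalation must be explicitly false on every container.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append((name, "allowPrivilegeEscalation != false"))

        # capabilities.drop must contain ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append((name, 'capabilities.drop must contain "ALL"'))
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append((name, f"capabilities.add not allowed: {sorted(extra)}"))

        # runAsNonRoot may be set on the pod or the container; container wins if present.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append((name, "runAsNonRoot != true"))

        # seccompProfile.type must be RuntimeDefault or Localhost at pod or container level.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP:
            violations.append((name, "seccompProfile.type not RuntimeDefault/Localhost"))
    return violations


# Constructed sample: a pod spec like the one the warning describes, where the
# "vault" container carries no securityContext at all.
UNHARDENED_POD = {
    "containers": [{"name": "vault", "image": "hashicorp/vault"}],
}


def hardened_security_context():
    """Pod- and container-level securityContext satisfying the four controls.
    No runAsUser is set, so the OpenShift SCC can still assign the UID. The
    pod/container split mirrors the chart's server.statefulSet.securityContext
    values (an assumption about vault-helm 0.23.0)."""
    return {
        "pod": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "container": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }


def apply_hardening(pod_spec, sc=None):
    """Return a copy of pod_spec with the hardened securityContext merged in
    at pod level and on every container (existing keys are preserved)."""
    sc = sc or hardened_security_context()
    hardened = dict(pod_spec)
    hardened["securityContext"] = {**(pod_spec.get("securityContext") or {}), **sc["pod"]}
    hardened["containers"] = [
        {**c, "securityContext": {**(c.get("securityContext") or {}), **sc["container"]}}
        for c in pod_spec.get("containers", [])
    ]
    return hardened


if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED_POD),
                        ("hardened", apply_hardening(UNHARDENED_POD))):
        print(label, restricted_violations(spec))
```

The unhardened sample reports exactly the four findings the warning lists for the `vault` container; after `apply_hardening()` it reports none. To use it against a real render, dump the `spec` of each Pod/Deployment/StatefulSet template from `kubectl kustomize --enable-helm=true` to JSON and feed it to `restricted_violations()`; a non-empty result on a namespace labelled `pod-security.kubernetes.io/enforce=restricted` means the pod would be rejected rather than merely warned about.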