The following instructions have been tested on a KinD cluster and use the Venafi Secrets Engine for HashiCorp Vault.
install vault (dev mode)
helm repo add hashicorp https://helm.releases.hashicorp.com
# Dev-mode server (in-memory storage, starts unsealed, root token preset) with
# a volume named "plugins" mounted at /vault/plugins/ and handed to Vault as
# its plugin directory via -dev-plugin-dir.
helm install vault hashicorp/vault \
  --namespace vault --create-namespace \
  --set server.dev.enabled=true \
  --set server.extraArgs=-dev-plugin-dir=/vault/plugins/ \
  --set 'server.volumes[0].name=plugins' \
  --set 'server.volumeMounts[0].name=plugins' \
  --set 'server.volumeMounts[0].mountPath=/vault/plugins/'
how to start a session on the vault pod
# Interactive shell inside the Vault server pod; type "exit" to leave it.
kubectl exec --namespace vault --stdin --tty vault-0 -- sh
test vault
# CLI - !!! requires session on vault-0 !!!
vault status
vault secrets list
# Round-trip a value through the cubbyhole engine (scoped to the current token).
vault write cubbyhole/test foo=bar
vault list cubbyhole
vault read cubbyhole/test
# UI - after the port-forward, open http://localhost:8200 and log in with the
# dev-mode root token ("root").
kubectl port-forward --namespace vault pod/vault-0 8200:8200
prepare venafi secrets engine plugin
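# !!! requires session on vault-0 !!!
#
# Downloads the Venafi PKI secrets-engine plugin, verifies its checksum,
# registers it in Vault's plugin catalog and configures one VaaS connection
# and one role. The steps are wrapped in a function so that a failed step
# returns to the prompt instead of ending the exec session.
#
# The sha_256 written to the catalog is the value Vault later compares the
# binary on disk against; hashing the file you just downloaded proves nothing
# about the download itself. Fill in expected_sha256 from the checksum
# published for the release (or one obtained out-of-band) so a tampered or
# truncated archive is refused before it is registered.
release=0.12.1
expected_sha256='<PUBLISHED_SHA256_OF_venafi-pki-backend>'   # placeholder: replace before running

install_venafi_plugin() {
  archive="venafi-pki-backend_v${release}_linux.zip"
  # Prompt for the key instead of typing it into a command line, so it stays
  # out of shell history (add -s to read if this shell supports it).
  printf 'TLSPC API key: ' >&2
  read -r apikey || return 1
  cd /tmp/ || return 1
  wget "https://github.com/Venafi/vault-pki-backend-venafi/releases/download/v${release}/${archive}" || return 1
  # -o: overwrite a binary left behind by an earlier, aborted run
  unzip -o "${archive}" || return 1
  sha256=$(sha256sum venafi-pki-backend | cut -d' ' -f1)
  if [ "${sha256}" != "${expected_sha256}" ]; then
    printf 'checksum mismatch for venafi-pki-backend: got %s, expected %s\n' "${sha256}" "${expected_sha256}" >&2
    rm -f venafi-pki-backend
    return 1
  fi
  mv venafi-pki-backend /vault/plugins/ || return 1
  vault write sys/plugins/catalog/secret/venafi-pki-backend sha_256="${sha256}" command="venafi-pki-backend" || return 1
  vault secrets enable -path=venafi-pki -plugin-name=venafi-pki-backend plugin || return 1
  # "apikey=-" makes the Vault CLI read that value from stdin, keeping the key
  # out of the process argument list (and out of ps output).
  printf '%s' "${apikey}" | vault write venafi-pki/venafi/vaas apikey=- zone="Built-In CA\\Built-In CA Template" || return 1
  vault write venafi-pki/roles/vaas venafi_secret=vaas generate_lease=true store_by=serial store_pkey=true || return 1
  unset apikey
}
install_venafi_plugin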
configure cert-manager to use vault issuer
TBD
uninstall vault
# Remove the Helm release first, then the namespace it was installed into.
helm uninstall vault --namespace vault
kubectl delete namespace vault