Add HashiCorp to your Helm repositories.
helm repo add hashicorp https://helm.releases.hashicorp.com
Modify and run the following command:
helm install vault hashicorp/vault --set ui.enabled=true -n vault --create-namespace
Create a VirtualService in your Vault namespace.
# virtual-service.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vault
  namespace: vault
spec:
  gateways:
  - gateway/istio-ingressgateway
  hosts:
  - localhost
  - host.docker.internal
  http:
  - match:
    - uri:
        prefix: /vault/
    name: http
    rewrite:
      uri: /
    route:
    - destination:
        host: vault-ui.vault.svc.cluster.local
        port:
          number: 8200
        subset: http
      weight: 100
Apply the VirtualService:
kubectl apply -f virtual-service.yaml
Create a DestinationRule in your Vault namespace.
# destination-rule.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: vault
  namespace: vault
spec:
  host: vault-ui.vault.svc.cluster.local
  subsets:
  - labels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
    name: http
  trafficPolicy:
    tls:
      mode: DISABLE
Apply the DestinationRule:
kubectl apply -f destination-rule.yaml
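With mode: DISABLE, the DestinationRule above sends traffic from the ingress gateway to the Vault pods in plaintext. The following variant is an added example, not part of the original instructions: it switches that hop to Istio mutual TLS and makes the Vault server pods reject plaintext. It assumes sidecar injection is enabled for the vault namespace; the file name and the PeerAuthentication name are hypothetical.

```yaml
# destination-rule-mtls.yaml (added example; file name is hypothetical)
# Assumption: the vault namespace has Istio sidecar injection enabled, e.g.
#   kubectl label namespace vault istio-injection=enabled
# and the Vault pods were restarted afterwards so each one runs an Envoy proxy.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: vault
  namespace: vault
spec:
  host: vault-ui.vault.svc.cluster.local
  subsets:
  - labels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
    name: http
  trafficPolicy:
    tls:
      # Weak setting from the page: mode: DISABLE (plaintext between proxies).
      # ISTIO_MUTUAL makes the client proxy use mesh-issued certificates.
      mode: ISTIO_MUTUAL
---
# Server side: refuse any connection to the Vault server pods that is not
# mesh mTLS, so the plaintext path cannot be used by accident.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: vault-server-strict   # hypothetical name
  namespace: vault
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
  mtls:
    mode: STRICT
```

Under STRICT, clients that do not run a sidecar can no longer reach Vault directly; use PERMISSIVE while such clients are being migrated.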
Modify and run the following command:
helm install vault hashicorp/vault --set ui.enabled=true,server.ingress.enabled=true,server.ingress.annotations.kubernetes\.io/ingress\.class=istio,server.ingress.hosts[0].host=host.docker.internal,server.ingress.hosts[0].paths={/vault/} -n vault --create-namespace
Modify and run the following command:
helm install vault hashicorp/vault --set ui.enabled=true,server.ingress.enabled=true,server.ingress.ingressClassName=istio,server.ingress.hosts[0].host=host.docker.internal,server.ingress.hosts[0].paths={/vault/} -n vault --create-namespace
(Optional) If you have TLS enabled and your Ingress resource exists in a different namespace, modify and use the following command. Note: This command uses Cert Manager.
helm install vault hashicorp/vault --set ui.enabled=true,server.ingress.enabled=true,server.ingress.ingressClassName=istio,server.ingress.annotations.cert-manager\.io/cluster-issuer=letsencrypt-prod,server.ingress.tls[0].secretName=istio-ingressgateway-staging,server.ingress.tls[0].hosts={host.docker.internal},server.ingress.hosts[0].host=host.docker.internal,server.ingress.hosts[0].paths={/vault/} -n vault --create-namespace
Create an IngressClass resource in your Vault namespace:
# ingress-class.yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller
Apply the IngressClass:
kubectl apply -f ingress-class.yaml