@matiasah
Last active July 3, 2023 03:44
Deploy HashiCorp Vault with Istio Ingress enabled

Add Helm Repository

Add HashiCorp to your Helm repositories.

helm repo add hashicorp https://helm.releases.hashicorp.com

Deploy Vault

Option 1: Virtual Service (Preferred)

Install the chart with the UI enabled, adjusting the release name and namespace as needed:

helm install vault hashicorp/vault --set ui.enabled=true -n vault --create-namespace

With the chart's defaults this is a single standalone server whose listener has TLS disabled (global.tlsDisable=true), and it starts sealed: run "vault operator init" and then "vault operator unseal" in the vault-0 pod before the UI can be used. Anything you put in front of it, including the routes below, therefore talks to Vault in plaintext unless you enable TLS on the listener.

Create a VirtualService in your Vault namespace. The gateways entry is the namespace/name of the Gateway resource served by your ingress gateway, and the hosts (localhost and host.docker.internal are Docker Desktop-style local names) must be covered by that Gateway's server hosts; change both to match your cluster. The subset name (http) must match the DestinationRule created next.

# virtual-service.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vault
  namespace: vault
spec:
  gateways:
  - gateway/istio-ingressgateway   # <namespace>/<name> of your Gateway resource
  hosts:
  - localhost
  - host.docker.internal           # must be covered by the Gateway's server hosts
  http:
  - match:
    - uri:
        prefix: /vault/
    name: http
    rewrite:
      uri: /
    route:
    - destination:
        host: vault-ui.vault.svc.cluster.local
        port:
          number: 8200
        subset: http
      weight: 100

Apply VirtualService

kubectl apply -f virtual-service.yaml

Create a DestinationRule in your Vault namespace. It defines the http subset the route targets (selected by the chart's pod labels) and, with tls.mode DISABLE, makes the gateway connect to Vault in plaintext, which matches the chart's TLS-disabled listener. If you later enable TLS on Vault's listener, change the mode to SIMPLE and point caCertificates at Vault's CA rather than leaving it disabled.

# destination-rule.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: vault
  namespace: vault
spec:
  host: vault-ui.vault.svc.cluster.local
  subsets:
  - labels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
    name: http
  trafficPolicy:
    tls:
      mode: DISABLE

Apply DestinationRule

kubectl apply -f destination-rule.yaml
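A post-deployment check for Option 1, added here as an example and not part of the original gist. It assumes the ingress gateway is reachable on a base URL you supply (for the VirtualService above that is http://host.docker.internal/vault) and uses Vault's unauthenticated /v1/sys/health endpoint, whose HTTP status code encodes the server state, so it works even before the server is initialised or unsealed. The route_path helper mirrors what the prefix match plus rewrite above does to an incoming path; the function names and the VAULT_INGRESS_URL and ALLOW_PLAINTEXT variables are this example's own.

```shell
#!/bin/sh
# Added example: verify Vault is reachable through the Istio route above.
# Not part of the gist; VAULT_INGRESS_URL and ALLOW_PLAINTEXT are assumed names.
set -eu

# Mirror the VirtualService: a request matching the prefix /vault/ is
# forwarded with that matched prefix replaced by "/" (Istio rewrite.uri
# semantics). Paths outside the prefix are not routed at all, so we print
# an empty line for them.
route_path() {
    path="$1"
    case "$path" in
        /vault/*) printf '/%s\n' "${path#/vault/}" ;;
        *) printf '\n' ;;
    esac
}

# Map the status code of GET /v1/sys/health (default query parameters)
# to the Vault state it encodes. 000 is what curl reports when no HTTP
# response was received at all.
vault_health_state() {
    case "$1" in
        200) echo "initialized, unsealed, active" ;;
        429) echo "unsealed, standby" ;;
        472) echo "disaster recovery secondary, active" ;;
        473) echo "performance standby" ;;
        501) echo "not initialized" ;;
        503) echo "sealed" ;;
        000) echo "no HTTP response (route or gateway not reachable)" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# Probe Vault through the ingress. Refuses a plaintext base URL unless the
# caller opts in, because Vault tokens would cross the wire unencrypted.
probe_vault() {
    base="$1"
    case "$base" in
        https://*) ;;
        http://*)
            if [ "${ALLOW_PLAINTEXT:-0}" != "1" ]; then
                echo "refusing plaintext $base (set ALLOW_PLAINTEXT=1 for local dev)" >&2
                return 2
            fi ;;
        *) echo "unsupported URL: $base" >&2; return 2 ;;
    esac
    code=$(curl -s -o /dev/null -w '%{http_code}' "${base%/}/v1/sys/health" 2>/dev/null) || code=000
    echo "HTTP $code: $(vault_health_state "$code")"
    # Any documented health code proves the route reaches Vault; a sealed or
    # uninitialised server is still a working route.
    case "$code" in
        200|429|472|473|501|503) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the probe only when a target is supplied, e.g.
#   ALLOW_PLAINTEXT=1 VAULT_INGRESS_URL=http://host.docker.internal/vault sh check-vault-ingress.sh
if [ -n "${VAULT_INGRESS_URL:-}" ]; then
    probe_vault "$VAULT_INGRESS_URL"
fi
```

A 503 right after the install is the expected answer (the server is sealed); a 000 means the gateway, Gateway hosts or VirtualService do not line up with the URL you used.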

Option 2: Ingress Annotation

Modify and run the following command. The kubernetes.io/ingress.class annotation is the legacy way of selecting a controller (Kubernetes deprecated it in 1.18 in favour of ingressClassName, which Option 3 uses). In bash or zsh the --set value must be quoted as shown, otherwise the shell strips the backslash that keeps kubernetes.io as a single key before Helm sees it; PowerShell passes the backslash through unchanged.

helm install vault hashicorp/vault --set 'ui.enabled=true,server.ingress.enabled=true,server.ingress.annotations.kubernetes\.io/ingress\.class=istio,server.ingress.hosts[0].host=host.docker.internal,server.ingress.hosts[0].paths={/vault/}' -n vault --create-namespace

Option 3: Ingress Class

Modify and run the following command:

helm install vault hashicorp/vault --set ui.enabled=true,server.ingress.enabled=true,server.ingress.ingressClassName=istio,server.ingress.hosts[0].host=host.docker.internal,server.ingress.hosts[0].paths={/vault/} -n vault --create-namespace

(Optional) To terminate TLS at the ingress with a cert-manager issued certificate, modify and run the following command instead. It annotates the Ingress for a ClusterIssuer named letsencrypt-prod and references the TLS secret istio-ingressgateway-staging. Two caveats: Istio's Kubernetes Ingress support reads the TLS secret from the ingress gateway's namespace (istio-system by default) rather than from the Ingress's own namespace, while cert-manager's ingress-shim creates the Certificate and its secret in the Ingress's namespace, so check where the secret actually lands before relying on it. In bash or zsh quote the --set value as shown, otherwise the shell removes the backslash in cert-manager\.io.

helm install vault hashicorp/vault --set 'ui.enabled=true,server.ingress.enabled=true,server.ingress.ingressClassName=istio,server.ingress.annotations.cert-manager\.io/cluster-issuer=letsencrypt-prod,server.ingress.tls[0].secretName=istio-ingressgateway-staging,server.ingress.tls[0].hosts={host.docker.internal},server.ingress.hosts[0].host=host.docker.internal,server.ingress.hosts[0].paths={/vault/}' -n vault --create-namespace

Create the istio IngressClass that ingressClassName above refers to. IngressClass is cluster-scoped, so it has no namespace and one per cluster is enough:

# ingress-class.yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller

Apply Ingress Class

kubectl apply -f ingress-class.yaml
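The Option 3 install with TLS, expressed as a Helm values file instead of a long --set chain, added here as an example and not part of the gist. A values file needs no backslash escaping for annotation keys and can be reviewed and versioned. It keeps the gist's values (ClusterIssuer letsencrypt-prod, secret istio-ingressgateway-staging, path /vault/) as defaults and takes the host as a parameter; the function names and the VAULT_INGRESS_HOST, VAULT_INGRESS_PATH, CLUSTER_ISSUER and TLS_SECRET variables are this example's own, while the chart keys are the ones the gist already uses.

```shell
#!/bin/sh
# Added example (not part of the gist): render the Option 3 + TLS settings
# as a Helm values file so no --set escaping is needed. Function and
# variable names are this example's own; the chart keys are from the gist.
set -eu

# Usage: render_vault_values HOST [CLUSTER_ISSUER] [TLS_SECRET] [PATH]
# Prints the values file to stdout.
render_vault_values() {
    host="$1"
    issuer="${2:-letsencrypt-prod}"
    secret="${3:-istio-ingressgateway-staging}"
    path="${4:-/vault/}"
    cat <<EOF
ui:
  enabled: true
server:
  ingress:
    enabled: true
    ingressClassName: istio
    annotations:
      cert-manager.io/cluster-issuer: ${issuer}
    hosts:
      - host: ${host}
        paths:
          - ${path}
    tls:
      - secretName: ${secret}
        hosts:
          - ${host}
EOF
}

# Sanity checks before handing the file to Helm: the host must be a bare
# hostname (no scheme, slash or whitespace) and the path must start with "/".
validate_ingress_args() {
    case "$1" in
        ""|*/*|*' '*) return 1 ;;
    esac
    case "${2:-/vault/}" in
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render to a file and install, only when a host is supplied, e.g.
#   VAULT_INGRESS_HOST=host.docker.internal sh vault-values.sh
if [ -n "${VAULT_INGRESS_HOST:-}" ]; then
    validate_ingress_args "$VAULT_INGRESS_HOST" "${VAULT_INGRESS_PATH:-/vault/}" \
        || { echo "bad host or path" >&2; exit 1; }
    render_vault_values "$VAULT_INGRESS_HOST" "${CLUSTER_ISSUER:-letsencrypt-prod}" \
        "${TLS_SECRET:-istio-ingressgateway-staging}" "${VAULT_INGRESS_PATH:-/vault/}" > vault-values.yaml
    helm install vault hashicorp/vault -f vault-values.yaml -n vault --create-namespace
fi
```

Because the annotation key is written literally in YAML, the same file works from any shell, and the host appears in both the rule and the tls block, so the two cannot drift apart as they can in a hand-edited --set string.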