Current supported versions:
consul
:1.0.7
vault
:0.10.0
- A kubectl context is already set to the target k8s cluster.
consul
,vault
andcfssl
on the client.- a public host fronting the vault api, like
vault.example.com
and a public certificates.
For example for certificates from Let's Encrypt and vault.example.com
you should put the certificates at vault.example.com/privkey.pem
and vault.example.com/fullchain.pem
.
VAULT_HOST=vault.example.com ./bin/setup_vault
- A ca root certificates is created, and certificates are generated for consul and vault for internal communication.
- A 3 replicas Consul statefulset is created and configured.
- A 2 replicas Vault statefulset is created and configured.
- A 2 replicas Nginx deployment for exposing the vault cluster and ssl termination.
- For disaster recovery, and backup should be done regularly of the consul cluster, for example using
consul snapshot save
command. - At this time, in order to use the consul dns from any node, which allows nginx to query the active vault
replica using
active.vault.service.consul
, we configurekube-dns
using the ips of the 3 consul replicas. If these instances crash, new ips are issued for the pods, and the vault cluster might become inaccessible from outside (nginx not being able to useactive.vault.service.consul
). Using a loadbalancer doesn't seem to work.