Current supported versions:
consul:1.0.7vault:0.10.0
- A kubectl context is already set to the target k8s cluster.
consul,vaultandcfsslon the client.- a public host fronting the vault api, like
vault.example.comand a public certificates.
For example for certificates from Let's Encrypt and vault.example.com
you should put the certificates at vault.example.com/privkey.pem and vault.example.com/fullchain.pem.
VAULT_HOST=vault.example.com ./bin/setup_vault
- A ca root certificates is created, and certificates are generated for consul and vault for internal communication.
- A 3 replicas Consul statefulset is created and configured.
- A 2 replicas Vault statefulset is created and configured.
- A 2 replicas Nginx deployment for exposing the vault cluster and ssl termination.
- For disaster recovery, and backup should be done regularly of the consul cluster, for example using
consul snapshot savecommand. - At this time, in order to use the consul dns from any node, which allows nginx to query the active vault
replica using
active.vault.service.consul, we configurekube-dnsusing the ips of the 3 consul replicas. If these instances crash, new ips are issued for the pods, and the vault cluster might become inaccessible from outside (nginx not being able to useactive.vault.service.consul). Using a loadbalancer doesn't seem to work.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent