Getting Started (Machine)¶
In this tutorial, we will deploy Vault on an LXD cloud.
Pre-requisites¶
An Ubuntu 22.04 machine with the following requirements:
An x86_64 CPU
8GB of RAM
20GB of free disk space
1. Install LXD¶
sudo snap install lxd
2. Bootstrap a Juju controller¶
Bootstrap a LXD Juju controller:
juju bootstrap localhost localhost
3. Deploy Vault¶
Create a Juju model named demo:
juju add-model demo
Deploy the Vault operator:
juju deploy vault --channel=1.15/beta
Deploying Vault takes several minutes. Wait for the unit to reach the blocked/idle state with the message "Waiting for Vault to be initialized":
$ juju status
Model  Controller           Cloud/Region         Version  SLA          Timestamp
demo   localhost-localhost  localhost/localhost  3.4.0    unsupported  11:41:15-04:00

App    Version  Status   Scale  Charm  Channel    Rev  Exposed  Message
vault           blocked  1      vault  1.15/beta  257  no       Waiting for Vault to be initialized

Unit      Workload  Agent  Machine  Public address  Ports  Message
vault/0*  blocked   idle   0        10.191.126.116         Waiting for Vault to be initialized

Machine  State    Address         Inst id        Base          AZ  Message
0        started  10.191.126.116  juju-b8368f-0  ubuntu@22.04      Running
4. Set up the Vault CLI¶
To communicate with Vault via CLI, we need to install the Vault CLI client and set the following environment variables:
VAULT_ADDR
VAULT_TOKEN
VAULT_CAPATH
Install the Vault client and yq:
sudo snap install vault
sudo snap install yq
Set the VAULT_ADDR environment variable:
export VAULT_ADDR=https://$(juju status vault/leader --format=yaml | awk '/public-address/ { print $2 }'):8200; echo $VAULT_ADDR
Extract Vault's CA certificate and store it in a vault.pem file:
cert_juju_secret_id=$(juju secrets --format=yaml | yq 'to_entries | .[] | select(.value.label == "self-signed-vault-ca-certificate") | .key'); echo $cert_juju_secret_id
juju show-secret ${cert_juju_secret_id} --reveal --format=yaml | yq '.[].content.certificate' > vault.pem
This puts the CA certificate in a file called vault.pem. Now point the vault client at this file by setting the VAULT_CAPATH variable:
export VAULT_CAPATH=$(pwd)/vault.pem; echo $VAULT_CAPATH
Validate that Vault is accessible and up and running:
vault status
You should expect the following output (Vault is reachable but not yet initialised, so it reports Initialized false and Sealed true):
$ vault status
Key              Value
---              -----
Seal Type        shamir
Initialized      false
Sealed           true
Total Shares     0
Threshold        0
Unseal Progress  0/0
Unseal Nonce     n/a
Version          1.15.4
Build Date       n/a
Storage Type     raft
HA Enabled       true
5. Initialise and unseal Vault¶
Initialise Vault:
$ vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=
Initial Root Token: hvs.0d26h3eSnlZzpUoVu49Sj64V
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 1 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Set the VAULT_TOKEN variable using the root token:
export VAULT_TOKEN=hvs.0d26h3eSnlZzpUoVu49Sj64V
Unseal Vault using the unseal key:
vault operator unseal NXw7vSzWOnNuNF2v5aEkQcQy/TdTuryYS9Qz3hxDS38=
7. Create a key-value type secret¶
Enable the kv secrets engine:
vault secrets enable -version=2 kv
Create a secret under the kv/mypasswords path with the key bob and the value 1jioaf123901jdeja:
vault kv put kv/mypasswords bob=1jioaf123901jdeja
Good job, you created your first secret!
You can now retrieve it:
vault kv get kv/mypasswords
And delete it:
vault kv delete kv/mypasswords
8. Destroy the environment¶
Destroy the Juju controller and its models:
juju kill-controller localhost-localhost
Uninstall all the installed packages:
sudo snap remove juju --purge
sudo snap remove yq --purge
sudo snap remove vault --purge