Durrell Gemuh

Accessing HashiCorp Vault UI in Kubernetes with LoadBalancer Service

After successfully deploying Vault in Kubernetes with High Availability (HA) and Raft storage, securely accessing the Vault UI is the next critical step for management and usage.

This guide explains how to expose the Vault UI externally using a LoadBalancer service in Kubernetes.

Why Use a LoadBalancer Service?

  • The Vault UI runs on port 8200 of the Vault service.
  • By default, the Vault Helm chart creates a ClusterIP service, which is accessible only from inside the Kubernetes cluster.
  • A LoadBalancer service provisions a cloud provider-managed external IP, enabling outside access to the Vault UI.
  • This simplifies browser access and integration with your infrastructure.

Step 1: Create a LoadBalancer Service Manifest

Create a file vault-loadbalancer.yaml with the following content:

apiVersion: v1
kind: Service
metadata:
  name: vault-loadbalancer
  namespace: vault
spec:
  type: LoadBalancer
  ports:
    # Vault API and UI listener
    - name: http
      port: 8200
      targetPort: 8200
    # Vault server-to-server (cluster) port; browsers do not use it to reach the UI
    - name: cluster
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: vault

Step 2: Apply the LoadBalancer Service

Apply the manifest:

kubectl apply -f vault-loadbalancer.yaml -n vault

Step 3: Get the External IP

Check the service and wait for the external IP to be assigned:

kubectl get svc vault-loadbalancer -n vault

The output will look like:

NAME                  TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)             AGE
vault-loadbalancer    LoadBalancer   10.x.x.x        <external-ip>    8200:xxxxx/TCP      1m

Once the EXTERNAL-IP column shows an address, you can proceed.

Step 4: Access Vault UI

Open your browser and navigate to:

http://<external-ip>:8200/ui

You'll be greeted by the Vault UI login page.

Step 5: Login Using Vault Token

  • Use the root token generated during Vault initialization, or any other valid Vault token.
  • Enter the token in the login screen to access the UI.

Optional: Secure Your Vault UI

  • Enable TLS on your Vault server to encrypt UI traffic, including the login token, which the http:// URL in Step 4 sends unencrypted.
  • Use Kubernetes Ingress with TLS termination for better control.
  • Restrict access using firewall rules or VPN.
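One way to apply the last point at the Service level, shown as an added example that is not part of the original post: the Step 1 manifest narrowed to the UI port and to known client networks. The CIDR 203.0.113.0/24 is a documentation placeholder, not a value from this guide.

```yaml
# Added example: the Step 1 Service restricted to the UI/API port
# and to an allow-list of client networks.
apiVersion: v1
kind: Service
metadata:
  name: vault-loadbalancer
  namespace: vault
spec:
  type: LoadBalancer
  # Only these source CIDRs may reach the load balancer. Kubernetes ignores
  # this field if the cloud provider's load balancer does not support it,
  # so confirm the resulting firewall rule on the provider side.
  # 203.0.113.0/24 is a placeholder: replace it with your office or VPN
  # egress range.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
  ports:
    # 8200 serves the UI and API. The 8201 "cluster" port from Step 1 is
    # left out: it carries Vault server-to-server traffic and a browser
    # never connects to it.
    - name: http
      port: 8200
      targetPort: 8200
  selector:
    app.kubernetes.io/name: vault
```

After applying it, kubectl get svc vault-loadbalancer -n vault should list only 8200 under PORT(S).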

Alternative for Development

For quick access without a LoadBalancer:

kubectl port-forward svc/vault -n vault 8200:8200

Then open:

http://127.0.0.1:8200/ui

Conclusion

Using a LoadBalancer service in Kubernetes to expose the Vault UI provides convenient external access for users and admins. Combine it with proper security best practices for production deployments.
