Vault is a powerful secrets management tool. Running Vault on Kubernetes in HA mode with Raft backend provides resilience and scalability for secure secrets storage. This guide covers: installing Vault, setting up namespaces, deploying via Helm, joining Vault nodes, unsealing, and troubleshooting common issues.
Prerequisites
- Kubernetes cluster accessible with
kubectl - Helm 3 installed
- Sufficient permissions to create namespaces and PVs
- Basic familiarity with Vault concepts and Kubernetes
Step 1: Setting Up Namespace and Helm Repo
Create a namespace for Vault to isolate it:
kubectl create namespace vault
Add the HashiCorp Helm repo and update:
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
Step 2: Installing Vault with Helm in HA Mode
Create a values.yaml for Vault HA using Raft storage (Integrated Storage):
injector:
enabled: false
server:
image:
repository: "hashicorp/vault"
tag: "1.9.0"
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
# Configure the Update Strategy Type for the StatefulSet
updateStrategyType: "OnDelete"
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
cpu: 250m
ha:
enabled: true
replicas: 3
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "raft" {
path = "/vault/data"
}
service_registration "kubernetes" {}
dataStorage:
enabled: true
size: 500Mi
Install Vault:
helm install vault hashicorp/vault -n vault -f values.yaml
Verify pods:
$ kubectl get pods -n vault
NAME READY STATUS RESTARTS
vault-0 0/1 Running 0
vault-1 0/1 Running 0
vault-2 0/1 Running 0
Step 3: Joining Vault Nodes and Initializing Cluster
- Only the first Vault pod (vault-0) is initialized once.
- Initialize Vault on
vault-0:
kubectl exec -it vault-0 -n vault -- vault operator init -key-shares=5 -key-threshold=3
Recovery Key 1: FKjt5wkzN5bUBIuR52KrPP1c2Il/f7RZdn5E+ipfNF8s
Recovery Key 2: FCzUyduESPyavh6QtqWZpdnUDKa3bEEpBHbX3NgTrCiU
Recovery Key 3: Tf7FVEpj5tdJLqQqNw/Jt0OytRI5FAZYig/yafSVz3Xg
Recovery Key 4: duLpa/6IozTOR0mkO7sp0CwmnI+1DsC6d2+oZG/A1CIZ
Recovery Key 5: pyVFs/rRFEk9rSn57Ru+KeuAQzW6eurl3j0/pS/JRpXD
Initial Root Token: s.PMOJxNxZYgvXzby5YZr9p3J1
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Now, we see the Vault unsealer in action:
$ kubectl exec -it vault-0 -n vault -- vault operator unseal <unseal_key_1>
$ kubectl exec -it vault-0 -n vault -- vault operator unseal <unseal_key_2>
$ kubectl exec -it vault-0 -n vault -- vault operator unseal <unseal_key_3>
$ kubectl get pods -n vault
NAME READY STATUS RESTARTS
vault-0 1/1 Running 0
vault-1 0/1 Running 0
vault-2 0/1 Running 0
However, our replica vault-1 and vault-2 are still not ready. They are follower pods of the leader vault-0. In order to make vault-0 visible, we need to login using our Initial Root Token.
$ kubectl exec -it vault-0 -- vault login s.d0LAlSnAerb4a7d6ibkfxrZy
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.d0LAlSnAerb4a7d6ibkfxrZy
token_accessor hJEFibLTbUP4sgA8X4tMBqZ8
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
- Other pods (vault-1, vault-2) must join the Raft cluster. Next, let’s join vault-1 and vault-2 to Vault-0 to make the Vault setup Highly available by running commands as shown below:
$ kubectl exec -it vault-1 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
Key Value
--- -----
Joined true
$ kubectl exec -it vault-2 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
Key Value
--- -----
Joined true
Save unseal keys securely.
Step 4: Unsealing Vault Pods
Unseal all Vault pods (vault-0, vault-1, vault-2) manually with the unseal keys:
kubectl exec -it vault-1 -n vault -- vault operator unseal <unseal_key_1>
kubectl exec -it vault-1 -n vault -- vault operator unseal <unseal_key_2>
kubectl exec -it vault-1 -n vault -- vault operator unseal <unseal_key_3>
kubectl exec -it vault-2 -n vault -- vault operator unseal <unseal_key_1>
kubectl exec -it vault-2 -n vault -- vault operator unseal <unseal_key_2>
kubectl exec -it vault-2 -n vault -- vault operator unseal <unseal_key_3>
Let’s check the pod status and this time you would be able to see them in running as well as Ready mode:
$ kubectl get pods -n vault
NAME READY STATUS RESTARTS
vault-0 1/1 Running 0
vault-1 1/1 Running 0
vault-2 1/1 Running 0
The last but important step is to verify whether the HA setup is correct or not, is by running the below command against each Vault pod and making sure that the value of HA Enabled parameters is true.
$ kubectl exec -it -n vault vault-0 -- vault status
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.9.0
Storage Type raft
Cluster Name vault-cluster-30882e80
Cluster ID 1afbe13a-e951-482d-266b-e31693d17e20
HA Enabled true
HA Cluster https://vault-0.vault-internal:8201
HA Mode active
Active Since 2022-01-19T04:39:37.586622342Z
Raft Committed Index 61
Raft Applied Index 61
$ kubectl exec -it -n vault vault-1 -- vault status
Key Value
--- -----
…
HA Enabled true
HA Cluster https://vault-0.vault-internal:8201
HA Mode standby
Active Node Address http://10.244.0.17:8200
Raft Committed Index 61
Raft Applied Index 61
$ kubectl exec -it -n vault vault-2 -- vault status
Key Value
--- -----
HA Enabled true
HA Cluster https://vault-0.vault-internal:8201
HA Mode standby
Active Node Address http://10.244.0.17:8200
Raft Committed Index 61
Raft Applied Index 61
Troubleshooting Common Issues
ClusterRoleBinding Already Exists
- Delete conflicting ClusterRoleBinding before reinstalling Helm chart:
kubectl delete clusterrolebinding vault-server-binding
Helm Upgrade Errors ("no deployed releases")
- Uninstall previous release from default namespace:
helm uninstall vault -n default
- Then install again in the proper namespace.
Pods Not Unsealing or Ready
- Check pod logs for errors:
kubectl logs vault-1 -n vault
- Verify PVCs are bound and healthy:
kubectl get pvc -n vault
- If corrupted PVC, delete PVC and pod, then rejoin:
kubectl delete pvc data-vault-1 -n vault
kubectl delete pod vault-1 -n vault
kubectl exec -it vault-1 -n vault -- vault operator raft join http://vault-0.vault-internal:8200
- Unseal vault-1 after join with the same unseal keys.
PVC Stuck in Terminating
- Remove finalizers to force delete:
kubectl patch pvc data-vault-1 -n vault -p '{"metadata":{"finalizers":[]}}' --type=merge
Removing Corrupted Raft Node
- Remove node from cluster:
kubectl exec -it vault-0 -n vault -- vault operator raft remove-peer <node-id>
- Delete PVC and pod, then re-join as new.
Conclusion
Deploying Vault in Kubernetes with HA and Raft backend provides secure secret storage with scalability. Proper initialization, joining, and unsealing procedures are critical. Troubleshooting involves managing PVC health, pod status, and cluster raft membership carefully.
Top comments (0)