top of page
90s theme grid background

Guide to Vault Helm Chart | Secure Your Kubernetes Secrets

  • Writer: Gunashree RS
    Gunashree RS
  • Oct 3, 2024
  • 6 min read

In today’s dynamic cloud-native infrastructure, managing secrets—like API keys, passwords, and certificates—securely is critical. Kubernetes, while powerful, lacks native secret management capabilities robust enough for production environments. That’s where HashiCorp Vault comes in. By integrating Vault with Kubernetes through Helm charts, you gain a scalable, highly available, and secure way to manage your application secrets.

This guide will walk you through setting up Vault with Kubernetes using Helm charts. We’ll cover everything from installation to configuration and finally secret management, giving you a complete roadmap to secure your Kubernetes applications. Whether you're new to Kubernetes, Vault, or Helm charts, this guide has you covered.



Introduction to Vault Helm Chart

The Vault Helm chart simplifies the deployment of HashiCorp Vault on Kubernetes by automating the configuration and management of Vault clusters. Helm charts allow you to define, install, and upgrade Kubernetes applications easily. With the Vault Helm chart, you can deploy Vault quickly, configure it for high availability (HA), and manage secrets seamlessly across your Kubernetes applications.

In this guide, you’ll learn why Vault is a crucial addition to your Kubernetes cluster, how to use Helm to deploy it, and the best practices for managing secrets securely.


Vault Helm Chart


What is HashiCorp Vault?

HashiCorp Vault is a powerful, open-source tool designed to securely store, manage, and control access to sensitive data such as API keys, credentials, and tokens. Vault provides centralized secrets management, encryption, and access controls across cloud, on-premises, and hybrid infrastructures.


Vault’s key features include:

  • Secrets management: Securely store and manage access to secrets using key-value (KV) storage.

  • Encryption as a service: Encrypt sensitive data without managing your own encryption keys.

  • Identity-based access: Define access controls and policies based on identity.

  • Dynamic secrets: Generate secrets dynamically for various platforms and databases, reducing the risk of leaked credentials.

By integrating Vault with Kubernetes, you create a scalable and secure method of managing application secrets in a distributed environment.



Why Use Helm Charts for Vault on Kubernetes?

Deploying Vault manually on Kubernetes can be cumbersome, involving multiple configuration files and scripts. Helm, a package manager for Kubernetes, simplifies this process by providing reusable charts. These charts encapsulate the entire deployment process—making it easier to deploy, upgrade, and roll back Vault instances.


The Vault Helm chart provides several advantages:

  • Simplified deployment: Deploy Vault in minutes with a single Helm command.

  • Configuration flexibility: Customize Vault’s configuration with simple Helm values.

  • Scalability: Deploy Vault in different modes, including high availability.

  • Integration: Seamlessly integrates with Consul for storage and Kubernetes for authentication.

  • Automatic updates: Helm charts support versioning, enabling easier upgrades and rollbacks.

Using Helm charts allows teams to focus more on building applications and less on the intricacies of secret management.



How Vault Works with Kubernetes

Vault integrates with Kubernetes using the Kubernetes authentication method, allowing applications to securely authenticate to Vault. Vault communicates with the Kubernetes API to verify the identity of pods or service accounts, then grants access to secrets based on predefined policies.


Key Components of the Integration:

  1. Vault server: Handles encryption and storage of secrets.

  2. Kubernetes Auth method: Allows applications to authenticate using Kubernetes service accounts.

  3. Secret injection: Secrets can be injected into running containers via sidecar proxies or directly into environment variables.



Benefits of Using Vault in Kubernetes

Managing secrets natively in Kubernetes lacks security controls like encryption at rest, access policies, and dynamic secret generation. Vault fills these gaps, offering:

  • Centralized secret management: Store all secrets in one place, accessible across Kubernetes clusters.

  • Encryption at rest: Ensure all secrets are encrypted in transit and at rest.

  • Dynamic secrets: Generate short-lived credentials that are revoked after use, reducing the risk of leaks.

  • Audit logging: Track access to secrets for security audits and compliance.

  • Granular access control: Define who can access secrets, down to individual containers and applications.



Prerequisites for Installing Vault on Kubernetes

Before deploying Vault with Helm, you’ll need:

  • Helm: A package manager for Kubernetes.

  • Minikube: A local Kubernetes cluster to test deployments.

  • kubectl: Command-line tool for interacting with Kubernetes clusters.

  • Kubernetes cluster: Minikube or any existing cluster (on-premise or cloud-based).



Step-by-Step Guide: Installing Vault with Helm


1. Installing Helm and Minikube

First, you’ll need to install both Helm and Minikube.

Helm Installation: Follow the official Helm documentation to install Helm on your machine.

bash

$ curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Minikube Installation: Install Minikube to create a local Kubernetes cluster.

bash

$ brew install minikube

2. Setting up Kubernetes Cluster with Minikube

Start your Minikube cluster:

bash

$ minikube start --memory 4096

3. Installing Vault via Helm

Once the Kubernetes cluster is up, install Vault using the Helm chart:

bash

$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault --set "server.dev.enabled=true"

Verify the Vault pods are running:

bash

$ kubectl get pods


Configuring Vault for Secrets Management


Enabling KV Secrets Engine

Vault’s KV (Key-Value) secrets engine stores and manages secrets. First, enable the KV secrets engine at a custom path (e.g., "internal"):

bash

$ kubectl exec -it vault-0 -- /bin/sh
$ vault secrets enable -path=internal kv-v2

Creating Secrets in Vault

Now, create a secret inside Vault:

bash

$ vault kv put internal/database/config username="db-user" password="db-pass"

This stores the database credentials at internal/database/config.



Integrating Vault with Kubernetes Applications


Setting up Kubernetes Auth Method

To authenticate Vault with Kubernetes, enable the Kubernetes auth method:

bash

$ vault auth enable kubernetes

Next, configure Vault to use Kubernetes service accounts for authentication:

bash

$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat
/var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Injecting Secrets into Pods

You can now inject secrets into Kubernetes pods by using the Vault-Agent injector. This requires adding specific annotations to your deployment files. For example:

yaml

annotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"

This annotation tells Vault to inject the secret stored at internal/data/database/config into the pod.



High Availability and Fault Tolerance with Consul

Vault leverages Consul for high availability and fault tolerance. In an HA setup, Vault maintains multiple standby nodes with one active leader. Using Consul as the storage backend, Vault ensures that secrets are stored durably, and leadership is maintained through the Raft consensus algorithm.



Managing Policies and Permissions in Vault

Policies define what actions users and applications can perform in Vault. For example, to allow an application to read database secrets, you would create a policy like this:

hcl

path "internal/data/database/config" {
  capabilities = ["read"]
}

Then, associate the policy with the Kubernetes service account used by the application.



Best Practices for Securing Kubernetes Secrets with Vault

  • Use short-lived dynamic secrets: Rotate secrets frequently to minimize risk.

  • Enable audit logging: Track access to all secrets for security and compliance.

  • Use namespaces: For multi-tenant environments, Vault namespaces can help isolate secrets.

  • Secure Vault with TLS: Always configure Vault with TLS to encrypt communication between clients and servers.

  • Limit access via policies: Grant the least privilege necessary to users and applications.



Vault Helm Chart Configuration Values

Here are some key configuration values you can customize in the Helm chart:

Parameter

Description

Default

server.dev.enabled

Deploy Vault in development mode

false

server.ha.enabled

Enable high availability mode

false

server.dataStorage

Persistent volume storage for Vault

10Gi

injector.enabled

Enable Vault agent injector

true

ui.enabled

Enable the Vault web UI

false



Monitoring and Auditing Vault in Kubernetes

Monitoring and auditing are critical for maintaining a secure Vault deployment. Vault provides detailed logs of all access and actions performed on secrets. These logs can be integrated with monitoring tools like Prometheus and Grafana for real-time alerting and visualization.



Conclusion

Setting up Vault on Kubernetes with Helm charts provides a powerful and scalable way to manage secrets across your applications. By using Helm, you simplify the deployment process while gaining advanced features like high availability, fault tolerance, and dynamic secrets management. Following the best practices outlined in this guide will ensure your Kubernetes cluster remains secure and your secrets well-protected.




FAQs


1. What is a Vault Helm Chart?

A Vault Helm Chart is a pre-configured package for deploying HashiCorp Vault on Kubernetes using Helm, simplifying the setup and management process.


2. Why use Vault with Kubernetes?

Vault provides advanced secrets management, encryption, and access control features that Kubernetes lacks natively, making it essential for production environments.


3. Can I deploy Vault without Helm on Kubernetes?

Yes, but Helm simplifies the process by automating configurations, making it faster and easier to deploy Vault.


4. What are dynamic secrets in Vault?

Dynamic secrets are short-lived credentials generated on demand by Vault, which are automatically revoked after a specific time.


5. What is the role of Consul in Vault deployment?

Consul is used as a storage backend for Vault, providing high availability and fault tolerance through its consensus protocol.


6. How do I manage access to secrets in Vault?

You can manage access by creating policies that define which users or applications can read, write, or manage specific secrets.



Key Takeaways

  1. Helm simplifies Vault deployment on Kubernetes.

  2. Vault provides centralized secrets management, encryption, and access controls.

  3. Consul ensures high availability and fault tolerance for Vault.

  4. Secrets can be injected into Kubernetes pods using the Vault-Agent injector.

  5. Dynamic secrets and audit logging improve security and compliance.



External Sources


Comments

bottom of page