openshifthashicorp-vaultpersistent-volumesopenshift-enterprise

deploy hashicorp vault without persistent storage in openshift


How to deploy the hashicorp vault in openshift with out using persistent volumes(PV)?

In the openshift cluster as a normal user(not a cluster admin),need to deploy the vault server. I followed the URL but it has persistent volumes (/vault/file) in vault.yaml file in it, which requires permission for my account to create persistent container but I do not have enough permission for my account. so i removed the pv mount paths in the vault-config.json like below, but I am seeing the below error.

{"backend": 
    {"file": 
        {"path": "/tmp/file"}
    }, 
...
...
}

Is it possible to create the vault server without PV, like using the local file path (/tmp/file) as backend storage as a normal user?

What is the alternative way to deploy vault in openshift without PV to deploy hashicorp vault?

Below is the error when run with pv,

--> Scaling vault-1 to 1
-->  FailedCreate: vault-1 Error creating: pods "vault-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
error: update acceptor rejected vault-1: pods for rc 'dev-poc-environment/vault-1' took longer than 600 seconds to become available

Solution

  • How to deploy the hashicorp vault in openshift with out using persistent volumes(PV)?

    You can use In-Memory storage backend as mentioned here. So your vault config looks something like this:

    $cat config.hcl
    disable_mlock = true
    storage "inmem" {}
    
    listener "tcp" {
      address = "0.0.0.0:8200"
      tls_disable = 0
      tls_cert_file = "/etc/service/vault-server/vault-server.crt"
      tls_key_file = "/etc/service/vault-server/vault-server.key"
    }
    
    ui = true
    max_lease_ttl = "7200h"
    default_lease_ttl = "7200h"
    api_addr = "http://127.0.0.1:8200"
    

    But with this data/secrets are not persistent.

    Another way is to add a file path to the storage, so that all the secrets which are encrypted stored at the mentioned path.

    so now your config changes to

    storage "file" {
        path = "ANY-PATH"
    }
    

    POINTS TO BE NOTED HERE:

    1. Path defined should have permissions to write/read data/secrets
    2. This could be any path that is inside the container, just to avoid dependency on persistence volume.

    But what is the problem with this model? When the container restarts, all the data will be lost as the container doesn't store data.

    No High Availability – the Filesystem backend does not support high availability.

    So what should be the ideal solution? Anything that makes our data highly available, which is achieved by using dedicated backend storage using a database.

    For simplicity, let us take PostgreSQL as backend storage.

    storage "postgresql" {
      connection_url = "postgres://user123:secret123!@localhost:5432/vault"
    }
    

    so now config looks something like this:

    $ cat config.hcl
    disable_mlock = true
    
    storage "postgresql" {
      connection_url = "postgres://vault:vault@vault-postgresql:5432/postgres?sslmode=disable"
    }
    
    listener "tcp" {
      address = "0.0.0.0:8200"
      tls_disable = 0
      tls_cert_file = "/etc/service/vault-server/vault-server.crt"
      tls_key_file = "/etc/service/vault-server/vault-server.key"
    }
    
    ui = true
    max_lease_ttl = "7200h"
    default_lease_ttl = "7200h"
    api_addr = "http://127.0.0.1:8200"
    

    So choosing backend storage helps you to persist your data even if the container restarts.

    As you are specifically looking for a solution in openshift, create a postgresSQL container using template provided and make vault point it to it using the service name as explanied in the above config.hcl

    Hope this helps!