# Vault

## Prereqs

```bash
brew tap hashicorp/tap
brew install hashicorp/tap/vault
brew install jq
```

## Install (Standalone)

```bash
kubectl apply -f certificate.yaml
helm repo add hashicorp https://helm.releases.hashicorp.com
helm search repo hashicorp/vault
helm upgrade --install vault hashicorp/vault --values values.yaml
mkdir ~/.vault-keys
kubectl exec -ti vault-0 -- vault operator init -key-shares=5 -key-threshold=3 -format=json > ~/.vault-keys/cluster-keys.json
# run once per share, with a different share each time, until 3 of the 5 shares have been entered
kubectl exec -ti vault-0 -- vault operator unseal
```

## Install (Cluster)

```bash
kubectl apply -f certificate.yaml
helm repo add hashicorp https://helm.releases.hashicorp.com
helm search repo hashicorp/vault
helm upgrade --install vault hashicorp/vault --values values.yaml
mkdir ~/.vault-keys
kubectl exec -ti vault-0 -- vault operator init -key-shares=5 -key-threshold=3 -format=json > ~/.vault-keys/cluster-keys.json
# each pod is unsealed with 3 of the 5 shares; repeat the unseal command per share
kubectl exec -ti vault-0 -- vault operator unseal
# vault-1 and vault-2 join the Raft cluster through vault-0 before they are unsealed
kubectl exec -ti vault-1 -- vault operator raft join http://vault-0.vault-internal:8200
kubectl exec -ti vault-1 -- vault operator unseal
kubectl exec -ti vault-2 -- vault operator raft join http://vault-0.vault-internal:8200
kubectl exec -ti vault-2 -- vault operator unseal
```

## Add policy

```bash
vault policy write ducoterra policies/ducoterra.hcl
```

## Add user

```bash
vault auth enable userpass
vault write auth/userpass/users/ducoterra \
  policies=ducoterra \
  password=password
```

## Enable KV Secrets

```bash
vault secrets enable -path=secret kv-v2
vault kv put secret/okta username='static-user' password='static-password'
vault kv get secret/okta
```

## TOTP

```bash
vault secrets enable totp
vault write totp/keys/okta \
  url="otpauth://totp/Vault:test@test.com?secret=SECRET&issuer=Vault"
vault read totp/code/okta
```

Policy:

```hcl
path "totp/keys/*" {
  capabilities = ["update"]
}

path "totp/code/*" {
  capabilities = ["read"]
}
```

## Kubernetes Secrets

```bash
kubectl exec -it vault-0 -- /bin/sh
# the remaining commands run inside the vault-0 pod
vault login -method=token
vault auth enable kubernetes
vault write auth/kubernetes/config \
  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault policy write internal-app - <
```
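The install sections above save the init output to `~/.vault-keys/cluster-keys.json` and then call `vault operator unseal` by hand once per share. The following is an added example (not from the page or the Vault project) that reads that file, sends exactly the threshold number of shares to each pod, and stops as soon as the seal status reports `sealed=false`. It assumes `kubectl` is on `PATH` and the pod names `vault-0`, `vault-1`, `vault-2` from the cluster install; `SAMPLE_INIT_OUTPUT` is a constructed stand-in for the real key file.

```python
"""Unseal Vault pods with the threshold number of shares saved by `vault operator init`."""
import json
import subprocess
from pathlib import Path

# Constructed sample in the shape `vault operator init -format=json` writes; not real shares.
SAMPLE_INIT_OUTPUT = {
    "unseal_keys_b64": ["share1==", "share2==", "share3==", "share4==", "share5=="],
    "unseal_shares": 5,
    "unseal_threshold": 3,
    "root_token": "hvs.EXAMPLE-ROOT-TOKEN",  # placeholder; never commit a real one
}


def select_unseal_keys(init_output):
    """Return exactly `unseal_threshold` shares; the remaining shares stay on disk."""
    keys = init_output["unseal_keys_b64"]
    threshold = int(init_output["unseal_threshold"])
    if not 1 <= threshold <= len(keys):
        raise ValueError(f"threshold {threshold} not satisfiable with {len(keys)} shares")
    return keys[:threshold]


def unseal_command(pod, key):
    """kubectl argv that submits one share to `vault operator unseal` inside `pod`.
    The share is an argument, so it is briefly visible in the pod's process list."""
    return ["kubectl", "exec", "-i", pod, "--",
            "vault", "operator", "unseal", "-format=json", key]


def unseal_pod(pod, init_output, run=subprocess.run):
    """Submit shares one at a time; stop as soon as the seal status reports sealed=false.
    Returns (unsealed, progress_per_share) so the caller can see how far it got."""
    progress = []
    for key in select_unseal_keys(init_output):
        result = run(unseal_command(pod, key), capture_output=True, text=True, check=True)
        status = json.loads(result.stdout)  # seal-status JSON: sealed, progress, t, n, ...
        progress.append(int(status["progress"]))
        if not status["sealed"]:
            return True, progress
    return False, progress


if __name__ == "__main__":
    key_file = Path("~/.vault-keys/cluster-keys.json").expanduser()
    init = json.loads(key_file.read_text())
    for pod in ("vault-0", "vault-1", "vault-2"):  # pod names from the Helm cluster install
        print(pod, unseal_pod(pod, init))
```

For the cluster install, run the `raft join` steps for `vault-1` and `vault-2` first; the script only performs the unseal step.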