diff --git a/content/vault/v1.20.x/content/docs/deploy/aws/eks-anywhere.mdx b/content/vault/v1.20.x/content/docs/deploy/aws/eks-anywhere.mdx new file mode 100644 index 0000000000..1200859a88 --- /dev/null +++ b/content/vault/v1.20.x/content/docs/deploy/aws/eks-anywhere.mdx 
@@ -0,0 +1,449 @@ +--- +layout: docs +page_title: Deploy Vault on Amazon EKS Anywhere +description: >- + Guide to deploying and setting up Vault on Amazon EKS Anywhere. +--- + +This guide provides guidance on deploying Vault in Amazon Elastic Kubernetes +Service (EKS) Anywhere. Amazon EKS Anywhere is a new deployment option for +Amazon EKS that allows customers to create and operate Kubernetes clusters on +customer-managed infrastructure, supported by AWS. There are several layers in +this stack and this tutorial will help you set up your infrastructure +end-to-end. + +The bottom-most layer of the stack consists of Bare Metal with VMware's vSphere +as the first layer of abstraction. Amazon EKS runs on top of that as the +Kubernetes distribution with Vault running as the secrets manager for it. + +## Prerequisites + +This tutorial requires the following prerequisites to follow this tutorial: + +- A copy of `VMware-VCSA-all-.iso` is in an s3 bucket in your AWS account. +- Download the version of the [vSan Management SDK for +Python](https://developer.broadcom.com/sdks/vsan-management-sdk-for-python/latest) matching the version ofthe server in the previous step. Copy the **bindings >vsanmgmtObjects.py** and **samplecode>vsanapiutils.py** to the s3 bucket. 
+- The Amazon S3 bucket should look similar to the following + + + +```plain-text +Object Store Root: + |__ Bucket_Name + |__ VMware-VCSA-all-7.0.3-18700403.iso + |__ vsanapiutils.py + |__ vsanmgmtObjects.py +``` + + + +- AWS account with permissions for S3 and EKS services +- [AWS CLI](https://aws.amazon.com/cli/) +- [eksctl](https://eksctl.io/) +- [AWS EKS Anywhere CLI](https://anywhere.eks.amazonaws.com/docs/getting-started/) +- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [Helm CLI](https://helm.sh/docs/helm/) +- [Amazon EKS Anywhere cluster](https://anywhere.eks.amazonaws.com/docs/tasks/cluster/cluster-verify/) already deployed +- Vault Enterprise license (if using Enterprise version of Vault) + +## EKS clusters on Equinix Metal +## TODO: is there no more vCenter? +To setup vCenter cluster using Equinix Bare Metal services follow these steps, for a more detailed setup follow the instructions for the [Workshop: EKS Anywhere on Equinix Metal](https://equinix-labs.github.io/eks-anywhere-on-equinix-metal-workshop/) on their website. + +## Deploy Vault on Amazon EKS Anywhere + +Vault installation on Amazon EKS Anywhere is same as any kubernetes +installation. For a step-by-step instruction, refer to the [Vault on Kubernetes +Deployment Guide](/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide). + +1. Create a configuration file to configure Vault installation. + + ```shell-session + $ vi config.yaml + server: + standalone: + enabled: true + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "file" { + path = "/vault/data" + } + service: + enabled: true + ui: + enabled: true + serviceType: NodePort + ``` + +1. To access the Vault Helm chart, add the Hashicorp Helm repository. + + ```shell-session + $ helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +1. Install the Vault helm chart. 
+ + ```shell-session + $ helm install vault hashicorp/vault --namespace vault -f config.yaml + ``` + +1. Initialize and unseal Vault. + +1. Unseal the Vault server using the unseal keys until the key threshold is met. + + ```shell-session + $ kubectl exec --stdin=true --tty=true vault-0 -- vault operator unseal + Unseal Key (will be hidden): + ``` + + When prompted, enter the Unseal Key 1 value. + + ```shell-session + $ kubectl exec --stdin=true --tty=true vault-0 -- vault operator unseal + Unseal Key (will be hidden): + ``` + + When prompted, enter the Unseal Key 2 value. + + ```shell-session + $ kubectl exec --stdin=true --tty=true vault-0 -- vault operator unseal + Unseal Key (will be hidden): + ``` + + When prompted, enter the Unseal Key 3 value. + +1. Validate that Vault is up and running. + + ```shell-session + $ kubectl get pods --selector='app.kubernetes.io/name=vault' + + NAME READY STATUS RESTARTS AGE + vault-0 1/1 Running 0 1m49s + vault-1 1/1 Running 0 1m49s + ``` + +1. Display all Vault services. + + ```shell-session + $ kubectl get services -n vault --selector='app.kubernetes.io/name=vault-ui' + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + vault-ui NodePort 10.97.113.241 8200:30096/TCP 16d + ``` + +1. Display the nodes of the cluster. + + ```shell-session + $ kubectl get nodes + + NAME STATUS ROLES AGE VERSION + 172.16.0.134 Ready 16d v1.21.6 + 172.16.0.53 Ready 16d v1.21.6 + 172.16.0.63 Ready control-plane,master 16d v1.21.6 + 172.16.0.97 Ready control-plane,master 16d v1.21.6 + ``` + +1. Install the HashiCorp tap, a repository of all our Homebrew packages. + + ```shell-session + $ brew tap hashicorp/tap + ``` + +1. Install Vault with hashicorp/tap/vault. + + ```shell-session + $ brew install hashicorp/tap/vault + ``` + +1. Set the `VAULT_ADDR` environment variable. Since we exposed Vault using +`NodePort`, Vault will be available at `172.16.0.97:8200`. 
Access it from your +bastion host or VPN from the [optional +step](#setup-vpn-to-connect-to-vcenter-cluster-via-cli-optioal). + + ```shell-session + $ export VAULT_ADDR='http://172.16.0.97:30096' + ``` + +1. Set the `VAULT_TOKEN` environment variable value to the initial root token +value generated during the Vault initialization. + + ```shell-session + $ export VAULT_TOKEN="s.zJNwZlRrqISjyBHFMiEca6GF" + ``` + +1. Enable the kv secrets engine. + + ```shell-session + $ vault secrets enable -path=kv kv + + Success! Enabled the kv secrets engine at: kv/ + ``` + + 1. Store some test data at `kv/hello`. + + ```shell-session + $ vault kv put kv/hello target=world + + Key Value + --- ----- + created_time 2022-03-21T21:23:00.540998543Z + custom_metadata + deletion_time n/a + destroyed false + version 1 + ``` + +1. Read the stored data to verify. + + ```shell-session + $ vault kv get kv/hello + + ======= Metadata ======= + Key Value + --- ----- + created_time 2022-03-21T21:23:00.540998543Z + custom_metadata + deletion_time n/a + destroyed false + version 1 + + ===== Data ===== + Key Value + --- ----- + target world + ``` + +### Configure Kubernetes auth method + + + + Refer to the [Vault Agent with +Kubernetes](/vault/tutorials/kubernetes/agent-kubernetes) tutorial for more details. + + + +1. Retrieve the additional configuration by cloning the +`hashicorp/learn-vault-agent` repository from GitHub. + + ```shell-session + $ git clone https://github.com/hashicorp-education/learn-vault-agent + ``` + +1. Change the working directory to `learn-vault-agent/vault-agent-k8s-demo`. + + ```shell-session + $ cd learn-vault-agent/vault-agent-k8s-demo + ``` + +1. Update the vault-auth service account. + + ```shell-session + $ kubectl apply --filename vault-auth-service-account.yaml + ``` + +1. Create a read-only policy, `myapp-kv-ro` in Vault. 
+ + ```shell-session + $ vault policy write myapp-kv-ro - < + + Starting in v1.24, Kubernetes will no longer + auto-generate the [Secret + object](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). + So, for the best compatibility with recent Kubernetes versions, ensure you + are using Vault v1.9.3 or greater. + + + + ```shell-session + $ vault write auth/kubernetes/config \ + kubernetes_host="$K8S_HOST" + ``` + + **Output:** + + + + ```plaintext + Success! Data written to: auth/kubernetes/config + ``` + + + +1. Create a role named, `example`, that maps the Kubernetes Service Account to + Vault policies and default token TTL. + + ```shell-session + $ vault write auth/kubernetes/role/example \ + bound_service_account_names=vault-auth \ + bound_service_account_namespaces=default \ + token_policies=myapp-kv-ro \ + ttl=24h + ``` + + **Output:** + + + + ```plaintext + Success! Data written to: auth/kubernetes/role/example + ``` + + + +### Verify the Kubernetes auth method configuration + +1. Create a variable named `EXTERNAL_VAULT_ADDR`. + + ```shell-session + $ export EXTERNAL_VAULT_ADDR="172.16.0.97:30096" + ``` + +1. Define a Pod with a container. 
+ + ```shell-session + $ cat > devwebapp.yaml < + + ```json + { + "request_id": "2febc920-6feb-182a-19cd-c95c0cd70bf7", + "lease_id": "", + "renewable": false, + "lease_duration": 0, + "data": null, + "wrap_info": null, + "warnings": null, + "auth": { + "client_token": "s.ZOZk5OkIW1rbdMEqGmwJW7vj", + "accessor": "yPwZcQG6LP721LryKzkgA4eA", + "policies": [ + "default", + "myapp-kv-ro" + ], + "token_policies": [ + "default", + "myapp-kv-ro" + ], + "metadata": { + "role": "example", + "service_account_name": "vault-auth", + "service_account_namespace": "default", + "service_account_secret_name": "", + "service_account_uid": "649f0652-42ef-44ba-a416-76862bc1b6c3" + }, + "lease_duration": 86400, + "renewable": true, + "entity_id": "3f684285-bc1c-6b9e-e580-4ce310c956b2", + "token_type": "service", + "orphan": true + } + } + ``` + + + +## Help and reference + +- [Injecting Secrets into Kubernetes Pods via Vault Agent Containers](/vault/tutorials/kubernetes/kubernetes-sidecar) +- [Vault Installation to Amazon Elastic Kubernetes Service via Helm](/vault/tutorials/kubernetes/kubernetes-amazon-eks) +- [Vault documentation](/vault/docs/platform/k8s) \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/deploy/aws/eks.mdx b/content/vault/v1.20.x/content/docs/deploy/aws/eks.mdx new file mode 100644 index 0000000000..c69d8096d1 --- /dev/null +++ b/content/vault/v1.20.x/content/docs/deploy/aws/eks.mdx 
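Review bot: in eks-anywhere.mdx the Prerequisites section still carries an unresolved editorial note, `## TODO: is there no more vCenter?`, rendered as a heading, and the `## EKS clusters on Equinix Metal` section under it says "follow these steps" but lists no steps while the introduction still describes VMware vSphere as the bottom layer of the stack; resolve the TODO and either document the Equinix or vSphere path or drop that section before this ships. Several steps also contradict each other: the Helm values use `standalone` with `file` storage, yet the verification output shows both `vault-0` and `vault-1`; the "Initialize and unseal Vault" step has no `vault operator init` command even though the following steps ask for Unseal Keys 1 through 3; the chart is installed with `--namespace vault` but every later `kubectl exec vault-0` omits `-n vault`; the text says Vault is reachable at `172.16.0.97:8200` while the export uses `http://172.16.0.97:30096`; and the link `#setup-vpn-to-connect-to-vcenter-cluster-via-cli-optioal` points at a section that does not exist in this file (and has a typo in the anchor). Finally, the listener is configured with `tls_disable = 1` and `VAULT_ADDR` uses plain `http://` to a NodePort on a node address, so the root token and every secret cross the network in cleartext; a deployment guide should at least say this is for evaluation only and point to the TLS listener configuration.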
@@ -0,0 +1,384 @@ +--- +layout: docs +page_title: Deploy Vault on Amazon EKS +description: >- + Guide to deploying and setting up Vault on Amazon EKS. +--- + +# Deploy Vault on Amazon EKS + +Amazon Elastic Kubernetes Service (EKS) can run and scale Vault in the Amazon Web Services (AWS) cloud or on-premises. Amazon EKS is a managed Kubernetes service that makes it easy to run Kubernetes without needing to install and operate your own Kubernetes control plane or nodes. + +In this guide, you create an EKS cluster in AWS, deploy a MySQL server, install Vault in high-availability (HA) mode via the Helm chart. Then you configure the authentication between Vault and the cluster. + +## Prerequisites + +This guide focuses on setting up HashiCorp Vault on Amazon EKS and assumes a understanding of both Amazon EKS concepts and terminology. The guide assumes the user is familiar with AWS accounts, EKS clusters, Kubernetes pods, service accounts, and manifests. + +This guide requires: + +- [AWS account](https://aws.amazon.com/account/) +- [AWS command-line interface (CLI)](https://aws.amazon.com/cli/) +- [Amazon EKS CLI](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html) +- [Kubernetes CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [Helm CLI](https://helm.sh/docs/helm/) +- [jq](https://jqlang.org/) + +In addition you need to have the Vault Helm chart. You can add the Helm repositories with the following commands: + +```shell-session +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories +``` + +You will need a SSH key pair to access the nodes in your cluster. You can create a key pair using the AWS Management Console or the AWS CLI. For more information, see [Create a key pair for Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html). 
+ +## Step 1: Start cluster + +A high availability Vault cluster that requires a Kubernetes cluster with three nodes. + +1. Log in to your AWS account with the AWS CLI. + +1. Create a three node cluster named `learn-vault`. + + ```shell-session + $ eksctl create cluster \ + --name learn-vault \ + --nodes 3 \ + --with-oidc \ + --ssh-access \ + --ssh-public-key learn-vault \ + --managed + ``` + +1. MySQL needs EBS volume type to use a the `gp2` storage class as the default. Patch the default storage class with the following command. + + ```shell-session + $ kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + ``` + +1. Once all the nodes are in `Ready` status, enable volume support with the [EBS CSI driver add-on](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html). + + ```shell-session + $ eksctl create iamserviceaccount \ + --name ebs-csi-controller-sa \ + --namespace kube-system \ + --cluster learn-vault \ + --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ + --approve \ + --role-only \ + --role-name AmazonEKS_EBS_CSI_DriverRole + ``` + +1. Run the following command to create the add-on: + + ```shell-session + $ eksctl create addon \ + --name aws-ebs-csi-driver \ + --cluster learn-vault \ + --service-account-role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/AmazonEKS_EBS_CSI_DriverRole + ``` + + The cluster is ready. + +## Step 2: Install Vault + +The Vault Helm chart contains all the necessary components to run Vault in several different modes. + +1. Create a file named `helm-vault-raft-values.yml` with the following contents: + + ```shell-session + $ cat > helm-vault-raft-values.yml < + + If you are using Prometheus for monitoring and alerting, we recommend to set the `cluster_name` in the HCL configuration. use the `config` parameter in the Vault Helm chart. 
+ + + + Helm deploys the Vault pods and Vault Agent Injector pod in the default namespace. + +1. Install the latest version of the Vault Helm chart with Integrated Storage. + + ```shell-session + $ helm install vault hashicorp/vault --values helm-vault-raft-values.yml + ``` + + This creates three Vault server instances with an Integrated Storage (Raft) backend. + + Helm installs the Vault pods and Vault Agent Injector pod in the default namespace. + +## Step 3: Initialize and unseal primary Vault pod + +Vault starts [uninitialized](/vault/docs/commands/operator/init) and in the [sealed](/vault/docs/concepts/seal#why) state. Prior to initialization the Integrated Storage backend is not prepared to receive data. + +1. Initialize Vault with one key share and one key threshold. + + ```shell-session + $ kubectl exec vault-0 -- vault operator init \ + -key-shares=1 \ + -key-threshold=1 \ + -format=json > cluster-keys.json + ``` + +1. Display the unseal key found in `cluster-keys.json`. + + ```shell-session + $ cat cluster-keys.json | jq -r ".unseal_keys_b64[]" + ``` + +1. Create a variable named `VAULT_UNSEAL_KEY` to capture the Vault unseal key. + + ```shell-session + $ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]") + ``` + +1. Unseal Vault running on the `vault-0` pod. + + ```shell-session + $ kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + +## Step 4: Join the other Vaults to the Vault cluster + +The Vault server running on the `vault-0` pod is a Vault HA cluster with a +single node. To display the list of nodes requires that you are logging in with +the root token. + +1. Create a variable named `CLUSTER_ROOT_TOKEN` to capture the Vault unseal key. + + ```shell-session + $ CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token") + ``` + +1. Login with the root token on the `vault-0` pod. + + ```shell-session + $ kubectl exec vault-0 -- vault login $CLUSTER_ROOT_TOKEN + ``` + +1. 
Join the Vault server on `vault-1` to the Vault cluster. + + ```shell-session + $ kubectl exec vault-1 -- vault operator raft join http://vault-0.vault-internal:8200 + ``` + + This Vault server joins the cluster sealed. To unseal the Vault server requires + the same unseal key, `VAULT_UNSEAL_KEY`, provided to the first Vault server. + +1. Unseal the Vault server on `vault-1` with the unseal key. + + ```shell-session + $ kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + + The Vault server on `vault-1` is now a functional node within the Vault + cluster. + +1. Join the Vault server on `vault-2` to the Vault cluster. + + ```shell-session + $ kubectl exec vault-2 -- vault operator raft join http://vault-0.vault-internal:8200 + ``` + +1. Unseal the Vault server on `vault-2` with the unseal key. + + ```shell-session + $ kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + +## Step 5: Set a secret in Vault + +The web application expects Vault to store a username and password at the path `secret/webapp/config`. Creating this secret requires you to login with the root token, enable the key-value secret engine](/vault/docs/secrets/kv/kv-v2), and store a secret username and password at that defined path. + +1. First, start an interactive shell session on the `vault-0` pod. + + ```shell-session + $ kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh + / $ + ``` + + This replaces the system prompt with a new prompt `/ $`. + +1. Enable kv-v2 secrets at the path `secret`. + + ```shell-session + $ vault secrets enable -path=secret kv-v2 + ``` + +1. Create a secret at path `secret/devwebapp/config` with a `username` and +`password`. + + ```shell-session + $ vault kv put secret/devwebapp/config username='giraffe' password='salsa' + ``` + +1. Verify that the secret is defined at the path `secret/data/devwebapp/config`. 
+ + ```shell-session + $ vault kv get secret/devwebapp/config + ``` + + + + For more information refer to the [Versioned Key/Value Secrets Engine](/vault/tutorials/secrets-management/versioned-kv) tutorial. + + + + You created the secret for the web application. + +## Step 7: Configure Kubernetes authentication + +The initial [root token](/vault/docs/concepts/tokens#root-tokens) is a privileged user that can perform any operation at any path. The web application only requires the ability to read secrets defined at a single path. This application should authenticate and Vault grants a token with limited access. + + + +We recommend that [root +tokens](/vault/docs/concepts/tokens#root-tokens) are +used only for initial setup of an authentication method and policies. Afterwards they should be revoked. This tutorial does not show you how to revoke the root token. + + + +Vault provides a [Kubernetes authentication](/vault/docs/auth/kubernetes) method that enables clients to authenticate with a Kubernetes Service Account Token. + +1. Enable the Kubernetes authentication method. + + ```shell-session + $ vault auth enable kubernetes + Success! Enabled kubernetes auth method at: kubernetes/ + ``` + + Vault accepts a service token from any client within the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a token review Kubernetes endpoint. + +1. Configure the Kubernetes authentication method to use the location of the Kubernetes API. It will automatically use the pod's own identity to authenticate with Kubernetes when querying the token review API. + + ```shell-session + $ vault write auth/kubernetes/config \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" + ``` + +1. 
Write out the policy named `devwebapp` that enables the `read` capability for secrets at path `secret/data/devwebapp/config` + + ```shell-session + $ vault policy write devwebapp - < devwebapp.yaml < + + For more information about annotations refer to the + [Injecting Secrets into Kubernetes Pods via Vault Agent + Injector](/vault/tutorials/kubernetes/kubernetes-sidecar) tutorial. + + + +1. Create the `devwebapp` pod. + + ```shell-session + $ kubectl apply --filename devwebapp.yaml + ``` + +1. Wait until the `devwebapp` pod reports that is running and ready (`2/2`). + +1. Display the secrets written to the file `/vault/secrets/secret-credentials.txt` +on the `devwebapp` pod. + + ```shell-session + $ kubectl exec --stdin=true --tty=true devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt + data: map[password:salsa username:giraffe] + metadata: map[created_time:2020-12-11T19:14:05.170436863Z deletion_time: destroyed:false version:1] + ``` + + The result displays the unformatted secret data present on the container. + + + +Apply a [template](/vault/tutorials/kubernetes/kubernetes-sidecar#apply-a-template-to-the-injected-secrets) to this structure this data to meet the needs of the application. + + + +## Step 9: Clean up + +Destroy the cluster. + +```shell-session +$ eksctl delete cluster --name learn-vault +``` \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/deploy/aws/index.mdx b/content/vault/v1.20.x/content/docs/deploy/aws/index.mdx index d4a8b319a8..293f6817d2 100644 --- a/content/vault/v1.20.x/content/docs/deploy/aws/index.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/aws/index.mdx 
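Review bot: in eks.mdx Step 1 orders the `gp2` default-storage-class patch before the sentence "Once all the nodes are in `Ready` status, enable volume support", and the MySQL server that the introduction and that storage-class step refer to is not deployed in any step I can find in the added file; either add the MySQL deployment or drop the MySQL references and the gp2 patch. The section numbering jumps from `## Step 5: Set a secret in Vault` to `## Step 7: Configure Kubernetes authentication`, and Step 5's intro says the application expects the secret at `secret/webapp/config` while every command writes and reads `secret/devwebapp/config`; the same intro has a broken link, `key-value secret engine](/vault/docs/secrets/kv/kv-v2)`, missing its opening bracket. In Step 4 the sentence "Create a variable named `CLUSTER_ROOT_TOKEN` to capture the Vault unseal key" should say root token, and the last step names the file `/vault/secrets/secret-credentials.txt` while the command reads `/vault/secrets/credentials.txt`. On the security side, `cluster-keys.json` holds the single unseal key and the root token in plaintext on the operator's workstation, and `kubectl exec vault-0 -- vault login $CLUSTER_ROOT_TOKEN` passes the root token as a command-line argument where it lands in shell history and process listings; a one-line caution that `-key-shares=1 -key-threshold=1` is for a walkthrough only, that the keys file must be protected, and how to revoke the root token afterwards (the Step 7 note says it should be revoked but not how) would help. Also "assumes a understanding" should be "an understanding".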
@@ -7,12 +7,27 @@ description: >- # Run Vault on AWS -You can deploy Vault on Amazon Web Services (AWS) with the official HashiCorp -[AWS Marketplace offering of HCP Vault](https://aws.amazon.com/marketplace/pp/prodview-arpkegbgk6zfy?sr=0-6&ref_=beagle&applicationId=AWSMPContessa). +A number of ways to deploying Vault on Amazon Web Services (AWS) are available: - +- [HCP Vault Dedicated tier](https://portal.cloud.hashicorp.com) deployed on AWS. +- Amazon EKS with the official HashiCorp [Vault Helm chart](/vault/docs/deploy/kubernetes/helm). +- Manual deployment on an Amazon EC2 instance. -HashiCorp no longer releases Vault as Amazon Machine Images (AMIs). +## Integrations - +- [Vault Lambda Extension](/vault/docs/platform/lambda) for AWS Lambda functions. +- [Vault secrets sync to AWS Secrets Manager](/vault/docs/sync/awssm). +- [What is Vault Agent?](/vault/docs/agent-and-proxy/agent) +- [Vault Agent Injector](/vault/docs/deploy/kubernetes/injector) +## Get started with Vault and AWS + +There are several ways to try Vault with Amazon Web Services. + +### Installation guides + +- [Deploy Vault on Amazon EKS with Helm](/vault/docs/deploy/aws/eks). +- [Retrieve secrets for AWS applications with Vault Agent](/vault/tutorials/vault-agent/agent-aws). +- [Retrieve secrets with the Vault AWS Lambda extension](/vault/tutorials/app-integration/intro-vault-aws-lambda-extension). +- [Manage secrets by injecting a Vault agent container](/vault/tutorials/kubernetes/kubernetes-sidecar). +- [Synchronize cloud native secrets](/vault/tutorials/enterprise/enable-secrets-sync). \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/deploy/azure/aks.mdx b/content/vault/v1.20.x/content/docs/deploy/azure/aks.mdx new file mode 100644 index 0000000000..45e970c13f --- /dev/null +++ b/content/vault/v1.20.x/content/docs/deploy/azure/aks.mdx 
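Review bot: in index.mdx the new bullet "Manual deployment on an Amazon EC2 instance" has no link, and the removed sentence `HashiCorp no longer releases Vault as Amazon Machine Images (AMIs).` was the one thing telling a reader on that path not to look for an AMI; keep that note, or fold it into the EC2 bullet, rather than dropping it. Also "A number of ways to deploying Vault" should be "A number of ways to deploy Vault", the Integrations list mixes items with and without trailing periods, and `## Get started with Vault and AWS` follows the last list item with no blank line, unlike the spacing before the other headings in the file.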
@@ -0,0 +1,368 @@ +--- +layout: docs +page_title: Deploy Vault on Microsoft AKS +description: >- + Guide to deploying and setting up Vault on Microsoft Azure Kubernetes Service (AKS). +--- + +# Deploy Vault on Azure Kubernetes Service (AKS) + +Azure Kubernetes Service (AKS) can run Vault in a managed Kubernetes cluster with the Vault UI enabled for web-based secrets management. + +In this guide, you create a cluster in AKS, install Vault with the Web UI enabled, and then configure the authentication between Vault and the cluster. Then you deploy a web application with deployment annotations so the Vault Agent injector service installs application's. + +## Prerequisites + +This guide focuses on setting up HashiCorp Vault on Azure AKS and assumes a understanding of both Azure Kubernetes concepts and terminology. The guide assumes the user is familiar with Azure groups, AKS, Kubernetes pods, service accounts, and manifests. + +This guide requires: + +- [Azure account](https://azure.microsoft.com/en-us/account/) +- [Azure command-line interface (cli)](https://docs.microsoft.com/en-us/cli/azure/) +- [Kubernetes CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [Helm CLI](https://helm.sh/docs/helm/) +- [jq](https://jqlang.org/) + +In addition you need to have the Vault Helm chart. You can add the Helm repositories with the following commands: + +```shell-session +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories +``` + +The user should log in to Azure via the CLI and have a subscription and region selected. + + +## Step 1: Start cluster + +1. Create a resource group named `learn-vault` with the location specified. + + ```shell-session + $ az group create --name learn-vault --location eastus + ``` + +1. Create a cluster named `learn-vault-cluster` with `1` node in the `learn-vault` resource group. 
+ + ```shell-session + $ az aks create --resource-group learn-vault \ + --name learn-vault-cluster \ + --node-count 1 \ + --enable-addons monitoring \ + --generate-ssh-keys + ``` + +1. When the cluster is ready, configure the `kubectl` CLI to communicate to the `learn-vault-cluster` cluster. + + ```shell-session + $ az aks get-credentials --resource-group learn-vault --name learn-vault-cluster + ``` + +1. Helm deploys the Vault pod and Vault Agent Injector pod in the default namespace. + + ```shell-session + $ helm install vault hashicorp/vault --set 'server.dev.enabled=true' + ``` + +The `vault-agent-injector` pod deployed is a Kubernetes Mutation Webhook Controller. The controller intercepts pod events and applies mutations to the pod if specific annotations exist within the request. + +## Step 2: Install Vault + +The Vault Helm chart contains all the necessary components to run Vault in several different modes. + +1. Create a file named `helm-vault-raft-values.yml` with the following contents: + + ```shell-session + $ cat > helm-vault-raft-values.yml < + + If you are using Prometheus for monitoring and alerting, we recommend to set the `cluster_name` in the HCL configuration. use the `config` parameter in the Vault Helm chart. + + + + Helm deploys the Vault pods and Vault Agent Injector pod in the default namespace. + +1. Install the latest version of the Vault Helm chart with Integrated Storage. + + ```shell-session + $ helm install vault hashicorp/vault --values helm-vault-raft-values.yml + ``` + + This creates three Vault server instances with an Integrated Storage (Raft) backend. + + Helm installs the Vault pods and Vault Agent Injector pod in the default namespace. + +## Step 3: Initialize and unseal primary Vault pod + +Vault starts [uninitialized](/vault/docs/commands/operator/init) and in the [sealed](/vault/docs/concepts/seal#why) state. Prior to initialization the Integrated Storage backend is not prepared to receive data. + +1. 
Initialize Vault with one key share and one key threshold. + + ```shell-session + $ kubectl exec vault-0 -- vault operator init \ + -key-shares=1 \ + -key-threshold=1 \ + -format=json > cluster-keys.json + ``` + +1. Display the unseal key found in `cluster-keys.json`. + + ```shell-session + $ cat cluster-keys.json | jq -r ".unseal_keys_b64[]" + ``` + +1. Create a variable named `VAULT_UNSEAL_KEY` to capture the Vault unseal key. + + ```shell-session + $ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]") + ``` + +1. Unseal Vault running on the `vault-0` pod. + + ```shell-session + $ kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + +## Step 4: Join the other Vaults to the Vault cluster + +The Vault server running on the `vault-0` pod is a Vault HA cluster with a +single node. To display the list of nodes requires that you are logging in with +the root token. + +1. Create a variable named `CLUSTER_ROOT_TOKEN` to capture the Vault unseal key. + + ```shell-session + $ CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token") + ``` + +1. Login with the root token on the `vault-0` pod. + + ```shell-session + $ kubectl exec vault-0 -- vault login $CLUSTER_ROOT_TOKEN + ``` + +1. Join the Vault server on `vault-1` to the Vault cluster. + + ```shell-session + $ kubectl exec vault-1 -- vault operator raft join http://vault-0.vault-internal:8200 + ``` + + This Vault server joins the cluster sealed. To unseal the Vault server requires + the same unseal key, `VAULT_UNSEAL_KEY`, provided to the first Vault server. + +1. Unseal the Vault server on `vault-1` with the unseal key. + + ```shell-session + $ kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + + The Vault server on `vault-1` is now a functional node within the Vault + cluster. + +1. Join the Vault server on `vault-2` to the Vault cluster. 
+ + ```shell-session + $ kubectl exec vault-2 -- vault operator raft join http://vault-0.vault-internal:8200 + ``` + +1. Unseal the Vault server on `vault-2` with the unseal key. + + ```shell-session + $ kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + +## Step 5: Set a secret in Vault + +The web application expects Vault to store a username and password at the path `secret/webapp/config`. Creating this secret requires you to login with the root token, enable the key-value secret engine](/vault/docs/secrets/kv/kv-v2), and store a secret username and password at that defined path. + +1. First, start an interactive shell session on the `vault-0` pod. + + ```shell-session + $ kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh + / $ + ``` + + This replaces the system prompt with a new prompt `/ $`. + +1. Enable kv-v2 secrets at the path `secret`. + + ```shell-session + $ vault secrets enable -path=secret kv-v2 + ``` + +1. Create a secret at path `secret/devwebapp/config` with a `username` and +`password`. + + ```shell-session + $ vault kv put secret/devwebapp/config username='giraffe' password='salsa' + ``` + +1. Verify that the secret is defined at the path `secret/data/devwebapp/config`. + + ```shell-session + $ vault kv get secret/devwebapp/config + ``` + + + + For more information refer to the [Versioned Key/Value Secrets Engine](/vault/tutorials/secrets-management/versioned-kv) tutorial. + + + + You created the secret for the web application. + +## Step 7: Configure Kubernetes authentication + +The initial [root token](/vault/docs/concepts/tokens#root-tokens) is a privileged user that can perform any operation at any path. The web application only requires the ability to read secrets defined at a single path. This application should authenticate and Vault grants a token with limited access. 
+ + + +We recommend that [root +tokens](/vault/docs/concepts/tokens#root-tokens) are +used only for initial setup of an authentication method and policies. Afterwards they should be revoked. This tutorial does not show you how to revoke the root token. + + + +Vault provides a [Kubernetes authentication](/vault/docs/auth/kubernetes) method that enables clients to authenticate with a Kubernetes Service Account Token. + +1. Enable the Kubernetes authentication method. + + ```shell-session + $ vault auth enable kubernetes + Success! Enabled kubernetes auth method at: kubernetes/ + ``` + + Vault accepts a service token from any client within the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a token review Kubernetes endpoint. + +1. Configure the Kubernetes authentication method to use the location of the Kubernetes API. It will automatically use the pod's own identity to authenticate with Kubernetes when querying the token review API. + + ```shell-session + $ vault write auth/kubernetes/config \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" + ``` + +1. Write out the policy named `devwebapp` that enables the `read` capability for secrets at path `secret/data/devwebapp/config` + + ```shell-session + $ vault policy write devwebapp - < devwebapp.yaml < + + For more information about annotations refer to the + [Injecting Secrets into Kubernetes Pods via Vault Agent + Injector](/vault/tutorials/kubernetes/kubernetes-sidecar) tutorial. + + + +1. Create the `devwebapp` pod. + + ```shell-session + $ kubectl apply --filename devwebapp.yaml + ``` + +1. Wait until the `devwebapp` pod reports that is running and ready (`2/2`). + +1. Display the secrets written to the file `/vault/secrets/secret-credentials.txt` +on the `devwebapp` pod. 
+ + ```shell-session + $ kubectl exec --stdin=true --tty=true devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt + data: map[password:salsa username:giraffe] + metadata: map[created_time:2020-12-11T19:14:05.170436863Z deletion_time: destroyed:false version:1] + ``` + + The result displays the unformatted secret data present on the container. + + + +Apply a [template](/vault/tutorials/kubernetes/kubernetes-sidecar#apply-a-template-to-the-injected-secrets) to this structure this data to meet the needs of the application. + + + +## Step 9: Clean up + +Destroy the cluster. + +```shell-session +$ az group delete --name learn-vault --yes --no-wait +``` \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/deploy/azure/index.mdx b/content/vault/v1.20.x/content/docs/deploy/azure/index.mdx new file mode 100644 index 0000000000..f6459388a3 --- /dev/null +++ b/content/vault/v1.20.x/content/docs/deploy/azure/index.mdx 
@@ -0,0 +1,32 @@ +--- +layout: docs +page_title: Run Vault on Azure +description: >- + Configure and deploy Vault in the cloud with Azure +--- + + +# Run Vault on Microsoft Azure + +A number of ways to deploying Vault on Microsoft Azure are available: + +- [HCP Vault Dedicated tier](https://portal.cloud.hashicorp.com) deployed on Azure. +- Vault Enterprise on Microsoft Azure with the official HashiCorp +[Azure Marketplace offering of Vault Enterprise](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/hashicorp-4665790.vault-azure-saas?tab=overview). +- AKS with the official HashiCorp [Vault Helm chart](/vault/docs/deploy/kubernetes/helm). +- Manual deployment on an Azure VM instance. + +## Integrations + +- [Sync secrets from Vault to Azure Key Vault](/vault/docs/sync/azurekv). +- [What is Vault Agent?](/vault/docs/agent-and-proxy/agent) +- [Vault Agent Injector](/vault/docs/deploy/kubernetes/injector). + +## Get started with Vault and Azure + +There are several ways to try Vault with Microsoft Azure. + +### Installation guides + +- [Deploy Vault on Azure AKS with Helm](/vault/docs/deploy/azure/aks). +- [Manage secrets by injecting a Vault agent container](/vault/tutorials/kubernetes/kubernetes-sidecar). \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/deploy/gcp/gke.mdx b/content/vault/v1.20.x/content/docs/deploy/gcp/gke.mdx new file mode 100644 index 0000000000..07ce60d944 --- /dev/null +++ b/content/vault/v1.20.x/content/docs/deploy/gcp/gke.mdx 
@@ -0,0 +1,355 @@ +--- +layout: docs +page_title: Deploy Vault on Google Kubernetes Engine (GKE) +description: >- + Guide to deploying and setting up Vault on Google Kubernetes Engine (GKE). +--- + +# Deploy Vault on Google Kubernetes Engine (GKE) + +Google Kubernetes Engine (GKE) can run Vault in its secured and managed +Kubernetes service in standard or autopilot mode. Standard mode gives you the flexibility to configure the cluster's underlying infrastructure while autopilot mode gives you an optimized cluster with a hands-off experience. + +In this tutorial, you create a cluster in GKE, install Vault in +high-availability (HA) mode via the Helm chart and then configure the +authentication between Vault and the cluster. Then you deploy a web application with deployment annotations and the Vault Agent injector service installs the application's secrets. + +## Prerequisites + +This guide focuses on setting up HashiCorp Vault on Google Kubernetes Engine (GKE) and assumes a understanding of both Google Cloud and Kubernetes concepts and terminology. The guide assumes the user is familiar with Google Cloud projects, GKE, Kubernetes pods, service accounts, and manifests. + +This guide requires: + +- [Google Cloud account](https://console.cloud.google.com) + - A project initialized and + - Google container service (`container.googleapis.com`) enabled. +- [Google Cloud command-line interface (CLI)](https://cloud.google.com/sdk/docs/quickstart) +- [Kubernetes CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl/) +- [Helm CLI](https://helm.sh/docs/helm/) +- [jq](https://jqlang.org/) + +In addition you need to have the Vault Helm chart. You can add the Helm repositories with the following commands: + +```shell-session +$ helm repo add hashicorp https://helm.releases.hashicorp.com +``` + +The user should log in to Google Cloud via the CLI and have a project and region selected. 
+ +## Step 1: Start cluster + +A high-availability Vault cluster requires a Kubernetes cluster with three nodes. You can manually create these nodes or use the Autopilot mode. Autopilot mode manages the underlying infrastructure and provisions nodes as needed. + +1. Create a cluster in Autopilot mode named `learn-vault`. + + ```shell-session + $ gcloud container clusters create-auto learn-vault + ``` + + After cluster creation and deployment, and it is then health-checked. When the cluster is + ready the command modifies the `kubectl` configuration so that it performs the commands you + issue against that cluster. + + Autopilot displays a smaller set of nodes but provisions more as needed. + +## Step 2: Install Vault + +The Vault Helm chart contains all the necessary components to run Vault in several different modes. + +1. Create a file named `helm-vault-raft-values.yml` with the following contents: + + ```shell-session + $ cat > helm-vault-raft-values.yml < + + If you are using Prometheus for monitoring and alerting, we recommend to set the `cluster_name` in the HCL configuration. use the `config` parameter in the Vault Helm chart. + + + + Helm deploys the Vault pods and Vault Agent Injector pod in the default namespace. + +1. Install the latest version of the Vault Helm chart with Integrated Storage. + + ```shell-session + $ helm install vault hashicorp/vault --values helm-vault-raft-values.yml + ``` + + This creates three Vault server instances with an Integrated Storage (Raft) backend. + + Helm installs the Vault pods and Vault Agent Injector pod in the default namespace. + + +## Step 4: Initialize and unseal primary Vault pod + +Vault starts [uninitialized](/vault/docs/commands/operator/init) and in the [sealed](/vault/docs/concepts/seal#why) state. Prior to initialization the Integrated Storage backend is not prepared to receive data. + +1. Initialize Vault with one key share and one key threshold. 
+ + ```shell-session + $ kubectl exec vault-0 -- vault operator init \ + -key-shares=1 \ + -key-threshold=1 \ + -format=json > cluster-keys.json + ``` + +1. Display the unseal key found in `cluster-keys.json`. + + ```shell-session + $ cat cluster-keys.json | jq -r ".unseal_keys_b64[]" + ``` + +1. Create a variable named `VAULT_UNSEAL_KEY` to capture the Vault unseal key. + + ```shell-session + $ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]") + ``` + +1. Unseal Vault running on the `vault-0` pod. + + ```shell-session + $ kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + +## Step 5: Join the other Vaults to the Vault cluster + +The Vault server running on the `vault-0` pod is a Vault HA cluster with a +single node. To display the list of nodes requires that you are logging in with +the root token. + +1. Create a variable named `CLUSTER_ROOT_TOKEN` to capture the Vault unseal key. + + ```shell-session + $ CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token") + ``` + +1. Login with the root token on the `vault-0` pod. + + ```shell-session + $ kubectl exec vault-0 -- vault login $CLUSTER_ROOT_TOKEN + ``` + +1. Join the Vault server on `vault-1` to the Vault cluster. + + ```shell-session + $ kubectl exec vault-1 -- vault operator raft join http://vault-0.vault-internal:8200 + ``` + + This Vault server joins the cluster sealed. To unseal the Vault server requires + the same unseal key, `VAULT_UNSEAL_KEY`, provided to the first Vault server. + +1. Unseal the Vault server on `vault-1` with the unseal key. + + ```shell-session + $ kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + + The Vault server on `vault-1` is now a functional node within the Vault + cluster. + +1. Join the Vault server on `vault-2` to the Vault cluster. + + ```shell-session + $ kubectl exec vault-2 -- vault operator raft join http://vault-0.vault-internal:8200 + ``` + +1. 
Unseal the Vault server on `vault-2` with the unseal key. + + ```shell-session + $ kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY + ``` + +## Step 6: Set a secret in Vault + +The web application expects Vault to store a username and password at the path `secret/webapp/config`. Creating this secret requires you to login with the root token, enable the key-value secret engine](/vault/docs/secrets/kv/kv-v2), and store a secret username and password at that defined path. + +1. First, start an interactive shell session on the `vault-0` pod. + + ```shell-session + $ kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh + / $ + ``` + + This replaces the system prompt with a new prompt `/ $`. + +1. Enable kv-v2 secrets at the path `secret`. + + ```shell-session + $ vault secrets enable -path=secret kv-v2 + ``` + +1. Create a secret at path `secret/devwebapp/config` with a `username` and +`password`. + + ```shell-session + $ vault kv put secret/devwebapp/config username='giraffe' password='salsa' + ``` + +1. Verify that the secret is defined at the path `secret/data/devwebapp/config`. + + ```shell-session + $ vault kv get secret/devwebapp/config + ``` + + + + For more information refer to the [Versioned Key/Value Secrets Engine](/vault/tutorials/secrets-management/versioned-kv) tutorial. + + + + You created the secret for the web application. + +## Step 7: Configure Kubernetes authentication + +The initial [root token](/vault/docs/concepts/tokens#root-tokens) is a privileged user that can perform any operation at any path. The web application only requires the ability to read secrets defined at a single path. This application should authenticate and Vault grants a token with limited access. + + + +We recommend that [root +tokens](/vault/docs/concepts/tokens#root-tokens) are +used only for initial setup of an authentication method and policies. Afterwards they should be revoked. This tutorial does not show you how to revoke the root token. 
+ + + +Vault provides a [Kubernetes authentication](/vault/docs/auth/kubernetes) method that enables clients to authenticate with a Kubernetes Service Account Token. + +1. Enable the Kubernetes authentication method. + + ```shell-session + $ vault auth enable kubernetes + Success! Enabled kubernetes auth method at: kubernetes/ + ``` + + Vault accepts a service token from any client within the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a token review Kubernetes endpoint. + +1. Configure the Kubernetes authentication method to use the location of the Kubernetes API. It will automatically use the pod's own identity to authenticate with Kubernetes when querying the token review API. + + ```shell-session + $ vault write auth/kubernetes/config \ + kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" + ``` + +1. Write out the policy named `devwebapp` that enables the `read` capability for secrets at path `secret/data/devwebapp/config`. + + ```shell-session + $ vault policy write devwebapp - < devwebapp.yaml < + + For more information about annotations refer to the [Injecting Secrets into Kubernetes Pods via Vault Agent + Injector](/vault/tutorials/kubernetes/kubernetes-sidecar) tutorial. + + + +1. Create the `devwebapp` pod. + + ```shell-session + $ kubectl apply --filename devwebapp.yaml + ``` + +1. Wait until the `devwebapp` pod reports that is running and ready (`2/2`). + +1. Display the secrets written to the file `/vault/secrets/secret-credentials.txt` +on the `devwebapp` pod. + + ```shell-session + $ kubectl exec --stdin=true --tty=true devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt + data: map[password:salsa username:giraffe] + metadata: map[created_time:2020-12-11T19:14:05.170436863Z deletion_time: destroyed:false version:1] + ``` + + The result displays the unformatted secret data present on the container. 
+ + + +Apply a [template](/vault/tutorials/kubernetes/kubernetes-sidecar#apply-a-template-to-the-injected-secrets) to this structure this data to meet the needs of the application. + + + +## Step 9: Clean up + +Destroy the cluster. + +```shell-session +$ gcloud container clusters delete learn-vault +``` diff --git a/content/vault/v1.20.x/content/docs/deploy/gcp/index.mdx b/content/vault/v1.20.x/content/docs/deploy/gcp/index.mdx new file mode 100644 index 0000000000..9571334ca3 --- /dev/null +++ b/content/vault/v1.20.x/content/docs/deploy/gcp/index.mdx @@ -0,0 +1,26 @@ +--- +layout: docs +page_title: Run Vault on Google Cloud Platform (GCP) +description: >- + Configure and deploy Vault on Google Cloud Platform (GCP) +--- + +# Run Vault on Google Cloud Platform (GCP) + +- GKE with the official HashiCorp [Vault Helm chart](/vault/docs/deploy/kubernetes/helm). +- Manual deployment on a Google Compute Engine instance. + +## Integrations + +- [Sync secrets from Vault to Google Secret Manager](/vault/docs/sync/gcpsm). +- [What is Vault Agent?](/vault/docs/agent-and-proxy/agent) +- [Vault Agent Injector](/vault/docs/deploy/kubernetes/injector). + +## Get started with Vault and GCP + +There are several ways to try Vault with Google Cloud Platform. + +### Installation guides + +- [Deploy Vault on GKE with Helm](/vault/docs/deploy/gcp/gke). +- [Manage secrets by injecting a Vault agent container](/vault/tutorials/kubernetes/kubernetes-sidecar). \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/consul-to-raft.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/consul-to-raft.mdx index 668019d39a..117931bf12 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/consul-to-raft.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/consul-to-raft.mdx 
@@ -23,7 +23,7 @@ This guide uses an intermediate Helm configuration to introduce an init containe ### Vault and Kubernetes setup -Consider the following `vault status` output and Helm Chart values for Vault: +Consider the following `vault status` output and Helm chart values for Vault: @@ -322,7 +322,7 @@ server: To revert to the original configuration, you'll just need to delete the Helm deployment, and re-deploy it using the override values specifying your Consul storage configuration. -Note that the Vault Helm Chart's default configuration using Raft storage will retain any PVCs created. Vault does not use these while configured with Consul storage. You will need to remove the PVCs before re-attempting the migration. +Note that the Vault Helm chart's default configuration using Raft storage will retain any PVCs created. Vault does not use these while configured with Consul storage. You will need to remove the PVCs before re-attempting the migration. 1. Uninstall Vault via Helm. @@ -333,7 +333,7 @@ Note that the Vault Helm Chart's default configuration using Raft storage will r 1. Install Vault via Helm with old Consul storage configuration. ```shell-session - $ `helm install vault hashicorp/vault -f vault-consul-values.yml + $ helm install vault hashicorp/vault -f vault-consul-values.yml ``` 1. Unseal Vault and confirm the storage has reverted to Consul. 
@@ -366,9 +366,9 @@ Note that the Vault Helm Chart's default configuration using Raft storage will r ## References - [Vault operator migrate command](/vault/docs/commands/operator/migrate) -- [Helm Chart configuration](/vault/docs/platform/k8s/helm/configuration) +- [Helm chart configuration](/vault/docs/platform/k8s/helm/configuration) - [Vault on Kubernetes deployment guide](/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide) -- [Vault Helm Chart configuration](https://github.com/hashicorp/vault-helm) +- [Vault Helm chart configuration](https://github.com/hashicorp/vault-helm) - [kubectl commands](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands) - [Kubernetes storage volumes](https://kubernetes.io/docs/concepts/storage/volumes/) - [Create a Pod that has an Init Container](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-initialization/#create-a-pod-that-has-an-init-container) diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/index.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/index.mdx index eda1d4ad27..84828e7032 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/index.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/index.mdx @@ -7,7 +7,7 @@ description: >- # Run Vault on Kubernetes -Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart. +Deploying Vault into Kubernetes using the official HashiCorp [Vault Helm chart](/vault/docs/deploy/kubernetes/helm). The Helm chart allows users to deploy Vault in various configurations: - Dev: a single in-memory Vault server for testing Vault diff --git a/content/vault/v1.20.x/content/docs/enterprise/lease-count-quotas.mdx b/content/vault/v1.20.x/content/docs/enterprise/lease-count-quotas.mdx index 7f85870b14..dfd4d63b9f 100644 --- a/content/vault/v1.20.x/content/docs/enterprise/lease-count-quotas.mdx +++ b/content/vault/v1.20.x/content/docs/enterprise/lease-count-quotas.mdx 
@@ -95,12 +95,6 @@ Vault returns a `429 - Too Many Requests` response if a new lease request violates the quota limit. For more information on this error, refer to [the error document](/vault/docs/concepts/lease-count-quota-exceeded). -## Tutorial - -Refer to [Protecting Vault with Resource -Quotas](/vault/tutorials/operations/resource-quotas) for a -step-by-step tutorial. - ## API Lease count quotas can be managed over the HTTP API. Please see diff --git a/content/vault/v1.20.x/data/docs-nav-data.json b/content/vault/v1.20.x/data/docs-nav-data.json index 4b40a402d6..ee5effbc08 100644 --- a/content/vault/v1.20.x/data/docs-nav-data.json +++ b/content/vault/v1.20.x/data/docs-nav-data.json @@ -726,12 +726,60 @@ "title": "Vault Lambda Extension", "path": "deploy/aws/lambda-extension" }, + { + "title": "Vault on Amazon EKS", + "path": "deploy/aws/eks" + }, { "title": "Running Vault", "path": "deploy/aws/run" + }, + { + "title": "Amazon EKS", + "path": "deploy/aws/eks" + } + ] + }, + { + "title": "Run on Azure", + "routes": [ + { + "title": "Overview", + "path": "deploy/azure" + }, + { + "title": "Azure Kubernetes Service (AKS)", + "path": "deploy/azure/aks" + } + ] + }, + { + "title": "Run on Google Cloud Platform", + "routes": [ + { + "title": "Overview", + "path": "deploy/gcp" + }, + { + "title": "Google Kubernetes Engine (GKE)", + "path": "deploy/gcp/gke" + } + ] + }, + { + "title": "Run on Azure", + "routes": [ + { + "title": "Overview", + "path": "deploy/azure" + }, + { + "title": "Azure Kubernetes Service (AKS)", + "path": "deploy/azure/aks" } ] }, + { "title": "Run on Kubernetes", "routes": [
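Review bot: Step 9 of the first hunk (the tutorial ending with `$ az group delete --name learn-vault --yes --no-wait`) tears down an Azure resource group, which only fits a page whose earlier steps created an Azure cluster; confirm the cleanup command matches the platform this page is for before merging. The same hunk has several inconsistencies: the headings jump from `## Step 5: Set a secret in Vault` to `## Step 7: Configure Kubernetes authentication`; the Step 5 intro says the secret lives at `secret/webapp/config` while the commands write and read `secret/devwebapp/config`, and its link is missing the opening bracket (`enable the key-value secret engine](/vault/docs/secrets/kv/kv-v2)`); the last step names `/vault/secrets/secret-credentials.txt` but the command runs `cat /vault/secrets/credentials.txt`; and `to this structure this data` should read `to structure this data`. The file also ends without a trailing newline.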
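Review bot: In the `deploy/azure/index.mdx` hunk, `A number of ways to deploying Vault on Microsoft Azure are available:` is ungrammatical; suggest `There are several ways to deploy Vault on Microsoft Azure:`. `Manual deployment on an Azure VM instance.` is the only option in that list without a link, and the file ends without a trailing newline.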
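Review bot: In the `deploy/gcp/gke.mdx` hunk, the step `Create a variable named `CLUSTER_ROOT_TOKEN` to capture the Vault unseal key.` mislabels what the command captures (`jq -r ".root_token"`); it should say the root token. Further fixes needed in the same hunk: the headings run `Step 1`, `Step 2`, `Step 4` with no Step 3; `After cluster creation and deployment, and it is then health-checked.` is a broken sentence; `assumes a understanding` should be `an understanding`; Step 2 states twice that Helm places the pods in the default namespace (`Helm deploys ...` and `Helm installs ...`); the Step 6 intro names `secret/webapp/config` while the commands use `secret/devwebapp/config`, and its link is missing the opening bracket; the final display step names `/vault/secrets/secret-credentials.txt` but runs `cat /vault/secrets/credentials.txt`; and `to this structure this data` should be `to structure this data`. Also worth documenting: the raft join uses `http://vault-0.vault-internal:8200`, so cluster traffic in this walkthrough is plaintext, and the page itself says root tokens should be revoked after setup but does not show it; a sentence pointing readers at enabling TLS on the listener and at `vault token revoke` for the root token would close both gaps.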
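Review bot: In the `deploy/gcp/index.mdx` hunk, the bullet list directly under `# Run Vault on Google Cloud Platform (GCP)` has no introductory sentence, unlike the Azure page added in this diff; suggest adding `There are several ways to deploy Vault on Google Cloud Platform:` before the list. `Manual deployment on a Google Compute Engine instance.` has no link, and the file ends without a trailing newline.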
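Review bot: In the `deploy/kubernetes/index.mdx` hunk, the replacement line `Deploying Vault into Kubernetes using the official HashiCorp [Vault Helm chart](/vault/docs/deploy/kubernetes/helm).` has no main verb, so the paragraph no longer reads as a sentence; suggest keeping the original wording and only adding the link: `Vault can be deployed into Kubernetes using the official HashiCorp [Vault Helm chart](/vault/docs/deploy/kubernetes/helm).`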
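Review bot: In the `docs-nav-data.json` hunk, `deploy/aws/eks` is added twice to the same `routes` array (as `"Vault on Amazon EKS"` and again as `"Amazon EKS"`), and the entire `"Run on Azure"` section (`deploy/azure`, `deploy/azure/aks`) is inserted twice, which will render duplicate sidebar entries; keep one copy of each. The hunk also inserts a blank line before the `"Run on Kubernetes"` entry, which is inconsistent with the rest of the file.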