@reedho
Created December 12, 2024 23:33
k0s Lab: vault
local-storage.yaml:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-storage # Name of the StorageClass
provisioner: kubernetes.io/no-provisioner # Specify the provisioner (manual static provisioning)
volumeBindingMode: WaitForFirstConsumer # Waits until a Pod is scheduled before binding a PV
reclaimPolicy: Delete
```
pv-local-storage.yaml:

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: vol001
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: local-storage
  local:
    path: /srv/cluster/storage/001
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - k0s-wk1
```

# Setup Vault on k0s

Reference:

## Create a StorageClass named local-storage

`k` is shorthand for `kubectl` in the commands below.

```sh
k apply -f local-storage.yaml
```

## Create a PersistentVolume named vol001 using the StorageClass local-storage above

```sh
# First pick the node that will hold the storage; here we use `k0s-wk1`
# (the node runs as a Docker container, hence docker exec)
docker exec k0s-wk1 mkdir -p /srv/cluster/storage/001

# Then create the PV
k apply -f pv-local-storage.yaml
```

## Install Vault

```sh
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install --values vault-values.yaml vault hashicorp/vault
```

At this point the vault-0 pod is created but its READY value is 0/1. It will not become ready until the Vault is initialized and unsealed.

## Initialize the Vault

`-key-shares=1` sets how many unseal key shares are generated and `-key-threshold=1` how many of them are required to unseal; one share is enough for a lab. The init output is saved to `cluster-keys.json`, which contains the unseal key and the root token, so keep it out of version control and readable only by you.

```sh
k exec vault-0 -- vault operator init \
    -key-shares=1 \
    -key-threshold=1 \
    -format=json > cluster-keys.json

cat cluster-keys.json
```

## Unseal the Vault

The chart was installed into the `default` namespace (as the pod listing further down shows), so no `-n` flag is needed:

```sh
VAULT_UNSEAL_KEY=$(jq -r ".unseal_keys_b64[]" cluster-keys.json)
k exec vault-0 -- vault operator unseal "$VAULT_UNSEAL_KEY"
```

After unsealing finishes, the vault-0 pod should show READY 1/1.

## Check that the whole installation succeeded

The created resources should look something like this:

```text
# Created services
NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
vault                      ClusterIP   10.108.242.144   <none>        8200/TCP,8201/TCP   22h
vault-agent-injector-svc   ClusterIP   10.100.192.98    <none>        443/TCP             22h
vault-internal             ClusterIP   None             <none>        8200/TCP,8201/TCP   22h

# Created pods
NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
default       vault-0                                 1/1     Running   0          1m
default       vault-agent-injector-84b987db6f-t5sfv   1/1     Running   0          1m

# Used pvc
NAME           STATUS   VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS    VOLUMEATTRIBUTESCLASS   AGE
data-vault-0   Bound    vol001   10Gi       RWO            local-storage   <unset>                 1m

# Used pv
NAME     CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                  STORAGECLASS    VOLUMEATTRIBUTESCLASS   REASON   AGE
vol001   10Gi       RWO            Delete           Bound    default/data-vault-0   local-storage   <unset>                          22h
```

## Log in to the Vault UI

Forward the service port and log in with the root token from `cluster-keys.json`:

```sh
k port-forward service/vault 8200:8200
```
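The init and unseal steps above are typed by hand for a single share. The following is an added example (not part of the gist) that drives the same `kubectl exec vault-0 -- vault operator init|unseal -format=json` commands from Python and generalises them to N shares with an M-of-N threshold: it stores the init output with owner-only permissions, submits shares until the seal status reports `sealed: false`, and refuses an invalid threshold. The `run` parameter is an injection point; `FakeVault` is a constructed stand-in for the pod so the flow can be exercised offline, and its JSON is modelled on Vault's real `-format=json` fields but is not captured output.

```python
"""Initialise and unseal a Vault pod, generalised to N shares / M threshold.

Added example, not part of the gist. Real use: init_vault(...)/unseal_vault(...)
with the default runner, which shells out to kubectl exactly as the README does.
"""
import json
import os
import subprocess
import tempfile
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]


def kubectl_exec(argv: List[str]) -> str:
    """Default runner: execute argv and return its stdout (raises on failure)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def vault_argv(pod: str, namespace: str, *vault_args: str) -> List[str]:
    """Build `kubectl exec <pod> -n <namespace> -- vault <args...>`."""
    return ["kubectl", "exec", pod, "-n", namespace, "--", "vault", *vault_args]


def init_vault(pod: str, shares: int, threshold: int, keys_path: str,
               run: Runner = kubectl_exec, namespace: str = "default") -> Dict:
    """Run `vault operator init` and store its JSON output with mode 0600.

    The output holds the root token and every unseal share, so the file is
    created O_EXCL (never overwrite an existing key file) and owner-only.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("key threshold must be between 1 and the share count")
    out = run(vault_argv(pod, namespace, "operator", "init",
                         f"-key-shares={shares}", f"-key-threshold={threshold}",
                         "-format=json"))
    keys = json.loads(out)
    fd = os.open(keys_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(keys, fh)
    return keys


def unseal_vault(pod: str, keys: Dict, run: Runner = kubectl_exec,
                 namespace: str = "default") -> Dict:
    """Submit shares one at a time until the seal status reports sealed=false.

    With the gist's -key-shares=1 -key-threshold=1 a single share is enough;
    with a larger threshold each `vault operator unseal` call adds one share.
    """
    status: Dict = {"sealed": True}
    for share in keys["unseal_keys_b64"][: keys["unseal_threshold"]]:
        status = json.loads(run(vault_argv(pod, namespace, "operator", "unseal",
                                           "-format=json", share)))
        if not status["sealed"]:
            break
    if status["sealed"]:
        raise RuntimeError("vault still sealed after submitting threshold shares")
    return status


class FakeVault:
    """Constructed stand-in for the Vault pod: mimics init/unseal JSON replies."""

    def __init__(self) -> None:
        self.shares: List[str] = []
        self.threshold = 0
        self.progress = 0
        self.sealed = True

    def __call__(self, argv: List[str]) -> str:
        vault_args = argv[argv.index("--") + 2:]  # everything after "-- vault"
        if vault_args[:2] == ["operator", "init"]:
            n = int(vault_args[2].split("=")[1])
            t = int(vault_args[3].split("=")[1])
            self.shares = [f"constructed-share-{i}" for i in range(n)]
            self.threshold = t
            return json.dumps({"unseal_keys_b64": self.shares,
                               "unseal_shares": n, "unseal_threshold": t,
                               "root_token": "hvs.CONSTRUCTED-ROOT-TOKEN"})
        if vault_args[:2] == ["operator", "unseal"]:
            if vault_args[-1] in self.shares:
                self.progress += 1
            if self.progress >= self.threshold:
                self.sealed = False
            return json.dumps({"sealed": self.sealed, "t": self.threshold,
                               "n": len(self.shares), "progress": self.progress})
        raise ValueError(f"unexpected command: {vault_args}")


def demo(shares: int = 3, threshold: int = 2) -> Dict:
    """Run init + unseal against FakeVault; return final seal state and file mode."""
    fake = FakeVault()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cluster-keys.json")
        keys = init_vault("vault-0", shares, threshold, path, run=fake)
        status = unseal_vault("vault-0", keys, run=fake)
        mode = os.stat(path).st_mode & 0o777
    return {"sealed": status["sealed"], "mode": mode, "shares": len(keys["unseal_keys_b64"])}


if __name__ == "__main__":
    print(demo())
```

Against a real cluster, call `init_vault("vault-0", 1, 1, "cluster-keys.json")` followed by `unseal_vault("vault-0", keys)` to reproduce the gist's steps; raising the threshold only changes how many `unseal` calls are made before the status flips.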
vault-values.yaml (values passed to the Helm chart):

```yaml
server:
  dataStorage:
    storageClass: local-storage
```