These steps are now compiled into Python and shell scripts in the tools directory.
- Generate TLS certificates and keys. The following files should be in rp-vault/tls:
  - ca-key.pem (with private key)
  - ca.pem (with cert)
  - vault-key.pem (with private key)
  - vault.pem (with cert)
- Deploy Vault
helm install vault rp-vault --values prod-values.yaml
- Initialize and unseal Vault, run a script to create basic policies
kubectl -n vault exec -it vault-0 -- sh
vault operator init -n 1 -t 1   # will create two tokens: unseal and root
vault operator unseal <unseal token goes here>
vault login <root token goes here>
sh /home/create-policies.sh
- Deploy MongoDB
helm install mongo rp-mongo --namespace=vault --values prod-values.yaml
- Create policies for MongoDB credentials rotation
kubectl -n vault exec -it vault-0 -- sh
vault login <root token goes here>
sh /home/create-mongo-policies.sh
- Create application secrets in Vault
vault kv put secret/path/is/in/vault/values apiKey=***
- Deploy the application
helm install app manual-rp-chart --namespace=vault --values prod-values.yaml
Wait 10-15 seconds after this step.
- Go to the application service and query its endpoint:
kubectl -n vault port-forward svc/manual-rp-service 32343:3000
-
...
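
One way to produce and sanity-check the four files from the first step, as an added example that is not taken from the project's tools directory. The function names, the EC P-256 keys, the lifetimes and the SAN list (`VAULT_SANS`) are assumptions; set the SANs to the names your Vault service is actually reached by.

```sh
#!/bin/sh
# Added example, not the project's own script. ASSUMPTIONS: EC P-256 keys,
# the lifetimes and the SAN list below are illustrative, not from the page.
set -eu
VAULT_SANS="${VAULT_SANS:-DNS:vault,DNS:vault.vault.svc,DNS:localhost,IP:127.0.0.1}"

gen_vault_tls() {   # usage: gen_vault_tls rp-vault/tls
    dir="$1"; mkdir -p "$dir"
    old_umask=$(umask); umask 077   # key files are created 0600
    cat > "$dir/openssl.tmp.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = rp-vault-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_vault]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = $VAULT_SANS
EOF
    ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 $ec -sha256 -days 365 -config "$dir/openssl.tmp.cnf" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem"
    openssl req -new $ec -sha256 -config "$dir/openssl.tmp.cnf" -subj "/CN=vault" \
        -keyout "$dir/vault-key.pem" -out "$dir/vault.csr"
    openssl x509 -req -in "$dir/vault.csr" -sha256 -days 90 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/openssl.tmp.cnf" -extensions v3_vault -out "$dir/vault.pem"
    rm -f "$dir/openssl.tmp.cnf" "$dir/vault.csr" "$dir/ca.srl"
    chmod 644 "$dir/ca.pem" "$dir/vault.pem"; umask "$old_umask"
}

check_vault_tls() { # returns 0 only if all four files exist and are consistent
    dir="$1"
    for f in ca-key.pem ca.pem vault-key.pem vault.pem; do
        [ -s "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    openssl verify -CAfile "$dir/ca.pem" "$dir/vault.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$dir/vault.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/vault-key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "vault.pem/vault-key.pem mismatch" >&2; return 1; }
}

if [ $# -gt 0 ]; then gen_vault_tls "$1" && check_vault_tls "$1"; fi
```

Run it with the target directory as the only argument, for example `rp-vault/tls`. `check_vault_tls` can also be called on its own against files produced another way.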