OpenWare OPEX


#Vault installation and administration


  1. Kite
  2. Helm CLI
  3. Kubernetes (kubectl commands line interface)
  4. Terraform CLI


Initial configuration

Vault deployment configuration is located at config/environments/*environment_name*/vault.yml

[Optional] Create a GCS bucket to serve as a Vault backend(should be automatically created by applying the Terraform configuration):

  gsustil gsutil mb -p *project_name* gs://*bucket_name*

Bucket names are rendered automatically:

Example for GCP

    bucket: "bucket-name" # GCS bucket name
    # This path is used inside of the Kubernetes pod to determine the mounted Secret location so you must not change it
    credentials_file: "/safe/credentials.json"


Run the Vault installation command:

./bin/opex install vault --env *environment_name*

It will do the following things:

  • Create a Kubernetes Secret with the service account key encrypted inside
  • Deploy the Vault chart using Helm
  • Display the post-deploy instructions

After the successful installation you should run kubectl logs *vault-pod-name* and copy the unseal keys and the root access token located at the start of the logs into config/environments/*environment_name*/vault.txt


To finalize the Vault deployment, you should follow these steps:

Create a temporary Vault pod to execute commands from:

kubectl run -i --rm --tty vault-init --image=vault --restart=Never - sh

Export the main Vault adress to access it:

export VAULT_ADDR="http://vault-vault"

Run vault init to initialize the Vault

Unseal the storage by running vault operator unseal *unseal_key* three times with different unseal keys you have in vault.txt

Authorize using your root access token(from vault.txt):

vault login *vault-root-token*

Enable the Vault's TOTP engine

vault secrets enable totp

Policy and token creation

Do not use the root access tokens in production, you must create a Vault policy to be able to create tokens which only have access to paths/secrets used by Barong(everything from the totp secrets engine).

First step is to create a policy limiting access only to totp:

path "totp/*" {
 capabilities = ["create", "read", "update", "delete", "list"]

Save this policy in a file called barong_policy.hcl inside of the environment and apply it:

vault policy write barong acl.hcl

Test if the policy has been loaded by:

vault policy read barong

Finally, create a token with the policy bound to it:

vault token create -policy=barong -period=30m
Key                Value
---                -----
token              fdb90d58-af87-024f-fdcd-9f95039e353a
token_accessor     4cd9177c-034b-a004-c62d-54bc56c0e9bd
token_duration     30m
token_renewable    true
token_policies     [barong]

The resulting token will have a duration of 30 minutes but will be automatically renewed.

The final step is to put the generated token into config/environments/*environment_name*/barong.yml:

Example for GCP

  enabled: true
  adress: "http://vault-vault" # This address is internal to Kubernetes so it shouldn't be changed
  token: "vault-barong-token" # Replace with the generated access token

Congratulations, your Vault is now deployed and fully configured!


How to get Vault's root token?

Copy it from the Pod's logs:

kubectl log <vault-pod-name>

How to list all of the Vault policies?


vault policy list

How to get a Vault's Pod name?

Find vault in the list of pods

kubectl get pods