Set up Vault in an Azure cluster

Dikshant Rai
Published in DevOps.dev
5 min read · Jun 9, 2023

Prerequisites

You must perform these steps from the root account.

You have a Microsoft Azure account. During the steps below we will copy the following values and save them for later use:

  • Tenant ID
  • Client ID
  • Client Secret
  • Subscription ID

Step 1: Configure your terminal with the AKS cluster and run the commands below:

kubectl create namespace vault
kubens vault   # makes vault your default namespace

Step 2: Log in to the Azure portal, i.e. portal.azure.com.

Step 3: Select Azure Active Directory and then select Properties.

Step 4: Copy the Tenant ID shown below the directory name and save it as TENANT_ID.

Step 5: From the side navigation, select App registrations.

Step 6: Select New registration.

Step 7: Enter any name as per your naming convention and click Register.

Step 8: Copy the Application (client) ID shown below the display name and save it as CLIENT_ID.

Step 9: You can now see the application.

Step 10: From the side navigation, select Certificates & secrets.

Step 11: Under the Client secrets, click New client secret.

Step 12: Enter a description in the Description field as per your naming convention, choose an expiry as you prefer, and click Add.

Step 13: Copy the client secret value and save it as CLIENT_SECRET.

Note: make sure to copy the Value, not the Secret ID.

Step 14: From the side navigation, click API permissions.

Step 15: Under Configured permissions, click Add a permission.

Step 16: Under Supported legacy APIs, click Microsoft Graph, which is the recommended option because Azure Active Directory Graph has been deprecated.

Step 17: Click Delegated permissions.

Step 18: Expand User and select the check-box for User.Read.

Step 19: Click Application permissions.

Step 20:

  1. Expand Application and select the check-box for Application.ReadWrite.All.
  2. Expand Directory and select the check-box for Directory.ReadWrite.All.
  3. Click API permissions and it should look like the image below.

Step 21: Click Grant admin consent for azure to grant the permissions.

Step 22: Navigate to the Subscriptions blade, copy the subscription ID and save it as SUBSCRIPTION_ID.

Note: To reach Subscriptions, go to Home; it is shown on the middle left side.

Step 23: Click the name of the subscription.

Step 24: From the side navigation, click Access control (IAM).

Step 25: Click Add and then click Add role assignment.

Step 26: In the Role tab, click Privileged administrator roles and then select Owner.

In the Members tab, choose User, group, or service principal in the Assign access to field.

Enter the application name or application ID in the Select members field.

Click the application when it is displayed.

Note: This application name is the one from Step 7; you can also find it under Azure Active Directory > App registrations.

Step 27: Click Save.

The application is created with the correct permissions and you have these identifiers and credentials:

  • Tenant ID
  • Client ID
  • Client Secret
  • Subscription ID

Step 28: Use these credentials in the values.yaml file that is passed during installation, either through Helm or Terraform.

You can refer to the values.yaml in my repo.

Step 29: To get vault_name, go to the Home page, click Key vaults and create a new vault.

Note: Make sure to choose the same subscription, region and location.

Step 30: To get key_name, click the vault you created in step 29, then on the left-hand side under Objects click Keys.

Step 31: Click Generate/Import, create a key and use that key name in values.yaml.

Step 32: Now we have all the credentials ready.

Step 33: Now run the commands below:
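To show how the values gathered above fit together, here is an added example, not the values.yaml from the author's repo: a POSIX shell script that writes a values-vault-dev.yaml for the hashicorp/vault Helm chart with the azurekeyvault seal, and keeps TENANT_ID, CLIENT_ID and CLIENT_SECRET in a Kubernetes Secret (named vault-azure-creds here, an assumed name) that the chart injects into the pod as environment variables. It assumes the chart keys server.standalone.config and server.extraSecretEnvironmentVars, and the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET variables that Vault's azurekeyvault seal reads; vault_name and key_name are the values from steps 29 to 31.

```shell
#!/bin/sh
# Added example (not from the original post): build a Helm values file that
# enables Azure Key Vault auto-unseal while keeping the client secret out of
# values.yaml. Secret name and file names below are chosen for this example.
set -eu

SECRET_NAME="vault-azure-creds"   # Kubernetes Secret holding the SP credentials (assumed name)

# Write the values file. $1 = output path, $2 = Key Vault name, $3 = key name.
write_values() {
  out="$1"; vault_name="$2"; key_name="$3"
  cat > "$out" <<EOF
server:
  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable     = 1
      }
      storage "file" {
        path = "/vault/data"
      }
      seal "azurekeyvault" {
        vault_name = "${vault_name}"
        key_name   = "${key_name}"
      }
  # Credentials come from the Secret into the pod environment, so the client
  # secret never lands in values.yaml, in git, or in the rendered ConfigMap.
  extraSecretEnvironmentVars:
    - envName: AZURE_TENANT_ID
      secretName: ${SECRET_NAME}
      secretKey: tenant_id
    - envName: AZURE_CLIENT_ID
      secretName: ${SECRET_NAME}
      secretKey: client_id
    - envName: AZURE_CLIENT_SECRET
      secretName: ${SECRET_NAME}
      secretKey: client_secret
EOF
}

# Pre-install check: return 0 when the file carries no inline client_secret
# value in the seal stanza, 1 otherwise. Run it before committing or installing.
values_has_no_plain_secret() {
  ! grep -q 'client_secret *= *"' "$1"
}

# Create the Secret in the vault namespace from the values saved in steps 4-13.
create_secret() {
  kubectl -n vault create secret generic "$SECRET_NAME" \
    --from-literal=tenant_id="$TENANT_ID" \
    --from-literal=client_id="$CLIENT_ID" \
    --from-literal=client_secret="$CLIENT_SECRET" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage: TENANT_ID=... CLIENT_ID=... CLIENT_SECRET=... sh build-values.sh apply <vault_name> <key_name>
if [ "${1:-}" = "apply" ]; then
  write_values values-vault-dev.yaml "$2" "$3"
  values_has_no_plain_secret values-vault-dev.yaml
  create_secret
fi
```

The seal itself only needs key get, wrapKey and unwrapKey permissions on the Key Vault key, which is far narrower than the Owner role assigned to the application in step 26; scoping the service principal down to that key is the first hardening step once the dev setup works.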

helm repo add vault https://helm.releases.hashicorp.com
helm repo list                      # confirm the repo has been added
helm search repo vault --versions   # list all chart versions
# Pick a version; here chart 0.24.1, the latest at the time, which ships Vault 1.13.1
helm install vault vault/vault --values values-vault-dev.yaml --version 0.24.1

After running that command, we can see the pod.

Step 34: Now perform initialisation.
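As an added example (not from the original post) of the initialisation step and the check that should follow it: with the azurekeyvault seal configured, vault operator init issues recovery keys rather than unseal keys, and the pod should report sealed false without any manual unseal. The script below runs init against the pod vault-0 in namespace vault (the chart's default naming) and parses vault status -format=json with sed so it works without jq. The field names type, initialized and sealed are those of Vault's JSON status output; the recovery share counts and the output file name are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): initialise Vault and verify that
# the Azure Key Vault seal is active and the node came up unsealed on its own.
set -eu

# Extract a top-level scalar from `vault status -format=json` output without jq.
# $1 = JSON text, $2 = field name. Prints the value with quotes stripped.
status_field() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}\$/\1/p"
}

# Return 0 only when the status says: initialised, unsealed, seal type azurekeyvault.
# Any other combination (still sealed, shamir seal, not initialised) returns 1.
auto_unseal_ok() {
  if [ "$(status_field "$1" initialized)" = "true" ] &&
     [ "$(status_field "$1" sealed)" = "false" ] &&
     [ "$(status_field "$1" type)" = "azurekeyvault" ]; then
    return 0
  fi
  return 1
}

run_init() {
  # With auto-unseal, -recovery-shares/-recovery-threshold replace the Shamir
  # key shares. The output holds the recovery keys and the initial root token,
  # so it is written to a file readable only by the operator.
  kubectl -n vault exec vault-0 -- vault operator init \
    -recovery-shares=5 -recovery-threshold=3 -format=json > vault-init.json
  chmod 600 vault-init.json
  # `vault status` exits non-zero while sealed; capture the JSON either way.
  kubectl -n vault exec vault-0 -- vault status -format=json || true
}

# Usage: sh init-check.sh run
if [ "${1:-}" = "run" ]; then
  status="$(run_init)"
  if auto_unseal_ok "$status"; then
    echo "vault-0 is initialised and auto-unsealed via Azure Key Vault"
  else
    echo "vault-0 did not auto-unseal; check the seal stanza and the pod logs" >&2
    exit 1
  fi
fi
```

If the check fails, the usual causes are a wrong vault_name or key_name, a client secret that was copied as the Secret ID instead of the Value (step 13), or the application lacking access to the key; the vault-0 logs name the Key Vault error returned by Azure.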
