How do I setup ingress for Vault UI in Kubernetes

4,538 views
Skip to first unread message

Рома Марусик

unread,
Jul 26, 2019, 10:13:43 AM7/26/19
to Vault
I have just installed an Vault on my Kubernetes cluster using. 
I want it to work through my existing ingress controller so I have created a new ingress rule using the yaml below:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: vault-ingress
namespace: vault
annotations:
spec:
rules:
- http:
paths:
- path: /vault
backend:
serviceName: mbv-vault
servicePort: 8200
To my service which runs as:
apiVersion: v1
kind: Service
metadata:
name: mbv-vault
namespace: vault
labels:
module: vault
spec:
selector:
module: vault
ports:
- port: 8200
targetPort: 8200
However, when I try and access my URL: http://localhost:8089/vault/ui
I get empty page with errors
favicon-68e1a9c89026b0efeddf718a48c282a5.png:1 

My configmap:
apiVersion: v1
kind: ConfigMap
metadata:
name: vault
namespace: vault
labels:
module: vault
data:
config.json : '{
"ui": "true",
"disable_mlock": "true",
"listener": [
{
"tcp": {
"address": "0.0.0.0:8200",
"tls_disable": 1
}
}
]
}'
My Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault
namespace: vault
labels:
module: vault
spec:
selector:
matchLabels:
module: vault
replicas: 1
template:
metadata:
labels:
module: vault
spec:
containers:
- name: vault
image: vault
imagePullPolicy: "Always"
command: ["/bin/sh", "-c"]
args:
- vault server -config /vault/config/config.json
securityContext:
capabilities:
add:
- IPC_LOCK
volumeMounts:
- name: configurations
mountPath: /vault/config/config.json
subPath: config.json
env:
- name: VAULT_ADDR
ports:
- containerPort: 8200
imagePullSecrets:
- name: regcred
volumes:
- name: configurations
configMap:
name: vault

How do I setup ingress for Vault UI in Kubernetes?


Michel Vocks

unread,
Jul 29, 2019, 5:47:04 AM7/29/19
to Vault
Hi there!

Vault's UI does not support a subpath. You have to replace the subpath "/vault" with "/" (root).

Cheers,
Michel

Рома Марусик

unread,
Jul 29, 2019, 6:45:32 AM7/29/19
to Vault
So, is it possible to set up UI behind ingress?

понеділок, 29 липня 2019 р. 12:47:04 UTC+3 користувач Michel Vocks написав:

Michel Vocks

unread,
Jul 29, 2019, 8:13:32 AM7/29/19
to Vault
So, is it possible to set up UI behind ingress?

Yes, you just have to bind it to the root path.
I recommend to setup a separate domain/subdomain for it. This allows you to route your Vault traffic only via this domain/subdomain.

Рома Марусик

unread,
Jul 29, 2019, 8:48:21 AM7/29/19
to Vault
Could you please show some example? I can't create another domain, I have one domain with my Ingress, so the UI (and other services) should be : https://ingress.domain/{service name}. I need the Vault UI https://ingress.domain/vault. What should I change in my files?
Thank you in advance

понеділок, 29 липня 2019 р. 15:13:32 UTC+3 користувач Michel Vocks написав:

Рома Марусик

unread,
Jul 29, 2019, 11:44:01 AM7/29/19
to Vault
Do you mean remove from config "api_addr": "http://127.0.0.1:8200/vault",? or from 

- name: VAULT_ADDR

because I've tried but no result

понеділок, 29 липня 2019 р. 15:13:32 UTC+3 користувач Michel Vocks написав:

Michel Vocks

unread,
Jul 30, 2019, 9:11:27 AM7/30/19
to Vault
I need the Vault UI https://ingress.domain/vault.

Like I said, this is (currently) not possble. Vault's UI (and API) is not able to work with domain subpathing.

Cheers,
Michel

Рома Марусик

unread,
Jul 30, 2019, 10:10:10 AM7/30/19
to Vault
Thank you for your help. Hope this will be implemented in the future. It will really helpful because we all using k8s+ingress for microservices.

вівторок, 30 липня 2019 р. 16:11:27 UTC+3 користувач Michel Vocks написав:
Reply all
Reply to author
Forward
0 new messages