vault — Secret Storage

Vault provides the storage for secrets which are materialized into Phalanx applications as Kubernetes Secrets.

It is simply the Official Hashicorp Helm chart for Vault configured the way we require.

It is intended to run under Roundtable, and there should only be one production and one development instance per organization-with-its-own-secret-store.

The Vault Agent Injector is not enabled since we instead use the Vault Secrets Operator.

Vault is configured in HA mode with a public API endpoint accessible at vault.lsst.cloud, or vault-dev.lsst.cloud for the development instance. TLS termination is done at the nginx ingress layer using a Let’s Encrypt server certificate.

To directly manipulate the secrets stored in this Vault instance, use lsstvaultutils . However, in normal operation, secrets will be managed via each application’s secrets.yaml and manual interaction with Vault and its data will not be necessary.

Guides

• Seal configuration
• Changing seal keys
• External configuration
• Vault Migration
• Upgrading Vault
  • Changing Vault configuration
  • Upgrade Process
• Vault Helm values reference