Vault HashiCorp Provisioning
Laralord automates the deployment of Vault HashiCorp, a robust secrets management solution, within your Kubernetes cluster. Vault securely stores and manages sensitive data such as API keys, passwords, and certificates, controls access to it, and integrates seamlessly with your Laravel applications. This page details the Vault service and Vault Secrets Operator deployed by Laralord, including their configurations, features, and benefits for multi-tenant SaaS applications.

Vault HashiCorp Overview
Vault HashiCorp is an industry-standard tool for managing secrets and sensitive data in cloud-native environments. It provides secure storage, dynamic secret generation, and fine-grained access control, making it ideal for multi-tenant SaaS applications. Laralord provisions Vault as a default service in your Kubernetes cluster, enabling secure secret management for your Laravel applications and tenants.
Vault Deployment Details
Laralord deploys Vault HashiCorp in a high-availability (HA) configuration within the databases namespace of your Kubernetes cluster. The deployment uses the official Vault Helm chart (version 0.25.0) from HashiCorp’s Helm repository. Below are the key aspects of the Vault deployment:
- High Availability (HA) Mode: Vault is configured with HA enabled, ensuring resilience and failover. The HA setup uses the Raft consensus protocol for data replication and leader election.
- Replicas: Two Vault pods are deployed to provide redundancy and fault tolerance.
- Namespace: Vault is installed in the databases namespace, isolating it from other services for better organization and security.
- Automatic Pod Management: The deployment ensures pods are recreated or updated as needed to maintain consistency and apply configuration changes.
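The deployment described above, expressed as values for the official Vault Helm chart. This is an added example, not Laralord's own configuration: the keys are the chart's, the storage size is an assumption, and the comments spell out how the replica count relates to Raft's majority requirement.

```yaml
# values.yaml (added example; the values Laralord actually passes are not
# shown on this page). Applied with:
#   helm install vault hashicorp/vault --version 0.25.0 -n databases -f values.yaml
server:
  ha:
    enabled: true       # "High Availability (HA) Mode"
    replicas: 2         # "Two Vault pods"
    raft:
      enabled: true     # integrated storage: replication and leader election
      setNodeId: true   # use the pod name as the Raft node ID
  dataStorage:
    enabled: true       # each replica keeps its Raft data on its own volume
    size: 10Gi          # assumed size, not taken from this page
ui:
  enabled: true         # web UI described under "Key Features"

# Raft can elect a leader and commit writes only while a majority of voters
# is reachable: majority = floor(n / 2) + 1.
#   n = 2 -> majority 2 -> tolerates 0 unreachable voters
#   n = 3 -> majority 2 -> tolerates 1
#   n = 5 -> majority 3 -> tolerates 2
# Check the live voter set with: vault operator raft list-peers
```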
Vault Secrets Operator
Alongside Vault, Laralord deploys the Vault Secrets Operator (version 0.8.0) in the same databases namespace. The operator enhances Vault’s integration with Kubernetes by automating secret management workflows. Key details include:
- Purpose: The Vault Secrets Operator synchronizes secrets from Vault to Kubernetes, allowing applications to access secrets as Kubernetes secrets or environment variables.
- Static Secret Rendering: The operator is configured to refresh static secrets every 30 seconds, ensuring applications receive up-to-date credentials.
- Deployment Stability: The operator is deployed with options to replace, force update, and recreate pods, ensuring consistent behavior during upgrades or changes.
Key Features
The Vault and Vault Secrets Operator deployment by Laralord provides the following features:
- Secure Secret Storage: Vault stores sensitive data (e.g., database credentials, API keys) with encryption at rest and in transit.
- Dynamic Secrets: Generate short-lived credentials for databases, cloud services, or other systems, reducing the risk of credential leaks.
- Kubernetes Integration: The Vault Secrets Operator seamlessly syncs secrets to Kubernetes, making them accessible to your Laravel applications.
- High Availability: The HA setup with Raft ensures Vault remains available even during pod failures.
- User-Friendly UI: Vault includes a web-based interface for managing secrets, policies, and access controls, accessible via Laralord’s SSO-protected UI.
- Policy-Based Access Control: Define fine-grained access policies to restrict secret access to specific tenants or applications.
Why Vault HashiCorp?
Vault HashiCorp is a trusted solution for secrets management, chosen by Laralord for its robust features and Kubernetes compatibility. Key advantages include:
- Kubernetes-Native Integration: Vault and the Vault Secrets Operator integrate seamlessly with Kubernetes, syncing secrets directly to pods or Kubernetes secrets.
- High Availability: The HA configuration with Raft ensures reliability for mission-critical applications.
- Rich API and UI: Vault’s API supports advanced automation, while the UI allows non-technical users to manage secrets easily.
- Community and Ecosystem Support: Vault is widely adopted, with extensive documentation, plugins, and community resources.
Integration with Laralord
Vault is a core component of Laralord’s multi-tenant SaaS platform, enabling secure secret management for tenants and applications. Key integrations include:
- Tenant Secret Management: Each tenant’s credentials (e.g., database passwords, API keys) are stored in Vault, with isolated access policies to ensure security.
- SSO-Protected UI: Access Vault’s web interface through Laralord’s frontend, secured with Single Sign-On (SSO) and mTLS encryption.
- Automatic Secret Injection: The Vault Secrets Operator injects secrets into tenant applications, such as the Laravel CRM demo, without manual configuration.
- Custom Domain Support: Secrets for custom domains (e.g., TLS certificates) are managed by Vault and integrated with Laralord’s Cert Manager and APISIX Gateway.
- Argo CD Integration: Vault secrets are used to authenticate Argo CD for private repository access during application deployments.
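How the operator's static-secret sync and per-tenant isolation can look as Vault Secrets Operator resources. This is an added example, not manifests generated by Laralord: the tenant namespace, resource names, Vault role, KV mount and path, and Deployment name are all hypothetical.

```yaml
# Added example with hypothetical names throughout (tenant-a, laravel-crm, ...).
# The tenant authenticates to Vault with its own service account; the Vault
# role "tenant-a" is assumed to be bound to a policy that can read only
# this tenant's path.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: tenant-a-auth
  namespace: tenant-a
spec:
  method: kubernetes
  mount: kubernetes              # assumed Kubernetes auth mount in Vault
  kubernetes:
    role: tenant-a
    serviceAccount: tenant-a-app
    audiences:
      - vault
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: tenant-a-db
  namespace: tenant-a
spec:
  vaultAuthRef: tenant-a-auth
  mount: secret                  # assumed KV v2 mount
  type: kv-v2
  path: tenants/tenant-a/database
  refreshAfter: 30s              # the 30-second refresh described on this page
  destination:
    name: tenant-a-db            # Kubernetes Secret written by the operator
    create: true
  rolloutRestartTargets:         # restart the app when the secret changes
    - kind: Deployment
      name: laravel-crm
# The synced value is stored as an ordinary Kubernetes Secret in the tenant
# namespace, so RBAC on that namespace decides who can read it there.
```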
Vault Enterprise Integration
If you would like to use or integrate Vault Enterprise, please contact us at [email protected]. Currently, Laralord does not offer a direct integration solution for Vault Enterprise, but we are happy to discuss your requirements and explore potential solutions. This ensures compliance with HashiCorp’s licensing requirements for enterprise use cases.