// Add steps as necessary for accessing the software, post-configuration, and testing. Don’t include full usage instructions for your software, but add links to your product documentation for that information. //Should any sections not be applicable, remove them == Post deployment steps === Kubernetes Consul deployment namespace and dedicated node selection This deployment creates a `vault-server` namespace by default. Verify the namespace in Kubernetes: ---- $ kubectl get ns NAME STATUS AGE default Active 4d7h kube-node-lease Active 4d7h kube-public Active 4d7h kube-system Active 4d7h vault-server Active 30m ---- This deployment builds Kubernetes server pods on dedicated nodes in the `vault-server` namespace. Verify the nodes: ---- $ kubectl get pods -o wide -n vault-server NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES boot-vault-sg-01f5e0c0d6458ed88-5hrf8 0/1 Completed 0 25m 10.0.32.188 ip-10-0-60-134.eu-north-1.compute.internal boot-vault-sg-01f5e0c0d6458ed88-dfwkp 0/1 Error 0 27m 10.0.59.145 ip-10-0-60-134.eu-north-1.compute.internal certificate-vault-sg-01f5e0c0d6458ed88-24h6n 0/1 Completed 0 29m 10.0.30.86 ip-10-0-16-209.eu-north-1.compute.internal vault-sg-01f5e0c0d6458ed88-0 1/1 Running 0 26m 10.0.12.215 ip-10-0-6-233.eu-north-1.compute.internal vault-sg-01f5e0c0d6458ed88-1 1/1 Running 0 26m 10.0.64.124 ip-10-0-86-92.eu-north-1.compute.internal vault-sg-01f5e0c0d6458ed88-2 1/1 Running 0 26m 10.0.55.38 ip-10-0-60-134.eu-north-1.compute.internal vault-sg-01f5e0c0d6458ed88-agent-injector-b76f744b6-6pjp9 1/1 Running 0 26m 10.0.86.51 ip-10-0-86-92.eu-north-1.compute.internal ---- ==== Kubernetes services Check that this deployment creates at least the following seven services: ---- $ kubectl get svc -n vault-server NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE vault-sg-01f5e0c0d6458ed88 ClusterIP 172.20.238.238 8200/TCP,8201/TCP 27m vault-sg-01f5e0c0d6458ed88-active ClusterIP 172.20.9.90 8200/TCP,8201/TCP 27m vault-sg-01f5e0c0d6458ed88-agent-injector-svc ClusterIP 172.20.235.220 443/TCP 27m vault-sg-01f5e0c0d6458ed88-internal ClusterIP None 8200/TCP,8201/TCP 27m vault-sg-01f5e0c0d6458ed88-standby ClusterIP 172.20.169.201 8200/TCP,8201/TCP 27m vault-sg-01f5e0c0d6458ed88-ui LoadBalancer 172.20.59.230 a4b85f61XXXXXXXXX01d-1681023831.eu-north-1.elb.amazonaws.com 443:32436/TCP 27m ---- ==== Vault configuration Verify that Vault is configured for high availability (HA): ---- $ kubectl exec -ti -n vault-server vault-sg-01f5e0c0d6458ed88-0 -- /bin/sh / $ export VAULT_SKIP_VERIFY=true / $ vault login s.JWF4aXXXXXXXXXXXXX9cgZ Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value --- ----- token s.JWF4aKPXXXXXXXXXXXojl9cgZ token_accessor xceUAbCKAAS86OKupBK2Bhlr token_duration ∞ token_renewable false token_policies ["root"] identity_policies [] policies ["root"] / $ vault status Key Value --- ----- Recovery Seal Type shamir Initialized true Sealed false Total Recovery Shares 5 Threshold 3 Version 1.5.3 Cluster Name vault-cluster-9abfeb1c Cluster ID f04374ee-3ebe-4e0f-fa50-892d48421e70 HA Enabled true HA Cluster https://vault-sg-01f5e0c0d6458ed88-0.vault-sg-01f5e0c0d6458ed88-internal:8201 HA Mode active Raft Committed Index 119 Raft Applied Index 119 ---- In the previous output, note values for `HA Enabled`, `HA Cluster`, and `HA Mode` configuration entries. ==== Vault UI Secure Socket Layer (SSL) certificate Verify the DNS endpoint of the deployment, and check for the SSL certificate: ---- $ openssl s_client -connect lonconsul.gargana.myinstance.com:443 CONNECTED(00000007) depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 verify return:1 depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon verify return:1 depth=0 CN = lonconsul.gargana.myinstance.com verify return:1 --- Certificate chain 0 s:CN = lonconsul.gargana.myinstance.com i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon i:C = US, O = Amazon, CN = Amazon Root CA 1 2 s:C = US, O = Amazon, CN = Amazon Root CA 1 i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIFrDCCBJSgAwIBAgIQA+/KZ0HG5aT6xAZLv0NjlDANBgkqhkiG9w0BAQsFADBG MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0yMDEwMTUwMDAwMDBaFw0yMTExMTMy MzU5NTlaMCsxKTAnBgNVBAMTIGxvbmNvbnN1bC5nYXJnYW5hLm15aW5zdGFuY2Uu .... .... .... .... NOEMjRe008xraTpAzfSjr2fupjltJB6lXehPe5sJaWPJ0mX3OBt4VyfrO6MYdmpy iGLhMXM357+CN75aMv1BD4pVA+a75dhvcUOfZCni4guQ+7wbbwONrKdwtg9FudWf XzvTdg1Q8VPfuQWUJb8tmITseg+8KDTyUn1u2SiNWHj17hBTSBTjkVt97id0BtZ/ UYrBWVldmJw0pJ6XYgQc6pBg6A86390sGkRzOfhYkT8AIbKNKSwtCRV0aBY2Nb4+ i81nP0KKeSvWcRf4/Gj+WA== -----END CERTIFICATE----- subject=CN = lonconsul.gargana.myinstance.com issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon --- ---- ==== Vault Raft-peer election Check the Raft-peer election status: ---- $ kubectl exec -ti -n vault-server vault-sg-01f5e0c0d6458ed88-0 -- /bin/sh / $ vault operator raft list-peers Node Address State Voter ---- ------- ----- ----- vault-sg-01f5e0c0d6458ed88-0 vault-sg-01f5e0c0d6458ed88-0.vault-sg-01f5e0c0d6458ed88-internal:8201 leader true vault-sg-01f5e0c0d6458ed88-1 vault-sg-01f5e0c0d6458ed88-1.vault-sg-01f5e0c0d6458ed88-internal:8201 follower true vault-sg-01f5e0c0d6458ed88-2 vault-sg-01f5e0c0d6458ed88-2.vault-sg-01f5e0c0d6458ed88-internal:8201 follower true ---- === Best practices for using Vault on AWS The following best practices are enabled by default for this Quick Start: * Enabled AWS KMS auto-unseal: This uses AWS KMS to store and encrypt Vault's unseal keys. For more information, see https://learn.hashicorp.com/tutorials/vault/autounseal-aws-kms[Auto-unseal using AWS KMS^]. * Enable cluster HA: This helps to ensure that Vault is set up for fault tolerance. For more information, see https://learn.hashicorp.com/tutorials/vault/raft-storage?in=vault/interactive[Vault HA Cluster with Integrated Storage^]. * Enable Raft storage for HA: This sets up the Raft consensus protocol as Vault's storage backend. For more information, see https://learn.hashicorp.com/tutorials/vault/raft-ha-storage?in=vault/interactive[Use Integrated Storage for HA Coordination^]. * Enable Vault audit to Amazon CloudWatch: This lets you troubleshoot audit logs. For more information, see https://learn.hashicorp.com/tutorials/vault/troubleshooting-vault#enabling-audit-devices[Enabling audit devices^]. * Enable SSL at the Vault UI endpoint: This helps to secure the Vault UI endpoint with an SSL certificate. For more information, see https://www.vaultproject.io/docs/configuration/ui[Vault UI^]. == Other useful information //Provide any other information of interest to users, especially focusing on areas where AWS or cloud usage differs //from on-premises usage. * https://www.vaultproject.io/docs/platform/k8s[{partner-product-short-name} Kubernetes integration, role=external, window=_blank]