Prod/HA HashiCorp-Vault Integration with Kubernetes

Aditya Patil

🔐 Secrets deserve better than config files!

🚀 Learn how to set up Production-Grade HA HashiCorp Vault inside Kubernetes for secure, scalable, and seamless secret management.

Stage - I

1. Launch EC2 Instance

Launch EC2 with Instance-type = t2.medium

Security Group Ports Allowed: 3000-11000, 587, 80, 443, 22 (Anywhere)

Login to Instance

ssh -i <your-key.pem> ubuntu@<ec2-public-ip>
sudo apt update

Connects to the EC2 instance using SSH and updates package lists

Create IAM Role and Attach to EC2 instance:

i) Go to -- IAM -- Create User -- Attach Permissions -- Administrator Access -- Create Access/Secret Keys

ii) Create role -- Attach to EC2 Instance

2. Install AWS CLI

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
sudo apt install unzip
unzip awscliv2.zip
sudo ./aws/install

3. Configure your Instance

aws configure

Installs and configures AWS CLI v2 on the system

4. Install Terraform

sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install terraform -y
terraform -version

Installs HashiCorp Terraform and verifies the installation

5. Clone Terraform Code For EKS

git clone https://github.com/jaiswaladi246/Mega-Project-Terraform.git

cd Mega-Project-Terraform
terraform init
terraform plan
terraform apply -auto-approve

It will create the EKS Cluster for you

6. Configure Kubeconfig

aws eks --region ap-south-1 update-kubeconfig --name devopsshack-cluster

Fetches the EKS cluster details and updates the kubeconfig file so that kubectl can communicate with the specified EKS cluster

7. Install kubectl

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client

Installs kubectl and verifies client version

Alternative kubectl install (manual)

#chmod +x kubectl
#mkdir -p ~/.local/bin
#mv ./kubectl ~/.local/bin/kubectl
# and then append (or prepend) ~/.local/bin to $PATH

Alternative manual method for placing kubectl in PATH
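The kubectl step downloads kubectl.sha256 alongside the binary; the download is only worth trusting if that digest is actually compared before the binary is installed. The following is an added example (not code from the original post): a POSIX shell function that verifies a downloaded file against its checksum file, accepting both the bare-hash layout dl.k8s.io publishes and the coreutils "hash  filename" layout, plus a hypothetical install_verified helper that installs only after the check passes. The demo at the bottom uses a constructed stand-in file, not a real kubectl download.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded binary
# against its published SHA-256 before it is installed onto PATH.
# Accepts both checksum layouts: a bare hash (as dl.k8s.io publishes in
# kubectl.sha256) and the coreutils "<hash>  <filename>" layout.
# Returns 0 on match, 1 on mismatch or malformed input.
verify_sha256() {
  file="$1"
  sumfile="$2"
  if [ ! -f "$file" ] || [ ! -f "$sumfile" ]; then
    echo "verify_sha256: missing file or checksum file" >&2
    return 1
  fi
  # First whitespace-separated token of the first line, lower-cased, CRLF stripped.
  expected=$(tr -d '\r' < "$sumfile" | awk 'NR==1 {print tolower($1)}')
  # A SHA-256 digest is exactly 64 hex characters; reject anything else.
  case "$expected" in
    *[!0-9a-f]* | "") echo "verify_sha256: malformed checksum in $sumfile" >&2; return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "verify_sha256: checksum is not 64 hex chars" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{print $1}')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $sumfile"
    return 0
  fi
  echo "FAIL: $file sha256 $actual, expected $expected" >&2
  return 1
}

# install_verified (hypothetical helper): install only after the check passes.
install_verified() {
  verify_sha256 "$1" "$2" || return 1
  sudo install -o root -g root -m 0755 "$1" "/usr/local/bin/$(basename "$1")"
}

# Self-contained demo with a constructed stand-in for the kubectl download.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for the kubectl binary\n' > "$demo_dir/kubectl"
sha256sum "$demo_dir/kubectl" | awk '{print $1}' > "$demo_dir/kubectl.sha256"
verify_sha256 "$demo_dir/kubectl" "$demo_dir/kubectl.sha256"   # prints OK
printf 'tampered\n' >> "$demo_dir/kubectl"                       # simulate a corrupted download
if ! verify_sha256 "$demo_dir/kubectl" "$demo_dir/kubectl.sha256"; then
  echo "download rejected, nothing installed"
fi
rm -rf "$demo_dir"
```

The same function can be used for the eksctl and Helm tarballs fetched later in this post wherever the publisher provides a checksum file for the archive.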

8. Install eksctl

curl -sLO "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz"
tar -xzf eksctl_$(uname -s)_amd64.tar.gz
sudo mv eksctl /usr/local/bin
eksctl version

Installs eksctl (EKS cluster management tool) and verifies version


9. Install HELM

We will use Helm to install Vault into the cluster.

sudo apt update && sudo apt upgrade -y
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Alternatively, install a pinned version from the release tarball:

wget https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz
tar -zxvf helm-v3.14.0-linux-amd64.tar.gz
sudo mv linux-amd64/helm /usr/local/bin/helm
helm version

Installs Helm 3 package manager and verifies installation

10. Associate IAM OIDC Provider

eksctl utils associate-iam-oidc-provider --region ap-south-1 --cluster devopsshack-cluster --approve

Associates an IAM OIDC provider with the EKS cluster to enable IAM Roles for Service Accounts (IRSA), so that a Kubernetes service account can be granted access to other AWS resources, e.g. pods that require access to an EBS volume

11. Create the Service Account

Create IAM Service Account for EBS CSI Driver

eksctl create iamserviceaccount \
  --region ap-south-1 \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --cluster devopsshack-cluster \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve \
  --override-existing-serviceaccounts

Creates an IAM service account in the kube-system namespace for the EBS CSI controller, attaches the required AmazonEBSCSIDriverPolicy, and associates it with the EKS cluster. This service account is the identity the driver uses to provision EBS volumes

Deploy AWS EBS CSI Driver, NGINX Ingress Controller, Cert-Manager

kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/ecr/?ref=release-1.11"
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

Commands Explanation:

  • Deploys the AWS EBS CSI Driver to enable dynamic EBS volume provisioning in the EKS cluster

  • Installs NGINX ingress controller for managing external access to Kubernetes services

  • Installs Cert-Manager for automatic SSL/TLS certificate management in the cluster

Everything up to this point is EKS cluster configuration.

We have now successfully created and configured a cluster.


Stage -II

Let's begin with the Vault setup

Written by

Aditya Patil