---
layout: docs
page_title: Running Vault - OpenShift
description: >-
  Vault can run directly on OpenShift in various configurations. For
  pure-OpenShift workloads, this enables Vault to also exist purely within
  Kubernetes.
---

# Run Vault on OpenShift

The following documentation describes installing, running and using
Vault and Vault Agent Injector on OpenShift.

## Requirements

The following are required to install Vault and Vault Agent Injector
on OpenShift:

- Cluster Admin privileges to bind the `auth-delegator` role to Vault's service account
- Helm v3
- OpenShift 4.X
- Vault Helm v0.6.0+
- Vault K8s v0.4.0+

~> **Note:** At this time, Consul does not support OpenShift. For highly available
deployments, Raft integrated storage is recommended.

## Additional Resources

The documentation, configuration and examples for Vault Helm and Vault K8s Agent Injector
are applicable to OpenShift installations. For more examples see the existing documentation:

- [Vault Helm documentation](/docs/platform/k8s/helm)
- [Vault K8s documentation](/docs/platform/k8s/injector)

## Helm Chart

The [Vault Helm chart](https://github.com/hashicorp/vault-helm)
is the recommended way to install and configure Vault on OpenShift.
In addition to running Vault itself, the Helm chart is the primary
method for installing and configuring the Vault Agent Injection Mutating
Webhook.

While the Helm chart automatically sets up complex resources and exposes the
configuration to meet your requirements, it **does not automatically operate
Vault.** You are still responsible for learning how to monitor, back up, upgrade,
etc. the Vault cluster.

~> **Security Warning:** By default, the chart runs in standalone mode. This
mode uses a single Vault server with a file storage backend. This is a less
secure and less resilient installation that is **NOT** appropriate for a
production setup.
It is highly recommended to use a [properly secured Kubernetes
cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/),
[learn the available configuration
options](/docs/platform/k8s/helm/configuration), and read the [production deployment
checklist](/docs/platform/k8s/helm/run#architecture).

## How-To

### Install Vault

To use the Helm chart, add the HashiCorp Helm repository and check that you have
access to the chart:

```shell-session
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm search repo hashicorp/vault
NAME            CHART VERSION   APP VERSION DESCRIPTION
hashicorp/vault 0.13.0          1.7.3       Official HashiCorp Vault Chart
```

-> **Important:** The Helm chart is new and under significant development.
Please always run Helm with `--dry-run` before any install or upgrade to verify
changes.

Use `helm install` to install the latest release of the Vault Helm chart.

```shell-session
$ helm install vault hashicorp/vault
```

Or install a specific version of the chart.

```shell-session
# List the available releases
$ helm search repo hashicorp/vault -l
NAME            CHART VERSION   APP VERSION DESCRIPTION
hashicorp/vault 0.13.0          1.7.3       Official HashiCorp Vault Chart
hashicorp/vault 0.12.0          1.7.2       Official HashiCorp Vault Chart
hashicorp/vault 0.11.0          1.7.0       Official HashiCorp Vault Chart
hashicorp/vault 0.10.0          1.7.0       Official HashiCorp Vault Chart
hashicorp/vault 0.9.1           1.6.2       Official HashiCorp Vault Chart
hashicorp/vault 0.9.0           1.6.1       Official HashiCorp Vault Chart
hashicorp/vault 0.8.0           1.5.4       Official HashiCorp Vault Chart
hashicorp/vault 0.7.0           1.5.2       Official HashiCorp Vault Chart
hashicorp/vault 0.6.0           1.4.2       Official HashiCorp Vault Chart

# Install version 0.13.0
$ helm install vault hashicorp/vault --version 0.13.0
```

The `helm install` command accepts parameters to override default configuration
values inline or defined in a file. For all OpenShift deployments, `global.openshift`
should be set to `true`.

Override the `server.dev.enabled` configuration value:

```shell-session
$ helm install vault hashicorp/vault \
    --set "global.openshift=true" \
    --set "server.dev.enabled=true"
```

Override all the configuration found in a file:

```shell-session
$ cat override-values.yml
global:
  openshift: true

server:
  ha:
    enabled: true
    replicas: 5
##
$ helm install vault hashicorp/vault \
    --values override-values.yml
```

#### Dev mode

The Helm chart may run a Vault server in development mode. This installs a single
Vault server with a memory storage backend.

-> **Dev mode:** This is ideal for learning and demonstration environments but
NOT recommended for a production environment.

Install the latest Vault Helm chart in development mode.

```shell-session
$ helm install vault hashicorp/vault \
    --set "global.openshift=true" \
    --set "server.dev.enabled=true"
```

#### Highly Available Raft Mode

The following creates a Vault cluster using the Raft integrated storage backend.

Install the latest Vault Helm chart in HA Raft mode:

```shell-session
$ helm install vault hashicorp/vault \
    --set='global.openshift=true' \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true'
```

Next, initialize and unseal the `vault-0` pod. `vault operator init` prints the
unseal keys and the initial root token, and `vault operator unseal` prompts for
one unseal key per run, so repeat it until the key threshold is reached:

```shell-session
$ oc exec -ti vault-0 -- vault operator init
$ oc exec -ti vault-0 -- vault operator unseal
```

Finally, join the remaining pods to the Raft cluster and unseal them. The pods
need to communicate directly, so configure them to use the internal
service provided by the Helm chart:

```shell-session
$ oc exec -ti vault-1 -- vault operator raft join http://vault-0.vault-internal:8200
$ oc exec -ti vault-1 -- vault operator unseal

$ oc exec -ti vault-2 -- vault operator raft join http://vault-0.vault-internal:8200
$ oc exec -ti vault-2 -- vault operator unseal
```

To verify that the Raft cluster has been successfully initialized, run the following.

First, log in using the `root` token on the `vault-0` pod:

```shell-session
$ oc exec -ti vault-0 -- vault login
```

Next, list all the Raft peers:

```shell-session
$ oc exec -ti vault-0 -- vault operator raft list-peers

Node                                    Address                        State       Voter
----                                    -------                        -----       -----
a1799962-8711-7f28-23f0-cea05c8a527d    vault-0.vault-internal:8201    leader      true
e6876c97-aaaa-a92e-b99a-0aafab105745    vault-1.vault-internal:8201    follower    true
4b5d7383-ff31-44df-e008-6a606828823b    vault-2.vault-internal:8201    follower    true
```

Vault with integrated storage (Raft) is now ready to use!
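
The peer check above can be scripted so that a skipped `raft join` or a missing leader is caught automatically. The following is an added example, not part of the Vault documentation: `check_raft_peers` is a hypothetical helper that reads `vault operator raft list-peers` output and fails unless there is exactly one leader and the expected number of voters. The sample tables are constructed from the output shown on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the Vault documentation.
# check_raft_peers EXPECTED_VOTERS (hypothetical helper) reads the list-peers
# table on stdin and returns 0 only with one leader and EXPECTED_VOTERS voters.
check_raft_peers() {
  awk -v expected="$1" '
    { sub(/\r$/, "") }   # tolerate CRLF when output came through a TTY
    NF == 0 || $1 == "Node" || $1 ~ /^-+$/ { next }   # blank, header, rule
    {
      if ($3 == "leader") { leaders++ }
      if ($4 == "true") { voters++ }
      else { printf "non-voter: %s (%s)\n", $1, $2 > "/dev/stderr" }
    }
    END {
      if (leaders + 0 != 1) {
        printf "expected 1 leader, found %d\n", leaders > "/dev/stderr"
        bad = 1
      }
      if (voters + 0 != expected + 0) {
        printf "expected %d voters, found %d\n", expected, voters > "/dev/stderr"
        bad = 1
      }
      exit bad + 0
    }'
}

# Constructed sample: the healthy three-node table shown on this page.
sample_healthy() {
  cat <<'EOF'
Node                                    Address                        State       Voter
----                                    -------                        -----       -----
a1799962-8711-7f28-23f0-cea05c8a527d    vault-0.vault-internal:8201    leader      true
e6876c97-aaaa-a92e-b99a-0aafab105745    vault-1.vault-internal:8201    follower    true
4b5d7383-ff31-44df-e008-6a606828823b    vault-2.vault-internal:8201    follower    true
EOF
}

# Constructed sample: vault-2 never joined (for example, raft join was skipped).
sample_degraded() { sample_healthy | grep -v 'vault-2'; }

# Offline demonstration against the constructed sample.
sample_healthy | check_raft_peers 3 && echo "raft peers OK"

# Live use, after logging in on vault-0 as in the steps above:
#   oc exec vault-0 -- vault operator raft list-peers | check_raft_peers 3
```
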

#### External mode

The Helm chart may be run in external mode. This installs no Vault server and
relies on a network-addressable Vault server to exist.

Install the latest Vault Helm chart in external mode.

```shell-session
$ helm install vault hashicorp/vault \
    --set "global.openshift=true" \
    --set "injector.externalVaultAddr=http://external-vault:8200"
```

-> **Step-by-step instructions:** The [Integrate a Kubernetes Cluster with an
External Vault](https://learn.hashicorp.com/vault/getting-started-k8s/external-vault)
guide demonstrates using an external Vault within a Kubernetes cluster.