Configuring Vault for Dev Mode and Audit Log Ingestion into Apica Ascent in OCI.
Step 1: Create a Namespace for Vault
Create a namespace named vault:
kubectl create namespace vault
kubectl get namespace
Step 2: Create a Persistent Volume Claim (PVC) with AccessMode ReadWriteOnce
Apply the PVC configuration for the Vault namespace:
kubectl apply -f vault-pvc.yaml -n vault
kubectl get pvc -n vault
Common Error:
If you encounter the following error:
failed to provision volume with StorageClass "oci-bv": rpc error: code = InvalidArgument desc = invalid volume capabilities requested. Only SINGLE_NODE_WRITER is supported ('accessModes.ReadWriteOnce' on Kubernetes)
OCI block volumes are provisioned as ReadWriteOnce only. Keep ReadWriteOnce for now and update the Persistent Volume (PV) to ReadWriteMany mode after the pods are in the running state (see Step 3).
Step 3: Install Vault in Dev Mode and Verify the Installation
Install Vault in dev mode with Helm and enable the UI:
# requires the hashicorp Helm repo: helm repo add hashicorp https://helm.releases.hashicorp.com
helm upgrade --install vault hashicorp/vault \
  --set 'server.dev.enabled=true' \
  --set 'ui.enabled=true' \
  --set 'ui.serviceType=LoadBalancer' \
  --namespace vault -f server.yaml --debug
kubectl get all -n vault
Verify the pods are in the running state, then edit the PV to change the access mode:
# PersistentVolumes are cluster-scoped, so no namespace flag is needed
kubectl get pv
kubectl edit pv/<PV name>
Update the access mode from ReadWriteOnce to ReadWriteMany and save the configuration:
spec:
  accessModes:
    - ReadWriteMany
Step 4: Enable Audit Logs from the CLI
Access the Vault pod and enable audit logs:
kubectl exec -it pod/vault-0 -n vault -- sh
vault login root
vault audit list
vault audit enable file file_path=/vault/logs/vault-audit.log log_format=json
vault audit list
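Before these audit entries leave the cluster (Step 6 ships them to Apica Ascent), it is worth confirming what they contain. Vault writes one JSON object per line and, by default, replaces token values with an HMAC ("hmac-sha256:..."). The script below is an added example, not part of the original guide: it summarises each entry (type, operation, path, caller) and flags any line where a client_token is not HMAC'd. It uses only POSIX sh, sed and grep, so it can be run inside the vault pod against /vault/logs/vault-audit.log. The two log lines embedded in it are constructed samples in the shape of Vault's log_format=json output, not output from this cluster.

```shell
#!/bin/sh
# Added example (not from the original guide). Inspect Vault file-audit JSON
# lines with POSIX sh + sed/grep only. SAMPLE_OK and SAMPLE_BAD are CONSTRUCTED
# lines in the shape of Vault's log_format=json audit output; the raw
# "hvs.PLACEHOLDER" token in SAMPLE_BAD is a fake value used to show detection.

SAMPLE_OK='{"time":"2024-05-01T10:00:00Z","type":"response","auth":{"client_token":"hmac-sha256:1f2e3d","accessor":"hmac-sha256:9a8b7c","display_name":"root","policies":["root"]},"request":{"id":"req-1","operation":"update","client_token":"hmac-sha256:1f2e3d","path":"secret/data/demo","remote_address":"10.0.0.5"},"response":{"mount_type":"kv"}}'
SAMPLE_BAD='{"time":"2024-05-01T10:00:01Z","type":"request","auth":{"client_token":"hvs.PLACEHOLDER","display_name":"root"},"request":{"id":"req-2","operation":"read","client_token":"hvs.PLACEHOLDER","path":"secret/data/demo","remote_address":"10.0.0.5"}}'

# json_field KEY LINE: value of a string key that occurs once per audit entry
# (type, operation, path, display_name). The leading '"' in the pattern keeps
# e.g. "mount_type" from matching "type".
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# audit_summary LINE -> "<type> <operation> <path> by <display_name>"
audit_summary() {
  line=$1
  printf '%s %s %s by %s\n' \
    "$(json_field type "$line")" "$(json_field operation "$line")" \
    "$(json_field path "$line")" "$(json_field display_name "$line")"
}

# audit_tokens_hmaced LINE -> 0 if every client_token is an HMAC, 1 otherwise.
# Strip the properly HMAC'd tokens; anything left is a raw token value.
audit_tokens_hmaced() {
  if printf '%s\n' "$1" | sed 's/"client_token":"hmac-sha256:[^"]*"//g' \
      | grep -q '"client_token"'; then
    return 1
  fi
  return 0
}

# audit_scan FILE: print a summary per entry; return 1 if any raw token is seen
audit_scan() {
  bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if audit_tokens_hmaced "$line"; then flag=ok; else flag=RAW-TOKEN; bad=1; fi
    printf '%s [%s]\n' "$(audit_summary "$line")" "$flag"
  done < "$1"
  return $bad
}

# Demo on the constructed samples; inside the pod use:
#   audit_scan /vault/logs/vault-audit.log
tmp=${TMPDIR:-/tmp}/audit-demo.$$
printf '%s\n%s\n' "$SAMPLE_OK" "$SAMPLE_BAD" > "$tmp"
if audit_scan "$tmp"; then
  echo "all tokens HMAC'd"
else
  echo "raw token found: check the audit device configuration before shipping logs"
fi
rm -f "$tmp"
```

The first-match sed approach is deliberately limited to keys that appear exactly once per entry; for anything richer (nested response data, list-valued fields) use jq or a real JSON parser rather than extending the regexes.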
Step 5: Install Fluent Bit and Add Helm Repository
Add the Fluent Bit Helm repository and update it:
helm repo add fluent https://fluent.github.io/helm-charts
helm repo update
Step 6: Create a ConfigMap for Fluent Bit
Apply the ConfigMap for the Fluent Bit configuration.
Note: Before creating the ConfigMap, update the following TODOs in fb-configmap.yaml:
- Replace the file path (#TODO: REPLACE PATH).
- Replace the host (#TODO: REPLACE HOST).
- Replace the URI if needed (#TODO: REPLACE URI IF NEEDED).
- Replace the Bearer token (#TODO: REPLACE Bearer token).
kubectl apply -f fb-configmap.yaml -n vault
kubectl get configmap -n vault
kubectl apply -f fb-deployment.yaml -n vault
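A ConfigMap applied with a placeholder still in it fails quietly: Fluent Bit tails a file that does not exist or posts to Ascent with a bogus Bearer token, and nothing shows up in Step 8. The pre-flight check below is an added example, not part of the guide or of Fluent Bit: run it against fb-configmap.yaml before the kubectl apply above. It rejects a file that still carries the template's #TODO markers, an empty or placeholder Bearer token, or a tail Path whose file name is not the audit file enabled in Step 4 (the directory may differ, since the Fluent Bit pod can mount the volume elsewhere). The two ConfigMap bodies it writes are constructed to show the shape of a tail input and an http output; the section layout, the host ascent.example.invalid, the URI /v1/json_batch and the token value are all assumptions, not values from the guide.

```shell
#!/bin/sh
# Added pre-flight check (example code, not part of the original guide or of
# Fluent Bit). Usage: fb_config_check fb-configmap.yaml && kubectl apply -f ...
# The ConfigMap bodies produced by write_sample are CONSTRUCTED; host, URI and
# token are placeholders, and the real fb-configmap.yaml may be laid out differently.

AUDIT_PATH=/vault/logs/vault-audit.log   # audit device file enabled in Step 4

# fb_config_check FILE -> 0 if safe to apply, 1 otherwise (reasons on stderr)
fb_config_check() {
  f=$1
  rc=0
  base=${AUDIT_PATH##*/}
  if grep -q '#TODO' "$f"; then
    echo "$f: unreplaced #TODO markers remain" >&2
    rc=1
  fi
  # First 'Path' key, i.e. the tail input's file
  path=$(sed -n 's/^[[:space:]]*Path[[:space:]]\{1,\}//p' "$f" | head -n 1)
  case "$path" in
    */"$base") ;;   # mount point may differ, the file name must not
    *) echo "$f: tail Path '$path' is not the audit file $AUDIT_PATH" >&2; rc=1 ;;
  esac
  # Bearer token from the http output's Authorization header
  tok=$(sed -n 's/.*Authorization[[:space:]]\{1,\}Bearer[[:space:]]\{1,\}//p' "$f" | head -n 1)
  case "$tok" in
    ''|*'<'*|*'>'*) echo "$f: Bearer token is empty or still a placeholder" >&2; rc=1 ;;
  esac
  return $rc
}

# write_sample FILE template|filled  (CONSTRUCTED ConfigMap bodies)
write_sample() {
  if [ "$2" = template ]; then
    cat > "$1" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
data:
  fluent-bit.conf: |
    [INPUT]
        Name   tail
        #TODO: REPLACE PATH
        Path   /var/log/CHANGEME.log
        Tag    vault.audit
    [OUTPUT]
        Name   http
        Match  *
        #TODO: REPLACE HOST
        Host   ascent.example.invalid
        Port   443
        tls    On
        #TODO: REPLACE URI IF NEEDED
        URI    /v1/json_batch
        #TODO: REPLACE Bearer token
        Header Authorization Bearer <token>
EOF
  else
    cat > "$1" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
data:
  fluent-bit.conf: |
    [INPUT]
        Name   tail
        Path   /vault/logs/vault-audit.log
        Tag    vault.audit
    [OUTPUT]
        Name   http
        Match  *
        Host   ascent.example.invalid
        Port   443
        tls    On
        URI    /v1/json_batch
        Header Authorization Bearer CONSTRUCTED-TOKEN-NOT-REAL
EOF
  fi
}

# Demo: the untouched template must be rejected, the filled-in copy accepted
tmp=${TMPDIR:-/tmp}/fb-check.$$
write_sample "$tmp" template
if fb_config_check "$tmp"; then echo "template: OK"; else echo "template: REJECTED"; fi
write_sample "$tmp" filled
if fb_config_check "$tmp"; then echo "filled: OK"; else echo "filled: REJECTED"; fi
rm -f "$tmp"
```

Keep the real token out of the ConfigMap if you can: a Secret mounted into the Fluent Bit pod and referenced from the config keeps it out of `kubectl get configmap -o yaml` output and out of version control.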
Step 7: Generate Logs and Verify Fluent Bit Output
Generate some logs by logging into the Vault UI and creating secrets.
Verify the Fluent Bit pod logs:
kubectl logs pod/<pod name> -n vault
You should see the recent audit log content.
Step 8: Verify Logs in Apica Ascent
Navigate to Logs & Insights. Look for the vault-logs namespace. Click on the Vault app to view the logs.