@sdeoras
Last active December 27, 2022 11:51
vault auto-unseal using gcp kms

The steps required to set up auto-unseal of Vault using GCP KMS on k8s are as follows:

  • Create a key ring and key
  • Generate service account credentials with the encrypter-decrypter role
  • Download https://github.com/hashicorp/vault-helm
  • Check out a particular version (say tags/v0.3.0)
  • Edit values.yaml and update it as shown in the diff below
  • Install helm/tiller, then install the Vault chart

Diff for values.yaml:

diff --git a/values.yaml b/values.yaml
index f0393c2..11f7e42 100644
--- a/values.yaml
+++ b/values.yaml
@@ -127,10 +127,10 @@ server:

   # extraEnvironmentVars is a list of extra enviroment variables to set with the stateful set. These could be
   # used to include variables required for auto-unseal.
-  extraEnvironmentVars: {}
-    # GOOGLE_REGION: global
-    # GOOGLE_PROJECT: myproject
-    # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
+  extraEnvironmentVars:
+    GOOGLE_REGION: global
+    GOOGLE_PROJECT: <insert-your-GCP-project-name>
+    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json

   # extraSecretEnvironmentVars is a list of extra enviroment variables to set with the stateful set.
   # These variables take value from existing Secret objects.
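Review bot: the GOOGLE_APPLICATION_CREDENTIALS value /vault/userconfig/kms-creds/credentials.json is only valid if the extraVolumes entry mounts a secret named kms-creds whose key is credentials.json; change either name in one place but not the other and Vault cannot load the key file, so the gcpckms seal fails to initialise at startup. A comment next to this line naming that dependency would help. GOOGLE_PROJECT is also left as the <insert-your-GCP-project-name> placeholder, so values.yaml must be edited again before install.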
@@ -142,10 +142,10 @@ server:
   # extraVolumes is a list of extra volumes to mount. These will be exposed
   # to Vault in the path `/vault/userconfig/<name>/`. The value below is
   # an array of objects, examples are shown below.
-  extraVolumes: []
-    # - type: secret (or "configMap")
-    #   name: my-secret
-    #   path: null # default is `/vault/userconfig`
+  extraVolumes:
+    - type: secret
+      name: kms-creds
+      path: /vault/userconfig # default is `/vault/userconfig`

   # Affinity Settings
   # Commenting out or setting as empty the affinity variable, will allow
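Review bot: the secret kms-creds must exist in the release namespace before the StatefulSet is created, otherwise the pod sits in ContainerCreating waiting for the volume; the `kubectl create secret` step should be stated as a prerequisite of this change. The explicit `path: /vault/userconfig` equals the default named in the retained comment, so it is redundant but harmless; the secret still lands at /vault/userconfig/kms-creds/.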
@@ -195,7 +195,7 @@ server:

     # Configures the service type for the main Vault service.  Can be ClusterIP
     # or NodePort.
-    #type: ClusterIP
+    type: ClusterIP

     # If type is set to "NodePort", a specific nodePort value can be configured,
     # will be random if left blank.
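Review bot: uncommenting `type: ClusterIP` only makes the default explicit, but it does pin the Vault service to an in-cluster address rather than a NodePort; if that is the intent rather than an incidental edit, a one-line comment saying so would save the next reader from wondering why the line was changed.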
@@ -270,12 +270,12 @@ server:
       # Example configuration for using auto-unseal, using Google Cloud KMS. The
       # GKMS keys must already exist, and the cluster must have a service account
       # that is authorized to access GCP KMS.
-      #seal "gcpckms" {
-      #   project     = "vault-helm-dev"
-      #   region      = "global"
-      #   key_ring    = "vault-helm-unseal-kr"
-      #   crypto_key  = "vault-helm-unseal-key"
-      #}
+      seal "gcpckms" {
+         project     = "<insert-your-GCP-project-name>"
+         region      = "global"
+         key_ring    = "<insert-your-keyring-name>"
+         crypto_key  = "<insert-your-key-name>"
+      }

   # Run Vault in "HA" mode. There are no storage requirements unless audit log
   # persistence is required.  In HA mode Vault will configure itself to use Consul
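Review bot: the seal stanza has no `credentials` attribute, so it silently depends on the GOOGLE_APPLICATION_CREDENTIALS variable from the extraEnvironmentVars hunk; note that here, because the stanza reads as self-contained. The three <insert-...> placeholders will be committed as-is and Vault will fail to start until they are replaced, and `region` must match the location the key ring was created in. Since the block is now active configuration rather than an example, the retained comment above it ("Example configuration for using auto-unseal...") should be updated to say so.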

Set up and install components

Create a secret to store the GCP service account credentials for the KMS encrypter-decrypter:

kubectl create secret generic kms-creds --from-file=credentials.json

Note that both the secret name kms-creds and the file name credentials.json matter: values.yaml references them, since the secret is mounted at /vault/userconfig/kms-creds/ and GOOGLE_APPLICATION_CREDENTIALS points to credentials.json inside that directory.
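Added pre-flight check, not part of the gist: a shell function that validates the edited values.yaml for the mistakes the diff makes easy (an unreplaced <insert-...> placeholder, an extraVolumes secret name that differs from the GOOGLE_APPLICATION_CREDENTIALS path, a seal region that differs from GOOGLE_REGION), run over constructed good and bad samples before `helm install`. It assumes awk and sed are available and that the file keeps the indentation shown in the diff.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not part of the gist): run on the edited values.yaml
# before `helm install`. It flags an <insert-...> placeholder left in place
# (Vault then cannot initialise the gcpckms seal), an extraVolumes secret name
# that does not match GOOGLE_APPLICATION_CREDENTIALS, and a seal region that
# differs from GOOGLE_REGION. Returns 0 when consistent, 1 otherwise.
check_values() {
  local f=$1 rc=0 cred name env_region seal_region
  if grep -n '<insert-' "$f"; then
    echo "ERROR: unreplaced placeholders in $f (lines above)"; rc=1
  fi
  cred=$(awk '/^ *GOOGLE_APPLICATION_CREDENTIALS:/ {print $2; exit}' "$f")
  # first "name:" inside the extraVolumes block (block ends at a blank line)
  name=$(awk '/^ *extraVolumes:/ {blk=1; next}
              blk && /^ *name:/ {print $2; exit}
              blk && /^$/ {exit}' "$f")
  case "$cred" in
    "/vault/userconfig/$name/"*) ;;      # chart mounts secret <name> there
    *) echo "ERROR: '$cred' is not under /vault/userconfig/$name/"; rc=1 ;;
  esac
  env_region=$(awk '/^ *GOOGLE_REGION:/ {print $2; exit}' "$f")
  seal_region=$(awk -F'"' '/^ *region *=/ {print $2; exit}' "$f")
  [ "$env_region" = "$seal_region" ] ||
    { echo "ERROR: GOOGLE_REGION '$env_region' != seal region '$seal_region'"; rc=1; }
  return $rc
}
# Constructed samples modelled on the diff: placeholders replaced in GOOD,
# one left in place and the secret name mismatched in BAD.
GOOD=$(mktemp); BAD=$(mktemp); trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: example-project
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
  extraVolumes:
    - type: secret
      name: kms-creds
      path: /vault/userconfig

      seal "gcpckms" {
         project     = "example-project"
         region      = "global"
         key_ring    = "example-kr"
         crypto_key  = "example-key"
      }
EOF
sed -e 's/example-project/<insert-your-GCP-project-name>/' \
    -e 's/name: kms-creds/name: kms-credentials/' "$GOOD" >"$BAD"
check_values "$GOOD" && echo "values.yaml looks consistent"
check_values "$BAD" || echo "bad sample rejected as expected"
```

Run it as `check_values path/to/values.yaml` from the checked-out vault-helm directory; a non-zero exit means the chart should not be installed yet.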

Install helm/tiller on your k8s cluster:

#!/usr/bin/env bash
kubectl -n kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller \
    --clusterrole cluster-admin \
    --serviceaccount kube-system:tiller
helm init --service-account tiller

Install Vault on the k8s cluster (run from the checked-out vault-helm directory):

helm install --name vault ./

Initialize Vault once the containers are up:

kubectl exec -it vault-0 -- vault operator init

Verify that Vault is unsealed automatically (the status output should report Sealed as false):

kubectl exec -it vault-0 -- vault status

Vault config file for auto-unseal using Google KMS when running without k8s

mkdir -p /path/to/vault/storage

Create a file called vault.hcl:

storage "file" {
  path = "/path/to/vault/storage"
}

# Loopback-only listener with TLS disabled: suitable for a local test on this host,
# not for a listener reachable over a network.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

seal "gcpckms" {
  # relative path, resolved from the directory vault is started in
  credentials = "credentials.json"
  project     = "<insert-your-GCP-project-name>"
  region      = "global"
  key_ring    = "<insert-your-keyring-name>"
  crypto_key  = "<insert-your-key-name>"
}

Start Vault:

vault server -config=vault.hcl