Home > Software engineering >  Autounseal Vault with GCP KMS
Autounseal Vault with GCP KMS

Time:06-26

I would like to use auto unseal vault mechanism using the GCP KMS.

I have been following this enter image description here

My cluster is just a local cluster created with kind.

On the first replica of the vault server all seems ok (but not running though):

enter image description here

And on the two others got the normal message claiming that the vault is sealed:

enter image description here

Any idea what could be wrong? Should I create one key for each replica?

CodePudding user response:

OK well, I have succeeded in setting in place the Vault with auto unseal ! What I did:

  • Change the project (the id was required, not the name)

  • I disabled the raft (raft.enabled: false)

  • I moved the backend to google cloud storage adding to the config:

storage "gcs" {
        bucket = "gitter-secrets"
        ha_enabled    = "true"
}

ha_enabled=true was compulsory (with regional bucket)

My final helm values is:

global:
  enabled: true

server:
  logLevel: "debug"
  injector:
    logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: esgi-projects-354109
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: false
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "esgi-projects-354109"
        region      = "global"
        key_ring    = "gitter"
        crypto_key  = "vault-helm-unseal-key"
      }

      storage "gcs" {
        bucket = "gitter-secrets"
        ha_enabled    = "true"
      }

Using a service account with permissions:

  • Cloud KMS CryptoKey Encrypter/Decrypter
  • Storage Object Admin Permission on gitter-secrets only

I had an issue at first, the vault-0 needed to run a vault operator init. After trying several things (post install hooks among others) and comming back to the initial state the pod were unsealing normally without running anything.

  • Related