
Auto-unseal Vault with GCP KMS


I would like to use the Vault auto-unseal mechanism with GCP KMS.

I have been following this tutorial (section: 'Google KMS Auto Unseal') and applying the official HashiCorp Helm chart with the following values:

global:
  enabled: true

server:
  logLevel: "debug"
  injector:
    logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: ESGI-projects
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json

  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "ESGI-projects"
        region      = "global"
        key_ring    = "gitter"
        crypto_key  = "vault-helm-unseal-key"
      }

      storage "raft" {
        path = "/vault/data"
      }

I have created a kms-creds secret with the JSON credentials for a service account (I have tried with the Cloud KMS Service Agent and Owner roles, but none of them work).

Here are the keys in my key ring:

[screenshot: keys in the key ring]

My cluster is just a local cluster created with kind.

On the first replica of the Vault server all seems OK (though it is not running):

[screenshot: logs of the first replica]

And on the two others I get the normal message saying that the vault is sealed:

[screenshot: sealed-vault message on the other two replicas]

Any idea what could be wrong? Should I create one key for each replica?


Solution

  • OK, well, I have succeeded in setting up Vault with auto-unseal! What I did:

    • Changed the project (the ID was required, not the name)

    • I disabled Raft (raft.enabled: false)

    • I moved the backend to Google Cloud Storage, adding to the config:

    storage "gcs" {
      bucket     = "gitter-secrets"
      ha_enabled = "true"
    }
    

    ha_enabled = "true" was compulsory (with a regional bucket).

    My final Helm values are:

    global:
      enabled: true
    
    server:
      logLevel: "debug"
      injector:
        logLevel: "debug"
      extraEnvironmentVars:
        GOOGLE_REGION: global
        GOOGLE_PROJECT: esgi-projects-354109
        GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
      extraVolumes:
        - type: 'secret'
          name: 'kms-creds'
    
      ha:
        enabled: true
        replicas: 3
        raft:
          enabled: false
        config: |
          ui = true
    
          listener "tcp" {
            tls_disable = 1
            address = "[::]:8200"
            cluster_address = "[::]:8201"
          }
    
          seal "gcpckms" {
            project     = "esgi-projects-354109"
            region      = "global"
            key_ring    = "gitter"
            crypto_key  = "vault-helm-unseal-key"
          }
    
          storage "gcs" {
            bucket = "gitter-secrets"
            ha_enabled    = "true"
          }
    

    Using a service account with permissions:

    • Cloud KMS CryptoKey Encrypter/Decrypter
    • Storage Object Admin permission on gitter-secrets only

    I had an issue at first: vault-0 needed a vault operator init. After trying several things (post-install hooks among others) and coming back to the initial state, the pods were unsealing normally without running anything.
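The two mistakes this thread ran into (a project display name where the gcpckms seal needs the project ID, and a GCS backend without `ha_enabled` on a three-replica server) are both visible in the config before Vault ever starts. The following is an added example, not code from the question or the answer: an offline pre-flight linter for the seal and storage blocks of the Helm `config`, plus an interpreter for `vault status -format=json` that tells a sealed node apart from an uninitialized one (the case the answer hit with vault-0). The sample configs and the status JSON are constructed from the values posted above, not captured from a running cluster; only Vault's flat `kind "label" { key = value }` blocks are parsed, not nested HCL.

```python
"""Offline pre-flight checks for a Vault gcpckms auto-unseal config (added example)."""
import json
import re

# GCP project IDs are 6-30 chars: lowercase letters, digits and hyphens, starting
# with a letter and not ending with a hyphen. A display name such as
# "ESGI-projects" fails this, which is the first error in the thread.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Vault's flat `kind "label" { key = value ... }` blocks (no nested blocks).
BLOCK_RE = re.compile(r'(\w+)\s+"([^"]+)"\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')


def parse_hcl_blocks(config):
    """Return {(kind, label): {key: value}} for each labelled block in the config."""
    blocks = {}
    for kind, label, body in BLOCK_RE.findall(config):
        attrs = {}
        for line in body.splitlines():
            kv = ATTR_RE.match(line)
            if kv:
                attrs[kv.group(1)] = kv.group(2)
        blocks[(kind, label)] = attrs
    return blocks


def kms_key_resource(seal):
    """Cloud KMS resource name the seal points at (usable with `gcloud kms keys describe`)."""
    return ("projects/{project}/locations/{region}/keyRings/{key_ring}"
            "/cryptoKeys/{crypto_key}").format(**seal)


def check_seal_config(config, raft_enabled):
    """Lint the server config string against the chart's ha.raft.enabled flag."""
    blocks = parse_hcl_blocks(config)
    problems = []
    seal = blocks.get(("seal", "gcpckms"))
    if seal is None:
        return ['no seal "gcpckms" block: Vault will use Shamir and need manual unseal']
    for key in ("project", "region", "key_ring", "crypto_key"):
        if key not in seal:
            problems.append(f"seal gcpckms: missing {key}")
    project = seal.get("project", "")
    if project and not PROJECT_ID_RE.match(project):
        problems.append(f"seal gcpckms: {project!r} is not a project ID "
                        "(use the lowercase ID, not the display name)")
    has_raft = ("storage", "raft") in blocks
    if raft_enabled and not has_raft:
        problems.append('ha.raft.enabled is true but no storage "raft" block')
    if not raft_enabled and has_raft:
        problems.append('storage "raft" present but ha.raft.enabled is false')
    gcs = blocks.get(("storage", "gcs"))
    if gcs is not None:
        if "bucket" not in gcs:
            problems.append("storage gcs: missing bucket")
        if gcs.get("ha_enabled", "false").lower() != "true":
            problems.append('storage gcs: ha_enabled = "true" is required '
                            "for a multi-replica (HA) server")
    return problems


def check_seal_status(status_json):
    """Interpret `vault status -format=json` from one pod."""
    s = json.loads(status_json)
    problems = []
    if s.get("type") != "gcpckms":
        problems.append(f"seal type is {s.get('type')!r}, not gcpckms")
    if not s.get("recovery_seal", False):
        problems.append("recovery_seal is false: node is not auto-unsealing")
    if not s.get("initialized", False):
        problems.append("not initialized: run `vault operator init` once")
    elif s.get("sealed", True):
        problems.append("sealed: check KMS IAM / credentials in the pod log")
    return problems


# Constructed sample: seal/storage part of the question's config (project name, Raft).
QUESTION_CONFIG = '''
seal "gcpckms" {
  project     = "ESGI-projects"
  region      = "global"
  key_ring    = "gitter"
  crypto_key  = "vault-helm-unseal-key"
}
storage "raft" {
  path = "/vault/data"
}
'''

# Constructed sample: the answer's working config (project ID, GCS with ha_enabled).
ANSWER_CONFIG = '''
seal "gcpckms" {
  project     = "esgi-projects-354109"
  region      = "global"
  key_ring    = "gitter"
  crypto_key  = "vault-helm-unseal-key"
}
storage "gcs" {
  bucket     = "gitter-secrets"
  ha_enabled = "true"
}
'''

# Constructed `vault status -format=json` output for a healthy auto-unsealed node.
HEALTHY_STATUS = ('{"type":"gcpckms","initialized":true,"sealed":false,'
                  '"recovery_seal":true,"storage_type":"gcs","ha_enabled":true}')

if __name__ == "__main__":
    print(check_seal_config(QUESTION_CONFIG, raft_enabled=True))
    print(check_seal_config(ANSWER_CONFIG, raft_enabled=False))
    print(kms_key_resource(parse_hcl_blocks(ANSWER_CONFIG)[("seal", "gcpckms")]))
    print(check_seal_status(HEALTHY_STATUS))
```

Run it against the `config:` string from your values file before `helm install`; the resource name printed by `kms_key_resource` is the one to pass to `gcloud kms keys get-iam-policy` to confirm the service account really holds `roles/cloudkms.cryptoKeyEncrypterDecrypter` on that key, and `check_seal_status` applied to each pod's `vault status -format=json` separates the one node that still needs `vault operator init` from nodes that are merely sealed because KMS rejected them.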