How to automatically unseal a vault

Hi All

I am trying to run vault in on premises k8s. I am deploying using helm chart. I went through this link Autounseal-transit
But it requires another vault. Is there a way to automatically unseal on restart of pods or kubernetes nodes?

Thanks
Guru

You can do unsealing much more simply than using another cluster/transit, by using a KMS, i.e. GCP Cloud KMS or AWS KMS:

Hi Mike

Thanks for replying so quickly

I am deploying vault in on premises k8s. It can’t connect to any cloud kms or another vault server.

Thanks
Guru

Then you’ll need to set up something like another cluster, which then will have to be unsealed as well. Sounds like Shamir keys is your best bet unless you run an in-house KMS/HSM.


Thanks. I saw post startup hooks are in helm charts. I am leveraging that.

Hello @mikegreen
I am sorry to say this, but this procedure is too generic and not for Kubernetes.

The question that cannot be answered:

"Without knowing/filling “kms_key_id” and “endpoint” information, how can Vault be deployed to AWS EKS Kubernetes via Helm chart?"

@tirelibirefe you need to feed the KMS credentials (if you unseal with AWS KMS) to the Helm chart.

Where do you get that initial secret? That is a hard question that has no good answer. You could:

  • Store it in your local password manager and enter it manually if you run your pipeline by hand
  • Store it as a “CI/CD secret” and have your pipeline read it and feed it to Helm
  • Store it in KMS and have your pipeline authenticate to KMS to read the secret and feed it to Helm

Etc…

As for the post-startup hook, it can work, but it will not be secure.

You could script something that will call vault operator unseal with a single shard (no need for 3 since you’ve already thrown this security feature out the window). But you will end up with the shard(s) in your deployment configuration. You can then use the shard to do vault operator generate-root and do whatever you want with the secrets.

I guess that’s fine for a home lab or even a dev environment, but not much more.

Secure introduction of secrets is hard. Don’t let any vendor (including Hashicorp) convince you otherwise.

The only good solution is to tie yourself to a given platform, let it handle both the authentication and initial secret management. Then run Vault on top of that for the devops friendly API.

Hello @ixe013 ,
Thanks for the explanation, but it’s not what I asked.
I’ve already fed my credentials.
Please check that topic: >>> here
I don’t have an installed Vault yet. I would like to install it by using the Helm chart on AWS/EKS.
According to the documentation, I should put the following expression in the values.yaml file for AWS auto-unseal, shouldn’t I?

seal "awskms" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  kms_key_id = "???"
  endpoint   = "?????"
}

The question is: where/how can I get kms_key_id and endpoint before installing Vault?

Thanks & Regards

You must create the key prior to installing Vault. You could use Terraform or your mouse to create a KMS key that will be used to unseal Vault. Once created, put the key ID in your configuration.

You should probably let Vault figure out the endpoint parameter itself (remove it).
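The procedure the reply describes, written out as an added example that is not from this thread or from HashiCorp's own docs: Terraform creates the KMS key and a least-privilege policy first, and the key id it outputs is what goes into kms_key_id. The resource names, the alias, the policy name and the region are assumptions; the credentials in the original snippet are replaced by the role Vault runs under, and endpoint is dropped so Vault resolves it itself.

```hcl
# --- File 1: Terraform, applied BEFORE helm install ---
# Assumed names (vault_unseal, alias/vault-unseal, VaultUnsealKMS) and the
# region are placeholders for this example.

provider "aws" {
  region = "us-east-1"
}

# Customer-managed key that Vault will use to wrap its root key.
resource "aws_kms_key" "vault_unseal" {
  description             = "Vault auto-unseal key"
  deletion_window_in_days = 30   # recovery window if deletion is ever scheduled
  enable_key_rotation     = true # annual rotation; old versions keep decrypting
}

resource "aws_kms_alias" "vault_unseal" {
  name          = "alias/vault-unseal"
  target_key_id = aws_kms_key.vault_unseal.key_id
}

# Least-privilege policy for the identity the Vault pods run as
# (EC2 instance role or an EKS IRSA role): only the KMS actions the
# awskms seal needs, scoped to this one key.
resource "aws_iam_policy" "vault_unseal" {
  name = "VaultUnsealKMS"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]
      Resource = aws_kms_key.vault_unseal.arn
    }]
  })
}

# This output is the value to paste into kms_key_id below.
output "vault_unseal_kms_key_id" {
  value = aws_kms_key.vault_unseal.key_id
}

# --- File 2: Vault server config, i.e. the `config` string under
#     server.ha (or server.standalone) in the Helm chart's values.yaml ---
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "PLACEHOLDER-key-id-from-terraform-output"
  # No access_key/secret_key: credentials come from the instance/IRSA role,
  # so no long-lived AWS keys sit in values.yaml or in git.
  # No endpoint: Vault derives the regional KMS endpoint itself.
}
```

Run `terraform apply`, copy the `vault_unseal_kms_key_id` output into the seal stanza, then install the chart. On pod or node restart Vault calls KMS with the pod's role credentials and unseals without anyone typing a shard, which is the property the post-startup-hook approach cannot give you.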

Thank you, that answers what I was looking for…
