Installing HashiCorp Vault with Key Management Service support
HashiCorp Vault
The application image contains a pre-installed build of HashiCorp Vault with added support for Auto Unseal
To install HashiCorp Vault:
- Prepare everything you need to get started.
- Install HashiCorp Vault using Yandex Cloud Marketplace or Helm.
- Initialize the vault.
Getting started
To use HashiCorp Vault, you need:
- Service account with the kms.keys.encrypterDecrypter role.
- Authorized key.
- Symmetric encryption key.
- Create a service account:
  yc iam service-account create --name vault-kms
- Create an authorized key for the service account and save it to the authorized-key.json file:
  yc iam key create \
    --service-account-name vault-kms \
    --output authorized-key.json
- Create a Key Management Service symmetric key:
  yc kms symmetric-key create \
    --name example-key \
    --default-algorithm aes-256 \
    --rotation-period 24h
  Save the key id. You will need it when installing the application.
- Assign the kms.keys.encrypterDecrypter role to the service account you created previously:
  yc resource-manager folder add-access-binding \
    --id <folder_ID> \
    --service-account-name vault-kms \
    --role kms.keys.encrypterDecrypter
  You can fetch the folder ID with a list of folders.
- Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Install kubectl and configure it to work with the created cluster.
Installation using Yandex Cloud Marketplace
Warning
When using Cloud Marketplace to install HashiCorp Vault that supports Key Management Service, the Agent injector
- Go to the folder page and select Managed Service for Kubernetes.
- Click the name of the Managed Service for Kubernetes cluster you need and select the Marketplace tab.
- Under Application available for installation, select HashiCorp Vault with Key Management Service support and click Go to install.
- Configure the application:
  - Namespace: Select a namespace or create a new one.
  - Application name: Specify the app name.
  - Service account key for Vault: Copy the contents of the authorized-key.json file to this field.
  - KMS key ID for Vault: Specify the previously obtained Key Management Service key ID.
- Click Install.
- Wait for the application to change its status to Deployed.
Installation using a Helm chart
- Install Helm v3.8.0 or higher.
- Install kubectl and configure it to work with the created cluster.
- To install a Helm chart with HashiCorp Vault, run the following command, specifying the parameters of the resources you created earlier:
  cat <path_to_file_with_authorized_key> | helm registry login cr.yandex \
    --username 'json_key' \
    --password-stdin && \
  helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/vault/chart/vault \
    --version 0.28.1+yckms \
    --untar && \
  helm install \
    --namespace <namespace> \
    --create-namespace \
    --set-file yandexKmsAuthJson=<path_to_file_with_authorized_key> \
    --set yandexKmsKeyId=<KMS_key_ID> \
    hashicorp ./vault/
Note
If you are using a Helm version below 3.8.0, add the
export HELM_EXPERIMENTAL_OCI=1 && \
string to the command to enable Open Container Initiative (OCI) support in the Helm client.
Command parameters:
- <path_to_file_with_authorized_key>: Path to the authorized-key.json file you saved earlier.
- <namespace>: New namespace that will be created for HashiCorp Vault.
- <KMS_key_ID>: Previously obtained Key Management Service key ID.
This command will install HashiCorp Vault with KMS support and the Agent injector secret delivery tool to the cluster. To use the alternative Vault CSI provider mechanism, add the following parameters to the command:
  --set "injector.enabled=false" \
  --set "csi.enabled=true"
For more information about the differences between these mechanisms, see the HashiCorp documentation.
Initializing the vault
Once HashiCorp Vault is installed, you need to initialize one of its servers. The initialization process generates credentials required to unseal
Note
While initializing the vault, there is no need to perform the unseal operation, because the application image is integrated with Key Management Service.
For more information, see Auto Unseal and the HashiCorp Vault
To initialize the vault:
- Make sure that the application switched to Running and has 0/1 ready pods:
  kubectl get pods \
    --namespace=<namespace> \
    --selector='app.kubernetes.io/name=vault'
  Result:
  NAME               READY   STATUS    RESTARTS   AGE
  <vault_pod_name>   0/1     Running   0          58s
- Initialize the vault:
  kubectl exec \
    --namespace=<namespace> \
    --stdin=true \
    --tty=true <vault_pod_name> \
    -- vault operator init
  Result:
  Recovery Key 1: ulbugw4IKttmCCPprF6JwmUCyx1YfieCQPQi********
  Recovery Key 2: S0kcValC6qSfEI4WJBovSbJWZntBUwtTrtis********
  Recovery Key 3: t44ZRqbzLZNzfChinZNzLCNnwvFN/R52vbD*/*******
  ...
  Recovery key initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above.
  Save the resulting data in a secure location.
- Query the list of application pods again and make sure that one pod is ready:
  kubectl get pods \
    --namespace=<namespace> \
    --selector='app.kubernetes.io/name=vault'
  Result:
  NAME                 READY   STATUS    RESTARTS   AGE
  vault-yckms-k8s-0    1/1     Running   0          5m
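As an added example (not part of the Yandex Cloud page or the Vault chart), the following shell helper makes the initialization step above idempotent and verifies that Key Management Service auto unseal actually took effect: it reads `vault status -format=json` from the pod, runs `vault operator init` only when the vault is not yet initialized, and reports an error if the vault stays sealed after initialization (which points at the service account role or the yandexKmsKeyId value). It assumes the <namespace> and <vault_pod_name> placeholders from the kubectl commands above; the status JSON values used for checking are constructed.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud page or the Vault chart.
# Makes the "Initialize the vault" step idempotent and checks that KMS
# auto unseal really took effect. Assumes the <namespace> and
# <vault_pod_name> placeholders used in the page's kubectl commands.

# Read a boolean field ("initialized" or "sealed") out of the JSON that
# `vault status -format=json` prints. Parameter expansion only, so it
# works without jq inside a minimal container. Prints true, false or unknown.
status_field() {  # $1 = status JSON, $2 = field name
  rest=${1#*\"$2\":}
  # Field absent: the expansion returns the input unchanged.
  [ "$rest" = "$1" ] && { echo unknown; return; }
  rest=${rest#"${rest%%[![:space:]]*}"}   # strip leading whitespace
  case $rest in
    true*)  echo true ;;
    false*) echo false ;;
    *)      echo unknown ;;
  esac
}

# Map the status to an action:
#   init    - not initialized yet, run `vault operator init`
#   ok      - initialized and unsealed, KMS auto unseal worked
#   sealed  - initialized but still sealed: auto unseal did not happen,
#             check the service account role and yandexKmsKeyId
#   unknown - status could not be read
decide_action() {  # $1 = status JSON
  case "$(status_field "$1" initialized)/$(status_field "$1" sealed)" in
    false/*)    echo init ;;
    true/false) echo ok ;;
    true/true)  echo sealed ;;
    *)          echo unknown ;;
  esac
}

# Against a live cluster. `vault status` exits non-zero while sealed or
# uninitialized, so its exit code is ignored and only the JSON is used.
init_if_needed() {  # $1 = namespace, $2 = vault pod name
  status=$(kubectl exec --namespace="$1" "$2" -- vault status -format=json 2>/dev/null || true)
  case "$(decide_action "$status")" in
    init)   kubectl exec --namespace="$1" --stdin=true --tty=true "$2" -- vault operator init ;;
    ok)     echo "Vault is initialized and unsealed" ;;
    sealed) echo "Vault is initialized but still sealed: KMS auto unseal failed" >&2; return 1 ;;
    *)      echo "Could not read vault status from pod $2" >&2; return 1 ;;
  esac
}
```

Call it as `init_if_needed <namespace> <vault_pod_name>` once the pod shows 0/1 Running; a second run against an already initialized vault only reports the unseal state and never re-runs init.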