HashiCorp Vault is an open source tool for securely storing and accessing secrets (for example, passwords, certificates, and tokens). The image contains a pre-installed build of HashiCorp Vault with added support for Auto Unseal via Yandex Key Management Service. The build is based on HashiCorp Vault 1.17.2.
- Create a service account, which is required for HashiCorp Vault:

  yc iam service-account create --name vault-kms

- Create an authorized key for the service account and save it to the file authorized-key.json:

  yc iam key create \
    --service-account-name vault-kms \
    --output authorized-key.json

- Create a Yandex Key Management Service key:

  yc kms symmetric-key create \
    --name example-key \
    --default-algorithm aes-256 \
    --rotation-period 24h

  Save the key ID (id). You will need it when installing the application.

- Assign the service account the kms.keys.encrypterDecrypter role for the Yandex Key Management Service key:

  yc kms symmetric-key add-access-binding \
    --name example-key \
    --service-account-name vault-kms \
    --role kms.keys.encrypterDecrypter

- Configure the application:
  - Namespace: Select a namespace or create a new one.
  - Application name: Enter an application name.
  - Service account key: Copy the contents of the authorized-key.json file to this field.
  - KMS key ID: Specify the ID of the Yandex Key Management Service key that you got earlier.

- Click Install.

- Make sure that the application switched to Running and has 0/1 ready pods:

  kubectl get pods --selector='app.kubernetes.io/name=vault'

  Expected output:

  NAME               READY   STATUS    RESTARTS   AGE
  <vault pod name>   0/1     Running   0          58s

- Initialize the vault:

  kubectl exec --stdin=true --tty=true <vault pod name> -- vault operator init

  Expected output:

  Recovery Key 1: ulbugw4IKttmCCPprF6JwmUCyx1YfieCQPQiI2S0VV9o
  Recovery Key 2: S0kcValC6qSfEI4WJBovSbJWZntBUwtTrtisSIcS3n0e
  Recovery Key 3: t44ZRqbzLZNzfChinZNzLCNnwvFN/R52vbDq/UueHPPg
  Recovery Key 4: af4PRlm3VdXRzEHoDpYEnSgbwj4oc4zLCwkJG36cOUER
  Recovery Key 5: rw9LXcyGEhoO4y4O5IA32IwiDS2t76zd52eiVqfpu+b6

  Initial Root Token: s.4ddyD9kkIKVrslVBQBX1I5Pq

  Success! Vault is initialized

  Recovery key initialized with 5 key shares and a key threshold of 3. Please
  securely distribute the key shares printed above.

  Don't run the unseal operation when initializing the vault. For more information, see Auto Unseal and the HashiCorp Vault documentation.

- Query the list of application pods again and make sure that one pod is ready:

  kubectl get pods --selector='app.kubernetes.io/name=vault'

  Expected output:

  NAME                READY   STATUS    RESTARTS   AGE
  vault-yckms-k8s-0   1/1     Running   0          1h
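Once the pod is ready, a practitioner will want to confirm that the node really came up through the KMS-backed seal rather than a Shamir seal that someone unsealed by hand, and that the init output handed out recovery keys (not unseal keys). The following checks are an added example, not part of the Yandex Cloud page or of Vault itself; they parse captured output of vault status -format=json and vault operator init, the samples are constructed, and the seal type string reported by the Yandex KMS build is an assumption.

```python
"""Post-install checks for a Vault node that is expected to be auto-unsealed.

Added example, not part of the Yandex Cloud page or the Vault project.
Both checks take captured command output as a string so they run offline.
"""
import json
import re

# Constructed sample of `vault status -format=json` from a healthy auto-unsealed
# node. The seal "type" value for the Yandex KMS build is an assumption.
STATUS_OK = json.dumps({
    "type": "yandexcloudkms", "initialized": True, "sealed": False,
    "t": 3, "n": 5, "recovery_seal": True, "version": "1.17.2",
})
# Constructed sample of a node initialized with a plain Shamir seal instead.
STATUS_SHAMIR = json.dumps({
    "type": "shamir", "initialized": True, "sealed": True,
    "t": 3, "n": 5, "recovery_seal": False, "version": "1.17.2",
})
# Constructed sample of `vault operator init` output (keys are placeholders).
INIT_SAMPLE = "\n".join(
    [f"Recovery Key {i}: PLACEHOLDER_SHARE_{i}" for i in range(1, 6)]
    + ["", "Initial Root Token: hvs.PLACEHOLDER", "",
       "Recovery key initialized with 5 key shares and a key threshold of 3."]
)

def check_auto_unseal(status_json):
    """Return a list of problems; an empty list means the KMS seal is active."""
    s = json.loads(status_json)
    problems = []
    if not s.get("initialized"):
        problems.append("vault is not initialized")
    if s.get("sealed"):
        problems.append("vault is sealed: auto unseal did not run")
    if s.get("type") == "shamir":
        problems.append("seal type is shamir: no KMS-backed seal configured")
    if not s.get("recovery_seal"):
        problems.append("recovery_seal is false: init produced unseal keys")
    return problems

KEY_RE = re.compile(r"^Recovery Key (\d+): (\S+)$", re.MULTILINE)
SHARES_RE = re.compile(r"with (\d+) key shares and a key threshold of (\d+)")

def parse_init_output(text):
    """Extract recovery shares and the n/t parameters; raise if they disagree."""
    keys = {int(n): k for n, k in KEY_RE.findall(text)}
    m = SHARES_RE.search(text)
    if m is None:
        raise ValueError("share parameters not found in init output")
    shares, threshold = int(m.group(1)), int(m.group(2))
    if len(keys) != shares:
        raise ValueError(f"expected {shares} recovery keys, found {len(keys)}")
    if "Unseal Key" in text:
        raise ValueError("output lists unseal keys: seal is not KMS-backed")
    return {"shares": shares, "threshold": threshold, "keys": keys}
```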
Helm chart | Version
---|---
yandex-cloud/vault/chart/vault | 0.28.1_yckms

Docker image | Version
---|---
yandex-cloud/vault/vault-k8s1721661666224330603612865640135376997075149811052 | 1.4.2
yandex-cloud/vault/vault1721661666224330603612865640135376997075149811052 | 1.17.2_yckms
yandex-cloud/vault/vault-csi-provider1721661666224330603612865640135376997075149811052 | 1.4.3