Installing HashiCorp Vault with Key Management Service support
HashiCorp Vault
The application image contains a pre-installed build of HashiCorp Vault with added support for Auto Unseal
To install HashiCorp Vault:
Before you start, install kubectl
Creating a service account and keys
To use HashiCorp Vault, you need:
- Service account with the kms.keys.encrypterDecrypter role
- Authorized key
- Symmetric encryption key

- Create a service account:
  yc iam service-account create --name vault-kms
- Create an authorized key for the service account and save it to a file named authorized-key.json:
  yc iam key create \
    --service-account-name vault-kms \
    --output authorized-key.json
- Create a Key Management Service symmetric key:
  yc kms symmetric-key create \
    --name example-key \
    --default-algorithm aes-256 \
    --rotation-period 24h
  Save the key ID (id). You will need it when installing the application.
- Assign the kms.keys.encrypterDecrypter role to the Key Management Service key:
  yc resource-manager folder add-access-binding \
    --id <folder_ID> \
    --service-account-name vault-kms \
    --role kms.keys.encrypterDecrypter
  You can fetch the folder ID with a list of folders.
Installation using Yandex Cloud Marketplace
- Go to the folder page and select Managed Service for Kubernetes.
- Click the name of the Managed Service for Kubernetes cluster you need and select the Marketplace
- Under Applications available for installation, select HashiCorp Vault with Key Management Service support and click Use.
- Configure the application:
  - Namespace: Select a namespace or create a new one.
  - Application name: Enter a name for the application.
  - Service account key for Vault: Copy the contents of the authorized-key.json file to this field.
  - KMS key ID for Vault: Specify the previously obtained Key Management Service key ID.
- Click Install.
- Wait for the application to change its status to Deployed.
Installation using a Helm chart
- Install Helm v3.7.0 or higher.
- To install a Helm chart with HashiCorp Vault, run the following command:
  export HELM_EXPERIMENTAL_OCI=1 && \
  cat authorized-key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
  helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/vault/chart/vault \
    --version 0.27.0_yckms \
    --untar && \
  helm install \
    --namespace <namespace> \
    --create-namespace \
    --set-file yandexKmsAuthJson=authorized-key.json \
    hashicorp ./vault/
  This command also creates a new namespace required for HashiCorp Vault.
Initializing the vault
Once HashiCorp Vault is installed, you need to initialize one of its servers. The initialization process generates credentials required to unseal
Note
While initializing the vault, there is no need to perform the unseal operation, because the application image is integrated with Key Management Service.
For more information, see Auto Unseal and the HashiCorp Vault
To initialize the vault:
- Make sure that the application switched to Running and has 0/1 ready pods:
  kubectl get pods --selector='app.kubernetes.io/name=vault'
  Result:
  NAME                READY   STATUS    RESTARTS   AGE
  <vault_pod_name>    0/1     Running   0          58s
- Initialize the vault:
  kubectl exec \
    --stdin=true \
    --tty=true <vault_pod_name> \
    -- vault operator init
  Result:
  Recovery Key 1: ulbugw4IKttmCCPprF6JwmUCyx1YfieCQPQi********
  Recovery Key 2: S0kcValC6qSfEI4WJBovSbJWZntBUwtTrtis********
  Recovery Key 3: t44ZRqbzLZNzfChinZNzLCNnwvFN/R52vbD*/*******
  ...
  Recovery key initialized with 5 key shares and a key threshold of 3.
  Please securely distribute the key shares printed above.
- Query the list of application pods again and make sure that one pod is ready:
  kubectl get pods --selector='app.kubernetes.io/name=vault'
  Result:
  NAME                READY   STATUS    RESTARTS   AGE
  vault-yckms-k8s-0   1/1     Running   0          5m
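The checks a practitioner would wrap around the steps above, added here as an example and not part of the Yandex Cloud documentation: validating authorized-key.json before it is handed to Helm, pulling the key ID out of `yc kms symmetric-key create` JSON output, and running `vault operator init` only once the pod is Running 0/1, then confirming Auto Unseal brings it to 1/1. The authorized-key field names and the `--format json`, `--no-headers` and `-o jsonpath` flags are assumptions about the yc and kubectl CLIs, not values from this page.

```shell
#!/usr/bin/env sh
# Added example (not from the Yandex Cloud docs): checks around the install steps.
# The first three functions are pure and run offline; the last two call kubectl
# and vault exactly as the page does, using the selector app.kubernetes.io/name=vault.

# Sanity-check authorized-key.json before it goes into the Helm value yandexKmsAuthJson.
# Field names are assumed from the yc authorized key format (not shown on the page).
authorized_key_ok() {
  [ -s "$1" ] || return 1
  grep -q '"service_account_id"' "$1" || return 1
  grep -q '"private_key"' "$1"
}

# Extract the top-level "id" from pretty-printed `yc kms symmetric-key create --format json`
# output. The first "id" line is the key's own ID; nested ids (primary_version) come later.
json_top_id() {
  printf '%s\n' "$1" | sed -n 's/^ *"id": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when a `kubectl get pods` row has the wanted READY column and STATUS Running.
pod_state_is() {  # $1: wanted READY (0/1 or 1/1); $2: row like "vault-yckms-k8s-0 1/1 Running 0 5m"
  want="$1"; set -- $2
  [ "$2" = "$want" ] && [ "$3" = "Running" ]
}

# Poll until the Vault pod reaches the wanted READY state; give up after about 5 minutes.
wait_vault() {
  n=0
  while [ "$n" -lt 60 ]; do
    row=$(kubectl get pods --selector='app.kubernetes.io/name=vault' --no-headers | head -n 1)
    if pod_state_is "$1" "$row"; then return 0; fi
    n=$((n + 1)); sleep 5
  done
  echo "vault pod did not reach READY $1" >&2; return 1
}

# Initialize only once the pod is Running 0/1, then confirm Auto Unseal brought it to 1/1.
init_vault() {
  wait_vault 0/1 || return 1
  pod=$(kubectl get pods --selector='app.kubernetes.io/name=vault' \
        -o jsonpath='{.items[0].metadata.name}')
  kubectl exec --stdin=true --tty=true "$pod" -- vault operator init
  wait_vault 1/1
}
```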