Installing HashiCorp Vault with Key Management Service support
HashiCorp Vault is an open source tool for securely storing and accessing secrets (such as passwords, certificates, and tokens).
The application image contains a pre-installed build of HashiCorp Vault with added support for Auto Unseal via Yandex Key Management Service. The build is based on HashiCorp Vault 1.8.2.
To install HashiCorp Vault, complete the steps in the following sections: create a service account and keys, install the application, and initialize the vault.
Creating a service account and keys
To use HashiCorp Vault, you need:
- A service account with the kms.keys.encrypterDecrypter role.
- An authorized key.
- A symmetric encryption key.
- Create a service account:
  yc iam service-account create --name vault-kms
- Create an authorized key for the service account and save it to a file named authorized-key.json:
  yc iam key create \
    --service-account-name vault-kms \
    --output authorized-key.json
- Create a Key Management Service symmetric key:
  yc kms symmetric-key create \
    --name example-key \
    --default-algorithm aes-256 \
    --rotation-period 24h
  Save the key ID (id) from the command output. You will need it when installing the application.
- Assign the kms.keys.encrypterDecrypter role to the service account for the Key Management Service key. Note that the command below grants the role at folder scope, so it applies to every key in that folder, not only to example-key:
  yc resource-manager folder add-access-binding \
    --id <folder ID> \
    --service-account-name vault-kms \
    --role kms.keys.encrypterDecrypter
  You can get the folder ID from the list of folders in your cloud.
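The authorized key file created above holds the service account's private key and is later pasted into the application form or handed to Helm. The following script is an added example, not part of the Yandex Cloud page: it checks that the file is present, readable only by its owner, and carries the fields expected from `yc iam key create --output` (the field names id, service_account_id and private_key are an assumption about that file's layout).

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud page: sanity-check authorized-key.json
# before pasting it into the "Service account key for Vault" field or passing it
# to helm with --set-file. Assumption: the file written by `yc iam key create
# --output` is a JSON object with "id", "service_account_id" and "private_key" keys.

# Returns 0 when the file exists, is readable by its owner only, and contains
# the expected fields; prints the first problem found and returns 1 otherwise.
check_authorized_key() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  # The file carries a private key: it must not be group- or world-readable.
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "insecure mode $mode on $f (expected 600)"; return 1 ;;
  esac
  for field in id service_account_id private_key; do
    grep -q "\"$field\"" "$f" || { echo "field \"$field\" missing in $f"; return 1; }
  done
  echo "$f looks usable"
  return 0
}

# Usage: ./check-key.sh authorized-key.json
if [ "$#" -gt 0 ]; then
  check_authorized_key "$1"
fi
```

Run it once right after the key is created and again on any host where the file is copied; a permission error is the usual finding, and chmod 600 fixes it before the key is used.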
Installing HashiCorp Vault
- In the management console, go to the folder page and select Managed Service for Kubernetes.
- Click the name of the desired cluster and open the Marketplace tab.
- Under Applications available for installation, select HashiCorp Vault 1.8.2 with Key Management Service support and click Use.
- Configure the application:
  - Namespace: Select a namespace or create a new one.
  - Application name: Enter an application name.
  - Service account key for Vault: Copy the contents of the authorized-key.json file to this field.
  - KMS key ID for Vault: Specify the previously obtained Key Management Service key ID.
- Click Install.
To install the Helm chart with HashiCorp Vault from the command line instead of the management console, run the following command:
  export HELM_EXPERIMENTAL_OCI=1 && \
  cat authorized-key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
  helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/vault/chart/vault \
    --version <Helm chart version> \
    --untar && \
  helm install \
    --namespace hashicorp \
    --create-namespace \
    --set-file yandexKmsAuthJson=authorized-key.json \
    hashicorp ./vault/
This command also creates a new hashicorp namespace required for HashiCorp Vault. You can check the current version of the Helm chart on the application page.
Initializing the vault
Once HashiCorp Vault is installed, you need to initialize one of its servers. The initialization process generates credentials required to unseal all the vault servers.
Note: While initializing the vault, there is no need to perform the unseal operation, since the application image is integrated with Key Management Service. For more information, see Auto Unseal and the HashiCorp Vault documentation.
To initialize the vault:
- Make sure that the application switched to Running and has 0/1 ready pods (the pod reports 0/1 until the vault is initialized):
  kubectl get pods --selector='app.kubernetes.io/name=vault'
  Command result:
  NAME               READY   STATUS    RESTARTS   AGE
  <vault pod name>   0/1     Running   0          58s
- Initialize the vault:
  kubectl exec \
    --stdin=true \
    --tty=true <vault pod name> \
    -- vault operator init
  Command result:
  Recovery Key 1: ulbugw4IKttmCCPprF6JwmUCyx1YfieCQPQiI2S0VV9o
  Recovery Key 2: S0kcValC6qSfEI4WJBovSbJWZntBUwtTrtisSIcS3n0e
  Recovery Key 3: t44ZRqbzLZNzfChinZNzLCNnwvFN/R52vbDq/UueHPPg
  ...
  Recovery key initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above.
- Query the list of application pods again and make sure that one pod is ready:
  kubectl get pods --selector='app.kubernetes.io/name=vault'
  Command result:
  NAME                READY   STATUS    RESTARTS   AGE
  vault-yckms-k8s-0   1/1     Running   0          5m
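A ready pod shows that the readiness probe passed, but it does not by itself tell you that the seal was opened by Key Management Service rather than left in some other state. The script below is an added example, not part of the Yandex Cloud page or the Vault project: it reads the JSON from `vault status -format=json` and passes only when the server is initialized, unsealed, and reports a recovery seal, which is the combination expected with a KMS auto unseal. The sample status document inside the script is constructed, not real output.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud page: confirm that auto unseal via
# Key Management Service actually worked after `vault operator init`, by reading
# the JSON from `vault status -format=json`. Parsing uses sed only, so the check
# runs inside a minimal container or on the operator's workstation.

# Print the value of a boolean field ("true"/"false") from a JSON document.
# $1 = JSON text, $2 = field name. Whitespace is stripped first so the
# regex does not depend on how the output is pretty-printed.
json_bool() {
  printf '%s' "$1" | tr -d ' \n\t' | sed -n "s/.*\"$2\":\([a-z]*\).*/\1/p"
}

# Returns 0 only when the vault is initialized, not sealed, and reports a
# recovery seal (the state expected with a KMS auto unseal); otherwise prints
# the observed values and returns 1.
auto_unseal_ok() {
  init=$(json_bool "$1" initialized)
  sealed=$(json_bool "$1" sealed)
  recovery=$(json_bool "$1" recovery_seal)
  if [ "$init" = true ] && [ "$sealed" = false ] && [ "$recovery" = true ]; then
    echo "vault is initialized and auto-unsealed"
    return 0
  fi
  echo "unexpected seal state: initialized=$init sealed=$sealed recovery_seal=$recovery"
  return 1
}

# Constructed sample (not real output): the fields a healthy server reports
# after initialization, with t=3 and n=5 matching the 3-of-5 recovery key shares.
SAMPLE_STATUS='{"initialized": true, "sealed": false, "t": 3, "n": 5, "recovery_seal": true, "storage_type": "file"}'

# Live use against the pod from the steps above (needs kubectl and cluster access):
#   auto_unseal_ok "$(kubectl exec <vault pod name> -- vault status -format=json)"
auto_unseal_ok "$SAMPLE_STATUS"
```

Note that `vault status` itself exits with code 2 when the server is sealed, so when the live command is wrapped in `kubectl exec` under `set -e` the script stops before the JSON is parsed; the parser is still useful because it distinguishes "sealed" from "never initialized" and from an unseal that did not come through the recovery seal.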