/vault-terraform-demo

Deploy HashiCorp Vault with Terraform in GKE.

Primary LanguageHCLMozilla Public License 2.0MPL-2.0

Vault Terraform Demo

Introduction

This demo will show you how to install Vault on a Kubernetes cluster using the official Helm Chart from HashiCorp and then manage Vault's configuration through Terraform with the Vault provider.

Standing up Kubernetes and Installing Vault

The Terraform code in the terraform-vault-deployment directory stands up a GKE cluster and installs Vault through the official Helm chart.

Example terraform.tfvars:

project            = "jacobmammoliti"
vault_tls_disable  = false
vault_service_type = "LoadBalancer"

Initializing and Unsealing Vault

When a Vault cluster is provisioned, it first needs to be initalized and unsealed. Proceed with the following steps:

If a KMS is not leveraged, you can configure Vault to use the Shamir method to produce unseal keys:

# initalize Vault with one key share and one key threshold
$ kubectl exec -it vault-0 -n vault -- vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: PgfBDMjWLqc+FVVY6+mXFT9kPOy/RUu9WEYS742jktw=

Initial Root Token: s.UvA9TZl4BC3VSjz2hn9PJJUG

Vault initialized with 1 key shares and a key threshold of 1...

# unseal each instance of Vault
$ for i in 0 1 2; do
  kubectl exec -it vault-${i} -n vault -- vault operator unseal PgfBDMjWLqc+FVVY6+mXFT9kPOy/RUu9WEYS742jktw=
done

# verify all pods are running
$ kubectl get pods -n vault
NAME                                   READY   STATUS    RESTARTS   AGE
vault-0                                1/1     Running   0          2m51s
vault-1                                1/1     Running   0          2m51s
vault-2                                1/1     Running   0          2m51s
vault-agent-injector-98dc5c764-77gk9   1/1     Running   0          2m51s

If a KMS is leveraged, the above command looks very similar, however, you provide a recovery key share instead of unseal key.

Note: Recovery keys cannot decrypt the master key and therefore are not able to unseal Vault.

Below are the steps to initialize and unseal the vault.

# initalize Vault with one key share and one key threshold
$ kubectl exec -it vault-0 -n vault -- vault operator init -recovery-shares=1 -recovery-threshold=1
Recovery Key 1: h4lwnpw+W2d9oIMM09PPHj56r58Iw/jDL9IWQDpNFag=

Initial Root Token: s.UvA9TZl4BC3VSjz2hn9PJJUG

...

# verify all pods are running
$ kubectl get pods -n vault
NAME                                   READY   STATUS    RESTARTS   AGE
vault-0                                1/1     Running   0          2m51s
vault-1                                1/1     Running   0          2m51s
vault-2                                1/1     Running   0          2m51s
vault-agent-injector-98dc5c764-77gk9   1/1     Running   0          2m51s