kelseyhightower/vault-on-google-kubernetes-engine kelseyhightower/vault-on-google-kubernetes-engine

  • Stars
    star
    387
  • Rank 107,003 (Top 3 %)
  • Language
    Shell
  • Created about 6 years ago
  • Updated almost 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
kelseyhightower/vault-on-google-kubernetes-engine
github

kelseyhightower

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

How to guide on running HashiCorp's Vault on Google Kubernetes Engine

Vault on Google Kubernetes Engine

This tutorial walks you through provisioning a multi-node HashiCorp Vault cluster on Google Kubernetes Engine.

Cluster Features

  • High Availability - The Vault cluster will be provisioned in multi-server mode for high availability.
  • Google Cloud Storage Storage Backend - Vault's data is persisted in Google Cloud Storage.
  • Production Hardening - Vault is configured and deployed based on the guidance found in the production hardening guide.
  • Auto Initialization and Unsealing - Vault is automatically initialized and unsealed at runtime. Keys are encrypted using Cloud KMS and stored on Google Cloud Storage.

Tutorial

Create a New Project

In this section you will create a new GCP project and enable the APIs required by this tutorial.

Generate a project ID:

PROJECT_ID="vault-$(($(date +%s%d)/1000000))"

Create a new GCP project:

gcloud projects create ${PROJECT_ID} \
  --name "${PROJECT_ID}"

Enable billing on the new project before moving on to the next step.

Enable the GCP APIs required by this tutorial:

gcloud services enable \
  cloudapis.googleapis.com \
  cloudkms.googleapis.com \
  container.googleapis.com \
  containerregistry.googleapis.com \
  iam.googleapis.com \
  --project ${PROJECT_ID}

Set Configuration

COMPUTE_ZONE="us-west1-c"

COMPUTE_REGION="us-west1"

GCS_BUCKET_NAME="${PROJECT_ID}-vault-storage"

KMS_KEY_ID="projects/${PROJECT_ID}/locations/global/keyRings/vault/cryptoKeys/vault-init"

Create KMS Keyring and Crypto Key

In this section you will create a Cloud KMS keyring and cryptographic key suitable for encrypting and decrypting Vault master keys and root tokens.

Create the vault kms keyring:

gcloud kms keyrings create vault \
  --location global \
  --project ${PROJECT_ID}

Create the vault-init encryption key:

gcloud kms keys create vault-init \
  --location global \
  --keyring vault \
  --purpose encryption \
  --project ${PROJECT_ID}

Create a Google Cloud Storage Bucket

Google Cloud Storage is used to persist Vault's data and hold encrypted Vault master keys and root tokens.

Create a GCS bucket:

gsutil mb -p ${PROJECT_ID} gs://${GCS_BUCKET_NAME}

Create the Vault IAM Service Account

An IAM service account is used by Vault to access the GCS bucket and KMS encryption key created in the previous sections.

Create the vault service account:

gcloud iam service-accounts create vault-server \
  --display-name "vault service account" \
  --project ${PROJECT_ID}

Grant access to the vault storage bucket:

gsutil iam ch \
  serviceAccount:vault-server@${PROJECT_ID}.iam.gserviceaccount.com:objectAdmin \
  gs://${GCS_BUCKET_NAME}

gsutil iam ch \
  serviceAccount:vault-server@${PROJECT_ID}.iam.gserviceaccount.com:legacyBucketReader \
  gs://${GCS_BUCKET_NAME}

Grant access to the vault-init KMS encryption key:

gcloud kms keys add-iam-policy-binding \
  vault-init \
  --location global \
  --keyring vault \
  --member serviceAccount:vault-server@${PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project ${PROJECT_ID}

Provision a Kubernetes Cluster

In this section you will provision a three node Kubernetes cluster using Google Kubernetes Engine with access to the vault-server service account across the entire cluster.

Create the vault Kubernetes cluster:

gcloud container clusters create vault \
  --enable-autorepair \
  --machine-type e2-standard-2 \
  --service-account vault-server@${PROJECT_ID}.iam.gserviceaccount.com \
  --num-nodes 3 \
  --zone ${COMPUTE_ZONE} \
  --project ${PROJECT_ID}

Warning: Each node in the vault Kubernetes cluster has access to the vault-server service account. The vault cluster should only be used for running Vault. Other workloads should run on a different cluster and access Vault through an internal or external load balancer.

Provision IP Address

In this section you will create a public IP address that will be used to expose the Vault server to external clients.

Create the vault compute address:

gcloud compute addresses create vault \
  --region ${COMPUTE_REGION} \
  --project ${PROJECT_ID}

Store the vault compute address in an environment variable:

VAULT_LOAD_BALANCER_IP=$(gcloud compute addresses describe vault \
  --region ${COMPUTE_REGION} \
  --project ${PROJECT_ID} \
  --format='value(address)')

Generate TLS Certificates

In this section you will generate the self-signed TLS certificates used to secure communication between Vault clients and servers.

Create a Certificate Authority:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Generate the Vault TLS certificates:

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname="vault,vault.default.svc.cluster.local,localhost,127.0.0.1,${VAULT_LOAD_BALANCER_IP}" \
  -profile=default \
  vault-csr.json | cfssljson -bare vault

Deploy Vault

In this section you will deploy the multi-node Vault cluster using a collection of Kubernetes and application configuration files.

Create the vault secret to hold the Vault TLS certificates:

cat vault.pem ca.pem > vault-combined.pem

kubectl create secret generic vault \
  --from-file=ca.pem \
  --from-file=vault.pem=vault-combined.pem \
  --from-file=vault-key.pem

The vault configmap holds the Google Cloud Platform settings required bootstrap the Vault cluster.

Create the vault configmap:

kubectl create configmap vault \
  --from-literal api-addr=https://${VAULT_LOAD_BALANCER_IP}:8200 \
  --from-literal gcs-bucket-name=${GCS_BUCKET_NAME} \
  --from-literal kms-key-id=${KMS_KEY_ID}

Create the Vault StatefulSet

In this section you will create the vault statefulset used to provision and manage two Vault server instances.

Create the vault statefulset:

kubectl apply -f vault.yaml

service "vault" created
statefulset "vault" created

At this point the multi-node cluster is up and running:

kubectl get pods

NAME      READY     STATUS    RESTARTS   AGE
vault-0   2/2       Running   0          1m
vault-1   2/2       Running   0          1m

Automatic Initialization and Unsealing

In a typical deployment Vault must be initialized and unsealed before it can be used. In our deployment we are using the vault-init container to automate the initialization and unseal steps.

kubectl logs vault-0 -c vault-init

2018/11/03 22:37:35 Starting the vault-init service...
2018/11/03 22:37:35 Get https://127.0.0.1:8200/v1/sys/health: dial tcp 127.0.0.1:8200: connect: connection refused
2018/11/03 22:37:45 Vault is not initialized. Initializing and unsealing...
2018/11/03 22:37:53 Encrypting unseal keys and the root token...
2018/11/03 22:37:53 Unseal keys written to gs://vault-1541283682815-vault-storage/unseal-keys.json.enc
2018/11/03 22:37:53 Root token written to gs://vault-1541283682815-vault-storage/root-token.enc
2018/11/03 22:37:53 Initialization complete.
2018/11/03 22:37:55 Unseal complete.
2018/11/03 22:37:55 Next check in 10s
2018/11/03 22:38:05 Vault is initialized and unsealed.
2018/11/03 22:38:05 Next check in 10s

The vault-init container runs every 10 seconds and ensures each vault instance is automatically unsealed.

Health Checks

A readiness probe is used to ensure Vault instances are not routed traffic when they are sealed.

Sealed Vault instances do not forward or redirect clients even in HA setups.

Expose the Vault Cluster

In this section you will expose the Vault cluster using an external network load balancer.

Generate the vault service configuration:

cat > vault-load-balancer.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
  name: vault-load-balancer
spec:
  type: LoadBalancer
  loadBalancerIP: ${VAULT_LOAD_BALANCER_IP}
  ports:
    - name: http
      port: 8200
    - name: server
      port: 8201
  selector:
    app: vault
EOF

Create the vault-load-balancer service:

kubectl apply -f vault-load-balancer.yaml

Wait until the EXTERNAL-IP is populated:

kubectl get svc vault-load-balancer

NAME                  TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)
vault-load-balancer   LoadBalancer   XX.XX.XXX.XXX   <pending>     8200:31805/TCP,8201:32754/TCP

Smoke Tests

Source the vault.env script to configure the vault CLI to use the Vault cluster via the external load balancer:

source vault.env

Get the status of the Vault cluster:

vault status

Key                    Value
---                    -----
Seal Type              shamir
Initialized            true
Sealed                 false
Total Shares           5
Threshold              3
Version                0.11.4
Cluster Name           vault-cluster-46821b83
Cluster ID             dcd56552-27d0-fa18-4ccc-25b252464971
HA Enabled             true
HA Cluster             https://XX.XX.X.X:8201
HA Mode                standby
Active Node Address    https://XX.XXX.XXX.XX:8200

Logging in

Download and decrypt the root token:

export VAULT_TOKEN=$(gsutil cat gs://${GCS_BUCKET_NAME}/root-token.enc | \
  base64 --decode | \
  gcloud kms decrypt \
    --project ${PROJECT_ID} \
    --location global \
    --keyring vault \
    --key vault-init \
    --ciphertext-file - \
    --plaintext-file - 
)

Working with Secrets

The following examples assume Vault 0.11 or later.

vault secrets enable -version=2 kv

vault kv enable-versioning secret/

vault kv put secret/my-secret my-value=s3cr3t

vault kv get secret/my-secret

Clean Up

Ensure you are working with the right project ID:

echo $PROJECT_ID

Delete the project:

gcloud projects delete ${PROJECT_ID}

More Repositories

1

nocode

The best way to write secure and reliable applications. Write nothing; deploy nowhere.
Dockerfile
59,013
star
2

kubernetes-the-hard-way

Bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
38,169
star
3

confd

Manage local application configuration files using templates and data from etcd or consul
Go
8,274
star
4

envconfig

Golang library for managing configuration data from environment variables
Go
4,881
star
5

kube-cert-manager

Manage Lets Encrypt certificates for a Kubernetes cluster.
Go
1,087
star
6

intro-to-kubernetes-workshop

Intro to Kubernetes Workshop
1,016
star
7

pipeline

A step by step guide on creating build and deployment pipelines for Kubernetes.
747
star
8

consul-on-kubernetes

Running HashiCorp's Consul on Kubernetes
Shell
598
star
9

konfd

Manage application configuration using Kubernetes secrets, configmaps, and Go templates.
Go
494
star
10

kubernetes-cluster-federation

Kubernetes cluster federation tutorial
458
star
11

vault-controller

Automate the creation of unique Vault tokens for Kubernetes Pods using init containers.
Go
448
star
12

compose2kube

Convert docker-compose service files to Kubernetes objects.
Go
417
star
13

serverless-vault-with-cloud-run

Guide to running Vault on Cloud Run
Shell
392
star
14

app

Example 12 Facter App
Go
379
star
15

terminus

Get facts about a Linux system.
Go
361
star
16

nomad-on-kubernetes

Tutorial on running Nomad on Kubernetes.
Shell
342
star
17

istio-ingress-tutorial

How to run the Istio Ingress Controller on Kubernetes
Shell
322
star
18

kubernetes-initializer-tutorial

Hands-on tutorial for building and deploying Kubernetes Initializers.
Go
321
star
19

kubestack

Manage Kubernetes with Packer and Terraform on Google Compute Engine.
297
star
20

grpc-hello-service

grpc examples
Go
272
star
21

coreos-ipxe-server

CoreOS iPXE server
Go
218
star
22

kubernetes-redis-cluster

Kubernetes Redis Cluster configs and tutorial
Shell
215
star
23

standalone-kubelet-tutorial

Standalone Kubelet Tutorial
Go
204
star
24

grafeas-tutorial

A step by step guide for getting started with Grafeas and Kubernetes.
Go
191
star
25

docker-kubernetes-tls-guide

Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL
191
star
26

google-cloud-functions-go

Google Cloud Function tutorial and hacks to enable the use of Go.
Go
180
star
27

helloworld

Go
180
star
28

scheduler

Toy Kubernetes Scheduler
Go
174
star
29

craft-kubernetes-workshop

Craft Kubernetes Workshop
Shell
172
star
30

ingress-with-static-ip

Tutorial on creating a Kubernetes Ingress Resource with a Static IP Address in GCP or GKE
165
star
31

mesh

Cloud native service mesh for the rest of us.
160
star
32

lobsters-on-kubernetes

Lobsters, the Hacker News clone, on Kubernetes
Shell
156
star
33

denyenv-validating-admission-webhook

An Kubernetes validating admission webhook that rejects pods that use environment variables.
JavaScript
154
star
34

vault-init

Automate the initialization and unsealing of HashiCorp Vault on Google Cloud Platform.
Go
151
star
35

certificate-init-container

Bootstrap TLS certificates for Pods using the Kubernetes certificates API.
Go
146
star
36

kubeadm-single-node-cluster

How to bootstrap a single-node Kubernetes cluster on Google Compute Engine using kubeadm.
Shell
140
star
37

hashiapp

Demo 12 Factor application that utilizes Hashicorp tools.
Go
134
star
38

kubernetes-envoy-sds

Kubernetes Envoy Service Discovery Service.
Go
133
star
39

setup-network-environment

Create an environment file with system networking information.
Go
131
star
40

kargo

Go
125
star
41

contributors

Display GitHub contributors for a specific repo.
Go
123
star
42

self-deploying-hello-universe

What if applications could deploy themselves?
Go
123
star
43

konfig

Go
119
star
44

event-gateway-on-kubernetes

How to guide on running Serverless.com's Event Gateway on Kubernetes
Go
119
star
45

gke-service-accounts-tutorial

A tutorial on using Google Cloud service account with Google Container Engine (GKE).
Go
109
star
46

run

Package run provides helper functions for building Cloud Run applications.
Go
107
star
47

hashiconf-eu-2016

HashiConf EU 2016
Shell
106
star
48

talks

Shell
99
star
49

badger

Generate build status images for Google Cloud Build
Go
98
star
50

riff-tutorial

How-to guide for testing the riff FaaS platform and Istio on Google Kubernetes Engine.
Go
97
star
51

cri-o-tutorial

A guided tutorial for the cri-o (ocid) Kubernetes container runtime.
95
star
52

lambda-on-cloud-run

Tutorial: Running Lambda Functions on Cloud Run
Dockerfile
83
star
53

gophercon-2018

Kelsey's GopherCon 2018 Keynote: Going Serverless
Go
72
star
54

12-fractured-apps

Example code for the 12 Fractured Apps blog posts.
Go
71
star
55

etcd-production-setup

Setting up etcd to run in production.
69
star
56

cmd-tutorial

68
star
57

oscon-2017-kubernetes-tutorial

OSCON 2017 Kubernetes Tutorial
68
star
58

jira-on-kubernetes

Notes: Running Atlassian's Jira on Kubernetes
67
star
59

conf2kube

conf2kube can read and create Kubernetes secrets based on the contents of configuration files.
Go
64
star
60

endpoints

Kubernetes endpoints load balancer.
Go
62
star
61

oscon-metrics-tutorial

OSCON Metrics Tutorial
60
star
62

echo

echo prints the first positional argument to stdout
Assembly
59
star
63

memkv

Simple in-memory key/value store backed by a map
Go
58
star
64

motorboat

Dynamically sync Nginx Plus backends from Kubernetes service endpoints.
Go
57
star
65

app-healthz

Example app with a healthz endpoint
Go
55
star
66

dynamic-ports-tutorial

A prototype of using dynamic ports with Kubernetes.
Go
54
star
67

ipxed

Web interface and api for ipxed
Go
51
star
68

helloworld-infrastructure-production

51
star
69

intro-to-go-workshop

Intro to Go Workshop
Go
50
star
70

pipeline-application

Go
48
star
71

reposync

Sync GitHub and Google Cloud Source Repos
Go
45
star
72

journal-2-logentries

Ship systemd journal entries to logentries.com
Go
45
star
73

pm

Package manager
Go
44
star
74

time

Educational package to teach aspiring programmers about history through the lens of time.
Go
44
star
75

container-instance-metadata-server

Cloud Run Container Instance Metadata Server Emulator
Go
41
star
76

kube

Basic single node Kubernetes using a bash script.
Shell
40
star
77

helloworld-infrastructure-staging

36
star
78

gcscache

GCS Cache implements the autocet.Cache interface using Google Cloud Storage.
Go
35
star
79

helloworld-infrastructure-qa

35
star
80

memq

In memory message queue prototype.
Go
32
star
81

kubestack-solo

Create a single node Kubernetes image for local testing with VMware Fusion.
32
star
82

jsonrpc-server

Complete example on using net/rpc over HTTP with the jsonrpc encoding
Go
32
star
83

opa-on-cloud-run

Tutorial: Open Policy Agent on Cloud Run
Shell
31
star
84

confidence

Example application which demonstrates various configuration options for modern applications.
Go
30
star
85

cloud-functions-min-instances-tutorial

Cloud Functions Min Instances Tutorial
Go
30
star
86

hello-cuelang

Learning CUE in public
Go
29
star
87

kube-rsa

Generate self-signed TLS certificates for Kubernetes
Go
29
star
88

kur

Kubernetes Up and Running
Shell
28
star
89

echod

A small echo server written in x86-32 asm
Assembly
28
star
90

redis-enterprise-on-kubernetes

How to deploy Redis Enterprise on Kubernetes
Shell
27
star
91

kubernetes-letsencrypt-tutorial

WIP: Kubernetes Lets Encrypt Tutorial
Go
27
star
92

krane

Convert Google Compute Engine (GCE) autoscaling instance groups to Kubernetes autoscaling deployments.
Go
27
star
93

twelve

Go
26
star
94

buildinfo

Go
25
star
95

etcd-pod-gen

Generate etcd pod specs for running under the Kubernetes Kubelet
Go
24
star
96

istio-initializer

Kubernetes Initializer that injects the Istio sidecar into pods.
Go
24
star
97

config-connector-policy-demo

Kubernetes Config Connector Policy Demo.
Open Policy Agent
24
star
98

dialogflow

The best way to create Dialogflow webhooks in Go.
Go
23
star
99

functions

Google Cloud Functions Helpers
Go
23
star
100

terraform-kcc-demo

Terraform KCC Demo
Shell
22
star