doc: update helm doc to include init/unseal (#7955)

* doc: update helm doc to include init/unseal * Update website/source/docs/platform/k8s/run.html.md Co-Authored-By: Clint <catsby@users.noreply.github.com> * Update website/source/docs/platform/k8s/run.html.md Co-Authored-By: Clint <catsby@users.noreply.github.com> * Clarify vault helm default note
2019-12-02 15:51:51 -05:00 · 2019-12-02 15:51:51 -05:00 · a988d0367d
parent 404b064cce
commit a988d0367d
1 changed files with 27 additions and 4 deletions
--- a/website/source/docs/platform/k8s/run.html.md
+++ b/website/source/docs/platform/k8s/run.html.md
@ -67,7 +67,25 @@ $ helm install --name vault ./
 ...
 ```

-_That's it._ The Helm chart does everything to setup a Vault-on-Kubernetes deployment.
+!> **IMPORTANT NOTE:** Vault Helm will not initialize and unseal Vault automatically.  
+Initialization is required after installation followed by unsealing.  Vault can be 
+configured to auto-unseal using KMS providers such as 
+[Google Cloud Platform](/docs/platform/k8s/run.html#google-kms-auto-unseal).  This 
+allows the pods to auto unseal if they're rescheduled in Kubernetes.
+
+If standalone or HA mode are being used, the Vault pods must be initialized and unsealed.  
+For HA deployments, only one of the Vault pods needs to be initialized.
+
+```sh
+$ kubectl exec -ti vault-0 -- vault operator init
+$ kubectl exec -ti vault-0 -- vault operator unseal
+```
+
+For HA deployments, unseal the remaining pods:
+
+```sh
+$ kubectl exec -ti <NAME OF POD> -- vault operator unseal
+```

 ### Viewing the Vault UI

@ -176,10 +194,12 @@ cluster is now upgraded!

 #### Google KMS Auto Unseal

+The following example demonstrates configuring Vault Helm to use 
+[Google KMS for Auto Unseal](/docs/configuration/seal/gcpckms.html).
+
 In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials.  The `credentials.json` 
 file will need to be mounted as a secret to the Vault container.

-
 ##### Create the Secret

 First, create the secret in Kubernetes:
@ -201,7 +221,7 @@ global:

 server:
  extraEnvironmentVars:
-    GOOGLE_REGION: <REGION WHERE KMS IS LOCATED>
+    GOOGLE_REGION: global
    GOOGLE_PROJECT: <PROJECT NAME>
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json

@ -224,7 +244,7 @@ server:

      seal "gcpckms" {
        project     = "<NAME OF PROJECT>"
-        region      = "<NAME OF REGION>"
+        region      = "global"
        key_ring    = "<NAME OF KEYRING>"
        crypto_key  = "<NAME OF KEY>"
      }
@ -237,6 +257,9 @@ server:

 #### Amazon EKS Auto Unseal

+The following example demonstrates configuring Vault Helm to use 
+[AWS EKS for Auto Unseal](/docs/configuration/seal/awskms.html).
+
 In order to authenticate and use EKS in AWS, Vault Helm needs credentials.  The AWS access key 
 ID and key will be mounted as secret environment variables in the Vault pods.