doc: update helm doc to include init/unseal (#7955)

* doc: update helm doc to include init/unseal

* Update website/source/docs/platform/k8s/run.html.md

Co-Authored-By: Clint <catsby@users.noreply.github.com>

* Update website/source/docs/platform/k8s/run.html.md

Co-Authored-By: Clint <catsby@users.noreply.github.com>

* Clarify vault helm default note
Jason O'Donnell 2019-12-02 15:51:51 -05:00 committed by GitHub
parent 404b064cce
commit a988d0367d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -67,7 +67,25 @@ $ helm install --name vault ./
... ...
``` ```
_That's it._ The Helm chart does everything to setup a Vault-on-Kubernetes deployment. !> **IMPORTANT NOTE:** Vault Helm will not initialize and unseal Vault automatically.
Initialization is required after installation followed by unsealing. Vault can be
configured to auto-unseal using KMS providers such as
[Google Cloud Platform](/docs/platform/k8s/run.html#google-kms-auto-unseal). This
allows the pods to auto unseal if they're rescheduled in Kubernetes.
If standalone or HA mode are being used, the Vault pods must be initialized and unsealed.
For HA deployments, only one of the Vault pods needs to be initialized.
```sh
$ kubectl exec -ti vault-0 -- vault operator init
$ kubectl exec -ti vault-0 -- vault operator unseal
```
For HA deployments, unseal the remaining pods:
```sh
$ kubectl exec -ti <NAME OF POD> -- vault operator unseal
```
### Viewing the Vault UI ### Viewing the Vault UI
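Review bot: the unseal step understates the procedure. With the default `vault operator init` settings (5 key shares, threshold 3), `vault operator unseal` has to be run once per distinct unseal key until the threshold is reached, so the single `kubectl exec -ti vault-0 -- vault operator unseal` line should say it is repeated with different keys, and the same applies to the "unseal the remaining pods" command. The text should also tell the reader that the `init` output contains the unseal keys and the initial root token and must be stored securely before continuing. Minor wording in the added lines: "If standalone or HA mode are being used" should be "is being used", and "does everything to setup" should be "to set up".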
@ -176,10 +194,12 @@ cluster is now upgraded!
#### Google KMS Auto Unseal #### Google KMS Auto Unseal
The following example demonstrates configuring Vault Helm to use
[Google KMS for Auto Unseal](/docs/configuration/seal/gcpckms.html).
In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials. The `credentials.json` In order to authenticate and use KMS in Google Cloud, Vault Helm needs credentials. The `credentials.json`
file will need to be mounted as a secret to the Vault container. file will need to be mounted as a secret to the Vault container.
##### Create the Secret ##### Create the Secret
First, create the secret in Kubernetes: First, create the secret in Kubernetes:
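Review bot: the new intro sentence links to the seal documentation, but the section still says nothing about what `credentials.json` grants. Suggest one sentence stating that the service account behind that file should hold only encrypt/decrypt permission on the specific KMS key used for the seal, since the secret is mounted into every Vault pod.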
@ -201,7 +221,7 @@ global:
server: server:
extraEnvironmentVars: extraEnvironmentVars:
GOOGLE_REGION: <REGION WHERE KMS IS LOCATED> GOOGLE_REGION: global
GOOGLE_PROJECT: <PROJECT NAME> GOOGLE_PROJECT: <PROJECT NAME>
GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
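Review bot: replacing the `<REGION WHERE KMS IS LOCATED>` placeholder with `GOOGLE_REGION: global` makes the example silently wrong for anyone whose key ring was created in a regional location; the value has to match the key ring's location. If `global` stays as the example value, add a comment next to it (for example `GOOGLE_REGION: global # must match the location of the KMS key ring`); otherwise keep the placeholder.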
@ -224,7 +244,7 @@ server:
seal "gcpckms" { seal "gcpckms" {
project = "<NAME OF PROJECT>" project = "<NAME OF PROJECT>"
region = "<NAME OF REGION>" region = "global"
key_ring = "<NAME OF KEYRING>" key_ring = "<NAME OF KEYRING>"
crypto_key = "<NAME OF KEY>" crypto_key = "<NAME OF KEY>"
} }
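Review bot: `region = "global"` is now a concrete value while `project`, `key_ring` and `crypto_key` in the same stanza remain `<...>` placeholders, which reads as if `global` were the only valid choice. Either keep `<NAME OF REGION>` for consistency with the other fields, or note that the value must equal the key ring's location and agree with the `GOOGLE_REGION` environment variable set on the pod.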
@ -237,6 +257,9 @@ server:
#### Amazon EKS Auto Unseal #### Amazon EKS Auto Unseal
The following example demonstrates configuring Vault Helm to use
[AWS EKS for Auto Unseal](/docs/configuration/seal/awskms.html).
In order to authenticate and use EKS in AWS, Vault Helm needs credentials. The AWS access key In order to authenticate and use EKS in AWS, Vault Helm needs credentials. The AWS access key
ID and key will be mounted as secret environment variables in the Vault pods. ID and key will be mounted as secret environment variables in the Vault pods.
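Review bot: the link text "AWS EKS for Auto Unseal" and the sentence "authenticate and use EKS in AWS" name the wrong service; the seal is AWS KMS (the link target is `/docs/configuration/seal/awskms.html`), while EKS is the managed Kubernetes service. Suggest "AWS KMS for Auto Unseal" and "use KMS in AWS". Since the surrounding text describes a long-lived access key ID and secret placed in pod environment variables, it is also worth a sentence that the key should be limited to encrypt/decrypt on the seal key and rotated, or that the AWS SDK's standard credential chain (for example an instance profile) can be used instead where available.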