
Autounseal Vault with GCP KMS

I would like to use the Vault auto-unseal mechanism with GCP KMS.

I have been following this tutorial (section: 'Google KMS Auto Unseal') and applying the official HashiCorp Helm chart with the following values:

global:
  enabled: true

server:
  logLevel: "debug"
  injector:
    logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: ESGI-projects
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json

  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "ESGI-projects"
        region      = "global"
        key_ring    = "gitter"
        crypto_key  = "vault-helm-unseal-key"
      }

      storage "raft" {
        path = "/vault/data"
      }

I have created a kms-creds secret with the JSON credentials for a service account (I have tried with the Cloud KMS Service Agent and Owner roles, but none of them work).

Here are the keys in my key ring:

[screenshot: keys in the key ring]

My cluster is just a local cluster created with kind.

On the first replica of the Vault server all seems OK (though it is not running):

[screenshot: first replica output]

And on the two others I get the usual message saying that the vault is sealed:

[screenshot: output of the other two replicas]

Any idea what could be wrong? Should I create one key for each replica?

OK, I have succeeded in setting up Vault with auto-unseal! What I did:

  • Changed the project (the project ID was required, not the name)

  • Disabled raft (raft.enabled: false)

  • Moved the backend to Google Cloud Storage, adding to the config:

storage "gcs" {
  bucket     = "gitter-secrets"
  ha_enabled = "true"
}

ha_enabled = "true" was compulsory (with a regional bucket).

My final Helm values are:

global:
  enabled: true

server:
  logLevel: "debug"
  injector:
    logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: esgi-projects-354109
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: false
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "esgi-projects-354109"
        region      = "global"
        key_ring    = "gitter"
        crypto_key  = "vault-helm-unseal-key"
      }

      storage "gcs" {
        bucket = "gitter-secrets"
        ha_enabled    = "true"
      }

Using a service account with the permissions:

  • Cloud KMS CryptoKey Encrypter/Decrypter
  • Storage Object Admin on the gitter-secrets bucket only

I had an issue at first: vault-0 needed a vault operator init to be run. After trying several things (post-install hooks among others) and coming back to the initial state, the pods were unsealing normally without running anything.
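The answer above works around the problem by switching from Raft to GCS. Raft can be kept with the same gcpckms seal, provided the seal stanza lands where the chart actually renders it: when server.ha.raft.enabled is true the vault-helm chart uses server.ha.raft.config and ignores server.ha.config (and injector is a top-level key, not a child of server). The values below are an added example, not the poster's final values or HashiCorp's own sample. They assume the hashicorp/vault chart installed with release name vault (which is what the vault-internal headless service name depends on), the project ID, key ring, key and kms-creds secret from the post, and a service account that holds only Cloud KMS CryptoKey Encrypter/Decrypter, bound on the key itself rather than the project.

```yaml
# Added example (not the original poster's values): Raft-backed HA with the
# gcpckms seal, for the hashicorp/vault Helm chart. Names reused from the post;
# the release name "vault" and the vault-internal service are assumptions.
global:
  enabled: true

injector:               # top-level in the chart; nested under server: it is ignored
  logLevel: "debug"

server:
  logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: esgi-projects-354109
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
  extraVolumes:
    - type: secret
      name: kms-creds   # Kubernetes secret holding the service-account JSON key
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true   # use the pod name as the raft node_id
      # With raft.enabled the chart renders ha.raft.config, not ha.config,
      # so the seal stanza has to live here or auto-unseal never gets configured.
      config: |
        ui = true

        listener "tcp" {
          tls_disable     = 1        # plaintext is acceptable on a local kind cluster only
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        seal "gcpckms" {
          project    = "esgi-projects-354109"   # project ID, not display name
          region     = "global"
          key_ring   = "gitter"
          crypto_key = "vault-helm-unseal-key"
        }

        storage "raft" {
          path = "/vault/data"
          # Assumes release name "vault": the chart creates the vault-internal
          # headless service, so followers can find vault-0 without manual joins.
          retry_join {
            leader_api_addr = "http://vault-0.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-1.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-2.vault-internal:8200"
          }
        }

        service_registration "kubernetes" {}
```

Two caveats match what the poster saw. Auto-unseal does not replace initialization: a fresh cluster still needs one vault operator init against vault-0, which with a KMS seal hands back recovery keys instead of unseal keys; until then every pod reports sealed, which is the "normal message" on the other replicas. After init, vault-1 and vault-2 join via retry_join and are unsealed by KMS on every restart, so one key for all replicas is correct; one key per replica is not needed. The JSON key in kms-creds is a long-lived credential that can decrypt the root key, so keep the role binding on that single crypto key and rotate the key file; on GKE, Workload Identity would remove the file entirely.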
