Vault auto unseal with GCP KMS

Posted 2025-02-09 16:41:40, 1803 characters, 1 view, 0 comments


I would like to use auto unseal vault mechanism using the GCP KMS.

I have been following this tutorial (section: 'Google KMS Auto Unseal') and applying the official HashiCorp Helm chart with the following values:

global:
  enabled: true

server:
  logLevel: "debug"
  injector:
    logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: ESGI-projects
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json

  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "ESGI-projects"
        region      = "global"
        key_ring    = "gitter"
        crypto_key  = "vault-helm-unseal-key"
      }

      storage "raft" {
        path = "/vault/data"
      }

I have created a kms-creds secret with the JSON credentials for a service account (I have tried with the Cloud KMS Service Agent and Owner roles, but neither of them works).

Here are the keys in my key ring:

[screenshot: keys in the key ring]

My cluster is just a local cluster created with kind.

On the first replica of the Vault server all seems OK (but it is not running, though):

[screenshot: first replica]

And on the two others I got the normal message claiming that the vault is sealed:

[screenshot: the two other replicas]

Any idea what could be wrong? Should I create one key for each replica?


Comments (1)

柠檬 2025-02-16 16:41:40


OK well, I have succeeded in setting up Vault with auto unseal!
What I did:

  • I changed the project (the ID was required, not the name)

  • I disabled Raft (raft.enabled: false)

  • I moved the backend to Google Cloud Storage, adding to the config:

storage "gcs" {
  bucket     = "gitter-secrets"
  ha_enabled = "true"
}

ha_enabled = "true" was compulsory (with a regional bucket)

My final Helm values are:

global:
  enabled: true

server:
  logLevel: "debug"
  injector:
    logLevel: "debug"
  extraEnvironmentVars:
    GOOGLE_REGION: global
    GOOGLE_PROJECT: esgi-projects-354109
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: false
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "esgi-projects-354109"
        region      = "global"
        key_ring    = "gitter"
        crypto_key  = "vault-helm-unseal-key"
      }

      storage "gcs" {
        bucket = "gitter-secrets"
        ha_enabled    = "true"
      }

Using a service account with permissions:

  • Cloud KMS CryptoKey Encrypter/Decrypter
  • Storage Object Admin Permission on gitter-secrets only

I had an issue at first: vault-0 needed to run a vault operator init. After trying several things (post-install hooks among others) and coming back to the initial state, the pods were unsealing normally without running anything.
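The two mistakes surfaced in this thread (a project display name where a project ID was required, and a project-wide Owner grant where a key-scoped Encrypter/Decrypter grant is enough) are both visible in the server config before anything is deployed. Below is an added pre-flight checker, not code from the question, the answer or HashiCorp: it parses the `seal "gcpckms"` stanza out of the Helm `config` HCL, validates the project ID and KMS name formats, flags `tls_disable`, checks `ha_enabled` on a GCS backend, builds the full Cloud KMS key resource name Vault will call, and emits the `gcloud kms keys add-iam-policy-binding` command that grants Encrypter/Decrypter on that one key only. The sample configs are constructed from the stanzas posted above; the service account email is a placeholder, and the checker verifies shape only, not that the key or IAM binding actually exists.

```python
"""Pre-flight checks for a Vault `seal "gcpckms"` stanza, run before deploying the chart."""
import re

# GCP project IDs are 6-30 chars of lowercase letters, digits and hyphens, start with a
# letter and do not end in a hyphen. A display name such as "ESGI-projects" is not an ID.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Key ring and crypto key names: letters, digits, underscores and hyphens, at most 63 chars.
KMS_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
SEAL_KEYS = ("project", "region", "key_ring", "crypto_key")


def parse_block(hcl: str, header: str) -> dict:
    """Return the key = value pairs of the first `<header> { ... }` block (no nesting)."""
    match = re.search(re.escape(header) + r"\s*\{(.*?)\}", hcl, re.S)
    if not match:
        return {}
    pairs = re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', match.group(1), re.M)
    return dict(pairs)


def kms_key_resource(seal: dict) -> str:
    """Full resource name of the key Vault will call Encrypt/Decrypt on."""
    return ("projects/{project}/locations/{region}/keyRings/{key_ring}"
            "/cryptoKeys/{crypto_key}").format(**seal)


def key_level_grant(seal: dict, service_account: str) -> list:
    """gcloud argv granting Encrypter/Decrypter on this one key instead of Owner on the project."""
    return ["gcloud", "kms", "keys", "add-iam-policy-binding", seal["crypto_key"],
            "--keyring", seal["key_ring"], "--location", seal["region"],
            "--project", seal["project"],
            "--member", f"serviceAccount:{service_account}",
            "--role", "roles/cloudkms.cryptoKeyEncrypterDecrypter"]


def check_config(hcl: str) -> list:
    """Return findings for the server config HCL; an empty list means nothing obviously wrong."""
    seal = parse_block(hcl, 'seal "gcpckms"')
    if not seal:
        return ['no seal "gcpckms" stanza found']
    findings = [f"seal: {key} is missing" for key in SEAL_KEYS if key not in seal]
    if findings:
        return findings
    if not PROJECT_ID_RE.match(seal["project"]):
        findings.append(f"seal.project {seal['project']!r} is not a project ID "
                        "(IDs are lowercase; this looks like the display name)")
    if seal["region"] != seal["region"].lower():
        findings.append(f"seal.region {seal['region']!r} must be a lowercase KMS location")
    for key in ("key_ring", "crypto_key"):
        if not KMS_NAME_RE.match(seal[key]):
            findings.append(f"seal.{key} {seal[key]!r} is not a valid Cloud KMS name")
    listener = parse_block(hcl, 'listener "tcp"')
    if listener.get("tls_disable") in ("1", "true"):
        findings.append("listener: tls_disable is set, so the API and cluster ports are plaintext")
    gcs = parse_block(hcl, 'storage "gcs"')
    if gcs and gcs.get("ha_enabled", "").lower() != "true":
        findings.append('storage gcs: ha_enabled = "true" is required for an HA cluster')
    return findings


# Constructed samples: the server config from the question (project display name, Raft)
# and, derived from it, the one from the answer (project ID, GCS storage with ha_enabled).
QUESTION_CONFIG = '''
ui = true

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

seal "gcpckms" {
  project     = "ESGI-projects"
  region      = "global"
  key_ring    = "gitter"
  crypto_key  = "vault-helm-unseal-key"
}

storage "raft" {
  path = "/vault/data"
}
'''
ANSWER_CONFIG = QUESTION_CONFIG.replace('"ESGI-projects"', '"esgi-projects-354109"').replace(
    'storage "raft" {\n  path = "/vault/data"\n}',
    'storage "gcs" {\n  bucket = "gitter-secrets"\n  ha_enabled = "true"\n}')

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(f"{name}: {check_config(cfg) or ['ok']}")
    seal = parse_block(ANSWER_CONFIG, 'seal "gcpckms"')
    print(kms_key_resource(seal))
    # Placeholder email; substitute the service account whose JSON key is in the kms-creds secret.
    print(" ".join(key_level_grant(seal, "vault-unseal@esgi-projects-354109.iam.gserviceaccount.com")))
```

Run it against the `config` block of your own values file: the question's stanza yields two findings (display name as project, plaintext listener), the answer's stanza only the `tls_disable` one. The printed `gcloud` command is the key-scoped alternative to the Owner role tried in the question; it is a real `gcloud kms keys add-iam-policy-binding` invocation, and the resource name printed before it is what to compare against `gcloud kms keys list --keyring gitter --location global` when the seal still fails.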
