This document contains the steps needed to initialize an existing Vault instance and to obtain the role_id and app_id needed for Garden Enterprise.
At this point, you should already have a Vault instance running that you can connect to.
Setting up Vault JWT Authentication
The commands below should be run from a host that has access to Vault, not in the Vault instance itself.
After going through the these steps, you'll have the Vault App ID and Vault Secret ID that Garden Enterprise needs. These values are provided to Garden Enterprise via the admin console during the installation process.
Connect to Vault
How you connect to Vault depends on your set up. In what follows, we'll assume you're coming here from Initialize Bundled Vault
Assuming you have the kubectl context set to that of the Garden Enterprise cluster, run:
Copy kubectl --namespace garden-enterprise port-forward svc/prod-charts-vault 8200:8200 Note: If you're installing Garden Enterprise into a namespace other than the default garden-enterprise, use that namespace name instead.
Set Environment
Export the following environment variables:
Copy export VAULT_SKIP_VERIFY=TRUE
export VAULT_ADDR=http://localhost:8200 Note: If you're not connecting to Vault over a port-forward as described in Connect to Vault step above, you may need to set a different VAULT_ADDR.
To verify that everything works, try running:
You should see a response like:
Copy Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: x.y.z
Cluster Name: vault-cluster-49ffd45f
Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205
High-Availability Enabled: false Initialize Vault
Run:
You should get a response like:
Copy Recovery Key 1: /4+9fBQXFjjwWZiTHr96Xz**********************
Recovery Key 2: Xqc0bUNTKXVaQiKR73HyLj**********************
Recovery Key 3: hwOB4Hw5jVEgxf+LbnnGpf**********************
Recovery Key 4: pi0v0uUWUmjlQiyJvHalIi**********************
Recovery Key 5: iGAmfc9zyTuOAfC01rvvVA**********************
Initial Root Token: s.hf9vNpHLWS8*************
Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above. Add Root Token to Environment
Export the root token from the step above by running:
Copy export VAULT_TOKEN=<root-token> Enable JWT Auth
Run:
Copy vault auth enable jwt Write JWT Public Key
Write the JWT private key you created for the Garden Enterprise installation (see the Prepare Environment Variables
Copy vault write auth/jwt/config jwt_validation_pubkeys=@cert.pem Write Policy
Create a file called policy.hcl and add the following to it:
Copy path "/sys/mounts" {
capabilities = ["create", "read", "update", "list"]
}
path "/sys/mounts/*" {
capabilities = ["create", "read", "update", "list"]
}
path "/sys/policy/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "/auth/jwt/role/*" {
capabilities = ["create", "read", "update", "delete", "list"]
} and then run:
Copy vault policy write garden-enterprise policy.hcl Enable App Role
Run:
Copy vault auth enable approle Update App Role
Run:
Copy curl --insecure -X PUT \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H "x-vault-token: ${VAULT_TOKEN}" \
-d '{
"role_name":"garden-enterprise-approle",
"bind_secret_id": true,
"token_no_default_policy": true,
"policies":["garden-enterprise"]
}' Here, we're using the environment variables set in the Set Environment step above, and the app role we enabled in the previous step.
Get App Role ID
Run:
Copy curl --insecure -X GET \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/role-id \
-H 'cache-control: no-cache' \
-H "x-vault-token: ${VAULT_TOKEN}" ...and make note of the role_id in the response.
Example response:
Copy {"request_id":"37c93ba5-c05f-1fb8-b82f-bdaf9ad75048","lease_id":"","renewable":false,"lease_duration":0,"data":{"role_id":"a5f945ec-2dd1-557c-ae50-aa9c62e000b5"},"wrap_info":null,"warnings":null,"auth":null} Create Secret
Run:
Copy curl --insecure -X POST \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/secret-id \
-H 'cache-control: no-cache' \
-H "x-vault-token: ${VAULT_TOKEN}" ...and make note of the secret_id in the response.
Example response:
Copy {"request_id":"cf9b1d37-a2a9-bf8c-76eb-81eb6d16bb45","lease_id":"","renewable":false,"lease_duration":0,"data":{"secret_id":"33481814-06c1-fb40-e61b-baebf9257c61","secret_id_accessor":"9c367c60-1acb-5918-8479-9aa4a2281b37"},"wrap_info":null,"warnings":null,"auth":null} Add App Role ID and Secret ID to Admin Console
Add the app role ID and secret ID from the steps above to the Garden Enterprise admin console. If you came here from the Initialize Bundled Vault
