Vault

This document describes the steps needed to initialize an existing Vault instance and to obtain the role_id and secret_id that Garden Enterprise needs.

At this point, you should already have a Vault instance running that you can connect to.

Setting up Vault JWT Authentication

The commands below should be run from a host that has access to Vault, not in the Vault instance itself.

After going through these steps, you'll have the Vault App Role ID and Vault Secret ID that Garden Enterprise needs. These values are provided to Garden Enterprise via the admin console during the installation process.

Connect to Vault

How you connect to Vault depends on your setup. In what follows, we'll assume you're coming here from the Initialize Bundled Vault step of our installation guide and that you will connect to Vault via a kubectl port-forward.

Assuming you have the kubectl context set to that of the Garden Enterprise cluster, run:

kubectl --namespace garden-enterprise port-forward svc/prod-charts-vault 8200:8200

Note: If you're installing Garden Enterprise into a namespace other than the default garden-enterprise, use that namespace name instead.

Set Environment

Export the following environment variables:

export VAULT_SKIP_VERIFY=TRUE
export VAULT_ADDR=http://localhost:8200

Note: If you're not connecting to Vault over a port-forward as described in the Connect to Vault step above, you may need to set a different VAULT_ADDR.

To verify that everything works, try running:

vault status

You should see a response like:

Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: x.y.z
Cluster Name: vault-cluster-49ffd45f
Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205

High-Availability Enabled: false

Initialize Vault

Run:

vault operator init

You should get a response like:

Recovery Key 1: /4+9fBQXFjjwWZiTHr96Xz**********************
Recovery Key 2: Xqc0bUNTKXVaQiKR73HyLj**********************
Recovery Key 3: hwOB4Hw5jVEgxf+LbnnGpf**********************
Recovery Key 4: pi0v0uUWUmjlQiyJvHalIi**********************
Recovery Key 5: iGAmfc9zyTuOAfC01rvvVA**********************

Initial Root Token: s.hf9vNpHLWS8*************

Success! Vault is initialized

Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.

Add Root Token to Environment

Export the root token from the step above by running:

export VAULT_TOKEN=<root-token>

Enable JWT Auth

Run:

vault auth enable jwt

Write JWT Public Key

Write the public key that corresponds to the JWT private key you created for the Garden Enterprise installation (see the Prepare Environment Variables step of the installation guide). Vault only needs the public half to validate the tokens Garden Enterprise presents; the private key stays with Garden Enterprise and is never written to Vault. In the command below, cert.pem is the PEM-encoded public key file.

vault write auth/jwt/config jwt_validation_pubkeys=@cert.pem

Write Policy

Create a file called policy.hcl and add the following to it:

path "/sys/mounts" {
  capabilities = ["create", "read", "update", "list"]
}

path "/sys/mounts/*" {
  capabilities = ["create", "read", "update", "list"]
}

path "/sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "/auth/jwt/role/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

and then run:

vault policy write garden-enterprise policy.hcl

Enable App Role

Run:

vault auth enable approle

Update App Role

Run:

curl --insecure -X PUT \
  ${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H "x-vault-token: ${VAULT_TOKEN}" \
  -d '{
    "role_name": "garden-enterprise-approle",
    "bind_secret_id": true,
    "token_no_default_policy": true,
    "policies": ["garden-enterprise"]
  }'

Here, we're using the VAULT_ADDR and VAULT_TOKEN environment variables set in the Set Environment and Add Root Token to Environment steps above, and the AppRole auth method we enabled in the previous step. With bind_secret_id set, a login requires both the role ID and a secret ID, and with token_no_default_policy set, the tokens issued through this role carry only the garden-enterprise policy written earlier.
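Because the tokens issued through this AppRole carry exactly the garden-enterprise policy, it is worth checking what such a token can and cannot do before handing the credentials over. The following is an added example (not Garden Enterprise or HashiCorp code) that evaluates the page's policy.hcl against sample request paths; it models only the subset of Vault policy syntax used here (trailing "*" prefix globs, exact matches, exact-match-over-longest-prefix precedence, "deny") and is not a substitute for Vault's own ACL engine.

```python
"""Simplified evaluator for the policy.hcl on this page (added example, not
Garden Enterprise or HashiCorp code). Handles only: path "<p>" { capabilities =
[...] } blocks, trailing "*" as prefix glob, exact match beats longest glob."""
import re

# The policy from this page, embedded so the check runs offline.
POLICY_HCL = '''
path "/sys/mounts" {
  capabilities = ["create", "read", "update", "list"]
}
path "/sys/mounts/*" {
  capabilities = ["create", "read", "update", "list"]
}
path "/sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "/auth/jwt/role/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl):
    """Return (path, capabilities) rules; a leading "/" is stripped for matching."""
    rules = []
    for path, caps in RULE_RE.findall(hcl):
        caps = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        rules.append((path.lstrip("/"), caps))
    return rules

def capabilities_for(rules, request_path):
    """Capabilities on request_path: exact match wins, else longest "*" prefix."""
    request_path = request_path.lstrip("/")
    best_len, best = -1, set()
    for path, caps in rules:
        if path == request_path:
            return set() if "deny" in caps else caps
        prefix = path[:-1]
        if path.endswith("*") and request_path.startswith(prefix) and len(prefix) > best_len:
            best_len, best = len(prefix), caps
    return set() if "deny" in best else best

def allowed(rules, request_path, capability):
    return capability in capabilities_for(rules, request_path)

RULES = parse_policy(POLICY_HCL)

if __name__ == "__main__":  # sample review: mounts yes, unmount no, approle/secrets no
    for p, cap in [("sys/mounts/garden", "create"), ("sys/mounts/garden", "delete"),
                   ("auth/approle/role/garden-enterprise-approle", "read"), ("secret/data/app", "read")]:
        print(f"{cap:6} {p:45} {'allowed' if allowed(RULES, p, cap) else 'denied'}")
```

The run shows that the role can mount secrets engines and manage policies and JWT roles, but cannot unmount engines (no delete on sys/mounts/*), cannot read or alter its own AppRole, and has no access to secret data paths.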

Get App Role ID

Run:

curl --insecure -X GET \
  ${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/role-id \
  -H 'cache-control: no-cache' \
  -H "x-vault-token: ${VAULT_TOKEN}"

...and make note of the role_id in the response.

Example response:

{"request_id":"37c93ba5-c05f-1fb8-b82f-bdaf9ad75048","lease_id":"","renewable":false,"lease_duration":0,"data":{"role_id":"a5f945ec-2dd1-557c-ae50-aa9c62e000b5"},"wrap_info":null,"warnings":null,"auth":null}

Create Secret

Run:

curl --insecure -X POST \
  ${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/secret-id \
  -H 'cache-control: no-cache' \
  -H "x-vault-token: ${VAULT_TOKEN}"

...and make note of the secret_id in the response.

Example response:

{"request_id":"cf9b1d37-a2a9-bf8c-76eb-81eb6d16bb45","lease_id":"","renewable":false,"lease_duration":0,"data":{"secret_id":"33481814-06c1-fb40-e61b-baebf9257c61","secret_id_accessor":"9c367c60-1acb-5918-8479-9aa4a2281b37"},"wrap_info":null,"warnings":null,"auth":null}

Add App Role ID and Secret ID to Admin Console

Add the app role ID and secret ID from the steps above to the Garden Enterprise admin console. If you came here from the Initialize Bundled Vault step of the installation guide, you can now proceed with the installation.
