Vault
This document contains the steps needed to initialize an existing Vault instance and to obtain the role_id and app_id needed for Garden Enterprise. At this point, you should already have a Vault instance running that you can connect to.
The commands below should be run from a host that has access to Vault, not in the Vault instance itself.
After going through these steps, you'll have the Vault App ID and Vault Secret ID that Garden Enterprise needs. These values are provided to Garden Enterprise via the admin console during the installation process.
How you connect to Vault depends on your setup. In what follows, we'll assume you're coming here from the Initialize Bundled Vault step of our installation guide and that you will connect to Vault via a kubectl port-forward.
Assuming you have the kubectl context set to that of the Garden Enterprise cluster, run:
kubectl --namespace garden-enterprise port-forward svc/prod-charts-vault 8200:8200
Note: If you're installing Garden Enterprise into a namespace other than the default garden-enterprise, use that namespace name instead.
Export the following environment variables:
export VAULT_SKIP_VERIFY=TRUE
export VAULT_ADDR=http://localhost:8200
Note: If you're not connecting to Vault over a port-forward as described in the Connect to Vault step above, you may need to set a different VAULT_ADDR.
To verify that everything works, try running:
vault status
You should see a response like:
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: x.y.z
Cluster Name: vault-cluster-49ffd45f
Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205
High-Availability Enabled: false
Run:
vault operator init
You should get a response like:
Recovery Key 1: /4+9fBQXFjjwWZiTHr96Xz**********************
Recovery Key 2: Xqc0bUNTKXVaQiKR73HyLj**********************
Recovery Key 3: hwOB4Hw5jVEgxf+LbnnGpf**********************
Recovery Key 4: pi0v0uUWUmjlQiyJvHalIi**********************
Recovery Key 5: iGAmfc9zyTuOAfC01rvvVA**********************
Initial Root Token: s.hf9vNpHLWS8*************
Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.
Export the root token from the step above by running:
export VAULT_TOKEN=<root-token>
Run:
vault auth enable jwt
Write the JWT private key you created for the Garden Enterprise installation (see the Prepare Environment Variables step of the installation guide).
vault write auth/jwt/config [email protected]
Create a file called policy.hcl and add the following to it:
path "/sys/mounts" {
capabilities = ["create", "read", "update", "list"]
}
path "/sys/mounts/*" {
capabilities = ["create", "read", "update", "list"]
}
path "/sys/policy/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "/auth/jwt/role/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
and then run:
vault policy write garden-enterprise policy.hcl
Run:
vault auth enable approle
Run:
curl --insecure -X PUT \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H "x-vault-token: ${VAULT_TOKEN}" \
-d '{
"role_name":"garden-enterprise-approle",
"bind_secret_id": true,
"token_no_default_policy": true,
"policies":["garden-enterprise"]
}'
Here, we're using the environment variables set in the Set Environment step above, and the app role we enabled in the previous step.
Run:
curl --insecure -X GET \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/role-id \
-H 'cache-control: no-cache' \
-H "x-vault-token: ${VAULT_TOKEN}"
...and make note of the role_id in the response. Example response:
{"request_id":"37c93ba5-c05f-1fb8-b82f-bdaf9ad75048","lease_id":"","renewable":false,"lease_duration":0,"data":{"role_id":"a5f945ec-2dd1-557c-ae50-aa9c62e000b5"},"wrap_info":null,"warnings":null,"auth":null}
Run:
curl --insecure -X POST \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/secret-id \
-H 'cache-control: no-cache' \
-H "x-vault-token: ${VAULT_TOKEN}"
...and make note of the secret_id in the response. Example response:
{"request_id":"cf9b1d37-a2a9-bf8c-76eb-81eb6d16bb45","lease_id":"","renewable":false,"lease_duration":0,"data":{"secret_id":"33481814-06c1-fb40-e61b-baebf9257c61","secret_id_accessor":"9c367c60-1acb-5918-8479-9aa4a2281b37"},"wrap_info":null,"warnings":null,"auth":null}
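As an added example (not part of Garden's documentation or tooling), the Python script below repeats the role-id and secret-id requests above and then logs in with that pair, without the root token, to confirm the resulting token carries the garden-enterprise policy and no default policy before the values go into the admin console. It assumes VAULT_ADDR and VAULT_TOKEN are exported as in the earlier steps and uses only Python's standard library.

```python
import json
import os
import ssl
import urllib.request

ROLE = "garden-enterprise-approle"  # AppRole created in the steps above
POLICY = "garden-enterprise"        # policy written from policy.hcl

def vault_request(path, method="GET", body=None, token=None):
    """Call the Vault HTTP API at $VAULT_ADDR, mirroring the curl commands above."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{os.environ['VAULT_ADDR']}/v1/{path}", data, method=method)
    req.add_header("content-type", "application/json")
    if token:
        req.add_header("x-vault-token", token)
    ctx = ssl.create_default_context()  # skip TLS verification, like VAULT_SKIP_VERIFY / --insecure
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def data_field(resp, key):
    # Pull e.g. role_id or secret_id out of the "data" object of a Vault response
    return resp["data"][key]

def check_login(login_resp):
    """Return the problems found in an AppRole login response (empty list means OK)."""
    auth = login_resp.get("auth") or {}
    policies = set(auth.get("token_policies", []))
    problems = []
    if not auth.get("client_token"):
        problems.append("login returned no client_token")
    if POLICY not in policies:
        problems.append(f"token lacks the {POLICY} policy")
    if "default" in policies:
        problems.append("default policy attached; token_no_default_policy was not applied")
    return problems

def main():
    token = os.environ["VAULT_TOKEN"]
    rid = data_field(vault_request(f"auth/approle/role/{ROLE}/role-id", token=token), "role_id")
    sid = data_field(vault_request(f"auth/approle/role/{ROLE}/secret-id", "POST", token=token), "secret_id")
    # Log in with the pair (no root token) to prove it works before entering it in the admin console
    problems = check_login(vault_request("auth/approle/login", "POST", {"role_id": rid, "secret_id": sid}))
    print("\n".join(problems) if problems else f"OK: role_id={rid} secret_id={sid}")

if __name__ == "__main__":
    main()
```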
Add the app role ID and secret ID from the steps above to the Garden Enterprise admin console. If you came here from the Initialize Bundled Vault step of the installation guide, you can now proceed with the installation.