From feda60fd2e889845187d3ab3159a37d3b8218666 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Thu, 6 Feb 2020 12:23:35 +1000 Subject: [PATCH 01/24] Add Installation instructions for Vault using Gitlab Managed Apps via CI This is for https://gitlab.com/gitlab-org/gitlab/issues/9982 The actual work to add the application is done in https://gitlab.com/gitlab-org/cluster-integration/cluster-applications/-/merge_requests/28 --- doc/user/clusters/applications.md | 67 +++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 8abbb715ed5224..730daf06b89e81 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -471,6 +471,7 @@ Supported applications: - [Sentry](#install-sentry-using-gitlab-ci) - [GitLab Runner](#install-gitlab-runner-using-gitlab-ci) - [Cilium](#install-cilium-using-gitlab-ci) +- [Vault](#install-vault-using-gitlab-ci) ### Usage 
@@ -733,6 +734,72 @@ agent: enabled: false ``` +### Install Vault using GitLab CI +[Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which +can be used to safely manage and store passwords, credentials, certificates and more. + +Enable Vault in the `.gitlab/managed-apps/config.yaml` file to install it: + +```yaml +vault: + installed: true +``` + +By default you will get a basic Vault setup with no high availability nor any scalable +storage backend. It is advised to read through the Vault helm chart [values.yaml](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml) +As well as read the Vault documentation [here](https://www.vaultproject.io/docs/internals/) +to get a good understanding of the internals of Vault and how to configure it correctly. + +At a minimum you will likely be looking to setup +* An [seal](https://www.vaultproject.io/docs/configuration/seal/) for extra encryption +of the master key +* A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is +suitable for environment and storage security requirements +* Enabling [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) +* Enabling the [Vault UI](https://www.vaultproject.io/docs/configuration/ui/) + +The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) +that configures GKMS for auto-unseal, using a Google Cloud Storage backend, enabling +the vault UI, and enabling HA with 3 pod replicas. 
+ +```yml +ui: + enabled: true +server: + dataStorage: + enabled: false + ha: + enabled: true + config: | + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "gcs" { + path = "gcs://my-vault-storage/vault-bucket" + ha_enabled = "true" + } + seal "gcpckms" { + project = "vault-helm-dev-246514" + region = "global" + key_ring = "vault-helm-unseal-kr" + crypto_key = "vault-helm-unseal-key" + } +``` + +Once you have successfully installed Vault, you will need to [initialize the Vault](https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault) +and obtain the initial root token. This is done by using kubectl to connect to the Vault pod in +your cluster and running the `vault operator init` command. + +``` +kubectl -n gitlab-managed-apps exec -it vault-0 sh +/ $ vault operator init +``` + +This should give you your unseal keys and initial root token. Make sure to note these down +and keep these safe as you will need them to unseal the Vault throughout its lifecycle. + ## Upgrading applications > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/24789) in GitLab 11.8. -- GitLab From 3b611df4f2ad12eb3f74510d47408f2ea98c3078 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Thu, 6 Feb 2020 12:50:05 +1000 Subject: [PATCH 02/24] Fixed formatting on Vault documentation after markdownlint --- doc/user/clusters/applications.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 730daf06b89e81..172156ccfc6c0d 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -735,6 +735,7 @@ agent: ``` ### Install Vault using GitLab CI + [Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which can be used to safely manage and store passwords, credentials, certificates and more. 
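Review bot: the example values file sets `tls_disable = 1` in the `listener "tcp"` stanza without saying what that does; since this same example is billed as the HA, three-replica setup, add a sentence stating that it serves the Vault API over plain HTTP inside the cluster (tokens and secrets pass in cleartext on the wire) and that readers should configure TLS on the listener for anything beyond a test cluster. The closing paragraph also says the unseal keys will be needed "to unseal the Vault throughout its lifecycle", which contradicts the `seal "gcpckms"` auto-unseal configuration shown just above it; state which setup that sentence applies to. Smaller points in the same hunk: the new `###` heading needs a blank line after it, "An [seal]" should be "A [seal]", "setup" should be "set up", and "GKMS" is never expanded.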
@@ -746,17 +747,18 @@ vault: ``` By default you will get a basic Vault setup with no high availability nor any scalable -storage backend. It is advised to read through the Vault helm chart [values.yaml](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml) +storage backend. It is advised to read through the Vault Helm chart [values.yaml](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml) As well as read the Vault documentation [here](https://www.vaultproject.io/docs/internals/) to get a good understanding of the internals of Vault and how to configure it correctly. At a minimum you will likely be looking to setup -* An [seal](https://www.vaultproject.io/docs/configuration/seal/) for extra encryption + +- A [seal](https://www.vaultproject.io/docs/configuration/seal/) for extra encryption of the master key -* A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is +- A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is suitable for environment and storage security requirements -* Enabling [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) -* Enabling the [Vault UI](https://www.vaultproject.io/docs/configuration/ui/) +- Enabling [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) +- Enabling the [Vault UI](https://www.vaultproject.io/docs/configuration/ui/) The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) that configures GKMS for auto-unseal, using a Google Cloud Storage backend, enabling -- GitLab From 8235cca64476bff10d7298d4de7bd9257d5613cf Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:41:49 +0000 Subject: [PATCH 03/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 172156ccfc6c0d..0ed30b143be1af 100644 
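Review bot: after this change the sentence beginning "As well as read the Vault documentation [here]" is still a fragment that starts with a capitalised "As" on its own line; fold it into the preceding sentence ("It is advised to read through the Vault Helm chart values.yaml as well as the Vault documentation ..."). In the same hunk, "setup" in the lead-in should be "set up", and the four list items end without any punctuation while the rest of the file's lists use full stops.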
--- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -736,6 +736,8 @@ agent: ### Install Vault using GitLab CI +> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9. + [Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which can be used to safely manage and store passwords, credentials, certificates and more. -- GitLab From b26cc09e523c36b5afccc7ad740423177ab53445 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:43:00 +0000 Subject: [PATCH 04/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 0ed30b143be1af..dcde7a9cc73ab4 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -741,7 +741,7 @@ agent: [Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which can be used to safely manage and store passwords, credentials, certificates and more. -Enable Vault in the `.gitlab/managed-apps/config.yaml` file to install it: +To install Vault, enable it in the `.gitlab/managed-apps/config.yaml` file: ```yaml vault: -- GitLab From 6cca2c400409fa9acf0a45a7b54f9bf7198a4bf9 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:43:15 +0000 Subject: [PATCH 05/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index dcde7a9cc73ab4..6521877e22e902 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
@@ -753,7 +753,7 @@ storage backend. It is advised to read through the Vault Helm chart [values.yaml As well as read the Vault documentation [here](https://www.vaultproject.io/docs/internals/) to get a good understanding of the internals of Vault and how to configure it correctly. -At a minimum you will likely be looking to setup +At a minimum you will likely set up: - A [seal](https://www.vaultproject.io/docs/configuration/seal/) for extra encryption of the master key -- GitLab From 8366c10f04e463f372b66055b601506c6f801b42 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:43:48 +0000 Subject: [PATCH 06/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 6521877e22e902..3749aff79988bf 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -759,8 +759,8 @@ At a minimum you will likely set up: of the master key - A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is suitable for environment and storage security requirements -- Enabling [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) -- Enabling the [Vault UI](https://www.vaultproject.io/docs/configuration/ui/) +- [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) +- [The Vault UI](https://www.vaultproject.io/docs/configuration/ui/) The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) that configures GKMS for auto-unseal, using a Google Cloud Storage backend, enabling -- GitLab From cf61d94839379972caf98845df7dbe0f103db163 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:44:18 +0000 Subject: [PATCH 07/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 3749aff79988bf..84a47ef74814f0 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -766,7 +766,7 @@ The following is an example values file (`.gitlab/managed-apps/vault/values.yaml that configures GKMS for auto-unseal, using a Google Cloud Storage backend, enabling the vault UI, and enabling HA with 3 pod replicas. -```yml +```yaml ui: enabled: true server: -- GitLab From 8104cd1f456dfaf686d8ed95e0ba75b626353015 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:44:35 +0000 Subject: [PATCH 08/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 84a47ef74814f0..e2f3afa4a09540 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -796,7 +796,7 @@ Once you have successfully installed Vault, you will need to [initialize the Vau and obtain the initial root token. This is done by using kubectl to connect to the Vault pod in your cluster and running the `vault operator init` command. -``` +```shell kubectl -n gitlab-managed-apps exec -it vault-0 sh / $ vault operator init ``` -- GitLab From f6b60e2744a40fc8f6cb4e109d627f657dee8d0d Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:48:33 +0000 Subject: [PATCH 09/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index e2f3afa4a09540..6b49fc0522d2ff 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
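Review bot: in the now-`shell` block, separate the command from kubectl's own arguments with `--`: `kubectl -n gitlab-managed-apps exec -it vault-0 -- sh`. The block also mixes a host-side command with a `/ $` in-pod prompt on the next line; a sentence saying that `vault operator init` is typed inside the pod shell would stop readers pasting both lines at once.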
@@ -749,9 +749,9 @@ vault: ``` By default you will get a basic Vault setup with no high availability nor any scalable -storage backend. It is advised to read through the Vault Helm chart [values.yaml](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml) -As well as read the Vault documentation [here](https://www.vaultproject.io/docs/internals/) -to get a good understanding of the internals of Vault and how to configure it correctly. +storage backend. To get a good understanding of the internals of Vault and how to configure it, +read the Vault Helm chart [values.yaml file](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml) +as well as [the Vault documentation](https://www.vaultproject.io/docs/internals/). At a minimum you will likely set up: -- GitLab From 487d1814c31b79e068690fd4c63c120c573286c4 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 26 Feb 2020 22:56:03 +0000 Subject: [PATCH 10/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 6b49fc0522d2ff..80041e3c7c375a 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -764,7 +764,7 @@ suitable for environment and storage security requirements The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) that configures GKMS for auto-unseal, using a Google Cloud Storage backend, enabling -the vault UI, and enabling HA with 3 pod replicas. +the Vault UI, and enabling HA with 3 pod replicas. ```yaml ui: -- GitLab From 8879c420f12a758059e90e074e52f20ab227fe01 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Thu, 27 Feb 2020 09:16:28 +1000 Subject: [PATCH 11/24] Correct GKMS abbreviation to Google Key Management Service --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 80041e3c7c375a..54a0fa8072071f 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -763,7 +763,7 @@ suitable for environment and storage security requirements - [The Vault UI](https://www.vaultproject.io/docs/configuration/ui/) The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) -that configures GKMS for auto-unseal, using a Google Cloud Storage backend, enabling +that configures Google Key Management Service for auto-unseal, using a Google Cloud Storage backend, enabling the Vault UI, and enabling HA with 3 pod replicas. ```yaml -- GitLab From 54971343e455238519ef7ab687a80470ff9336b7 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 3 Mar 2020 03:37:44 +0000 Subject: [PATCH 12/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 54a0fa8072071f..bb06bf613d3d62 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -756,7 +756,7 @@ as well as [the Vault documentation](https://www.vaultproject.io/docs/internals/ At a minimum you will likely set up: - A [seal](https://www.vaultproject.io/docs/configuration/seal/) for extra encryption -of the master key + of the master key. - A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is suitable for environment and storage security requirements - [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) -- GitLab From 82593b00ebe5057074c6c4818c76240218b47bf2 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Mon, 9 Mar 2020 23:04:33 +0000 Subject: [PATCH 13/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index bb06bf613d3d62..e1ade6473466d9 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -794,7 +794,7 @@ server: Once you have successfully installed Vault, you will need to [initialize the Vault](https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault) and obtain the initial root token. This is done by using kubectl to connect to the Vault pod in -your cluster and running the `vault operator init` command. +your cluster and running the `vault operator init` command: ```shell kubectl -n gitlab-managed-apps exec -it vault-0 sh -- GitLab From 4d7cc8cb674b1ddce14a74e7f8878004858c4c0e Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Mon, 9 Mar 2020 23:04:52 +0000 Subject: [PATCH 14/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index e1ade6473466d9..f605cb4b2e2794 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -793,7 +793,7 @@ server: ``` Once you have successfully installed Vault, you will need to [initialize the Vault](https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault) -and obtain the initial root token. This is done by using kubectl to connect to the Vault pod in +and obtain the initial root token. This is done by using `kubectl` to connect to the Vault pod in your cluster and running the `vault operator init` command: ```shell -- GitLab From dce44cb705b8f41dc28c75d2449e4e6f6cf33d9d Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 10 Mar 2020 00:01:36 +0000 Subject: [PATCH 15/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index f605cb4b2e2794..6fe6eea334c20e 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -758,7 +758,7 @@ At a minimum you will likely set up: - A [seal](https://www.vaultproject.io/docs/configuration/seal/) for extra encryption of the master key. - A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is -suitable for environment and storage security requirements + suitable for environment and storage security requirements. - [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) - [The Vault UI](https://www.vaultproject.io/docs/configuration/ui/) -- GitLab From f87881e71654034e5977ad1596a944d591f4b948 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 10 Mar 2020 00:02:00 +0000 Subject: [PATCH 16/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 6fe6eea334c20e..714eda96f8a7ff 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -759,7 +759,7 @@ At a minimum you will likely set up: of the master key. - A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is suitable for environment and storage security requirements. -- [HA Mode](https://www.vaultproject.io/docs/concepts/ha/) +- [HA Mode](https://www.vaultproject.io/docs/concepts/ha/). - [The Vault UI](https://www.vaultproject.io/docs/configuration/ui/) The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) -- GitLab From 21fd5374f49b3304dffdded78416183195bd077f Mon Sep 17 00:00:00 2001 
From: Graeme Gillies Date: Tue, 10 Mar 2020 00:02:10 +0000 Subject: [PATCH 17/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 714eda96f8a7ff..3fb8bfbed5b987 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -760,7 +760,7 @@ At a minimum you will likely set up: - A [storage backend](https://www.vaultproject.io/docs/configuration/storage/) that is suitable for environment and storage security requirements. - [HA Mode](https://www.vaultproject.io/docs/concepts/ha/). -- [The Vault UI](https://www.vaultproject.io/docs/configuration/ui/) +- [The Vault UI](https://www.vaultproject.io/docs/configuration/ui/). The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) that configures Google Key Management Service for auto-unseal, using a Google Cloud Storage backend, enabling -- GitLab From f39b3381003e3023c4af875c8ad55d96e36c8f7f Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 10 Mar 2020 10:25:57 +1000 Subject: [PATCH 18/24] Annotate Vault configuration example to make it easier to understand --- doc/user/clusters/applications.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 3fb8bfbed5b987..25e59590edcb72 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
@@ -767,23 +767,29 @@ that configures Google Key Management Service for auto-unseal, using a Google Cl the Vault UI, and enabling HA with 3 pod replicas. ```yaml +# Enable the Vault WebUI ui: enabled: true server: + # Disable the built in data storage volume as it's not safe for Hight Availablity mode dataStorage: enabled: false + # Enable High Availability Mode ha: enabled: true + # Configure Vault to listen on port 8200 for normal traffic and port 8201 for inter-cluster traffic config: | listener "tcp" { tls_disable = 1 address = "[::]:8200" cluster_address = "[::]:8201" } + # Configure Vault to store its data in a GCS Bucket backend storage "gcs" { path = "gcs://my-vault-storage/vault-bucket" ha_enabled = "true" } + # Configure Vault to automatically unseal storage using a GKMS key seal "gcpckms" { project = "vault-helm-dev-246514" region = "global" -- GitLab From dc518092b6b617769cf6b332f9bef96bba002f2e Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 10 Mar 2020 10:56:53 +1000 Subject: [PATCH 19/24] Update Vault documentation to provide more clarity This includes the benefits of using Vault, as well as the differences between a simple and production ready installation. --- doc/user/clusters/applications.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 25e59590edcb72..18ea8d36f9a2cb 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
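Review bot: the comment on the `seal "gcpckms"` stanza says it will "automatically unseal storage", but a seal protects the master key, not the storage backend (the section's own bullet describes the seal as "extra encryption of the master key"); reword it to "Configure Vault to auto-unseal using a Google Key Management Service key". "GKMS" also reappears in that comment after PATCH 11 expanded it in the prose. Typos in the `dataStorage` comment: "Hight Availablity" should be "High Availability" and "built in" should be "built-in". The new listener comment is the natural place to add that `tls_disable = 1` turns TLS off for that listener.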
@@ -739,7 +739,13 @@ agent: > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9. [Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which -can be used to safely manage and store passwords, credentials, certificates and more. +can be used to safely manage and store passwords, credentials, certificates and more. A vault +installation could be leveraged to provide a single secure data store for credentials +used in your applications, Gitlab CI jobs, and more. It could also serve as a way of +providing SSL certificates to systems and deployments in your infrastructure. Leveraging +Vault as a single source for all these credentials allows greater security by having +a single source of access, control, and auditability around all your sensitive +credentials and certificates. To install Vault, enable it in the `.gitlab/managed-apps/config.yaml` file: @@ -749,9 +755,14 @@ vault: ``` By default you will get a basic Vault setup with no high availability nor any scalable -storage backend. To get a good understanding of the internals of Vault and how to configure it, -read the Vault Helm chart [values.yaml file](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml) -as well as [the Vault documentation](https://www.vaultproject.io/docs/internals/). +storage backend. This is enough for simple testing and small scale deployments, though has limits +to how much it can scale, and as it is a single instance deployment, you will experience downtime +when upgrading the Vault application. + +To optimally use Vault in a production environment, it's ideal to have a good understanding +of the internals of Vault and how to configure it. This can be done by reading the +[the Vault documentation](https://www.vaultproject.io/docs/internals/) as well as +the Vault Helm chart [values.yaml file](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml). At a minimum you will likely set up: -- GitLab 
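Review bot: in the first hunk, "A vault installation" and "Gitlab CI jobs" should use the product casing ("Vault", "GitLab"), and "could be leveraged to provide" / "Leveraging Vault as a single source" reads better as "can provide" / "Using Vault as the single source". The closing sentence repeats "single source" twice in two lines; one occurrence is enough.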
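Review bot: in the second hunk, "reading the [the Vault documentation]" has a doubled article; drop the first "the". "though has limits to how much it can scale" is missing its subject ("though it has limits to how far it can scale"). The new caveat that the single-instance default means downtime during upgrades is useful; since the section later says the unseal keys are needed "throughout its lifecycle", it is worth adding that the single instance also has to be unsealed again after every restart unless a seal is configured.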
From 14be2f1dc2079651bc3da570690fdae3e1c989c3 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 10 Mar 2020 23:31:48 +0000 Subject: [PATCH 20/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 18ea8d36f9a2cb..7a44da9ad73584 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -741,7 +741,7 @@ agent: [Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which can be used to safely manage and store passwords, credentials, certificates and more. A vault installation could be leveraged to provide a single secure data store for credentials -used in your applications, Gitlab CI jobs, and more. It could also serve as a way of +used in your applications, GitLab CI jobs, and more. It could also serve as a way of providing SSL certificates to systems and deployments in your infrastructure. Leveraging Vault as a single source for all these credentials allows greater security by having a single source of access, control, and auditability around all your sensitive -- GitLab From 50deaed5013230a77f7b3340b4a3282effb73fa0 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 10 Mar 2020 23:43:30 +0000 Subject: [PATCH 21/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 7a44da9ad73584..c8492b4c8a8a81 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
@@ -742,7 +742,7 @@ agent: can be used to safely manage and store passwords, credentials, certificates and more. A vault installation could be leveraged to provide a single secure data store for credentials used in your applications, GitLab CI jobs, and more. It could also serve as a way of -providing SSL certificates to systems and deployments in your infrastructure. Leveraging +providing SSL/TLS certificates to systems and deployments in your infrastructure. Leveraging Vault as a single source for all these credentials allows greater security by having a single source of access, control, and auditability around all your sensitive credentials and certificates. -- GitLab From f50c297103219609c31bda8fa90c8a1695034940 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 11 Mar 2020 10:00:52 +1000 Subject: [PATCH 22/24] Update Vault initialization instructions for extra clarity This update should make it clearer that ultimately what we are trying to achieve is to get a shell into a Kubernetes pod to run a command. --- doc/user/clusters/applications.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index c8492b4c8a8a81..0904153f35e0fd 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md 
@@ -810,8 +810,9 @@ server: ``` Once you have successfully installed Vault, you will need to [initialize the Vault](https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault) -and obtain the initial root token. This is done by using `kubectl` to connect to the Vault pod in -your cluster and running the `vault operator init` command: +and obtain the initial root token. You will need access to your Kubernetes cluster that Vault has been deployed into in order to do this. +To initialise the Vault, get a shell to one of the Vault pods running inside Kubernetes (typically this is done by using the `kubectl` command line tool). +Once you have a shell into the pod, run the `vault operator init` command: ```shell kubectl -n gitlab-managed-apps exec -it vault-0 sh -- GitLab From 0ba94e23e17c67bb8026fecac28338da2ac7e9bc Mon Sep 17 00:00:00 2001 From: Marcia Ramos Date: Thu, 12 Mar 2020 16:51:10 +0000 Subject: [PATCH 23/24] Apply suggestion to doc/user/clusters/applications.md --- doc/user/clusters/applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 0904153f35e0fd..bd41e4b2b19a88 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -739,7 +739,7 @@ agent: > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9. [Hashicorp Vault](https://vaultproject.io/) is a secrets management solution which -can be used to safely manage and store passwords, credentials, certificates and more. A vault +can be used to safely manage and store passwords, credentials, certificates and more. A Vault installation could be leveraged to provide a single secure data store for credentials used in your applications, GitLab CI jobs, and more. It could also serve as a way of providing SSL/TLS certificates to systems and deployments in your infrastructure. Leveraging -- GitLab 
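Review bot: "initialise" sits next to "initialize" in the same paragraph; use "initialize" to match the link text and the rest of the file. The three new lines also run far past the wrap width used everywhere else in this section. "You will need access to your Kubernetes cluster that Vault has been deployed into in order to do this" reads better as "You need access to the Kubernetes cluster Vault was deployed into." Because the next paragraph tells the reader to keep the initial root token, this is also the place to advise revoking that token once another auth method and policies are in place.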
From dd4c89c415b4210f12739c580f9ca0ecf2f9b2a0 Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Tue, 17 Mar 2020 14:37:04 +1000 Subject: [PATCH 24/24] Modify Vault managed app documentation to clarify example. --- doc/user/clusters/applications.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 1e1e396fb7e2f2..2e03c35297c301 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -793,7 +793,8 @@ At a minimum you will likely set up: The following is an example values file (`.gitlab/managed-apps/vault/values.yaml`) that configures Google Key Management Service for auto-unseal, using a Google Cloud Storage backend, enabling -the Vault UI, and enabling HA with 3 pod replicas. +the Vault UI, and enabling HA with 3 pod replicas. The `storage` and `seal` stanzas +below are examples and should be replaced with settings specific to your environment. ```yaml # Enable the Vault WebUI -- GitLab
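Review bot: the preimage blob in this patch's index line (`1e1e396fb7e2f2`) is not the post-image of PATCH 23 (`bd41e4b2b19a88`), and the hunk header has moved from line 767 to 793, so this patch was generated against a rebased tree and the series as posted will not apply linearly; regenerate it on top of PATCH 23 or rebase the whole series. The added sentence is a good caveat; extend it to the `listener` stanza as well, since `tls_disable = 1` is just as environment-specific as the bucket path and key names it already covers.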