kelseyhightower / vault-on-google-kubernetes-engine

How to guide on running HashiCorp's Vault on Google Kubernetes Engine

[Question] Should the ca.pem be persisted for further access in KMS?

vorotech opened this issue · comments

Hello and thank you for the very detailed tutorial.
I have a question related to keeping the certificate authority certificate.

As long as VAULT_CACERT=ca.pem is set, the Vault cluster can be accessed.
But the cleanup script will remove old temporary files, including the ca.pem.
If this file is not persisted, you will end up adding the -tls-skip-verify flag to vault commands; otherwise the "x509: certificate signed by unknown authority" error will appear.

Question: can this cert file be fetched somehow later (similar to what we do with VAULT_TOKEN)?
Or should the tutorial be updated to add instructions on how to encrypt the file and store it in the KMS key ring?

So, to get the ca.pem file persisted, I do the following.

Encrypt ca.pem using KMS:

gcloud kms encrypt \
--location=global \
--keyring=vault \
--key=vault-init \
--project=${PROJECT_ID} \
--plaintext-file=ca.pem \
--ciphertext-file=ca.pem.enc

Upload the file to the Vault storage bucket:

$ gsutil cp ca.pem.enc gs://${GCS_BUCKET_NAME}
Copying file://ca.pem.enc [Content-Type=application/octet-stream]...
/ [1 files][  1.3 KiB/  1.3 KiB]
Operation completed over 1 objects/1.3 KiB.

To retrieve and decrypt the file:

gsutil cat gs://${GCS_BUCKET_NAME}/ca.pem.enc | \
  gcloud kms decrypt \
    --project ${PROJECT_ID} \
    --location global \
    --keyring vault \
    --key vault-init \
    --ciphertext-file - \
    --plaintext-file ca.pem

The ca.pem is a public certificate (not a secret), so there's not a lot of value in encrypting it. You could store it in plaintext if you wanted.
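Following the persist-and-retrieve steps above and the reply that the certificate is public: an added example (not from the tutorial or either commenter) that stores ca.pem in the bucket in plaintext but pins its SHA-256 digest, so a client refuses a swapped certificate instead of falling back to -tls-skip-verify. The bucket name, the pinned digest and the fetch helper are assumptions.

```shell
# Added example: trust the persisted ca.pem only after checking a pinned digest.
# Confidentiality is not the concern for a public CA cert; integrity is.
set -eu

GCS_BUCKET_NAME="${GCS_BUCKET_NAME:-example-vault-bucket}"   # assumed bucket name
CA_PATH="${CA_PATH:-ca.pem}"
# Placeholder; set this to the digest of your own ca.pem when you upload it.
CA_SHA256_PINNED="${CA_SHA256_PINNED:-0000000000000000000000000000000000000000000000000000000000000000}"

# Print the SHA-256 hex digest of a file with whichever tool is installed.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Return 0 when the file's digest equals the pinned digest, 1 otherwise.
# The digest covers the PEM bytes as uploaded, so it also catches truncation.
verify_ca() {
  actual="$(file_sha256 "$1")"
  [ "$actual" = "$2" ]
}

# Download the plaintext CA from the bucket (assumed helper; needs gsutil).
fetch_ca() {
  gsutil cp "gs://${GCS_BUCKET_NAME}/ca.pem" "$1"
}

# Fetch the CA if it is missing, verify it, then point Vault clients at it.
# On a mismatch the file is discarded so a later run cannot reuse it.
use_ca() {
  [ -f "$CA_PATH" ] || fetch_ca "$CA_PATH"
  if ! verify_ca "$CA_PATH" "$CA_SHA256_PINNED"; then
    echo "ca.pem digest mismatch; refusing to trust it" >&2
    rm -f "$CA_PATH"
    return 1
  fi
  export VAULT_CACERT="$CA_PATH"
}
```

Source the file and call use_ca before running vault commands; the pinned digest can be recorded once from the ca.pem produced at cluster creation.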