

Managing secrets natively in Kubernetes is not a secure option. Secrets in Kubernetes is just a base64 encoded plain text that can be consumed in a running pod.

在Kubernetes中本地管理机密不是安全的选择。 Kubernetes中的秘密只是base64编码的纯文本,可以在运行的pod中使用。

Disclaimer:This tutorial is designed to give you the understanding of each component on the setup in a step by step fashion. Nothing stopping you from using terraform to create that setup, but going blindly after such an important setup will lead to issues that would be harder to resolve without that deep understanding.

免责声明本教程旨在使您逐步了解设置中的每个组件。 没有什么可以阻止您使用 terraform 来创建该设置的,但是在如此重要的设置之后盲目地操作会导致问题,如果没有那么深入的了解就很难解决。

Sure you can encrypt a secret in Kubernetes, but that secret is only encrypted at rest and when mounted inside the Pod, it is only a file or env vars that can be easily accessed from within the Pod so in case of a breach the data could be compromised if someone has access to the Pod or even to the namespace where the pod is via kubectl.

当然,您可以在Kubernetes中加密一个机密 ,但是该机密仅在静态时加密,并且在挂载到Pod内时,只有文件或env vars可以从Pod内轻松访问,因此在发生数据泄露时可以如果有人可以通过kubectl访问Pod,甚至可以访问Pod所在的名称空间,就会受到损害。

Hasicorp Vault is a secure way to manage secrets as well as audit and revoke access to them. it’s one thing to install and use vault but another to consume those secrets on a Pod.

Hasicorp Vault是管理机密以及审核和撤消对它们的访问的安全方法。 安装和使用保管库是一回事,而在Pod上使用这些机密则是另一回事。

This post is about installing Vault on GKE with Terraform and Helm, for consuming these secrets you can further read my other blog post on consuming secrets from Vault transparently on a Pod.

这篇文章是关于使用Terraform和Helm在GKE上安装Vault的,为了使用这些秘密,您可以进一步阅读我的其他博客文章, 在Pod上透明地从Vault中消费秘密 。

This approach is somewhat easier to manage if you’re only looking for Vault and do not need the advance Consul features such as Consul template with Vault.

如果您只想寻找Vault而不需要高级的Consul功能(例如Vault的 C onsul模板),则这种方法的管理会更容易一些。

In this tutorial, I will go over how to install a high availability vault using Google Storage GCS as Vault backend with TLS end to end.

在本教程中,我将介绍如何使用Google Storage GCS作为具有TLS端到端的保管库后端来安装高可用性保管库。

Note:You should create the Vault setup per environment, to better tests upgrades and separate the environments from each other.

注意: 您应该为每个环境创建保管库设置,以更好地测试升级并将环境彼此分离。

I do not recommend exposing the vault as a service, should you need to access it you can do that via the command:


$ kubectl port-forward vault-0 8200:8200

and access the UI via as detailed below.


If you have VM’s that need to access that vault, you should use VPC peering since services and pods are native IP’s — this is not covered here.

如果您有需要访问该保管库的VM,则应使用VPC对等,因为服务和Pod是本机IP -在此不介绍。

教程: (Tutorial:)



  • Create TLS certificates for vault

  • Create a GCS Bucket for Vault storage backend

  • Create KMS keyring and encryption key for Vault auto-unseal.

  • Create service accounts for Vault to access KMS and GCS storage backend.

  • Install Hashicorp vault official Helm chart via helm tillerless.

    通过头盔舵柄安装Hashicorp Vault官方头盔表。

为保险柜创建TLS证书: (Creating TLS certificates for Vault:)

One of the Production hardening recommendations is that communications between vault and clients will be encrypted by TLS both for incoming and outgoing traffic.


We are going to create a certificate that will be used for:


  • Kubernetes vault service address.


We will use CloudFlare SSL took kit (cfssl and cfssljson) in order to generate these certificates.

我们将使用CloudFlare SSL接受套件( cfssl和cfssljson )来生成这些证书。

Installation requires a working Go 1.12+ installation and a properly set GOPATH.

安装需要可正常运行的Go 1.12+安装和正确设置的GOPATH

Important!: make sure the GOPATH bin is in your path:


export PATH=$GOPATH/bin:$PATH

Installing CloudFlare SSL ToolKit:

安装CloudFlare SSL ToolKit:

go get -u github.com/cloudflare/cfssl/cmd/cfssl
go get -u github.com/cloudflare/cfssl/cmd/cfssljson

Initialize a Certificate Authority (CA):


$ mkdir vault-ca && cd vault-ca

Create the CA files:CA config file with the expiration of 5 years

创建CA文件: CA配置文件,有效期为5年

$ cat < ca-config.json
"signing": {
"default": {
"expiry": "8760h"
"profiles": {
"default": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"

CA Signing Request:


$ cat < ca-csr.json
"hosts": [
"key": {
"algo": "rsa",
"size": 2048
"names": [
"C": "US",
"L": "NewYork",
"O": "Kubernetes",
"OU": "CA",
"ST": "NewYork"

VAULT Certificate Signing Request to be signed by the CA above:note: change the namespace for vault if it's not the default namespace

上面的CA将对VAULT证书签名请求进行签名: 注意:如果不是默认名称空间,请更改Vault的名称空间

$ cat < vault-csr.json
"CN": "Vault-GKE",
"hosts": [
"key": {
"algo": "rsa",
"size": 2048
"names": [
"C": "US",
"L": "NewYork",
"O": "Innovia",
"OU": "Vault",
"ST": "NewYork"

Obviously, you can change the cert info on the bottom under the “names” section to your liking.


Run the following command to initialize the CA using the file you’ve just edited:


$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca2019/11/12 16:35:01 [INFO] generating a new CA key and certificate from CSR
2019/11/12 16:35:01 [INFO] generate received request
2019/11/12 16:35:01 [INFO] received CSR
2019/11/12 16:35:01 [INFO] generating key: rsa-2048
2019/11/12 16:35:01 [INFO] encoded CSR
2019/11/12 16:35:01 [INFO] signed certificate with serial number 425581644650417483788325060652779897454211028144

Create a private key and sign the TLS certificate:


$ cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=default \
vault-csr.json | cfssljson -bare vault2019/11/12 16:36:33 [INFO] generate received request
2019/11/12 16:36:33 [INFO] received CSR
2019/11/12 16:36:33 [INFO] generating key: rsa-2048
2019/11/12 16:36:34 [INFO] encoded CSR
2019/11/12 16:36:34 [INFO] signed certificate with serial number 311973563616303179057952194819087555625015840298

At this point you should have the following files in the current working directory:



keep the CA files secured you will need to use them to resign the cert when its expires (CA is for 5 years, Vault is for 1year)


Create a secret for the Vault TLS and CA.pem

为Vault TLS和CA.pem创建机密

kubectl create secret generic vault-tls \
--from-file=ca.pem \
--from-file=vault.pem \

Set GCP Project for rest of this tutorial:


$ export GCP_PROJECT=

Enabling GCP APIs required by this tutorial:

启用本教程所需的GCP API:

$ gcloud services enable \
cloudapis.googleapis.com \
cloudkms.googleapis.com \
container.googleapis.com \
containerregistry.googleapis.com \
iam.googleapis.com \
--project ${GCP_PROJECT}Operation "operations/acf.8e126724-bbde-4c0d-b516-5dca5b8443ee" finished successfully.

保管库存储后端 (Vault Storage Backend)

Google Cloud Storage 谷歌云存储

When running in HA mode, Vault servers have two additional states: standby and active. Within a Vault cluster, only a single instance will be active and handles all requests (reads and writes) and all standby nodes redirect requests to the active node.

在高可用性模式下运行时,Vault服务器具有两个附加状态: 待机活动 。 在Vault群集中,只有一个实例将处于活动状态并处理所有请求(读取和写入),并且所有备用节点都将请求重定向到活动节点。

Let’s create the bucket on gcs using the gsutil command, Bucket names must be globally unique across all of Google Cloud, so choose a unique name

让我们使用gsutil命令在gcs上创建存储桶,存储桶名称在所有Google Cloud中必须是全局唯一的,因此请选择一个唯一的名称

$ export $ gsutil mb gs://$$ gsutil versioning set on gs://

Even though the data is encrypted in transit and at rest, be sure to set the appropriate permissions on the bucket to limit exposure. You may want to create a service account that limits Vault’s interactions with Google Cloud to objects in the storage bucket using IAM permissions.

即使数据在传输和静止时都已加密,也请确保在存储桶上设置适当的权限以限制暴露。 您可能想要创建一个服务帐户,以使用IAM权限将保险柜与Google Cloud的交互限制到存储桶中的对象。

保管箱自动开封 (Vault Auto unseal)


when Vault is restarted it starts up sealed and encrypted. in order to use it you must unseal it, there’s a new feature with is auto unseal that can read the master keys and root token from CloudKMS automatically.

重新启动保管库后,它将启动并进行密封和加密。 为了使用它,您必须将其开封,其中有一个具有自动开封功能的新功能,该功能可以自动从CloudKMS读取主密钥和根令牌。

Create KMS Keyring and Crypto Key:


In this section we will create the KMS keyring and key for encrypting and decrypting vault master keys and root token:


Create the vault-helm-unseal-kr kms keyring:

创建vault-helm-unseal-kr kms密钥环:

$ gcloud kms keyrings create 
--location global \
--project ${GCP_PROJECT}

Create the encryption key:


$ gcloud kms keys create 
--location global \
--purpose encryption \
--project ${GCP_PROJECT}

创建GCP服务帐户和Vault的IAM权限 (Create the GCP service accounts and IAM permissions for vault)

Setup variables:


$ export VAULT_SA_NAME=vault-server;
export VAULT_SA=iam.gserviceaccount.com

Create the vault server service account:


$ gcloud iam service-accounts create $VAULT_SA_NAME \
--display-name "Vault server service account" \
--project ${GCP_PROJECT}

Create the Vault server service account key (credentials JSON file):


$ gcloud iam service-accounts keys create \
--iam-account $VAULT_SA /tmp/vault_gcs_key.jsoncreated key [be22cfe6e30f3a3fcfc6ebaa23ca3ba905dd60ab] of type [json] as [/tmp/vault_gcs_key.json] for [[email protected]]

Create the secret to store the vault google service account in

创建秘密以将Vault Google服务帐户存储在

$ kubectl create secret generic vault-gcs \
--from-file=/tmp/vault_gcs_key.jsonsecret/vault-gcs created

Grant access to vault storage GCS Bucket:



Grant access to the vault kms key:


$ gcloud kms keys add-iam-policy-binding \
--location global \
--member serviceAccount:${VAULT_SA} \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter \
--project ${GCP_PROJECT}Updated IAM policy for key [vault-helm-unseal-key].
- members:
- serviceAccount:[email protected]
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwWZ6sIYovk=
version: 1

Note:If for some reason you have deleted the service account and recreated it you must delete the IAM policy on the key, else skip to the Get the vault hashicorp official chart

注意: 如果由于某种原因删除了服务帐户并重新创建了该帐户,则必须删除密钥上的IAM策略,否则请跳至“获取文件库hashicorp官方图表”

$ gcloud kms keys get-iam-policy vault-helm-unseal-key --location global --keyring vault-helm-unseal-kr > kms-policy.yaml

edit the policy file and remove the members under binding then save the file


bindings:etag: BwWXQz4HjuI=version: 1

re-apply the policy:


$ gcloud kms keys set-iam-policy vault-helm-unseal-key --location global --keyring vault-helm-unseal-kr  kms-policy.yaml

Get the Vault official Hashicorp chart:





starting from version 0.3.0 there’s a Kubernetes vault integration that will automatically inject secrets to Pod by rendering the secret as a file on a volume. I highly recommend using my vault secrets webhook because it is a more secure way of injecting a secret to a Pod as well as automating the consumption of the secrets.

从0.3.0版本开始,提供了Kubernetes保管库集成,通过将秘密作为文件呈现在卷上,它将自动将秘密注入Pod。 我强烈建议使用我的保管库秘密Webhook,因为它是将秘密注入Pod以及自动使用秘密的一种更安全的方法。

export CHART_VERSION=0.3.0

Get the chart and unpack it:


$ wget https://github.com/hashicorp/vault-helm/archive/v$CHART_VERSION.tar.gz && tar zxf v$CHART_VERSION.tar.gz && rm v$CHART_VERSION.tar.gz

Setting the values.yaml for the chart:


The following gist has place holders for variables substitution


  tlsDisable: false

  # resources:
  #   requests:
  #     memory: 256Mi
  #     cpu: 250m
  #   limits:
  #     memory: 256Mi
  #     cpu: 250m
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/vault-gcs/vault_gcs_key.json
  - type: secret
    name: vault-gcs
    path: "/vault/userconfig"
  - type: secret
    name: vault-tls
    path: "/etc/tls"

    enabled: true

    enabled: true
    # This should be HCL.
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 0
        tls_cert_file = "/etc/tls/vault-tls/vault.pem"
        tls_key_file = "/etc/tls/vault-tls/vault-key.pem"
        tls_client_ca_file =  "/etc/tls/vault-tls/ca.pem"
        tls_min_version = "tls12"
        address = "[::]:8200"
        cluster_address = "[::]:8201"

      storage "gcs" {
        bucket     = "GCS_BUCKET_NAME"
        ha_enabled = "true"

      # Example configuration for using auto-unseal, using Google Cloud KMS. The
      # GKMS keys must already exist, and the cluster must have a service account
      # that is authorized to access GCP KMS.
      seal "gcpckms" {
        project     = "GCP_PROJECT"
        region      = "global"
        key_ring    = "vault-helm-unseal-kr"
        crypto_key  = "vault-helm-unseal-key"

  # Exposing VAULT UI to a GCP loadbalancer WITH IAP Backend config
  # 1. create the backend config https://cloud.google.com/iap/docs/enabling-kubernetes-howto
  # 2. create a Google Managed Certificate https://cloud.google.com/load-balancing/docs/ssl-certificates
  # 3. create static global ip  "gcloud compute addresses create vault-ui --global"
  #    and set the loadBalancerIP below
  # 4. create a DNS entry for that IP - and update the host in the ingress section below
  # 5. uncomment the section below
  # 6. install
  # -------------------------------------
  # readinessProbe:
  #   enabled: true
  #   path: /v1/sys/health?standbyok=true

  # ui:
  #   enabled: true
  #   serviceType: "NodePort"
  #   externalPort: 443
  #   loadBalancerIP: "LOAD_BALANCER_IP"

  # service:
  #   clusterIP: {}
  #   type: NodePort
  #   annotations:
  #     cloud.google.com/app-protocols: '{"http":"HTTPS"}'
  #     beta.cloud.google.com/backend-config: '{"ports": {"http":"config-default"}}'

  # ingress:
  #   enabled: true
  #   labels: {}
  #   # traffic: external
  #   annotations:
  #     # must be global static ip not regional!
  #     kubernetes.io/ingress.global-static-ip-name: "vault-ui"
  #     #the controller will only create rules for port 443 based on the TLS section.
  #     kubernetes.io/ingress.allow-http: "false"
  #     # represents the specific pre-shared SSL certificate for the Ingress controller to use.
  #     networking.gke.io/managed-certificates: "vault-ui-certificate"
  #     # kubernetes.io/tls-acme: "true"
  #   hosts:
  #     - host: vault.domain.com
  #       paths:
  #       - /*

use the command below to create a new values files called vault-gke-values.yaml


$ curl -s https://gist.githubusercontent.com/innovia/53c05bf69312706fc93ffe3bb685b223/raw/adc169605984da8ba82082191c8f631579b1b199/vault-gke-values.yaml | sed  "s/GCP_PROJECT/$GCP_PROJECT/g" | sed "s/GCS_BUCKET_NAME/$GCS_BUCKET_NAME/g" > vault-helm-$CHART_VERSION/vault-gke-values.yaml

Inspect the created file to make sure you have the correct project and GCS bucket.


$ cat vault-helm-$CHART_VERSION/vault-gke-values.yaml | grep -E 'bucket|project'bucket     = "-vault-data"
project = "ami-playground"

using helm 2.x:


If you don’t have tiller installed on the cluster you can skip the tiller setup by installing a tillerless plugin for helm, which will bring up local tiller on your computer and point helm to use that, otherwise skip to the install the vault chart section below.


Install the tillerless helm plugin:


if you don't have helm already install it via


$ brew install helm@2

Initialize the client-only so that tiller server is not installed


helm init --client-only

install helm-tillerless plugin


helm plugin install https://github.com/rimusz/helm-tiller

start tiller via helm


$ helm tiller startInstalled Helm version v2.16.1
Copied found /usr/local/bin/tiller to helm-tiller/bin
Helm and Tiller are the same version!
Starting Tiller...
Tiller namespace: kube-system

Using helm 3


$ brew install helm

Install the Vault chart:


note: if you are using helm 3 the output will not list the resources.


$ helm upgrade --install vault -f vault-helm-$CHART_VERSION/vault-gke-values.yaml vault-helm-$CHART_VERSIONrelease "vault" does not exist. Installing it now.
NAME: vault
LAST DEPLOYED: Wed Nov 13 15:41:55 2019
NAMESPACE: default
==> v1/ConfigMap
vault-config 0s==> v1/Service
vault 0s==> v1/ServiceAccount
vault 0s==> v1/StatefulSet
vault 0s==> v1beta1/ClusterRoleBinding
vault-server-binding 0s==> v1beta1/PodDisruptionBudget
vault 0sNOTES:Thank you for installing HashiCorp Vault!Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:https://www.vaultproject.io/docs/Your release is named vault. To learn more about the release, try:$ helm status vault
$ helm get vault

Vault should start running and be in an uninitialized state.


The following warnings are OK since vault is un-initialized yet:


=> Vault server started! Log data will stream in below:2019-12-17T19:07:37.937Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2019-12-17T19:07:38.909Z [INFO] core: stored unseal keys supported, attempting fetch
2019-12-17T19:07:39.037Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"
2019-12-17T19:07:44.038Z [INFO] core: stored unseal keys supported, attempting fetch
2019-12-17T19:07:44.080Z [INFO] core: autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2019-12-17T19:07:44.174Z [WARN] failed to unseal core: error="stored unseal keys are supported, but none were found"---
kubectl describe pod vault-0Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Unhealthy 3s (x9 over 27s) kubelet, minikube Readiness probe failed: Key Value

使用KMS自动解封初始化保管库 (Initialize vault with KMS auto unseal)

open up a port-forward to Vault using the command:


$ kubectl port-forward vault-0 8200:8200 > /dev/null & export PID=$!; echo "vault port-forward pid: $PID"

Connect to Vault using the CA.pem cert


$ export VAULT_ADDR=;
export VAULT_CACERT=$PWD/ca.pemmy vault ca.pem for example is at:
VAULT_CACERT: /Users/ami/vault-gke-medium/ca.pem

Install vault client (make sure your client is the same version as the server)


$ brew install vault

Check the status:


$ vault status
Key Value
--- -----
Recovery Seal Type gcpckms
Initialized false
Sealed true
Total Recovery Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version n/a
HA Enabled true

now initialize vault:


vault operator initRecovery Key 1: 33nCanHWgYMR/VPj6bNQdHXJiayL6WeB8Ourx4kHYNaX
Recovery Key 2: IMf7RjptFxtGQUbEWUWehanCBiSY7VhElkM7rRVxczGc
Recovery Key 3: zGuzk/PhNet9OHL4cW2H7d3XypDxfwWXkmajclLPklK4
Recovery Key 4: nCFS0dt0cNGB2LWk0F+3Vmz9TbVNpeIsXbIXDbRarlnT
Recovery Key 5: 9GxXr/6T8OJWJrWqyHQxayR0BAK+WTdbT870AzKEFl2VInitial Root Token: s.1ukhSgycySjZUJRD0bZjSEitSuccess! Vault is initializedRecovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.

Keep these keys safe.


Trusting the self-signed certificate authority:


Since we have created the ca.pem by ourselves, it will not be trusted since it is not a part of the CA’s bundle that comes with your computer.


we can add a trust by following the instructions below for your operating system.


Mac OS:Setting “always trust” for the CA will allow you to open Vault UI in the browser without any errors:

Mac OS:为CA设置“始终信任”将使您可以在浏览器中打开Vault UI,而不会出现任何错误:

$ sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain $VAULT_CACERT

Windows 10:Follow the instructions here to add the cert to the trusted publishers:

Windows 10:按照此处的说明将证书添加到受信任的发布者:

使用Vault设置Kubernetes后端身份验证 (Setting up Kubernetes backend authentication with Vault)

Now that Vault is up and highly available we can move forward and connect Vault with Kubernetes.


We will use a service account to do the initial login of Vault to Kubernetes,


This service account token will be configured inside the vault using vault CLI.

将使用Vault CLI在Vault内部配置此服务帐户令牌。

This service account has special permission called “system:auth-delegator” that will allow vault to pass the service account of the pod to Kubernetes for authentication, once authenticated vault returns a vault login token to the client that will talk to Vault and get the secrets it needs.

该服务帐户具有特殊的权限,称为“ system:auth-delegator”,该权限将允许Vault将Pod的服务帐户传递给Kubernetes进行身份验证,一旦经过身份验证的Vault将Vault登录令牌返回给客户端,客户端将与Vault进行对话并获取Vault登录令牌。它需要的秘密。

The client will use the login token and login to Vault to get the secretVault will check a mapping between a vault role, service account, namespace and the policy to allows/deny the access.


let’s create the service account for that vault-reviewer


apiVersion: v1
kind: ServiceAccount
  name: vault-reviewer
  namespace: default
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
  name: role-tokenreview-binding
  namespace: default
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
- kind: ServiceAccount
  name: vault-reviewer
  namespace: default

link to original gist


Please note; if you have set up Vault on any other namespace, make sure to update this file accordingly.

请注意; 如果您已在任何其他命名空间上设置了Vault,请确保相应地更新此文件。

kubectl apply -f vault-reviewer.yaml

enable the Kubernetes auth backend:


# Make sure you are logged in to vault using the root token$ vault login$ vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/

Configure Vault with the vault-reviewer token and ca:


note: if you setup vault on any other namespace set the -n flag after each kubectl command

注意:如果您在其他任何命名空间上设置了Vault,则在每个kubectl命令之后设置-n 标志

$ VAULT_SA_TOKEN_NAME=$(kubectl get sa vault-reviewer -o jsonpath="{.secrets[*]['name']}")$ SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)$ SA_CA_CRT=$(kubectl get secret "$VAULT_SA_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)$ vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host=https://kubernetes.default kubernetes_ca_cert="$SA_CA_CRT"Success! Data written to: auth/kubernetes/config

Basic requirements for a pod to access a secret:


  • the Pod must have a service account

  • the Vault CA.pem secret must exist on the namespace that the Pod is running on

    Vault CA.pem机密必须存在于Pod运行所在的名称空间上
  • a policy with a minimum read to the secret must exist

path "secret/foo" {
capabilities = ["read"]
  • a Vault role must be created in Vault:

vault write auth/kubernetes/role/ \
bound_service_account_names= \
bound_service_account_namespaces= \

This concludes the setup for Hashicorp vault on GKE, I highly recommend setting up vault secrets webhooks to seamlessly consume secrets from Vault based only on a few annotations.

这样就结束了在GKE上对Hashicorp Vault的设置,我强烈建议您设置Vault机密Webhooks ,以仅基于一些注释无缝地使用Vault的机密。

如何通过负载平衡器使用身份识别代理(IAP)设置Vault UI (How to setup Vault UI with Identity-Aware Proxy (IAP) via a load-balancer)


Identity-aware proxy is a way to authenticate a user without the need to set up a VPN or SSH Bastion.


More info on IAP


If you want to set up a load balancer for the service with identity-aware proxy you can do that by following the steps below, otherwise, you can access vault UI via kubectl port-forward vault-0 8200

如果要使用身份识别代理为服务设置负载平衡器,请按照以下步骤操作,否则,可以通过kubectl port-forward vault-0 8200访问Vault UI。

The following process does not bind a google user to Vault by any means — it serves as a multi-factor authentication only, there is a way to use JWT for vault authentication but that allows any user from your domain to choose a role which is less secure…


Note:You still need the self-signed certificate for Vault service itself, the load balancer certificate is required to enable IAP and https.

注意: 您仍需要Vault Service本身的自签名证书,需要负载均衡器证书才能启用IAP和https。



  • A certificate for the load balancer must be created via Google Managed certificate, or created as a Kubernetes secret.


    A certificate for the load balancer must be created via Google Managed certificate, or created as a Kubernetes secret.https://cloud.google.com/load-balancing/docs/ssl-certificates

    必须通过Google托管证书创建负载平衡器的证书,或者将其创建为Kubernetes机密。 https://cloud.google.com/load-balancing/docs/ssl-certificates

  • The domain must be verified via Google webmaster tools

    该域必须通过Google 网站管理员工具进行验证

  • A global static IP must be created and a DNS entry needs to be created


    (if you are using


    externalDNS service then you don’t need that)


$ gcloud compute addresses create vault-ui --global

You can create a certificate using the following YAML


apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
  name: vault-ui-certificate
    - vault.domain.com
$ kubectl apply -f managed-cert.yaml

Once created, give it 15-20 minutes to change the status from Proviosning to Active

创建完成后,请等待 15-20分钟,将状态从“ 禁止”更改为“ 有效”

Check the status of the cert:


$ kubectl describe ManagedCertificate vault-ui-certificateName:         vault-ui-certificate
Namespace: default
Annotations: kubectl.kubernetes.io/last-applied-configuration:
API Version: networking.gke.io/v1beta1
Kind: ManagedCertificate
Creation Timestamp: 2020-01-13T23:10:28Z
Generation: 3
Resource Version: 7120865
Self Link: /apis/networking.gke.io/v1beta1/namespaces/default/managedcertificates/vault-ui-certificate
UID: e35e7a1b-3659-11ea-ae90-42010aa80174
Certificate Name: mcrt-9462e1f4-6dd6-4cf2-8769-9693ba29789e
Certificate Status: Active
Domain Status:
Domain: vault.ami-playground.doit-intl.com Status: Active Expire Time: 2020-04-12T15:12:29.000-07:00

为GKE配置IAP: (Configuring IAP for GKE:)

You may choose to follow the complete instructions instead of the steps summarized below:


Configure the IAP for your domain via Oauth consent screen and create the client credentials.

通过Oauth同意屏幕为您的域配置IAP并创建客户端凭据 。

Once you created the client you need to copy the client ID and add it to the authorized redirect URIs field in the following format:



Create the secret that will be used by the backend config:


kubectl create secret generic my-secret --from-literal=client_id=client_id_key \

Create a backend config for the IAP:


apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
  name: config-default
    enabled: true
      secretName: my-secret

enable the section on the bottom of the vault-gke.yaml files and make sure the values for the global static IP as well as the DNS for the host are updated


Note:you must delete the vault installation and recreate it with helm since GKE ingress has issues updating existing ingresses.


to summarize the values yaml file:


  • we are enabling the vault UI service on port 443 and exposing it via a NodePort

    我们正在端口443上启用Vault UI服务,并通过NodePort将其公开
  • we are setting up the vault service with the IAP via a backend config

  • we are enabling the ingress with a static global IP and the DNS as the host that is mapped to it

  • we are disabling HTTP on the load balancer

  • we are configuring the communication between the load balancer and the vault pods to be https only

  • we are setting up the managed certificate for the load balancer so that the load balancer will be an HTTPS listener


Once deployed, if you will check the IAP page you will see the following errors and warnings (you might see both backend services with an ERROR if you are using a shared VPC networking. the real test is to check the vault UI URL in the browser)

部署后,如果您将检查IAP页面,则会看到以下错误和警告(如果使用共享VPC网络,则两个后端服务都可能显示ERROR。真正的测试是在浏览器中检查Vault UI URL。 )

The first error is for the default backend (the one that serves 404’s), the error is simply an indication that IAP won’t be active for any 404 page, which is the intended behavior.


The other is just a warning, if you click on the warning you will see something like this:



All it means is that GCP detected that some firewall rules will bypass the IAP such as internal networks, and the load balancer talking to vault backend.


select the default/vault on the IAP page and from the info panel on the left add members that will need access to the vault-ui via the load balancer


add the member with the “IAP-secured Web App User” permission to allow that user to access vault ui.

添加具有“ IAP安全的Web应用程序用户”权限的成员,以允许该用户访问库ui。

翻译自: https://blog.doit-intl.com/vault-high-availability-on-gke-68ef4fd7ca33

