Merge pull request #89 from concourse/auto-unseal

enable auto-unseal with leveraging gkms
concourse · Dec 4, 2019 · 2690e34 · 2690e34
2 parents c57869e + a67e295
commit 2690e34
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/deployments/with-creds/vault/templates/vault-gcp.yml b/deployments/with-creds/vault/templates/vault-gcp.yml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-gcp
+type: Opaque
+data:
+  vault.gcp: {{ default "" .Values.vault.gcp | b64enc | quote }}
+
diff --git a/deployments/with-creds/vault/values.yaml b/deployments/with-creds/vault/values.yaml
@@ -6,6 +6,12 @@ vault:
     extraVolumes:
       - type: secret
         name: vault-server-tls
+      - type: secret
+        name: vault-gcp
+    extraEnvironmentVars:
+      GOOGLE_REGION: global
+      GOOGLE_PROJECT: cf-concourse-production
+      GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/vault-gcp/vault.gcp
     standalone:
       enabled: true
       config: |
@@ -20,3 +26,8 @@ vault:
         storage "file" {
           path = "/vault/data"
         }
+
+        seal "gcpckms" {
+          key_ring = "vault-helm-unseal-kr"
+          crypto_key = "vault-helm-unseal-key"
+        }
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -154,3 +154,23 @@ module "ci-database" {
   zone            = "${var.zone}"
   max_connections = "100"
 }
+
+# gkms key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_key_ring" "keyring" {
+  name     = "vault-helm-unseal-kr"
+  location = "global"
+}
+
+# crypto key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_crypto_key" "vault-helm-unseal-key" {
+  name            = "vault-helm-unseal-key"
+  key_ring        = google_kms_key_ring.keyring.self_link
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}