From a67e29530ae62f89c8734d6e1ab5c63494037cf8 Mon Sep 17 00:00:00 2001
From: Bin Ju
Date: Tue, 3 Dec 2019 16:45:18 -0500
Subject: [PATCH] enable auto-unseal with leveraging gkms
Signed-off-by: Bin Ju
---
 .../with-creds/vault/templates/vault-gcp.yml | 8 ++++++++
 deployments/with-creds/vault/values.yaml | 11 ++++++++++
 terraform/main.tf | 20 +++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 deployments/with-creds/vault/templates/vault-gcp.yml
diff --git a/deployments/with-creds/vault/templates/vault-gcp.yml b/deployments/with-creds/vault/templates/vault-gcp.yml
new file mode 100644
index 0000000..59f8dbe
--- /dev/null
+++ b/deployments/with-creds/vault/templates/vault-gcp.yml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-gcp
+type: Opaque
+data:
+ vault.gcp: {{ default "" .Values.vault.gcp | b64enc | quote }}
+
diff --git a/deployments/with-creds/vault/values.yaml b/deployments/with-creds/vault/values.yaml
index 02d0ba1..484b053 100644
--- a/deployments/with-creds/vault/values.yaml
+++ b/deployments/with-creds/vault/values.yaml
@@ -6,6 +6,12 @@ vault:
 extraVolumes:
 - type: secret
 name: vault-server-tls
+ - type: secret
+ name: vault-gcp
+ extraEnvironmentVars:
+ GOOGLE_REGION: global
+ GOOGLE_PROJECT: cf-concourse-production
+ GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/vault-gcp/vault.gcp
 standalone:
 enabled: true
 config: |
@@ -20,3 +26,8 @@ vault:
 storage "file" {
 path = "/vault/data"
 }
+
+ seal "gcpckms" {
+ key_ring = "vault-helm-unseal-kr"
+ crypto_key = "vault-helm-unseal-key"
+ }
diff --git a/terraform/main.tf b/terraform/main.tf
index c7b6a61..a626a9a 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
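Review bot: `default "" .Values.vault.gcp` turns a missing credential into an empty Secret rather than a render error, so a release with `vault.gcp` unset installs cleanly and Vault only fails later, at unseal time, with an error about an unreadable credentials file. The seal cannot work without the key, so fail at `helm install` instead: `vault.gcp: {{ required "vault.gcp must hold the GCP service-account key used by the gcpckms seal" .Values.vault.gcp | b64enc | quote }}`. The value is a long-lived service-account key that sits in plain text in values.yaml and is visible through `helm get values`; a comment at the top of the template saying what it is, and that the account should hold only the encrypter/decrypter role on the unseal key, would help whoever rotates it.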
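Review bot: The three `extraEnvironmentVars` exist to feed the `seal "gcpckms"` stanza added further down in the `config` block (Vault reads GOOGLE_PROJECT, GOOGLE_REGION and GOOGLE_APPLICATION_CREDENTIALS for the project, region and credentials the stanza does not name), but nothing in values.yaml says so, and the project id `cf-concourse-production` is hard-wired here alongside the key names repeated in terraform/main.tf. A comment above the block, `# Consumed by the gcpckms seal stanza in config below; the path is where the chart mounts the vault-gcp secret volume`, would make the coupling visible. The `/vault/userconfig/vault-gcp/vault.gcp` path presumably follows the chart's extraVolumes mount convention; worth confirming against the chart version in use, since a wrong path only shows up as an unseal failure at startup.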
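Review bot: Adding a `seal "gcpckms"` stanza to a Vault that was already initialised with Shamir keys will not unseal on the next restart: as far as the Vault docs describe it, Vault detects the seal-type change and waits for a one-time seal migration (`vault operator unseal -migrate` with the existing Shamir keys) before it will start, while a fresh install is unaffected. Worth a comment above the stanza, e.g. `# Switching an existing Shamir-sealed Vault to this seal needs a seal migration (vault operator unseal -migrate) first`. The stanza also leaves `project` and `region` to the GOOGLE_PROJECT/GOOGLE_REGION environment variables set in extraEnvironmentVars above; stating them here (`project = "cf-concourse-production"`, `region = "global"`) keeps the seal config readable on its own.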
@@ -154,3 +154,23 @@ module "ci-database" {
 zone = "${var.zone}"
 max_connections = "100"
 }
+
+# gkms key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_key_ring" "keyring" {
+ name = "vault-helm-unseal-kr"
+ location = "global"
+}
+
+# crypto key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_crypto_key" "vault-helm-unseal-key" {
+ name = "vault-helm-unseal-key"
+ key_ring = google_kms_key_ring.keyring.self_link
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
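Review bot: The crypto key is created without a `rotation_period`, so the unseal key version never rotates; Vault's gcpckms seal tracks key versions and keeps decrypting with older ones, so `rotation_period = "7776000s"` (90 days) next to `name` is a safe addition. Nothing in this hunk grants the service account whose key goes into the vault-gcp Secret any access to the key; unless that binding lives elsewhere in main.tf, a `google_kms_crypto_key_iam_member` with `roles/cloudkms.cryptoKeyEncrypterDecrypter` scoped to this one key, not the project, belongs next to it. `google_kms_key_ring.keyring.self_link` is deprecated in the google provider in favour of `.id`, which is what `key_ring` expects. `prevent_destroy` on the key is right; a comment saying why (destroying it makes the Vault barrier unrecoverable) would be worth adding.

```hcl
# crypto key for vault unseal
# Concourse deployment. Never destroy: the Vault barrier is unrecoverable without it.
#
resource "google_kms_crypto_key" "vault-helm-unseal-key" {
  name            = "vault-helm-unseal-key"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days; Vault keeps decrypting with older versions
  # … unchanged: lifecycle block …
}

# Grant only this key, not the project, to the account Vault unseals with.
resource "google_kms_crypto_key_iam_member" "vault-unseal" {
  crypto_key_id = google_kms_crypto_key.vault-helm-unseal-key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:<VAULT_UNSEAL_SA_EMAIL>" # placeholder: the account whose key is in vault.gcp
}
```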