enable auto-unseal with leveraging gkms

[pivotal-bin-ju]

fixes: https://github.com/concourse/prod/issues/48 The process for auto-unseal:

• terraform apply. if it is failed with 403, open the gcp console to grant the access that error descripted.
• merge PR https://github.com/concourse/hush-house/pull/87
• helm deploy (for this case it is make deploy-vault-nci). Be aware we are in the ln -s vault vault-nci directory. We do not want to overwrite the existed vault after we migrate the secrets.
• vault init
  • kubectl -n vault-nci exec -it vault-nci-0 /bin/sh to login to vault container.
  • export VAULT_SKIP_VERIFY=1
  • vault init
  • log the credentials into lastpass
• verify
  • vault login with the secret that your save in the last step.
  • vault secrets enable -path=/concourse kv
  • vault write /concourse/test key1=12345
  • kubectl delete pod vault-nci-0 -n vault-nci
  • kubectl -n vault-nci exec -it vault-nci-0 /bin/sh to login to vault container.
  • vault status you should see:

    Key                      Value
    ---                      -----
    Recovery Seal Type       shamir
    Initialized              true
    Sealed                   false
    Total Recovery Shares    5
    Threshold                3
    Version                  1.2.4
    Cluster Name             vault-cluster-d2c84530
    Cluster ID               972... ........33037b9
    HA Enabled               false

    The Sealed should be false

  • vault login
  • vault read /concourse/test

    Key                 Value
    ---                 -----
    refresh_interval    768h
    key1                12345

[deniseyu]

We decided to decouple the auto-unseal work from the backend migration, because migrating data turned out to be a little trickier. It's not blocking work, so we're going to prioritize that and finish it up later.