hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Problems when using GCP KMS decryption #658

Closed ForcemCS closed 2 months ago

ForcemCS commented 2 months ago

The configuration regarding GCP KMS decryption is as follows

  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
    VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
    VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
    GOOGLE_REGION: asia-east2
    GOOGLE_PROJECT: k8s-vault-426910
    GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
  extraVolumes:
    - type: "secret"
      name: "kms-creds"
      defaultMode: 0600

  ....
  seal "gcpckms" {
    project     = "k8s-vault-426910"
    region      = "asia-east2"
    key_ring    = "vault-on-k8s"
    crypto_key  = "vault-seal"
  }

  storage "raft" {
    path = "/vault/data"
    retry_join {
      leader_api_addr         = "https://vault-0.vault-internal:8200"
      leader_ca_cert_file     = "/vault/userconfig/vault-ha-tls/vault.ca"
      leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
      leader_client_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
    }
    retry_join {
      leader_api_addr         = "https://vault-1.vault-internal:8200"
      leader_ca_cert_file     = "/vault/userconfig/vault-ha-tls/vault.ca"
      leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
      leader_client_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
    }
    retry_join {
      leader_api_addr         = "https://vault-2.vault-internal:8200"
      leader_ca_cert_file     = "/vault/userconfig/vault-ha-tls/vault.ca"
      leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
      leader_client_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
    }
    autopilot {
      server_stabilization_time          = "10s"
      last_contact_threshold             = "10s"
      min_quorum                         = 5
      cleanup_dead_servers               = false
      dead_server_last_contact_threshold = "10m"
      max_trailing_logs                  = 1000
      disable_upgrade_migration          = false
    }
  }

Then I executed the following command and received the following error. I don't know how to solve it.

root@master01:~/v1.30/03-vault# kubectl exec -n $VAULT_K8S_NAMESPACE vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > ${WORKDIR}/cluster-keys.json
Error initializing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:

* parameters secret_shares,secret_threshold not applicable to seal type gcpckms
command terminated with exit code 2
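As an added example (not code from this issue or from vault-k8s), a POSIX sh helper that reads the seal type from `vault status -format=json` and chooses the `vault operator init` flags that seal accepts: a Shamir seal takes `-key-shares`/`-key-threshold`, while an auto-unseal seal such as gcpckms rejects those with the 400 shown above and takes `-recovery-shares`/`-recovery-threshold` instead. It assumes the `vault-0` pod, `$VAULT_K8S_NAMESPACE` and `$WORKDIR` from the issue, and `kubectl` on the path; the status JSON embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the issue or from vault-k8s. Assumes the pod
# vault-0, the namespace in $VAULT_K8S_NAMESPACE and the output dir in $WORKDIR.

# Seal types that auto-unseal: they take recovery shares, not key shares.
AUTO_UNSEAL_TYPES="awskms azurekeyvault gcpckms ocikms pkcs11 transit"

# Map a seal type to the init flags that seal accepts. A Shamir seal takes
# -key-shares/-key-threshold; an auto-unseal seal answers those with the
# "not applicable to seal type" 400 and takes recovery shares instead.
init_flags_for_seal() {
  seal="$1"
  if [ "$seal" = "shamir" ]; then
    echo "-key-shares=1 -key-threshold=1"
    return 0
  fi
  for t in $AUTO_UNSEAL_TYPES; do
    if [ "$t" = "$seal" ]; then
      echo "-recovery-shares=1 -recovery-threshold=1"
      return 0
    fi
  done
  echo "unknown seal type: $seal" >&2
  return 1
}

# Pull the "type" field out of 'vault status -format=json' with POSIX sed
# (no jq needed); "storage_type" does not match because of the leading quote.
seal_type_from_status() {
  printf '%s\n' "$1" | sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample of what an uninitialised, gcpckms-sealed node reports.
SAMPLE_STATUS='{"type": "gcpckms", "initialized": false, "sealed": true, "recovery_seal": true, "storage_type": "raft"}'

# Full flow against the cluster: read the seal type, then init with matching
# flags. 'vault status' exits non-zero while the node is sealed, so do not let
# that abort the script.
init_vault_pod() {
  ns="$1"; pod="$2"; out="$3"
  status="$(kubectl exec -n "$ns" "$pod" -- vault status -format=json || true)"
  seal="$(seal_type_from_status "$status")"
  flags="$(init_flags_for_seal "$seal")" || return 1
  # shellcheck disable=SC2086  # flags are intentionally word-split
  kubectl exec -n "$ns" "$pod" -- vault operator init $flags -format=json > "$out"
}

# Usage: init_vault_pod "$VAULT_K8S_NAMESPACE" vault-0 "$WORKDIR/cluster-keys.json"
```

With an auto-unseal seal the file written by `init_vault_pod` holds recovery keys and the root token rather than unseal keys, so it should be protected like the credentials.json mounted from the kms-creds secret.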