Install Vault with a cluster management project

Introduced in GitLab 14.0.

HashiCorp Vault is a secrets management solution which can be used to safely manage and store passwords, credentials, certificates, and more. A Vault installation could be leveraged to provide a single secure data store for credentials used in your applications, GitLab CI/CD jobs, and more. It could also serve as a way of providing SSL/TLS certificates to systems and deployments in your infrastructure. Leveraging Vault as a single source for all these credentials allows greater security by having a single source of access, control, and auditability around all your sensitive credentials and certificates. This feature requires giving GitLab the highest level of access and control. Therefore, if GitLab is compromised, the security of this Vault instance is as well. To avoid this security risk, GitLab recommends using your own HashiCorp Vault to leverage external secrets with CI.

Assuming you already have a project created from a management project template, to install Vault you should uncomment this line from your helmfile.yaml:

  - path: applications/vault/helmfile.yaml

By default you receive a basic Vault setup with no scalable storage backend. This is enough for simple testing and small-scale deployments, though has limits to how much it can scale, and as it’s a single instance deployment, upgrading the Vault application causes downtime.

To optimally use Vault in a production environment, it’s ideal to have a good understanding of the internals of Vault and how to configure it. This can be done by reading the Vault Configuration guide, the Vault documentation and the Vault Helm chart values.yaml file.

At a minimum, most users set up:

The following is an example values file (applications/vault/values.yaml) that configures Google Key Management Service for auto-unseal, using a Google Cloud Storage backend, enabling the Vault UI, and enabling HA with 3 pod replicas. The storage and seal stanzas below are examples and should be replaced with settings specific to your environment.

# Enable the Vault WebUI
ui:
  enabled: true
server:
  # Disable the built in data storage volume as it's not safe for High Availability mode
  dataStorage:
    enabled: false
  # Enable High Availability Mode
  ha:
    enabled: true
    # Configure Vault to listen on port 8200 for normal traffic and port 8201 for inter-cluster traffic
    config: |
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      # Configure Vault to store its data in a GCS Bucket backend
      storage "gcs" {
        path = "gcs://my-vault-storage/vault-bucket"
        ha_enabled = "true"
      }
      # Configure Vault to unseal storage using a GKMS key
      seal "gcpckms" {
         project     = "vault-helm-dev-246514"
         region      = "global"
         key_ring    = "vault-helm-unseal-kr"
         crypto_key  = "vault-helm-unseal-key"
      }

After you have successfully installed Vault, you must initialize the Vault and obtain the initial root token. You need access to your Kubernetes cluster that Vault has been deployed into to do this. To initialize the Vault, get a shell to one of the Vault pods running inside Kubernetes (typically this is done by using the kubectl command-line tool). After you have a shell into the pod, run the vault operator init command:

kubectl -n gitlab-managed-apps exec -it vault-0 sh
/ $ vault operator init

This should give you your unseal keys and initial root token. Make sure to note these down and keep these safe, as they’re required to unseal the Vault throughout its lifecycle.