vault-on-gke
Upgrade vault to latest, vault injector, separate namespace
- updated vault to latest version
- added full vault injector config for enabling sidecar injection
- moved everything into a namespace of your choice (via variables; vault by default)
@sethvargo this is ready for review!
Fully updates this project to the latest Terraform versions, adds the sidecar injector (works across external clusters), and an isolated namespace for all Vault things.
I added a section to the README.md here: https://github.com/agates4/vault-on-gke#expose-vault-to-external-cluster-along-with-sidecar-injector. It goes over how to get the sidecar injector fully working with a sample Helm example.
hi all,
I'm using this (@agates4's repo) for my config (all deployed via Azure Pipelines) but I'm having a few issues:
- finding the initial root token: I can't see anything in the storage bucket, and I'm not sure if the state file contains it either
- this all deploys fine and Vault initialises; however, the unseal doesn't seem to be working. Looking at the logs:
[WARN] failed to unseal core: error="fetching stored unseal keys failed: failed to decrypt keys from storage: failed to decrypt envelope: rpc error: code = InvalidArgument desc = Decryption failed: verify that 'name' refers to the correct CryptoKey."
Yet when I look at the yaml (I've removed key details):
seal "gcpckms" {
  project    = "<secret>"
  region     = "europe-west2"
  key_ring   = "vault-9cb4c8781da207ea"
  crypto_key = "vault-init"
}
That all is correct.
Logs from the kubectl describe cmd:
warning Unhealthy 3m4s (x12120 over 16h) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
EDIT:
NVM, fixed it, just setting up a new bucket worked.
EDIT:
Seems the root token doesn't work when I try to login on the UI page. Any ideas?
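The two log excerpts quoted in the comment above (the gcpckms unseal failure and the kubelet readiness event) are the signals an operator has to work from when auto-unseal breaks on GKE. The following triage helper is an added example, not code from this PR or from the vault-on-gke project: it parses a seal stanza into the full Cloud KMS CryptoKey resource name the seal calls Decrypt on, classifies the "failed to unseal core" error chain, and extracts the count and status code from the probe event. The sample lines are constructed from the excerpts in the thread; the project id is a placeholder. The classification encodes the interpretation behind the reporter's fix: an InvalidArgument "Decryption failed" from KMS means the stored unseal keys object was not encrypted under the key named in the stanza (for example, a bucket carried over from an earlier init with a different key ring), which is why starting with a fresh bucket resolved it. Vault's health endpoint answers 503 while sealed, so a readiness probe failing with 503 is consistent with a sealed pod rather than a networking problem.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample inputs, modelled on the excerpts quoted in the thread.
# "example-project" is a placeholder, not a real deployment.
VAULT_LOG_LINE = (
    '[WARN] failed to unseal core: error="fetching stored unseal keys failed: '
    'failed to decrypt keys from storage: failed to decrypt envelope: rpc error: '
    "code = InvalidArgument desc = Decryption failed: verify that 'name' refers "
    'to the correct CryptoKey."'
)
KUBELET_EVENT_LINE = (
    "warning Unhealthy 3m4s (x12120 over 16h) kubelet Readiness probe failed: "
    "HTTP probe failed with statuscode: 503"
)
SEAL_STANZA = """
seal "gcpckms" {
  project    = "example-project"
  region     = "europe-west2"
  key_ring   = "vault-9cb4c8781da207ea"
  crypto_key = "vault-init"
}
"""

_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
_UNSEAL_RE = re.compile(r'\[WARN\]\s+failed to unseal core: error="(?P<err>.*)"\s*$')
_PROBE_RE = re.compile(
    r"Unhealthy\s+\S+\s+\(x(?P<count>\d+) over (?P<window>[0-9hms]+)\)\s+kubelet\s+"
    r"(?P<probe>\w+) probe failed: HTTP probe failed with statuscode: (?P<status>\d{3})"
)


def parse_seal_stanza(hcl: str) -> Dict[str, str]:
    """Pull the key = "value" assignments out of a gcpckms seal stanza."""
    return {key: value for key, value in _ASSIGN_RE.findall(hcl)}


def kms_key_resource(cfg: Dict[str, str]) -> str:
    """Full Cloud KMS CryptoKey resource name the seal will call Decrypt on."""
    return (
        f"projects/{cfg['project']}/locations/{cfg['region']}"
        f"/keyRings/{cfg['key_ring']}/cryptoKeys/{cfg['crypto_key']}"
    )


def classify_unseal_error(line: str) -> Optional[str]:
    """Map a 'failed to unseal core' log line to a root-cause bucket."""
    match = _UNSEAL_RE.search(line)
    if not match:
        return None
    err = match.group("err")
    if "Decryption failed" in err and "InvalidArgument" in err:
        # KMS accepted the call but the ciphertext was not produced by the named
        # key: the stored unseal keys belong to a different CryptoKey (stale
        # bucket from an earlier init, or a recreated key ring).
        return "stored-keys-encrypted-with-different-key"
    if "PermissionDenied" in err:
        # Service account lacks cloudkms decrypt permission on the key.
        return "kms-iam-denied"
    return "other-unseal-failure"


@dataclass
class ProbeFailure:
    probe: str
    status: int
    count: int
    window: str


def parse_probe_event(line: str) -> Optional[ProbeFailure]:
    """Extract probe type, HTTP status and repeat count from a kubelet event."""
    match = _PROBE_RE.search(line)
    if not match:
        return None
    return ProbeFailure(
        probe=match.group("probe"),
        status=int(match.group("status")),
        count=int(match.group("count")),
        window=match.group("window"),
    )


def triage(vault_line: str, event_line: str, seal_hcl: str) -> Dict[str, object]:
    """Combine the three inputs into one triage record."""
    cfg = parse_seal_stanza(seal_hcl)
    probe = parse_probe_event(event_line)
    return {
        "kms_key": kms_key_resource(cfg),
        "unseal_failure": classify_unseal_error(vault_line),
        # A readiness probe stuck on 503 matches Vault's sealed health status.
        "sealed_pod_hint": probe is not None and probe.status == 503 and probe.probe == "Readiness",
        "probe": probe,
    }


if __name__ == "__main__":
    for key, value in triage(VAULT_LOG_LINE, KUBELET_EVENT_LINE, SEAL_STANZA).items():
        print(f"{key}: {value}")
```

The resource name printed under kms_key is the one to check against the key the stored unseal keys were actually wrapped with; if the key ring or key was recreated after the bucket was first populated, the bucket contents can no longer be decrypted and Vault will log exactly the chain shown above on every unseal attempt.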