Open Source Vault deployment Guidence
Prerequisites
There are several decisions need to be made before deployment:
1. what should the container orchestration for Vault?
Even I am a big fan of K8S, but GCP container on VM still can an option if you just need to deploy on container.
GCP container on VM:
Compute Engine executes the following tasks after you make a request to create a VM instance:
Compute Engine creates a VM instance that uses a Google-provided Container-Optimized OS image. This image includes a Docker runtime and additional software that is responsible for starting your container.
Compute Engine stores your container settings in instance metadata under the gce-container-declaration metadata key. When the VM starts, the Container-Optimized OS image uses the docker run command configuration that is stored in the instance’s metadata, pulls the container image from the repository, and starts the container.
but you can only: only deploy one container for each VM instance
Usage:
Create: gcloud compute instance-templates create-with-container TEMPLATE_NAME \
--container-image DOCKER_IMAGE
Update: gcloud compute instances update-container nginx-vm \
--container-image gcr.io/cloud-marketplace/google/nginx1:latest
Terraform module: https://registry.terraform.io/modules/terraform-google-modules/container-vm/google/latest
k8s:
- Run a large number of microservices
- Have faster container startup time
- Take advantage of Kubernetes automated orchestration, including auto upgrades, node auto repair, and autoscaling
But, note: GKE SLA: 99.95%
2. Where to store the data? local host, persistent disk or volume, GCP Cloud Storage(GCS), Google Spanner?
- Both GCP container on VM and K8S supports local host and persistent disk.
- Vault supports GGCS as storage backend with high availability.
- Vault support Google spanner storage backednd with HA.