HOWTO: Bootstrap Vault and Seed Platform Secrets

Purpose: Initialise Vault, configure secrets and auth backends, and seed the initial credential set for the HybridOps platform.

Difficulty: Advanced

Track: Platform Services


Overview

Run vault operator init exactly once. Store all unseal key shares offline before continuing: they cannot be retrieved from Vault afterwards. Revoke the root token as soon as seeding is complete; modules authenticate via AppRole at runtime, never with the root token.


1. Vault Deployment

  • Installation and storage backend configuration.
  • TLS configuration for the Vault listener.
  • Systemd service setup.

2. Initialisation and Unseal

  • vault operator init: key shares and threshold.
  • Initial unseal procedure.
  • Root token handling and revocation plan.

3. Secrets Engine Configuration

  • KV v2 engine mount path: secret/.
  • Namespace layout aligned with HybridOps module conventions.
  • Seeding initial credentials: database passwords, SSH keys, API tokens.

4. Auth Backend Configuration

  • AppRole auth for HybridOps CLI.
  • AppRole auth for Jenkins.
  • Policy files: least-privilege access per consumer.
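The procedure in sections 2 to 4 (init, unseal, KV v2 mount, seeding, policies, AppRole, root revocation) as one bootstrap script. This is an added example, not the HybridOps project's own tooling; the secret paths, role names, TTLs and the scratch directory are assumptions, and it expects the vault and jq binaries plus a VAULT_ADDR pointing at a fresh, uninitialised Vault with TLS already configured (section 1).

```shell
#!/usr/bin/env bash
# Added example, not HybridOps project code. Assumes vault and jq on PATH, VAULT_ADDR
# pointing at a fresh, uninitialised TLS-enabled Vault; paths, role names, TTLs are assumed.
set -euo pipefail
KEY_SHARES=5; KEY_THRESHOLD=3
WORKDIR="${WORKDIR:-/root/vault-bootstrap}"   # assumed scratch dir; wipe after moving shares offline

# Least-privilege policies: each consumer reads only its own KV v2 subtree.
# KV v2 serves data under secret/data/... and listing under secret/metadata/...
write_policies() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/hybridops-cli.hcl" <<'EOF'
path "secret/data/hybridops/cli/*"     { capabilities = ["read"] }
path "secret/metadata/hybridops/cli/*" { capabilities = ["list"] }
EOF
  cat > "$dir/jenkins.hcl" <<'EOF'
path "secret/data/hybridops/jenkins/*"     { capabilities = ["read"] }
path "secret/metadata/hybridops/jenkins/*" { capabilities = ["list"] }
EOF
  echo "$dir/hybridops-cli.hcl $dir/jenkins.hcl"
}

bootstrap() {
  mkdir -p "$WORKDIR" && chmod 0700 "$WORKDIR"
  # Section 2: init exactly once; init.json is the only copy of the unseal shares.
  vault operator init -key-shares="$KEY_SHARES" -key-threshold="$KEY_THRESHOLD" \
    -format=json > "$WORKDIR/init.json"
  for i in $(seq 0 $((KEY_THRESHOLD - 1))); do   # any THRESHOLD shares unseal
    vault operator unseal "$(jq -r ".unseal_keys_b64[$i]" "$WORKDIR/init.json")"
  done
  VAULT_TOKEN="$(jq -r '.root_token' "$WORKDIR/init.json")"; export VAULT_TOKEN
  # Section 3 (and 6): KV v2 at secret/, seed one credential, enable the file audit log.
  vault secrets enable -path=secret kv-v2
  vault kv put secret/hybridops/cli/db password="$(openssl rand -base64 32)"
  vault audit enable file file_path=/var/log/vault/audit.log   # directory must exist
  # Section 4: one policy and one AppRole per consumer; short-lived, single-use SecretIDs.
  for p in $(write_policies "$WORKDIR/policies"); do
    vault policy write "$(basename "$p" .hcl)" "$p"
  done
  vault auth enable approle
  vault write auth/approle/role/hybridops-cli token_policies=hybridops-cli \
    token_ttl=1h token_max_ttl=4h secret_id_ttl=10m secret_id_num_uses=1
  vault write auth/approle/role/jenkins token_policies=jenkins token_ttl=1h
  # Root token has done its job: revoke it. Later admin work uses a dedicated admin policy.
  vault token revoke -self
}

if [ "${1:-}" = "run" ]; then bootstrap; fi
```

Invoke as "bash bootstrap.sh run"; the generated init.json must be moved to offline storage and deleted from the host before the script's scratch directory is considered clean.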

5. Auto-Unseal Configuration

  • Cloud KMS-based auto-unseal (GCP KMS or AWS KMS).
  • Testing auto-unseal after node reboot.
  • Backup unseal key storage.

6. Validation

  • HybridOps CLI secret read test.
  • Jenkins credential injection test.
  • Audit log enabled and writing correctly.


License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.