This document contains the steps needed to initialize an existing Vault instance and to obtain the role_id and app_id needed for Garden Enterprise.

At this point, you should already have a Vault instance running that you can connect to.

Setting up Vault JWT Authentication

The commands below should be run from a host that has access to Vault, not in the Vault instance itself.

After going through the these steps, you'll have the Vault App ID and Vault Secret ID that Garden Enterprise needs. These values are provided to Garden Enterprise via the admin console during the installation process.

Connect to Vault

How you connect to Vault depends on your set up. In what follows, we'll assume you're coming here from Initialize Bundled Vault step of our installation guide and that you will connect to Vault via a kubectl port-forward.

Assuming you have the kubectl context set to that of the Garden Enterprise cluster, run:

kubectl --namespace garden-enterprise port-forward svc/prod-charts-vault 8200:8200

Note: If you're installing Garden Enterprise into a namespace other than the default garden-enterprise, use that namespace name instead.

Set Environment

Export the following environment variables:

export VAULT_ADDR=http://localhost:8200

Note: If you're not connecting to Vault over a port-forward as described in Connect to Vault step above, you may need to set a different VAULT_ADDR.

To verify that everything works, try running:

vault status

You should see a response like:

Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: x.y.z
Cluster Name: vault-cluster-49ffd45f
Cluster ID: d2dad792-fb99-1c8d-452e-528d073ba205
High-Availability Enabled: false

Initialize Vault


vault operator init

You should get a response like:

Recovery Key 1: /4+9fBQXFjjwWZiTHr96Xz**********************
Recovery Key 2: Xqc0bUNTKXVaQiKR73HyLj**********************
Recovery Key 3: hwOB4Hw5jVEgxf+LbnnGpf**********************
Recovery Key 4: pi0v0uUWUmjlQiyJvHalIi**********************
Recovery Key 5: iGAmfc9zyTuOAfC01rvvVA**********************
Initial Root Token: s.hf9vNpHLWS8*************
Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.

Add Root Token to Environment

Export the root token from the step above by running:

export VAULT_TOKEN=<root-token>

Enable JWT Auth


vault auth enable jwt

Write JWT Public Key

Write the JWT private key you created for the Garden Enterprise installation (see the Prepare Environment Variables step of the installation guide).

vault write auth/jwt/config [email protected]

Write Policy

Create a file called policy.hcl and add the following to it:

path "/sys/mounts" {
capabilities = ["create", "read", "update", "list"]
path "/sys/mounts/*" {
capabilities = ["create", "read", "update", "list"]
path "/sys/policy/*" {
capabilities = ["create", "read", "update", "delete", "list"]
path "/auth/jwt/role/*" {
capabilities = ["create", "read", "update", "delete", "list"]

and then run:

vault policy write garden-enterprise policy.hcl

Enable App Role


vault auth enable approle

Update App Role


curl --insecure -X PUT \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-H "x-vault-token: ${VAULT_TOKEN}" \
-d '{
"bind_secret_id": true,
"token_no_default_policy": true,

Here, we're using the environment variables set in the Set Environment step above, and the app role we enabled in the previous step.

Get App Role ID


curl --insecure -X GET \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/role-id \
-H 'cache-control: no-cache' \
-H "x-vault-token: ${VAULT_TOKEN}"

...and make note of the role_id in the response.

Example response:


Create Secret


curl --insecure -X POST \
${VAULT_ADDR}/v1/auth/approle/role/garden-enterprise-approle/secret-id \
-H 'cache-control: no-cache' \
-H "x-vault-token: ${VAULT_TOKEN}"

...and make note of the secret_id in the response.

Example response:


Add App Role ID and Secret ID to Admin Console

Add the app role ID and secret ID from the steps above to the Garden Enterprise admin console. If you came here from the Initialize Bundled Vault step of the installation guide, you can now proceed with the installation.