vault-unsealer-operator

command module
v0.0.0-...-85a0c52 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 18, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

README

vault-unsealer-operator

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. Contribute
  5. License
  6. Contact

About The Project

Purpose

This kubernetes operator allows you to automate unseal process of your HashiCorp Vault clusters or instances with a sample file and secret.

(back to top)

Built With

(back to top)

Getting Started

Prerequisites

You need to have :

  • An operationnal Kubernetes cluster
  • HashiCorp Vault cluster or instance
  • kubectl binary
Installation
  1. Deploy the latest operator release via the 'bundle' file : 
    kubectl apply -f https://raw.githubusercontent.com/aamoyel/vault-unsealer-operator/main/deploy/bundle.yml

(back to top)

Usage

  1. First you need to create your secret with your threshold unseal keys. You can find an example at this link . Here you can find an example: 
     apiVersion: v1
 kind: Secret
 metadata:
   name: thresholdkeys
 type: Opaque
 stringData:
   key1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   key2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Apply this file with kubectl
  2. (Optionnal) If you have your own PKI and CA certificate, you can create a secret (example file here) like that: 
     apiVersion: v1
 kind: Secret
 metadata:
   name: cacertificate
 type: Opaque
 stringData:
   ca.crt: |
     -----BEGIN CERTIFICATE-----
     .....................................
     -----END CERTIFICATE-----
    Apply this file with kubectl
  3. Now you can create your config file and custom fields: 
     apiVersion: unsealer.amoyel.fr/v1alpha1
 kind: Unseal
 metadata:
   name: unseal-sample
 spec:
   vaultNodes:
     - https://vault-cluster-node-url-1:8200
     - https://vault-cluster-node-url-2:8200
     - https://vault-cluster-node-url-3:8200
   thresholdKeysSecret: thresholdkeys
   # Optional, but important if you have internal pki for your vault certificate. Secret need to be in the same namespace as this resource
   caCertSecret: cacertificate
   # Optional, set this parameter to true if you want to skip tls certificate verification
   tlsSkipVerify: false
   # Optional
   retryCount: 3
    Apply this file with kubectl

(back to top)

Contribute

You can create issues on this project if you have any problems or suggestions.

(back to top)

License

Distributed under the Apache-2.0 license. See LICENSE.txt for more information.

(back to top)

Contact

Alan Amoyel - @AlanAmoyel

Project Link: https://github.com/aamoyel/vault-unsealer-operator

(back to top)

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
api
v1alpha1
Package v1alpha1 contains API Schema definitions for the unsealer v1alpha1 API group +kubebuilder:object:generate=true +groupName=unsealer.amoyel.fr
 Package v1alpha1 contains API Schema definitions for the unsealer v1alpha1 API group +kubebuilder:object:generate=true +groupName=unsealer.amoyel.fr
pkg
vault

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.