vault-autounseal-operator

module

v0.2.3 Latest Latest Go to latest Published: Jul 16, 2024 License: GPL-3.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/camaeel/vault-autounseal-operator

Links

Open Source Insights

README ¶

vault-autounseal-operator

Vault operator for managing vault clusters running in Kubernetes. Operator handles:

automated initialization of new clusters
automated unsealing of pods in a clusters
upgrading statefulset pods in graceful manner
rotating vault pods if TLS certificate is updated

Operator assumes vault is deployed using official Hashicorp Vault helm chart.

Installation

Prerequisites

Vault installed in the cluster. Important parts of the configuration:

if using ha mode with raft storage retry_join block is configured for auto joining the cluster. .server.standalone is set to false then.

Example configuration (for kind cluster) can be found in manifests/vault-values.yml

Installation using helm

First add helm repository:

helm repo add vault-autounseal-operator https://camaeel.github.io/vault-autounseal-operator
helm repo update

Install:

helm upgrade --install vault-autounseal-operator vault-autounseal-operator/vault-autounseal-operator

Algorithm:

build vault client
get pod seal & init status - https://localhost:8200/v1/sys/seal-status
if !initialized
1. check if init secret is not there
2. sync (create lease or lock)
3. call sys/initialize
4. create secret - unseal keys
5. create secret - root token
if sealed
1. get secret - unseal keys
2. call sys/unseal

Development

Setting local environment

Create kind cluster (or use any other cluster).

It is easiest to use Makefile run make kind or alternatively

kind create cluster \
  --wait 120s \
  --config manifests/kind-config.yaml

Install preprequisites & vault

Either use attached Makefile: make kind_install

Or do it manually:

Add repositories:

helm repo add cert-manager https://charts.jetstack.io
helm repo add kong https://charts.konghq.com
helm repo add hashicorp https://helm.releases.hashicorp.com/
helm repo update

Install cert-manager:

helm upgrade --install cert-manager cert-manager/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true \
  --wait

Install kong ingress controller:

helm upgrade --install kong kong/kong \
  --namespace kong --create-namespace \
  --values manifests/kong-values.yml \
  --wait

Install vault:

kubectl create namespace vault || echo 0
kubectl apply -f manifests/certs.yml
helm upgrade --install --namespace vault \
  vault hashicorp/vault \
  --values manifests/vault-values.yml \
  --wait

Install vault-autounseal:

Either with makefile: make helm_install or use:

helm upgrade --install vault-autounseal-operator charts/vault-autounseal-operator -n vault

Directories ¶

Path	Synopsis
cmd
vault-autounseal-operator
pkg
config
health
providers/kubeclient
providers/vault
utils/logging
vault-autounseal-operator
vault-autounseal-operator/pod_handler
vault-autounseal-operator/secrets
vault-autounseal-operator/sts_handler

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL