vault-k8s-helper

module
v1.1.3
Published: Jul 25, 2023 License: Apache-2.0

README

Helper application for managing Vault with Raft storage & TLS in Kubernetes clusters.

It takes care of the following aspects:

  • preparing a certificate for the Vault pods, signed by the cluster CA
  • initializing a new cluster
  • joining Raft nodes to the first node
  • automatically unsealing an existing cluster

The application consists of 2 commands:

  1. setup-tls - creates certificates for the Vault cluster, signed by the cluster's CA
  2. vault-autounseal - initializes Vault, stores its secrets and unseals it.

Helm chart usage

Helm must be installed to use the charts. Please refer to Helm's documentation to get started.

Once Helm has been set up correctly, add the repo as follows:

    helm repo add vault-k8s-helper https://camaeel.github.io/vault-k8s-helper

If you have already added this repo, run helm repo update to retrieve the latest versions of the packages. You can then run helm search repo vault-k8s-helper to see the charts.

The Helm repository contains 2 Helm charts:

  1. vault-cert-creator - installs the setup-tls tool and provides secrets for Vault. It also renews certificates when they are close to expiring.
  2. vault-autounseal - sets up the vault-autounseal utility, which is responsible for initializing and establishing a new cluster and for unsealing sealed pods.

Setup

Installation

The preferred way of installing is with the Helm charts. The simplest setup can be achieved with the following steps:

  1. Install setup-tls:
    helm upgrade --install -n vault --create-namespace vault-cert-creator vault-cert-creator --repo https://camaeel.github.io/vault-k8s-helper/
    
  2. Install Vault:
    helm upgrade --install -n vault --create-namespace vault vault --repo https://helm.releases.hashicorp.com/ --version 0.24.0 -f example/vault/vault-values.yaml
    
  3. Install vault-autounseal:
    helm upgrade --install -n vault-autounseal --create-namespace vault-autounseal vault-autounseal --repo https://camaeel.github.io/vault-k8s-helper/
    

Root token

To obtain the root token, run:

    kubectl get secret -ojson -n vault-autounseal vault-autounseal-root-token | jq -r '.data.token' | base64 -d
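Because the root token sits in an ordinary Kubernetes Secret, any identity that can get, list or watch Secrets in that namespace can recover it. The script below is an added example, not part of vault-k8s-helper: it asks the API server, via kubectl auth can-i, which of the subjects you pass in have such access. The subjects are whatever you supply (the one in the usage comment is hypothetical), and --as requires that your own account is allowed to impersonate them.

```sh
#!/bin/sh
# Added example (not project code): audit who can read the Vault root token Secret.
# Namespace and Secret name are taken from the kubectl command in this README.
NAMESPACE="vault-autounseal"
SECRET="vault-autounseal-root-token"

# allowed VERB RESOURCE SUBJECT
# True when the API server answers "yes" for SUBJECT in $NAMESPACE.
# kubectl auth can-i exits non-zero on "no", hence the "|| true".
allowed() {
    answer=$(kubectl auth can-i "$1" "$2" -n "${NAMESPACE}" --as="$3" 2>/dev/null) || true
    [ "${answer}" = "yes" ]
}

# exposure SUBJECT
# Prints one line per access path that reveals the token to SUBJECT.
# list and watch on Secrets return the Secret data as well, so they count.
exposure() {
    allowed get "secrets/${SECRET}" "$1" && echo "$1: get ${SECRET}"
    allowed list secrets "$1" && echo "$1: list secrets"
    allowed watch secrets "$1" && echo "$1: watch secrets"
    return 0
}

# audit_root_token_readers SUBJECT...
# Prints all findings; returns 1 if any subject can reach the token, else 0.
audit_root_token_readers() {
    findings=$(for subject in "$@"; do exposure "${subject}"; done)
    if [ -z "${findings}" ]; then
        return 0
    fi
    printf '%s\n' "${findings}"
    return 1
}

# Usage (hypothetical subject):
#   sh audit.sh system:serviceaccount:default:default
if [ "$#" -gt 0 ]; then
    audit_root_token_readers "$@"
fi
```

A non-zero exit status means at least one of the listed subjects can read the token, which makes the script usable as a CI or cron check.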

Configuration

The Vault client library used in vault-autounseal can also be configured using Vault's environment variables: https://github.com/hashicorp/vault/blob/api/v1.8.2/api/client.go#L36

Directories

Path Synopsis
cmd
pkg
