README
¶
vault-controller
Image for Bitesize vault controller
If you align to the defaults then in most cases the controller will work without providing any explicit vars.
It will:
- Discover Vault pods on your cluster.
- Ascertain their init status and initialise them if necessary.
- Ascertain their Seal status and unseal them if necessary.
- It uses Kubernetes(k8s) secrets to store Unseal keys and tokens when it creates them and to read them when required.
Reqd vars:
-
VAULT_TOKEN or VAULT_TOKEN_FILE (VAULT_TOKEN takes precedence). See below example.
-
If VAULT_TOKEN is not a valid uuid and VAULT_TOKEN_FILE exists then VAULT_TOKEN will be exported from its contents.
-
VAULT_UNSEAL_KEYS or VAULT_UNSEAL_KEYS_FILE (VAULT_UNSEAL_KEYS takes precedence). See below example.
-
If VAULT_TOKEN is empty and VAULT_UNSEAL_KEYS_FILE exists then VAULT_UNSEAL_KEYS will be exported from their contents.
-
VAULT_UNSEAL_KEYS_FILE and VAULT_TOKEN_FILE would typically point to files mounted in secret volumes on the controller deployment (see below)
Optional vars:
- VAULT_LABEL_KEY label key on target pods. Default = "k8s-app".
- VAULT_LABEL_VALUE label value on target pods. Default = "vault".
- VAULT_NAMESPACE namespace for target pods. Default = "kube-system".
- VAULT_INSTANCES static, comma-separated list of target hosts for local testing in docker. If provided overrides - VAULT_LABEL and VAULT_NAMESPACE.
- VAULT_PORT vault service port. Default = "8243".
- VAULT_SCHEME vault transport scheme. Default = "https".
- VAULT_ADDR vault address for cluster. Default = "https://vault.kusbe-syetm.svc.cluster.local:8543".
- VAULT_TOKEN vault token for access. No default.
- VAULT_INIT_SHARES number of shares for unseal. Default = 5.
- VAULT_INIT_THRESHOLD threshold for unseal. Default = 3.
- VAULT_UNSEAL_KEYS if already initialised, the keys. No default.
- RELOAD_FREQUENCY how often to run controller loop. Default = "30s".
- VAULT_UNSEAL_SECRET_NAME k8s secret name for unseal keys in. Default = "vault-unseal-keys".
- VAULT_UNSEAL_SECRET_KEY k8s secret key for unseal keys. Default = "unseal-keys".
- VAULT_TOKEN_SECRET_NAME k8s secret name for root token. Default = "vault-tokens".
- VAULT_TOKEN_SECRET_KEY k8s secret key for root token. Default = "root-token".
Note: Building on Linux:
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build controller.go
Example controller deployment:
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: vault-controller
namespace: kube-system
labels:
app: vault-controller
name: vault-controller
spec:
replicas: 1
selector:
matchLabels:
app: vault-controller
template:
metadata:
labels:
app: vault-controller
name: vault-controller
spec:
containers:
- name: vault-controller
image: pearsontechnology/vault-controller:0.1
imagePullPolicy: Always
env:
- name: "DEBUG"
value: "false"
- name: "VAULT_SCHEME"
value: "https"
- name: "VAULT_SKIP_VERIFY"
value: "true"
- name: "VAULT_PORT"
value: "8543"
- name: "SERVICE_DOMAIN"
value: "svc.cluster.local"
- name: "VAULT_LABEL"
value: "vault"
- name: "VAULT_NAMESPACE"
value: "kube-system"
- name: "VAULT_UNSEAL_KEYS_FILE"
value: "/etc/vault-secret-unseal-keys/unseal-keys"
- name: "VAULT_TOKEN_FILE"
value: "/etc/vault-token-file/root-key"
volumeMounts:
- name: vault-volume-unseal-keys
mountPath: /etc/vault-secret-unseal-keys
- name: vault-token-file
mountPath: /etc/vault-token-file
volumes:
- name: vault-volume-unseal-keys
secret:
secretName: vault-unseal-keys
- name: vault-token-file
secret:
secretName: "vault-tokens"
Policies
The controller optionally supports a CRD to handle creating Vault policies and tokens for them, it will stash these tokens in a secret in the namespace the CRD was created in. Definition:
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: vaultpolicies.vault.local
spec:
scope: Namespaced
group: vault.local
version: v1
names:
kind: VaultPolicy
plural: vaultpolicies
singular: vaultpolicy
Example of a policy:
---
apiVersion: vault.local/v1
kind: VaultPolicy
metadata:
name: vault-mysecrets-read-only
namespace: my-ns
labels:
name: vault-mysecrets-read-only
app: myapp
spec:
- Path: secret/mysecrets/*
Permission: read
Period: 24h
In this case a policy 'vault-mysecrets-read-only' would be created and a periodic token for it stashed in my-ns/vault-mysecrets-read-only:vault-mysecrets-read-only. A TTL may be specified in place of Period, the default TTL in this case is 720h. If Period is specified however, TTL is ignored.
End
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
pkg
|
|
|
apis/vault.local/v1
Package v1 is the v1 version of the API.
|
Package v1 is the v1 version of the API. |
|
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
client/clientset/versioned/typed/vaultpolicy/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
client/clientset/versioned/typed/vaultpolicy/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |