vault-unsealer-operator

command module, v0.0.0-...-85a0c52
Published: Aug 18, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

README

vault-unsealer-operator

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. Contribute
  5. License
  6. Contact

About The Project

Purpose

This Kubernetes operator automates the unseal process of your HashiCorp Vault clusters or instances, driven by a sample resource file and a Secret holding the unseal keys.


Built With


Getting Started

Prerequisites

You need to have:

  • An operational Kubernetes cluster
  • A HashiCorp Vault cluster or instance
  • The kubectl binary

Installation
  1. Deploy the latest operator release via the bundle file:
     kubectl apply -f https://raw.githubusercontent.com/aamoyel/vault-unsealer-operator/main/deploy/bundle.yml


Usage

  1. First, create a Secret containing your threshold unseal keys. An example file is available at this link; it looks like this:
     apiVersion: v1
     kind: Secret
     metadata:
       name: thresholdkeys
     type: Opaque
     stringData:
       key1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       key2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Apply this file with kubectl.
  2. (Optional) If you have your own PKI and CA certificate, create a Secret for it (example file here) like this:
     apiVersion: v1
     kind: Secret
     metadata:
       name: cacertificate
     type: Opaque
     stringData:
       ca.crt: |
         -----BEGIN CERTIFICATE-----
         .....................................
         -----END CERTIFICATE-----
    Apply this file with kubectl.
  3. Now create your Unseal resource and fill in its fields:
     apiVersion: unsealer.amoyel.fr/v1alpha1
     kind: Unseal
     metadata:
       name: unseal-sample
     spec:
       vaultNodes:
         - https://vault-cluster-node-url-1:8200
         - https://vault-cluster-node-url-2:8200
         - https://vault-cluster-node-url-3:8200
       thresholdKeysSecret: thresholdkeys
       # Optional, but important if you have an internal PKI for your Vault certificate. The Secret must be in the same namespace as this resource.
       caCertSecret: cacertificate
       # Optional, set this parameter to true if you want to skip TLS certificate verification.
       tlsSkipVerify: false
       # Optional
       retryCount: 3
    Apply this file with kubectl.


Contribute

You can create issues on this project if you have any problems or suggestions.


License

Distributed under the Apache-2.0 license. See LICENSE.txt for more information.


Contact

Alan Amoyel - @AlanAmoyel

Project Link: https://github.com/aamoyel/vault-unsealer-operator


Documentation

There is no documentation for this package.

Directories

Path          Synopsis
api/v1alpha1  Package v1alpha1 contains API Schema definitions for the unsealer v1alpha1 API group (+kubebuilder:object:generate=true +groupName=unsealer.amoyel.fr)
pkg
