vault-operator/
v0.0.0-...-b140147
Published: Nov 21, 2019 License: Apache-2.0

README

Vault Operator

Overview

This Vault operator is a re-implementation of the Vault operator using the operator-sdk tools and APIs. The SDK CLI operator-sdk generates the project layout and controls the development life cycle. In addition, this implementation replaces the use of client-go with the SDK APIs to watch, query, and mutate Kubernetes resources.

Quick Start

The quick start guide walks through the process of building the Vault operator image using the SDK CLI, setting up the RBAC, deploying operators, and creating a vault cluster.

Prerequisites
  • dep version v0.5.0+.
  • go version v1.10+.
  • docker version 17.03+.
  • kubectl version v1.9.0+.
  • Access to a Kubernetes v1.9.0+ cluster.

Note: This guide uses minikube version v0.25.0+ as the local Kubernetes cluster and quay.io as the public registry.

Install the Operator SDK CLI

First, checkout and install the operator-sdk CLI:

$ cd $GOPATH/src/github.com/operator-framework/operator-sdk
$ git checkout master
$ dep ensure
$ go install github.com/operator-framework/operator-sdk/commands/operator-sdk

Initial Setup

Checkout this Vault Operator repository:

$ mkdir $GOPATH/src/github.com/operator-framework
$ cd $GOPATH/src/github.com/operator-framework
$ git clone https://github.com/operator-framework/operator-sdk-samples.git
$ cd operator-sdk-samples/vault-operator

Vendor the dependencies:

$ dep ensure

Build and run the operator

Build the Vault operator image and push it to a public registry such as quay.io:

$ export IMAGE=quay.io/example/vault-operator:v0.0.1
$ operator-sdk build $IMAGE
$ docker push $IMAGE

Setup RBAC for the Vault operator and its related resources:

$ kubectl create -f deploy/rbac.yaml

Deploy the etcd-operator first because the Vault operator depends on it for provisioning an etcd cluster as the storage backend of a Vault cluster:

$ kubectl create -f deploy/etcd-operator.yaml

Deploy the Vault CRD:

$ kubectl create -f deploy/crd.yaml

Deploy the Vault operator:

$ kubectl create -f deploy/operator.yaml

Deploying a Vault cluster

Create a Vault cluster:

$ kubectl create -f deploy/cr.yaml

Verify that the Vault cluster is up:

$ kubectl get pods -l app=vault,vault_cluster=example
NAME                       READY     STATUS    RESTARTS   AGE
example-654658f5fc-2wdlq   1/2       Running   0          1m
example-654658f5fc-7ztzf   1/2       Running   0          1m
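The verification step above only eyeballs the READY column. The following shell function, an added example that is not part of the vault-operator repository, parses the same `kubectl get pods` table and reports whether every Vault pod is Running with all of its containers ready. The two input tables are constructed here from the README output (the first one is the 1/2 state shown above, the second is the same cluster once both containers report ready); the label selector in the usage comment is copied from the README.

```shell
#!/usr/bin/env sh
# Added example, not code from the vault-operator repository.
# Reads `kubectl get pods` output (NAME READY STATUS RESTARTS AGE) on stdin.
# Returns 0 when every pod is Running and READY is n/n; otherwise lists the
# pods that are not fully ready on stderr and returns 1.
vault_pods_all_ready() {
  not_ready=0
  while read -r name ready status rest; do
    # skip blank lines and the header row
    [ -z "$name" ] && continue
    [ "$name" = "NAME" ] && continue
    have="${ready%%/*}"   # containers ready
    want="${ready##*/}"   # containers in the pod
    if [ "$status" != "Running" ] || [ "$have" != "$want" ]; then
      printf 'not ready: %s (READY %s, STATUS %s)\n' "$name" "$ready" "$status" >&2
      not_ready=$((not_ready + 1))
    fi
  done
  [ "$not_ready" -eq 0 ]
}

# Constructed sample: the README output right after `kubectl create -f deploy/cr.yaml`.
SAMPLE_PARTIAL='NAME                       READY     STATUS    RESTARTS   AGE
example-654658f5fc-2wdlq   1/2       Running   0          1m
example-654658f5fc-7ztzf   1/2       Running   0          1m'

# Constructed sample: the same cluster once both containers in each pod are ready.
SAMPLE_READY='NAME                       READY     STATUS    RESTARTS   AGE
example-654658f5fc-2wdlq   2/2       Running   0          5m
example-654658f5fc-7ztzf   2/2       Running   0          5m'

# Live usage against a cluster (selector taken from the README):
#   kubectl get pods -l app=vault,vault_cluster=example | vault_pods_all_ready

if printf '%s\n' "$SAMPLE_PARTIAL" | vault_pods_all_ready; then
  echo "partial sample: all pods ready"
else
  echo "partial sample: cluster not fully ready yet"
fi
if printf '%s\n' "$SAMPLE_READY" | vault_pods_all_ready; then
  echo "ready sample: all pods ready"
fi
```

With the README's own output the function exits non-zero, because each pod reports only one of its two containers ready; rerun it after the initialize and unseal steps from the Vault Usage Guide, and treat a pod that stays below n/n or leaves the Running state as something to investigate with `kubectl describe pod` before moving on.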

Vault Guide

Once the vault cluster is up, see the Vault Usage Guide from the original Vault operator repository on how to initialize, unseal, and interact with the vault cluster.

Note: The Vault Usage Guide uses the short name vault for the kind VaultService. However, this repository has not registered a short name for the vault Custom Resource Definition (CRD). As a workaround, when using a command from the Vault Usage Guide that contains the vault keyword to access a vault Custom Resource (CR), replace it with the keyword vaultservice instead.

For example:

kubectl -n default get vault example ... -> kubectl -n default get vaultservice example ...

Tests

This repo contains some tests that use the operator-sdk's test framework. These tests are based directly on the original vault-operator tests, and thus cannot fully complete when run on a local machine; they must be run inside a Kubernetes cluster instead. This is a very specific use case, so it is not handled by the SDK's test framework. However, it is a good example of how to use the framework for an operator that needs more resources than usual to initialize, due to the dependency on etcd. When run on a local machine these tests fully initialize a vault cluster and tear it down, even though they fail because the vault client cannot reach the vault pods. To run these tests using the specific test init files, modify the vault-operator's spec inside deploy/namespaced-init.yaml to point to your repo containing the vault-operator, and then run this command:

$ operator-sdk test -t ./test/e2e/ -g deploy/global-init.yaml -n deploy/namespaced-init.yaml

Directories

Path Synopsis
cmd
pkg
apis/vault/v1alpha1
+k8s:deepcopy-gen=package +groupName=vault.security.coreos.com
tls
vault
Package vault contains the reconciliation logic for the vault Custom Resource.
test
