vault-unsealer

command module
v0.2.1 Latest
Warning: This package is not in the latest version of its module.
Published: Apr 23, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

README

vault-unsealer

A Kubernetes controller that automatically unseals Vault pods.

Secrets

The controller reads its configuration from Secrets that carry the label vault-unsealer.bakito.net/stateful-set; the label value is the name of the Vault StatefulSet whose pods the keys belong to.

With Keys in Secret

Unseal keys can be stored directly in the Secret. The entry names must start with the prefix unsealKey. As in every Secret, the values under data are base64-encoded (use stringData instead if you want to supply them in plain form).

apiVersion: v1
kind: Secret
metadata:
  labels:
    vault-unsealer.bakito.net/stateful-set: vault
  name: vault-unsealer-config
type: Opaque
data:
  unsealKey1: <...>
  unsealKey2: <...>
  unsealKey3: <...>
  unsealKey4: <...>
  unsealKey5: <...>
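
What the controller has to do with such a Secret, shown here as an added example that is not the project's own code: collect the unsealKey* values and feed them to the pod's sys/unseal endpoint one share at a time, stopping as soon as the pod reports sealed=false. It talks to Vault's HTTP API with only the standard library. UnsealKeys, Unseal, SealStatus and the address and http.Client parameters are names chosen for this example; the Secret data is taken in the already base64-decoded form that client-go returns.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"sort"
	"strings"
)

// StatefulSetLabel is the label the README requires on every Secret the unsealer reads.
const StatefulSetLabel = "vault-unsealer.bakito.net/stateful-set"

// UnsealKeys returns the values of all unsealKey* entries of a Secret that is labelled for
// statefulSet, in key-name order. data is the Secret's data as client-go delivers it: the
// base64 from the manifest is already decoded, so only surrounding whitespace is trimmed.
func UnsealKeys(labels map[string]string, data map[string][]byte, statefulSet string) ([]string, error) {
	if labels[StatefulSetLabel] != statefulSet {
		return nil, fmt.Errorf("secret is not labelled %s=%s", StatefulSetLabel, statefulSet)
	}
	var names []string
	for k := range data {
		if strings.HasPrefix(k, "unsealKey") {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	keys := make([]string, 0, len(names))
	for _, n := range names {
		if v := strings.TrimSpace(string(data[n])); v != "" {
			keys = append(keys, v)
		}
	}
	if len(keys) == 0 {
		return nil, errors.New("secret has no unsealKey* entries")
	}
	return keys, nil
}

// SealStatus holds the fields of the /v1/sys/seal-status and /v1/sys/unseal responses used here.
type SealStatus struct {
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`        // shares needed
	N        int  `json:"n"`        // shares in total
	Progress int  `json:"progress"` // shares accepted so far
}

// sealCall GETs seal-status or PUTs one share to sys/unseal; neither endpoint needs a token.
func sealCall(ctx context.Context, hc *http.Client, addr, path string, body any) (SealStatus, error) {
	var st SealStatus
	method, payload := http.MethodGet, io.Reader(nil)
	if body != nil {
		raw, err := json.Marshal(body)
		if err != nil {
			return st, err
		}
		method, payload = http.MethodPut, bytes.NewReader(raw)
	}
	req, err := http.NewRequestWithContext(ctx, method, addr+path, payload)
	if err != nil {
		return st, err
	}
	resp, err := hc.Do(req)
	if err != nil {
		return st, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return st, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return st, json.NewDecoder(resp.Body).Decode(&st)
}

// Unseal submits shares one at a time until the pod reports sealed=false. It returns at once
// when the pod is already unsealed and fails if the shares run out before the threshold.
// Shares are never logged; treat them as the root-key material they are.
func Unseal(ctx context.Context, hc *http.Client, addr string, keys []string) (SealStatus, error) {
	st, err := sealCall(ctx, hc, addr, "/v1/sys/seal-status", nil)
	if err != nil || !st.Sealed {
		return st, err
	}
	for i, k := range keys {
		if st, err = sealCall(ctx, hc, addr, "/v1/sys/unseal", map[string]string{"key": k}); err != nil {
			return st, fmt.Errorf("share %d: %w", i+1, err)
		}
		if !st.Sealed {
			return st, nil
		}
	}
	return st, fmt.Errorf("still sealed after %d shares: progress %d of %d", len(keys), st.Progress, st.T)
}
```

Checking seal-status first matters in a controller that is triggered on every pod event: without it, a reconcile of an already unsealed pod would push shares at a Vault that does not need them. The early return on sealed=false also means only the threshold number of shares ever leaves the controller, even if the Secret holds all five.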

With Vault userpass

If the unseal keys are stored in Vault itself, the controller can log in with the userpass auth method. The Secret then carries the credentials and the location of the keys instead of the keys themselves:

Key         Description
username    The username for Vault userpass access.
password    The password for Vault userpass access.
secretPath  The path within Vault of the secret that holds the unseal keys.

Do NOT add the /data path element to secretPath. That element is only required when a KV version 2 secret is read through the Vault CLI or API directly; the unsealer checks the engine version and adds it itself.
apiVersion: v1
kind: Secret
metadata:
  labels:
    vault-unsealer.bakito.net/stateful-set: vault
  name: vault-unsealer-config-userpass
type: Opaque
data:
  username: <...>
  password: <...>
  secretPath: <...>

Test

# Get a token
vault login -method=userpass username=<username>

# Read the secret (for KV version 2, '/data' must be added to the secret path,
# but only for the CLI, not in the unsealer Secret)
vault read kv/data/unsealer


With Vault kubernetes service account

Another way to reach unseal keys stored in Vault is the kubernetes auth method; the unsealer's service account must then be bound to a Vault role that grants access to the secret.

Key         Description
role        The Vault kubernetes auth role the unsealer's service account is bound to.
secretPath  The path within Vault of the secret that holds the unseal keys.

Do NOT add the /data path element to secretPath. That element is only required when a KV version 2 secret is read through the Vault CLI or API directly; the unsealer checks the engine version and adds it itself.
apiVersion: v1
kind: Secret
metadata:
  labels:
    vault-unsealer.bakito.net/stateful-set: vault
  name: vault-unsealer-config-kubernetes
type: Opaque
data:
  role: <...>
  secretPath: <...>

Test

# Get a token
vault write auth/kubernetes/login role=<role> jwt=<k8s-token>

# Log in with the received Vault token
vault login

# Read the secret (for KV version 2, '/data' must be added to the secret path,
# but only for the CLI, not in the unsealer Secret)
vault read kv/data/unsealer


Required Vault policy for userpass and kubernetes auth

# allow reading the secret that holds the unseal keys
path "path/to/your/unseal/secret" {
  capabilities = ["read"]
}
# allow reading the mount table (used to check the kv version of the secret engine)
path "sys/mounts" {
  capabilities = ["read"]
}

For a KV version 2 engine the policy path must contain the /data element (kv/data/unsealer for the secret read in the tests above), even though secretPath in the unsealer Secret omits it: Vault evaluates the policy against the API path, not against the logical secret path.
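
The path handling behind the two "do NOT add /data" notes above, as an added example written for this page rather than taken from the unsealer's source: a small Go client reads sys/mounts (the reason the policy grants read on it) to learn the KV version of the engine that serves secretPath, inserts the data/ element only for KV version 2, and unwraps the extra data level that a version 2 response carries beside its metadata. It assumes a client token already obtained with one of the login commands above, and it assumes, since the page only says so for the Secret form, that the entries in Vault are also named with the unsealKey prefix. Client, get, kvDataPath and ReadUnsealKeys are names chosen here.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Client is a minimal Vault HTTP client written for this example, not the unsealer's own code.
// Addr is the pod or service URL, for example http://vault-0:8200; Token is a client token
// obtained with one of the login commands above.
type Client struct {
	Addr  string
	Token string
}

// get performs one authenticated GET under /v1/ and decodes the envelope Vault wraps responses in.
func (c *Client) get(ctx context.Context, path string) (map[string]any, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.Addr+"/v1/"+path, nil)
	if err != nil {
		return nil, err
	}
	if c.Token != "" {
		req.Header.Set("X-Vault-Token", c.Token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: HTTP %d", path, resp.StatusCode)
	}
	var out map[string]any
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// kvDataPath reads sys/mounts (which is why the policy grants read on it), picks the longest
// mount prefix serving secretPath and, for a KV v2 engine, inserts the "data/" element that
// secretPath in the unsealer Secret must leave out. It returns the API path and the KV version.
func (c *Client) kvDataPath(ctx context.Context, secretPath string) (string, int, error) {
	out, err := c.get(ctx, "sys/mounts")
	if err != nil {
		return "", 0, err
	}
	mounts, _ := out["data"].(map[string]any)
	mount, version := "", 1
	for name, raw := range mounts {
		if !strings.HasPrefix(secretPath, name) || len(name) <= len(mount) {
			continue
		}
		info, _ := raw.(map[string]any)
		opts, _ := info["options"].(map[string]any) // absent on KV v1 mounts
		mount, version = name, 1
		if v, _ := opts["version"].(string); v == "2" {
			version = 2
		}
	}
	if mount == "" {
		return "", 0, fmt.Errorf("no mount in sys/mounts serves %q", secretPath)
	}
	if version == 2 {
		return mount + "data/" + strings.TrimPrefix(secretPath, mount), 2, nil
	}
	return secretPath, 1, nil
}

// ReadUnsealKeys fetches the secret and returns every non-empty unsealKey* value, unwrapping
// the extra "data" level that KV v2 returns beside "metadata". The unsealKey naming is assumed
// here from the Secret form; order is irrelevant because Vault accepts Shamir shares in any order.
func (c *Client) ReadUnsealKeys(ctx context.Context, secretPath string) ([]string, error) {
	path, version, err := c.kvDataPath(ctx, secretPath)
	if err != nil {
		return nil, err
	}
	out, err := c.get(ctx, path)
	if err != nil {
		return nil, err
	}
	data, _ := out["data"].(map[string]any)
	if version == 2 {
		data, _ = data["data"].(map[string]any)
	}
	var keys []string
	for k, v := range data {
		if s, _ := v.(string); s != "" && strings.HasPrefix(k, "unsealKey") {
			keys = append(keys, s)
		}
	}
	if len(keys) == 0 {
		return nil, fmt.Errorf("%s (kv v%d): no unsealKey* entries", path, version)
	}
	return keys, nil
}
```

Because the data/ element is derived from the mount table rather than typed into the Secret, the same Secret works whether the engine is KV version 1 or 2; the only thing the operator must get right is the policy path, which for version 2 does contain data/ (see the policy note above). A secretPath that no mount serves is reported as an error instead of being retried against a path that can never exist.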

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg